Hi,
According to my knowledge, there is no GPO that can disable the terminal server
Best wishes
Vicky
Disable TLS 1.0 for RDP Protocol using GPO
Hi all,
Inside the company we have completed a vulnerability assessment.
I have this vulnerability:
"TLS Version 1.0 Protocol Detection"
All physical servers and virtual machines inside the company are Windows Server 2016 Datacenter and they have the latest Windows updates.
How can I solve it for RDP?
Is it possible to disable TLS 1.0 for RDP using GPO?
I would like to improve security on the company servers.
Thanks so much
Best regards
Federico
-
Vicky Wang 2,741 Reputation points
2020-12-03T09:21:50.59+00:00 -
Federico Coppola 1,181 Reputation points
2020-12-02T20:07:38.68+00:00
Can anyone suggest the proper GPO to set to disable TLS 1.0 on different servers?
Not all servers are Terminal Servers (just one at the moment).
Thanks
Federico -
Federico Coppola 1,181 Reputation points
2020-11-29T21:18:10.817+00:00
Hi,
thanks for your reply.
@Thameur-BOURBITA OK, so I will disable TLS 1.0 for the whole system and not just for RDP.
@Vicky Wang Sorry, but I did not understand which is the right option for "Remote Desktop Session Host Configuration".
I would generally disable TLS 1.0 to improve security in my LAN, where there are different Windows Server 2016 VMs (Domain Controllers, File Server, Print server...).
Can I create a group policy to disable it on different machines?
Thanks so much
Federico -
Vicky Wang 2,741 Reputation points
2020-11-27T07:52:42.833+00:00
Disabling TLS is a system-wide registry setting:
https://technet.microsoft.com/en-us/library/dn786418.aspx#BKMK_SchannelTR_TLS10
Key: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Value: Enabled
Value type: REG_DWORD
Value Data: 0
Also, the PCI requirement for disabling early TLS does not go into effect until June 30, 2016.
Internet Explorer is one product I know of that has a separate configuration option for the TLS/SSL encryption settings. There may be others.
I have a Windows 2012 R2 server with TLS 1.0 disabled and I can remote desktop to it.
If you are wondering, below is a screenshot of tsconfig.msc on a Windows 2008 R2 server that has KB3080079 installed. There's nothing to configure because the only thing the update did was add support for the other two TLS encryption levels so that when TLS 1.0 is disabled it continues to work.
Hope this information can help you
Best wishes
Vicky -
Thameur-BOURBITA 36,526 Reputation points Moderator
2020-11-26T22:48:07.44+00:00
Hi,
You can use a Group Policy preference to disable or enable TLS 1.0 by setting the registry key mentioned at this link:
Please don't forget to mark this reply as the answer if it helps you fix your issue.
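
The registry setting quoted in the answers above, as an added PowerShell example (not code from the thread or from Microsoft): it reports whether the TLS 1.0 server value is configured on a machine and, on request, writes `Enabled = 0`. The function names are hypothetical, and it assumes Windows PowerShell 5.1 in an elevated session on the server being checked.

```powershell
# Added example. Function names are hypothetical; the key, value name, type and
# data are the ones quoted in the thread (written here via the HKLM:\ drive).
$script:SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerState {
    param([string]$Protocol = 'TLS 1.0')

    $path  = Join-Path $script:SchannelProtocols "$Protocol\Server"
    $value = $null
    if (Test-Path -LiteralPath $path) {
        $item = Get-ItemProperty -LiteralPath $path -Name 'Enabled' -ErrorAction SilentlyContinue
        if ($item) { $value = $item.Enabled }
    }

    # No key or no value means nothing was configured and the OS default applies.
    if ($null -eq $value) { $state = 'NotConfigured' }
    elseif ($value -eq 0) { $state = 'Disabled' }
    else                  { $state = 'Enabled' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Protocol = $Protocol
        Enabled  = $value
        State    = $state
    }
}

function Disable-SchannelServerProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Protocol = 'TLS 1.0')

    $path = Join-Path $script:SchannelProtocols "$Protocol\Server"
    if ($PSCmdlet.ShouldProcess($path, 'Set Enabled = 0 (REG_DWORD)')) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -Force | Out-Null      # creates missing parent keys too
        }
        New-ItemProperty -LiteralPath $path -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Get-SchannelServerState -Protocol $Protocol         # report the resulting state
}

# Audit first (read-only), then preview the change; drop -WhatIf to apply it.
Get-SchannelServerState
Disable-SchannelServerProtocol -WhatIf
```

A Group Policy Preferences registry item, as suggested in the last answer, would carry the same key, value name, type and data; the audit function can then confirm on each server that the preference has applied.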