Windows 10 TLS 1.3 Enablement Registry keys

Jason Kowalczyk 11 Reputation points
2021-04-07T20:31:18.547+00:00

We are deploying TLS 1.3 as a required protocol, as well as disabling TLS 1.1, on the 1909 version of the software.

We are doing this via Registry Keys:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisablebyDefault == 0x1

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisablebyDefault == 0x1

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled == 0x0

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled == 0x0

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisablebyDefault == 0x0

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisablebyDefault == 0x0

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled == 0x1

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled == 0x1

It follows that we need to control the DefaultSecureProtocols keys as well.

The docs list the following values and how to calculate combined values by adding the hex values:

0x00000008 Enable SSL 2.0 by default

0x00000020 Enable SSL 3.0 by default

0x00000080 Enable TLS 1.0 by default

0x00000200 Enable TLS 1.1 by default

0x00000800 Enable TLS 1.2 by default

Can we assume that TLS 1.3 follows the same pattern? e.g.

0x00002000 Enable TLS 1.3 by default

We would set this on the following keys to only allow TLS 1.2 and TLS 1.3:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp DefaultSecureProtocols == 0x2800

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp DefaultSecureProtocols == 0x2800

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SecureProtocols == 0x2800

Thanks for any clarification you can give. I cannot find this on the Docs site or developer pages, but I could be wrong.

Reference: https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392

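The procedure in the question (disable TLS 1.1 and enable TLS 1.3 in Schannel, then set the WinHTTP/WinINet protocol bitmask to TLS 1.2 + TLS 1.3), as an added PowerShell example that is not part of the original post. Two points it makes explicit: the Schannel value is spelled DisabledByDefault (with a "d"), and the bitmask is built by OR-ing the per-protocol flags rather than remembering 0x2800 as a magic number. The TLS 1.3 bit 0x2000 is taken from the question's proposal (it is the same value as the WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3 constant in winhttp.h); the other bit values come from the KB article the question cites. Function names are this example's own. Run it elevated; Schannel protocol changes take effect after a reboot, and Schannel itself only negotiates TLS 1.3 on Windows releases that ship TLS 1.3 support (Windows 11 / Windows Server 2022), so on earlier builds the TLS 1.3 Schannel keys are inert.

```powershell
# Added example, not from the original post: configure "TLS 1.2 and 1.3 only".
# Assumption: TLS 1.3 = 0x2000 (WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3); other bits per the KB article.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
    'TLS 1.3' = 0x2000   # assumed value, see lead-in
}

# Locations WinHTTP (64- and 32-bit) and WinINet read their default protocol mask from.
$SecureProtocolTargets = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp';             Name = 'DefaultSecureProtocols' },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings';                     Name = 'SecureProtocols' }
)

function Get-SecureProtocolsMask {
    # OR the flag bits of the named protocols together, e.g. 'TLS 1.2','TLS 1.3' -> 0x2800.
    param([Parameter(Mandatory)][string[]]$Protocols)
    $mask = 0
    foreach ($p in $Protocols) {
        if (-not $ProtocolBits.Contains($p)) { throw "Unknown protocol '$p'" }
        $mask = $mask -bor $ProtocolBits[$p]
    }
    return $mask
}

function ConvertFrom-SecureProtocolsMask {
    # Decode an existing DWORD back into protocol names; report any bits we do not know.
    param([Parameter(Mandatory)][int]$Mask)
    $names = @(foreach ($e in $ProtocolBits.GetEnumerator()) { if ($Mask -band $e.Value) { $e.Key } })
    $known = 0
    foreach ($v in $ProtocolBits.Values) { $known = $known -bor $v }
    $unknown = $Mask -band (-bnot $known)
    [pscustomobject]@{ Mask = ('0x{0:X4}' -f $Mask); Protocols = $names; UnknownBits = ('0x{0:X}' -f $unknown) }
}

function Set-SchannelProtocol {
    # Enable or disable one protocol for both the Client and Server side of Schannel.
    param([Parameter(Mandatory)][string]$Protocol, [Parameter(Mandatory)][bool]$Enabled)
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Schannel reads 'Enabled' and 'DisabledByDefault' (note the trailing 'd'), both REG_DWORD.
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enabled)        -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Set-DefaultSecureProtocols {
    # Write the same mask to every WinHTTP/WinINet location.
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($t in $SecureProtocolTargets) {
        if (-not (Test-Path $t.Path)) { New-Item -Path $t.Path -Force | Out-Null }
        New-ItemProperty -Path $t.Path -Name $t.Name -PropertyType DWord -Value $Mask -Force | Out-Null
    }
}

function Get-DefaultSecureProtocols {
    # Read each location back and decode it, so the deployment can be audited.
    foreach ($t in $SecureProtocolTargets) {
        $value = (Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
        if ($null -eq $value) { [pscustomobject]@{ Path = $t.Path; Name = $t.Name; Mask = '(not set)'; Protocols = @(); UnknownBits = '' } }
        else { ConvertFrom-SecureProtocolsMask -Mask $value | Select-Object @{n='Path';e={$t.Path}}, @{n='Name';e={$t.Name}}, Mask, Protocols, UnknownBits }
    }
}

# --- usage: the configuration described in the question ---
$mask = Get-SecureProtocolsMask -Protocols 'TLS 1.2', 'TLS 1.3'   # 0x2800
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.3' -Enabled $true
Set-DefaultSecureProtocols -Mask $mask
Get-DefaultSecureProtocols | Format-Table -AutoSize
```

ConvertFrom-SecureProtocolsMask is also the quick way to check a machine that was previously locked to TLS 1.2 only: a value of 0x0800 decodes to just TLS 1.2, and the UnknownBits column will flag any bit that is not one of the six documented flags.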

3 answers

  1. MichaelMaxey-2536 112 Reputation points
    2022-06-24T21:07:55.813+00:00

    I had previously set my machine for WinHTTP TLS 1.2 only and about 2 days ago started getting logon failures for OneDrive.

    I had to update the value to 0x2800 and it started working again.

    This is very relevant.


  2. Anonymous
    2021-04-08T07:44:54.567+00:00

    Hi,

    Based on my understanding, TLS 1.3 is enabled by default in WinHttp. You don't need to set the DefaultSecureProtocols keys for TLS 1.3.

    Best Regards,
    Candy



  3. Anonymous
    2021-04-12T01:56:51.257+00:00

    Hi @Jason Kowalczyk ,

    See if the following article can help with you:

    Microsoft TLS 1.3 Support Reference

    Taking Transport Layer Security (TLS) to the next level with TLS 1.3

    Best Regards,
    Candy

