3,085 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 15%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM2%3C/text%3E%3C/svg%3E)
I had previously set my machine for WinHTTP TLS 1.2 only and about 2 days ago started getting logon failures for OneDrive.
I had to update the value to 0x2800 and it started working again.
This is very relevant
Windows 10 TLS 1.3 Enablement Registry keys
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 68%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJK%3C/text%3E%3C/svg%3E)
Jason Kowalczyk
11
Reputation points
We are deploying TLS 1.3 as a required protocol as well as Disabling TLS 1.1. On the 1909 version of software.
We are doing this via Registry Keys:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisablebyDefault == 0x1
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisablebyDefault == 0x1
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisablebyDefault == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisablebyDefault == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled == 0x1
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled == 0x1
It follows that we need to control the DefaultSecureProtocols keys as well.
The docs lists the following values and how to calculate complex values by adding the Hex Values
0x00000008 Enable SSL 2.0 by default
0x00000020 Enable SSL 3.0 by default
0x00000080 Enable TLS 1.0 by default
0x00000200 Enable TLS 1.1 by default
0x00000800 Enable TLS 1.2 by default
Can we assume that TLS 1.3 follows the same pattern? e.g.
0x00002000 Enable TLS 1.3 by default
We would set this on the following keys to only allow TLS 1.2 and TLS 1.3
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp DefaultSecureProtocols == 0x2800
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp DefaultSecureProtocols == 0x2800
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SecureProtocols == 0x2800
Thanks for any clarification you can give, I can not find this on the Docs site or developer pages, but I could be wrong.
Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 53%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Sébastien Langevin 5 Reputation points2023-02-16T20:49:50.9233333+00:00 How did you find the hex value of TLS 1.3?
Nevermind, you guessed it following the pattern.
Thanks btw, helped me set TLS 1.3 via a reg key!
Sign in to comment
3 answers
Sort by: Most helpful
-
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2021-04-08T07:44:54.567+00:00 Hi,
Based on my understanding, TLS 1.3 enabled by default in WinHttp. You don't need to set the DefaultSecureProtocols keys for TLS 1.3.
Best Regards,
Candy--------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-
Jason Kowalczyk 11 Reputation points
2021-04-09T14:24:24.09+00:00 Thank you for the Reply it's appreciated.
Do you know of a way to test this? My auditors are wanting some test of this and I'm finding it hard to come by. I've tried powershell and no matter what I set this default protocols to I'm getting 1.0,1.1,1.2 but not 1.3. Many tools do not support TLS 1.3 and it's hard to prove that the system is doing what it says.
Thanks again!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 6%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
afbarksd 1 Reputation point2022-11-23T23:16:00.107+00:00 I have the same question. I am asking about the client computer, not the server computer. Microsoft article "How to enable TLS 1.2 on client" tells us to use the flag 0x00000800 in DefaultSecureProtocols under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp as part of enabling TLS 1.2. It is natural to assume that one has to do something similar to TLS 1.3 for the client computer.
Sign in to comment -
-
Anonymous
2021-04-12T01:56:51.257+00:00 Hi @Jason Kowalczyk ,
See if the following article can help with you:
Microsoft TLS 1.3 Support Reference
Taking Transport Layer Security (TLS) to the next level with TLS 1.3
Best Regards,
Candy--------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.