How to know which versions of TLS is/are enabled on Windows Server 2019?

techresearch7777777 1,776 Reputation points
2022-09-13T23:33:51.703+00:00

Hello, sorry I've searched around websites but am confused how to know which versions of TLS is/are enabled on Windows Server 2019?

Is TLS v1.0 & v1.1 disabled by default?

And TLS v1.2 is enabled by default?

What's the difference via the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols and TLS listed in Web Browser settings?

Thanks in advance.

Windows Server 2019

Accepted answer
  1. Limitless Technology 43,931 Reputation points
    2022-09-19T08:18:04.437+00:00

    Hello there,

    Microsoft announced this week that it enabled TLS 1.3, the latest version of the security protocol, in the latest Windows 10 builds starting with build 20170.

    - Press the Windows key + R to start Run, type regedit, and press Enter or click OK.
    - Now go to the following key and check it. If it’s present, the value should be 0:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault
    - Also, check the following key. If you find it, its value should be 1:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled
    - If you can’t find any of the keys or if their values are not correct, then TLS 1.2 is not enabled.

    I hope this information helps. If you have any questions please let me know and I will be glad to help you out.

    -------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--

    3 people found this answer helpful.

3 additional answers

  1. JimmySalian-2011 41,916 Reputation points
    2022-09-14T07:30:41.77+00:00

    Schannel SSP implements versions of the TLS, DTLS, and SSL protocols.

    The system administrator can override the default (D)TLS and SSL protocol version settings by creating DWORD registry values "Enabled" and "DisabledByDefault". These registry values are configured separately for the protocol client and server roles under the registry subkeys named using the following format:

    <SSL/TLS/DTLS> <major version number>.<minor version number>\<Client\Server>

    These version-specific subkeys can be created under the following registry path:

    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    For example, here are some valid registry paths with version-specific subkeys:

    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client

    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.2\Client

    In order to override a system default and set a supported (D)TLS or SSL protocol version to the Enabled state, create a DWORD registry value named "Enabled" with a non-zero value, and a DWORD registry value named "DisabledByDefault" with a value of zero, under the corresponding version-specific subkey.

    The following example shows TLS 1.0 client set to the Enabled state:
    [Image: 240915-image.png]

    The following example shows TLS 2.0 client set to the disabled state:

    [Image: 240906-image.png]

    Also, you can try this tool to verify the version: IISCrypto

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

  2. techresearch7777777 1,776 Reputation points
    2022-09-19T19:45:37.733+00:00

    My current situation: Windows Server 2019 currently has these TLS versions in the registry: 1.0 = Disabled, 1.1 = Disabled, 1.2 = Enabled

    We have SQL Server 2019 with TLS v1.2 installed on this same server, so from my understanding any outside connection attempts into this SQL Server can only be made via TLS v1.2, and both lower versions, TLS v1.0 & v1.1, would not work since they would need to be enabled at the Windows OS level in order to match, correct?

    Thanks so much for all the replies.

    1 person found this answer helpful.

  3. tnch57-5060 21 Reputation points
    2024-02-10T21:40:25.5033333+00:00

    Our Windows 2019 Version 1809 (OS Build 17763.53.29) RRAS VPN servers still accept requests on TLS 1.0 & 1.1 even after applying the following change this week. Can someone please shed some light on what the reason could be? Please refer to the screenshot attached to this post, where you will see how we created the registry entries to disable TLS 1.0 & 1.1.

    Step 1:
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" Key name = "TLS 1.1", two DWORDs for each of TLS 1.0 & 1.1: "DisabledByDefault=1" & "Enabled=0"
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" Key name = "TLS 1.0", two DWORDs for each of TLS 1.0 & 1.1: "DisabledByDefault=1" & "Enabled=0"

    Step 2:
    Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA"
    Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_CBC_SHA"

    Reference: https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hellman

    Post CR completion, when I check to see if TLS 1.0 & 1.1 are still on, it looks like they are still on.

    [Image: User's image]

    This is how we created it on our server.

    [Image: TLS 1.0 Registry.png]
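
A read-only audit of the registry overrides discussed in the answers above, as an added example that is not code from any poster or from Microsoft. It reports "Enabled" and "DisabledByDefault" for each protocol version and role, and goes slightly beyond the thread by warning when either value sits directly under the version key instead of under Client or Server. The function names `Get-DwordOrNull` and `Get-SchannelState` and the state labels are hypothetical.

```powershell
# Added example: report Schannel protocol overrides per version and role (read-only).
$base       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols  = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$valueNames = 'Enabled', 'DisabledByDefault'

function Get-DwordOrNull {          # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SchannelState {        # hypothetical helper name and labels
    param($Enabled, $DisabledByDefault)
    if ($null -eq $Enabled -and $null -eq $DisabledByDefault) {
        return 'no override (OS default applies)'
    }
    # Assumption from Microsoft's TLS registry settings documentation:
    # Enabled = 0 sets the protocol to the Disabled state.
    if ($null -ne $Enabled -and $Enabled -eq 0) { return 'disabled by override' }
    # Enabled non-zero together with DisabledByDefault = 0 is the Enabled state.
    if ($null -ne $Enabled -and $null -ne $DisabledByDefault -and $DisabledByDefault -eq 0) {
        return 'enabled by override'
    }
    return 'partial override, review both values'
}

$report = foreach ($protocol in $protocols) {
    $versionKey = Join-Path $base $protocol
    # The overrides are defined under the Client and Server subkeys, so a value
    # directly under the version key is flagged for review.
    foreach ($name in $valueNames) {
        if ($null -ne (Get-DwordOrNull -Path $versionKey -Name $name)) {
            Write-Warning "$name found directly under '$protocol'; expected under Client or Server."
        }
    }
    foreach ($role in 'Client', 'Server') {
        $roleKey = Join-Path $versionKey $role
        $enabled = Get-DwordOrNull -Path $roleKey -Name 'Enabled'
        $dbd     = Get-DwordOrNull -Path $roleKey -Name 'DisabledByDefault'
        [pscustomobject]@{
            Protocol = $protocol; Role = $role
            Enabled  = $enabled;  DisabledByDefault = $dbd
            State    = Get-SchannelState $enabled $dbd
        }
    }
}
$report | Format-Table -AutoSize
```

The output reflects registry configuration only; a row with no override means the operating system default for that version and role is in effect.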