Enable TLS 1.0 for lsass after KB5018419

Simon G 26 Reputation points
2022-10-19T16:39:32.27+00:00

Hello,
Update KB5018419 turns off Transport Layer Security (TLS) 1.0 and 1.1 by default in Microsoft browsers and applications.

I've tried to enable TLS 1.0 by default by creating these entries in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000aa8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000000

This solution was working with KB5017379 (preview of KB5018419). See this question.

But with KB5018419, it seems something is missing...
An application accessing the TLS 1.0 server using WinHTTP is working. But BITS refuses to download anything from the server and raises error code 0x80072f7d due to an error during the secured connection.

With SChannel logging enabled, in Event Viewer I can see a log entry "The TLS protocol defined fatal alert code is 70" each time I try to resume my BITS job.
This error seems to be related to the protocol version (see here) and is linked to the process lsass.exe (process ID 632 is given in the details of this log).

What could be done to correct that?
Thanks!

2 answers

  1. Simon G 26 Reputation points
    2022-10-21T07:29:04.037+00:00

    Hi!
    In fact, while installing a new server, I realized that the BITS service doesn't use SCHANNEL, so this registry entry is not needed:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    "DisabledByDefault"=dword:00000000

    However, DefaultSecureProtocols needs to be defined in two different registry keys on 64-bit systems:

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
    "DefaultSecureProtocols"=dword:00000AA8

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
    "DefaultSecureProtocols"=dword:00000AA8

    The second key was missing in my case.

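As an added example (not part of the original question or answer), the PowerShell below reads DefaultSecureProtocols from both registry views named in the answer and decodes the bitmask using the bit values Microsoft documents for that setting, so an administrator can see exactly which protocol versions a value such as 0xAA8 turns on (it includes SSL 2.0 and SSL 3.0, not only TLS 1.0) and confirm that the two keys agree. The function and variable names are my own; the registry paths and value name are the ones from the page.

```powershell
# Added example: audit the WinHTTP DefaultSecureProtocols value in both the native
# 64-bit and the WOW6432Node registry views and decode which protocols it enables.
# Bit values are the documented DefaultSecureProtocols flags for each protocol version.
$protocolBits = [ordered]@{
    0x0008 = 'SSL 2.0'
    0x0020 = 'SSL 3.0'
    0x0080 = 'TLS 1.0'
    0x0200 = 'TLS 1.1'
    0x0800 = 'TLS 1.2'
}
# Anything below TLS 1.2 is deprecated and is called out separately in the report.
$deprecated = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')

# Both views must be set on a 64-bit host: 32-bit and 64-bit WinHTTP clients read different keys.
$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function Get-DefaultSecureProtocolsReport {
    foreach ($key in $winHttpKeys) {
        $value = (Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
        if ($null -eq $value) {
            # No override present: WinHTTP falls back to the OS default protocol set.
            [pscustomobject]@{ Key = $key; Value = 'not set'; Enabled = 'OS default'; Deprecated = '' }
            continue
        }
        # Collect the name of every protocol whose bit is set in the DWORD.
        $enabled = foreach ($bit in $protocolBits.Keys) {
            if ($value -band $bit) { $protocolBits[$bit] }
        }
        [pscustomobject]@{
            Key        = $key
            Value      = ('0x{0:X8}' -f $value)
            Enabled    = ($enabled -join ', ')
            Deprecated = (($enabled | Where-Object { $deprecated -contains $_ }) -join ', ')
        }
    }
}

# Writes the same DWORD to both views so 32-bit and 64-bit clients behave identically.
function Set-DefaultSecureProtocols {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($key in $winHttpKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name DefaultSecureProtocols -Value $Value -Type DWord
    }
}

Get-DefaultSecureProtocolsReport | Format-List
```

Run the report before and after any change; a value of 0x00000AA8 will list SSL 2.0 and SSL 3.0 under Deprecated alongside TLS 1.0 and TLS 1.1, while 0x00000A80 enables TLS 1.0 through 1.2 without the SSL versions.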

  2. mamamiya 81 Reputation points
    2022-10-23T01:55:46.447+00:00
