Server 2016 not accepting a connection with TLS 1.0 or TLS 1.1, only on TLS 1.2

Ishtiaq 71 Reputation points
2025-03-20T15:48:45.6933333+00:00

I have enabled TLS 1.0, 1.1, 1.2 in the registry and WinHttp DefaultSecureProtocols is set to 0xAA0

I've restarted the server a few times.

When I check the server with SSL Labs Server Test, the report shows only TLS 1.2 is enabled and available. The only good thing is I get a grade A.

When I checked on a new install of server 2016, the registry key SCHANNEL\Protocols is empty. I assume Server 2016 is defaulted to TLS 1.2 but I don't know where or how this default is set. Any help would be very much appreciated.


2 answers

  1. Anonymous
    2025-03-21T05:41:19.0966667+00:00

    Hello Ishtiaq,

    Thank you for posting in Q&A forum.

    From the link below, I can see the TLS 1.0 client, TLS 1.0 server, TLS 1.1 client and TLS 1.1 server are supported.

    Protocols in TLS/SSL (Schannel SSP)
    https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

    You can try to enable TLS 1.0 and 1.1 via registry.

    The following DWORD registry values can be created to enable TLS 1.0 and 1.1 versions system-wide:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\Enabled

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\Enabled

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\Enabled

    For example:

    The following example shows TLS 1.0 client set to the Enabled state: [Screenshot: TLS 1.0 client-side set to Enabled in the Windows Server registry]

    In order to override a system default and set a supported (D)TLS or SSL protocol version to the Disabled state, change the DWORD registry value of Enabled to "0" under the corresponding version-specific subkey.

    For more information, please refer to documents.

    TLS 1.0 and TLS 1.1 deprecation in Windows

    https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows

    Transport Layer Security (TLS) registry settings

    https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hellman#tls-12

    Please note: Always back up the important data and registry before you make changes on registry.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

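The answer above lists only the Enabled value, but Schannel also honours a DisabledByDefault DWORD under the same Client and Server subkeys, and an absent key means "OS default" rather than "off". The read-only audit script below is an added example, not from the original post or from Microsoft; it assumes the documented Schannel layout (HKLM\...\SCHANNEL\Protocols\<version>\<Client|Server> with DWORDs Enabled and DisabledByDefault) and reports the effective state of each version and side before any change is made. Note that the WinHttp DefaultSecureProtocols value mentioned in the question governs outbound WinHTTP client connections only; an inbound test such as SSL Labs is decided by the Server subkeys shown here.

```powershell
# Added audit example (not part of the original Q&A thread).
# Reads the Schannel protocol registry keys and reports, per version and side,
# what an inbound (Server) or outbound (Client) TLS handshake is subject to.
# Assumption: the documented layout where each "<version>\Server" and
# "<version>\Client" subkey may carry the DWORDs "Enabled" and "DisabledByDefault".
# A missing subkey or value means "OS default" (on Server 2016: TLS 1.0-1.2 on,
# SSL 3.0 and older off). Run in an elevated PowerShell prompt on the server.

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelValue {
    param([string]$Path, [string]$Name)
    # Returns the DWORD if present, otherwise $null meaning "not set".
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SchannelProtocolState {
    # Emits one object per protocol/side with the raw values and the effective state.
    foreach ($proto in $protocols) {
        foreach ($side in 'Server', 'Client') {
            $key     = Join-Path $base "$proto\$side"
            $enabled = Get-SchannelValue -Path $key -Name 'Enabled'
            $dbd     = Get-SchannelValue -Path $key -Name 'DisabledByDefault'

            # Enabled=0 turns the version off outright; DisabledByDefault=1 keeps it
            # off unless the calling application explicitly opts in.
            $state = if ($enabled -eq 0) {
                         'disabled (Enabled=0)'
                     } elseif ($dbd -eq 1) {
                         'off unless application opts in (DisabledByDefault=1)'
                     } elseif ($null -eq $enabled -and $null -eq $dbd) {
                         'OS default (no key or values present)'
                     } else {
                         'enabled'
                     }

            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $dbd
                Effective         = $state
            }
        }
    }
}

# Usage: show the table, with Server rows first since they decide inbound tests.
Get-SchannelProtocolState | Sort-Object Side -Descending | Format-Table -AutoSize
```

If a Server row for TLS 1.0 or 1.1 shows Enabled=1 alongside DisabledByDefault=1, the version stays off for inbound connections regardless of the Enabled value, which is one way a server can report only TLS 1.2 despite the Enabled values described in the answer. From a hardening standpoint, a result of "only TLS 1.2" is the desirable state; the audit is useful mainly to explain why a server negotiates what it does and to confirm that any legacy version that is enabled was enabled deliberately.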

  2. Ishtiaq 71 Reputation points
    2025-03-22T13:11:32.66+00:00

    Hello Daisy

    Thank you for taking the time to respond to my question.

    Both TLS 1.0 and 1.1 are enabled in the Registry as per your post but this has not fixed the issue.

    A few days ago, I did install Entra ID Connect Provisioning Agent on this server but I have removed it.

    Is there anywhere else in the registry where TLS 1.2 can be set as the only protocol and ignore the protocol settings in SCHANNEL?
