TLSCipherSuiteDenyList

Specify the TLS cipher suites to disable

Supported versions

• On Windows and macOS since 85 or later

Description

Configure the list of cipher suites that are disabled for TLS connections.

If you configure this policy, the list of configured cipher suites will not be used when establishing TLS connections.

If you don't configure this policy, the browser will choose which TLS cipher suites to use.

Cipher suite values to be disabled are specified as 16-bit hexadecimal values. The values are assigned by the Internet Assigned Numbers Authority (IANA) registry.

The TLS 1.3 cipher suite TLS_AES_128_GCM_SHA256 (0x1301) is required for TLS 1.3 and can't be disabled by this policy.

This policy does not affect QUIC-based connections. QUIC can be turned off via the QuicAllowed policy.

Supported features

• Can be mandatory: Yes
• Can be recommended: No
• Dynamic Policy Refresh: Yes
• Per Profile: No
• Applies to a profile that is signed in with a Microsoft account: Yes

Data type

• List of strings

Windows information and settings

Group Policy (ADMX) info

• GP unique name: TLSCipherSuiteDenyList
• GP name: Specify the TLS cipher suites to disable
• GP path (Mandatory): Administrative Templates/Microsoft Edge
• GP path (Recommended): N/A
• GP ADMX file name: MSEdge.admx

Example value

0x1303

0xcca8

0xcca9

Registry settings

• Path (Mandatory): SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList
• Path (Recommended): N/A
• Value name: 1, 2, 3, ...
• Value type: List of REG_SZ

Example registry value

SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList\1 =

0x1303

SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList\2 =

0xcca8

SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList\3 =

0xcca9

Mac information and settings

• Preference Key name: TLSCipherSuiteDenyList
• Example value:

<array>
  <string>0x1303</string>
  <string>0xcca8</string>
  <string>0xcca9</string>
</array>

See also

• Microsoft Edge - Policies