Microsoft has decided to soon disable TLS versions 1.0 and 1.1 by default in the future versions of the Windows Operating system, starting with Windows 11 Insider Preview builds in September 2023. To avoid the compatibility issues that users may face due to the proposed disability, Microsoft will include an option to re-enable TLS 1.0 and 1.1 for users who need it.
Microsoft to disable TLS versions 1.0 and 1.1 by default in Windows 11 and later
Transport Layer Security (TLS) is the most common protocol used to encrypt the communication between a client and server. TLS 1.0 was introduced in 1999, and many security weaknesses have been found over time. TLS 1.1 was published in 2006 with some improvements in security, but its adoption has been minimal. TLS 1.2 and 1.3 have surpassed the older versions as they are the highest protocol version available.
Internet standards and regulatory bodies have deprecated or disallowed TLS 1.0 and 1.1. owing to its security issues, over the past years. As TLS 1.0 and 1.1 usage have decreased over the years, Microsoft is disabling these versions to encourage customers to use modern protocols.
Microsoft’s recommendation for users and IT admins:
The impact of this change depends largely on the Windows applications using TLS. For example, TLS 1.0 and TLS 1.1 have already been disabled by Microsoft 365 products as well as WinHTTP and WinINet API surfaces. Most newer versions of applications support TLS 1.2 or higher protocol versions. Therefore, if an application starts failing after this change, the first step is to look for a newer version of the application that has TLS 1.2 or TLS 1.3 support.
It’s recommended to use the system default settings for the best balance of security and performance. If organizations limit TLS cipher suites using Group Policy or PowerShell cmdlets, they should also verify that cipher suites needed for TLS 1.3 and TLS 1.2 are enabled.
If there are no alternatives available and TLS 1.0 or TLS 1.1 is needed, the protocol versions can be re-enabled with a system registry setting. To override a system default and set a (D)TLS or SSL protocol version to the Enabled state, create a DWORD registry value named “Enabled” with an entry value of “1” under the corresponding version-specific subkey. Examples of TLS 1.0 subkeys are as follows:
HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Applications that depend on TLS 1.0 and 1.1 which are expected to be broken
Microsoft has tested Windows applications after disabling TLS 1.0 and 1.1 and found the following applications breaking while trying to run them.
- Safari – 5.1.7
- EVault Data Protection – 7.01.6125
- SQL – 2012, 2014, 2016
- SQL Server – 2014, 2016
- Turbo Tax – 2017, 2014, 2011, 2012, 2016, 2015, 2018
- BlueStacks 3 (蓝叠3) – 188.8.131.5213
- BlueStacks X – 0.21.0.1063
- Xbox One SmartGlass – 2.2.1702.2004
- Splice – 4.0.35686, 4.2.4
- Driver Support – 10.1.2.41, 10.1.4.20
- K7 Enterprise Security and 184.108.40.206
- DRUKI Gofin – 220.127.116.11
- Project Plan 365 – 23.8.1204.14137
- vWorkspace – 8.6.1
- ARMA 3
- Microsoft Office 2008 Professional – Accounting Express
- LANGuard – 12.7.2022.0406
- Adguard – 6.4.1814.4903, 18.104.22.168.0
- 火萤视频桌面 – 22.214.171.124
- CCB Security Client (中国建设银行E路航网银安全组件) – 126.96.36.199
- ArcGIS – 10.3.3400
- ACDSee Photo Studio – 2018, 2023
- Blio e-Reader – 188.8.131.5228, 184.108.40.20659
Microsoft has also warned that re-enabling TLS 1.0 and 1.1 should be done as a last resort and should be looked at as a temporary solution until incompatible applications are updated or replaced.