Microsoft is disabling TLS 1.0 and TLS 1.1 soon in Windows

Martin Brinkmann
Aug 2, 2023

Microsoft plans to disable the Transport Layer Security (TLS) protocol versions 1.0 and 1.1 in Windows. The company made the announcement on its Tech Community website on August 1, 2023.

The two protocols in question date back to 1999 (TLS 1.0) and 2006 (TLS 1.1) and have since been superseded by the newer versions TLS 1.2 and TLS 1.3.

Microsoft notes that security issues have been found in the older protocol versions and that "internet standards and regulatory bodies have deprecated or disallowed TLS versions 1.0 and 1.1 as a response". Usage of TLS 1.0 and 1.1 has dropped significantly over the years, and it is Microsoft's belief that the time has come to disable the two protocols.

Microsoft also believes that disabling the protocols will improve the security of Windows and its users, and that it may also speed up the adoption of newer versions of the protocols.

Starting in September 2023, Microsoft plans to disable TLS 1.0 and TLS 1.1 in Insider builds for Windows 11 first. Thereafter, the protocols will also be disabled in "future Windows OS releases". Microsoft does not mention explicitly if the protocols will be disabled on Windows 11 systems only or if it will also make the change on Windows 10 devices. The latter seems likely, especially since the post has been tagged with the labels Windows 10 and Windows 11.

Check for TLS 1.0 and TLS 1.1 errors on Windows

Administrators may check the Windows Event log to determine if applications require TLS 1.0 or TLS 1.1. To do so, administrators need to look for event ID 36871 in the Windows Event Log. A sample event error message has been posted by Microsoft: "A fatal error occurred while creating a TLS <client/server> credential. The internal error state is 10013. The SSPI client process is <process ID>."
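One way to run this check from PowerShell, as an added example that is not from Microsoft or the original article. It assumes the events are written to the System log by the Schannel provider and that the message text is in English; the function name is illustrative.

```powershell
# Added example: summarize Schannel event ID 36871 by role, error state and process.
# Assumptions: System log, 'Schannel' provider, English message text.
function Get-LegacyTlsCredentialError {
    param([int]$Days = 30)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36871
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $state = if ($e.Message -match 'internal error state is (\d+)') { $Matches[1] } else { 'unknown' }
        $role  = if ($e.Message -match 'creating a TLS (\w+) credential') { $Matches[1] } else { 'unknown' }
        $proc  = if ($e.Message -match 'SSPI client process is\s+([^\r\n]+)') {
            $Matches[1] -replace '[.\s]+$', ''
        } else { 'unknown' }

        # If only a numeric process ID is logged, resolve it while the process still runs.
        if ($proc -match '^\d+$') {
            $p = Get-Process -Id ([int]$proc) -ErrorAction SilentlyContinue
            if ($p) { $proc = "$($p.ProcessName) (PID $proc)" }
        }
        [pscustomobject]@{ Time = $e.TimeCreated; Role = $role; ErrorState = $state; Process = $proc }
    }
}

# Which processes hit the error most often in the last 30 days?
Get-LegacyTlsCredentialError -Days 30 |
    Group-Object Role, ErrorState, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A process that has already exited cannot be resolved from its ID, so run the summary soon after the errors appear.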

Enable TLS 1.0 and TLS 1.1 again on Windows

Windows administrators may enable TLS 1.0 and/or TLS 1.1 again after the protocols have been disabled by Microsoft. This may be necessary if needed applications rely on these protocols. Microsoft ran tests to find out which widely used applications rely on these protocols. The list includes SQL Server 2014 and 2016, Turbo Tax up to version 2018, and ACDSee Photo Studio version 2023.

Overriding the default requires editing the Windows Registry and opening the path HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\. From there, follow the path of the desired protocol version, e.g. TLS 1.0\Client, create a DWORD (32-bit) value there, name it Enabled, and set its value to 1.

Note that there are Client and Server paths. You may want to check out Microsoft's support article on TLS settings in the Registry for additional information on enabling the protocols.
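The registry override described above, as an added PowerShell example that is not from Microsoft or the original article. It first reports which Client and Server overrides already exist, then sets Enabled for a single protocol and role; the function names are illustrative, and writing to HKLM requires an elevated session.

```powershell
# Added example: audit and set the SCHANNEL override for TLS 1.0 / TLS 1.1.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-LegacyTlsOverride {
    foreach ($version in 'TLS 1.0', 'TLS 1.1') {
        foreach ($role in 'Client', 'Server') {
            $key   = Join-Path $base "$version\$role"
            $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
            [pscustomobject]@{
                Protocol = $version
                Role     = $role
                Enabled  = if ($null -eq $value) { 'not set (OS default applies)' } else { $value }
            }
        }
    }
}

function Enable-LegacyTls {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1')][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role
    )
    $key = Join-Path $base "$Protocol\$Role"
    if ($PSCmdlet.ShouldProcess($key, 'Set Enabled = 1')) {
        # Create the key only if it is missing; New-Item -Force on an existing key would wipe its values.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Review the current state, then preview the change for one protocol and role.
Get-LegacyTlsOverride | Format-Table -AutoSize
Enable-LegacyTls -Protocol 'TLS 1.0' -Role Client -WhatIf
```

Drop -WhatIf to apply the change, and limit it to the protocol version and role that the affected application actually needs.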

Closing Words

For the majority of Windows users, it might not make a difference whether TLS 1.0 or TLS 1.1 are disabled or enabled. Admins may want to check the event log once the change lands to find out if certain applications require it, and react to this appropriately.

Now You: do any of your apps still rely on TLS 1.0 or 1.1?

Publisher: Ghacks Technology News


Comments

  1. TelV said on August 4, 2023 at 2:33 pm

    How is Microsoft going to disable them on older versions of Windows like Windows 7/8/8.1 since these OS don’t receive updates anymore?

    1. John G. said on August 4, 2023 at 10:35 pm

      @TelV, it’s obvious that an unsupported OS doesn’t need new updates at all. :S

    2. Martin Brinkmann said on August 4, 2023 at 2:41 pm

      Good question. Either it ignores these, as they are no longer supported, or it could push a small update. Think the first scenario is plausible.

  2. John G. said on August 3, 2023 at 9:44 pm

    TLS 1.2 is enough for all current needs. Furthermore the TLS 1.3 sometimes is rejected.

  3. just an Ed said on August 3, 2023 at 9:18 pm

    Actually, these protocols should already be disabled in your browser. I know I have my settings in Firefox set to accept only TLS 3 and 4.

    1. John G. said on August 3, 2023 at 9:51 pm

      The last version of TLS seems to be 1.3, so there is no version 1.4 yet.
      [https://en.wikipedia.org/wiki/Transport_Layer_Security]

    2. John G. said on August 3, 2023 at 9:50 pm

      I beg your pardon, TLS 1.4? I think there is no 1.4 version yet. :S
      [https://en.wikipedia.org/wiki/Transport_Layer_Security]

  4. Marti Martz said on August 2, 2023 at 6:47 pm

    ~“Ahh the obsolescence is afoot”

    Better check that hardware that has TLS/SSL interface servers (can be web) so that they don’t get “accidentally” unusable. (Think routers, IP cameras, internal controllers, etc.)

    At least they have offered a reversal (but for how long is a question).

    @Martin should “never” be “newer” in paragraph four? :) Thanks for the article.

  5. John G. said on August 2, 2023 at 5:54 pm

    “Microsoft plans…”, I know how MS plans, probably they will disable it in 2040, big LOL.
