Microsoft is disabling TLS 1.0 and TLS 1.1 soon in Windows
Microsoft plans to disable the Transport Layer Security (TLS) protocol versions 1.0 and 1.1 in Windows. The company made the announcement on its Tech Community website on August 1, 2023.
The two protocols in question date back to 1999 (TLS 1.0) and 2006 (TLS 1.1) and have since been surpassed by the new versions TLS 1.2 and TLS 1.3.
Microsoft notes that security issues have been found in the older protocol versions and that "internet standards and regulatory bodies have deprecated or disallowed TLS versions 1.0 and 1.1" as a response. Usage of TLS 1.0 and 1.1 has dropped significantly over the years, and it is Microsoft's belief that the time has come to disable the two protocols.
Microsoft also believes that disabling the protocols will improve the security of Windows and its users, and that it may also speed up the adoption of newer versions of the protocols.
Starting in September 2023, Microsoft plans to disable TLS 1.0 and TLS 1.1 in Insider builds for Windows 11 first. Thereafter, the protocols will also be disabled in "future Windows OS releases". Microsoft does not mention explicitly if the protocols will be disabled on Windows 11 systems only or if it will also make the change on Windows 10 devices. The latter seems likely, especially since the post has been tagged with the labels Windows 10 and Windows 11.
Check for TLS 1.0 and TLS 1.1 errors on Windows
Administrators may check the Windows Event log to determine if applications require TLS 1.0 or TLS 1.1. To do so, administrators need to look for event ID 36871 in the Windows Event Log. A sample event error message has been posted by Microsoft: "A fatal error occurred while creating a TLS <client/server> credential. The internal error state is 10013. The SSPI client process is <process ID>."
Enable TLS 1.0 and TLS 1.1 again on Windows
Windows administrators may enable TLS 1.0 and/or TLS 1.1 again after the protocols have been disabled by Microsoft. This may be necessary if needed applications rely on these protocols. Microsoft ran tests to find out which widely used applications rely on these protocols. The list includes SQL Server 2014 and 2016, Turbo Tax up to version 2018, and ACDSee Photo Studio version 2023.
Overriding the default requires editing the Windows Registry and opening the path HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\. From there, it is necessary to follow the path of the desired protocol version, e.g. TLS 1.0\Client, and to create a DWORD (32-Bit) value there, give it the name Enabled, and set its value to 1.
Note that there are Client and Server paths. You may want to check out Microsoft's support article on TLS settings in the Registry for additional information on enabling the protocols.
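The following read-only PowerShell audit is an added example, not code from Microsoft or from this article. It reports which of the Enabled overrides described above are present on a machine and counts event ID 36871 entries per process. It assumes the events are read from the System log with English-language message text, and that it runs from an elevated prompt.

```powershell
# Added example: read-only audit of legacy TLS overrides and Schannel event 36871.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# 1. Report whether an explicit Enabled value exists for each legacy protocol and role.
$overrides = foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Client', 'Server') {
        $key   = Join-Path $base "$proto\$role"
        # A missing key or value yields $null: no override, the OS default applies.
        $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled

        if ($null -eq $value) { $state = 'not set (OS default applies)' }
        elseif ($value -ne 0) { $state = 'explicitly enabled' }
        else                  { $state = 'explicitly disabled' }

        [pscustomobject]@{ Protocol = $proto; Role = $role; State = $state }
    }
}
$overrides | Format-Table -AutoSize

# 2. Count event ID 36871 entries with internal error state 10013, per role and process.
#    Assumption: English message text, as in the sample message quoted in the article.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36871 } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Schannel*' -and
                   $_.Message -match 'internal error state is 10013' } |
    ForEach-Object {
        $role = 'unknown'
        $proc = 'not reported'
        if ($_.Message -match 'TLS (client|server) credential') {
            $role = $Matches[1]
        }
        if ($_.Message -match 'SSPI client process is ([^\r\n]+)') {
            $proc = $Matches[1].TrimEnd('.', ' ')
        }
        [pscustomobject]@{ Role = $role; Process = $proc }
    } |
    Group-Object Role, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

An "explicitly enabled" row marks a machine where TLS 1.0 or TLS 1.1 was switched back on; the second table shows which processes would justify keeping that override.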
Closing Words
For the majority of Windows users, it might not make a difference whether TLS 1.0 or TLS 1.1 are disabled or enabled. Admins may want to check the event log once the change lands to find out if certain applications require it, and react to this appropriately.
Now You: do any of your apps still rely on TLS 1.0 or 1.1?
How is Microsoft going to disable them on older versions of Windows like Windows 7/8/8.1 since these OS don’t receive updates anymore?
@TelV, it’s obvious that an unsupported OS doesn’t need new updates at all. :S
Good question. Either it ignores these, as they are no longer supported, or it could push a small update. Think the first scenario is plausible.
TLS 1.2 is enough for all current needs. Furthermore, TLS 1.3 is sometimes rejected.
Actually, these protocols should already be disabled in your browser. I know I have my settings in Firefox set to accept only TLS 3 and 4.
The last version of TLS seems to be 1.3, so there is no version 1.4 yet.
[https://en.wikipedia.org/wiki/Transport_Layer_Security]
I beg your pardon, TLS 1.4? I think there is no 1.4 version yet. :S
[https://en.wikipedia.org/wiki/Transport_Layer_Security]
~”Ahh the obsolescence is afoot”
Better check that hardware that has TLS/SSL interface servers (can be web) so that they don’t get “accidentally” unusable. (Think routers, IP cameras, internal controllers, etc.)
At least they have offered a reversal (but for how long is a question).
@Martin should “never” be “newer” in paragraph four? :) Thanks for the article.
“Microsoft plans…”, I know how MS plans, probably they will disable it in 2040, big LOL.