• Home
  • Articles
    • Office 365
    • Exchange
    • Skype for Business (Lync)
    • Active Directory
    • Windows
    • Sharepoint
    • Joomla
    • Linux
    • Other
    • Blackberry
  • Project: Nagios Monitoring
    • First steps
    • NSCP installation
    • Scripts
    • FAQs
  • Links
  • Home
  • About
  • Imprint
Toggle navigation
Admin Enclave
  • Home
  • Articles
    • Office 365
    • Exchange
    • Skype for Business (Lync)
    • Active Directory
    • Windows
    • Sharepoint
    • Joomla
    • Linux
    • Other
    • Blackberry
  • Project: Nagios Monitoring
    • First steps
    • NSCP installation
    • Scripts
    • FAQs
  • Links
Home
/
Articles
/
Office 365
/
Data-Articles
/
Website Articles
/
Articles
/
Windows
/
Enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP

Enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP

Bastian W.Aug 31, 2017Articles \ Windows

As TLS 1.0 isn´t any longer "secure" every administrator should plan to make the switch to TLS 1.1 and TLS 1.2. Microsoft now released KB 3140245 which allows Administrators to specify which SSL protocols should be used when the WINHTTP_OPTION_SECURE_PROTOCOLS flag is used (e.g. in every Microsoft Office product as explained here).

According to KB 3140245 this can be controlled via DefaultSecureProtocols in  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp.

The possible options here are:

TLS 1.1:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000200

TLS 1.2:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800

TLS 1.1 + 1.2 (Preferred option):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00

Option 1 +2 are directly from the Microsoft website. However what most administrators do not know is that you can combine the hex values 00000200 and 00000800 (e.g. with an calculator in programmer mode) to get 00000a00. So option 3 would allow you to disable TLS 1.0 (as well as SSL 2.0 and 3.0) but allow TLS 1.1 and TLS 1.2 at the same time to allow a wider range of compatibility.

 

 

Comments (10)

CSR SysAdmin
CSR SysAdmin
  1. about 3 years ago
  2. #359
This comment was minimized by the moderator on the site

Good article, but for what version of Windows does this apply?

I understand that only for Windows 7 and 2012; How can I make sure Windows 8 and 10 are using TLS 1.2 by default?

  1. Reply
Alan
Alan    CSR SysAdmin
  1. about 2 years ago
  2. #455
This comment was minimized by the moderator on the site

Moot. Windows 8+ has TLS 1.1 and 1.2 available by default.

  1. Reply
Alan
Alan    Alan
  1. about 2 years ago
  2. #457
This comment was minimized by the moderator on the site

Also this:

https://docs.microsoft.com/en-us/windows/desktop/secauthn/protocols-in-tls-ssl--schannel-ssp-

  1. Reply
Random visitor
Random visitor
  1. about 2 years ago
  2. #392
This comment was minimized by the moderator on the site

The screenshot shows a value of 0xa80 for DefafaultSecureProtocols, but I believe it it should be 0xa00, while SecureProtocols (under the parent "Internet Settings" key) should be 0xa80.

  1. Reply
Leandro
Leandro
  1. about 2 years ago
  2. #448
This comment was minimized by the moderator on the site

Thanks! after do this change en de Registre, I must to restart? becasuse Its not working in my server.

  1. Reply
BastianW
BastianW    Leandro
  1. about 2 years ago
  2. #449
This comment was minimized by the moderator on the site

yes changing the SSL / TLS configuration require that you restart the server after implementing the registry.

  1. Reply
Alan
Alan    BastianW
  1. about 2 years ago
  2. #456
This comment was minimized by the moderator on the site

Or just restart the WINHTTP service. If the key isn't working, check the SCHANNEL Reg key:

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

  1. Reply
Bastian W.
Bastian W.    Alan
  1. about 2 years ago
  2. #458
This comment was minimized by the moderator on the site

thanks, that's an interesting approach. I will give it a try the next time.

  1. Reply
bilal
bilal
  1. about 1 year ago
  2. #545
This comment was minimized by the moderator on the site

i have server 2012 and SQL 2012 as well, i have 40 different DBs , is there any impact for this ?

  1. Reply
Bastian W.
Bastian W.    bilal
  1. about 1 year ago
  2. #546
This comment was minimized by the moderator on the site

It hardly depends on the applications and how they connect to your SQL server. It might be that the server isn´t offering a SSL/TLS connection and it also could be that the SSL/TLS connection is option and that the applications do not use it....

It hardly depends on the applications and how they connect to your SQL server. It might be that the server isn´t offering a SSL/TLS connection and it also could be that the SSL/TLS connection is option and that the applications do not use it. Technically you can change the setting, check if everything is working as expected and if some applications have connection issues, you can roll back the change, reboot and you are back to the normal level. Keep additonal noted that changing SSL/TLS will change the RDP connection as well. So check my blog for missing updated on the client/server level to avoid any connection issues (if you have all MS patches applied you should be safe here).

Read More
  1. Reply
There are no comments posted here yet

Leave your comments

  1. Posting comment as a guest.
Attachments (0 / 3)
Share Your Location
Follow me on Twitter

Recent Posts

  • How to connect a Osram On/Off Plug with Phoscon/deCONZ

    Friday, 20 March 2020
  • Update TPM Firmware on Windows 10 1909

    Saturday, 15 February 2020
  • Switch your PC from BIOS to UEFI

    Tuesday, 07 January 2020
  • WLAN 6 (AX) released

    Monday, 23 September 2019
  • Use deCONZ to perform an OTA firmware update of OSRAM devices

    Saturday, 23 March 2019

Tags

Exchange 20162016 - MS ExchangeServer 2015Hardening2016 - MS Skype for Business Server 2017 - MS WindowsWindows Server 2012Windows2017 - MS ExchangeExchange 20132016 - MS Windows2013Exchange2017 - MS Skype for Business Server 2016 - MS SharepointRaspberry PiMicrosoftOpenHABHomeMatic2017 - MS Sharepoint

Archive

      • How to connect a Osram On/Off Plug with Phoscon/deCONZ
      • Update TPM Firmware on Windows 10 1909
      • Upgrade the BIOS from an ReadyNAS device
      • Switch your PC from BIOS to UEFI
      • WLAN 6 (AX) released
      • [ReSolved] Get-MailboxRestoreRequest matches multiple entries and couldn´t be performed
      • Use deCONZ to perform an OTA firmware update of OSRAM devices
      • Remove the Transparent Data Encryption (TDE) from a SQL DB
      • Install OpenHAB 2.4.x on Raspberry Pi (on Debian 9 - Stretch)
      • Windows 10 Driver for HP EliteBook 2570p Notebook-PC
      • Windows 10 Driver for HP EliteBook 850 G1 Notebook
      • Windows 10 Driver for HP EliteBook 8570p Notebook
      • Windows 10 Driver for IBM Thinkpad T560 Notebook
      • Windows 10 Driver for HP EliteBook 850 G5 Notebook
      • Windows 10 Driver for Lenovo T560 Notebook
      • Add an additional Sharepoint Admin to every Site Collection via Powershell
      • Do not install .NET Framework 4.7.2 on Exchange Servers yet
      • [Resolved] Unable to Migrate User to O365 due to "Target user 'XYZ' already has a primary mailbox"
      • Migrate SharePoint Elements to SharePoint Online
      • Microsoft Exchange OU picker is empty when creating new user or group
      • Exchange Online Powershell failed to connect when using MFA
      • Move-DatabasePath caused a "WMI exception occurred on server XY: Quota violation"
      • Privacy Policy
      • D:\AdvancedDataGovernanceLogs created on Exchange 2016
      • After May 2018 security update "An authentication error occurred" using RDP
      • Find out which .NET Framework version is installed
      • Install OpenHAB 2.0.x on Raspberry Pi (on Debian 9 - Stretch)
      • Convert a *.pfx certificate into *.pem
      • Changing last modified and creation date or time via PowerShell
      • Multidimensional arrays in Powershell
      • HowTo create an Enterprise Wiki on SharePoint Online
      • Attention: Microsoft Office 365 will disable support for TLS 1.0 and 1.1
      • [RESOLVED] Graphics Card issue when installing BlueStacks inside VMWare
      • How to create a pkcs12 file with a ordered certificate chain?
      • Publish an S/Mime certificate to AD via Powershell
      • [RESOLVED] iOS accounts needs permission to access resources in your organization that only an admin can grant
      • [RESOLVED] Exchange 2016 CU X failed to install error 1619
      • Headless Raspberry Pi WLAN Configuration
      • How to remove all partitions on an USB stick / SD card
      • How to generate a notifications once Handbreak finished its current work?
      • Enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP
      • Security Hardening: Upgrade Diffie-Hellman Prime to 2048 bit on Windows Server
      • Change a SSL Certificate on Windows Server 2012 R2 Web Application Proxy
      • Add Windows Updates to a Windows 7 SP1 image
      • When using Import-Module you got an unblock file error
      • [Resolved] Exchange admin got the error "User profile cannot be loaded" when using RDP
      • Google Chrome browser to deprecate trust in existing Symantec-issued certificates
      • [RESOLVED] Error ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY when using Google Chome and OWA
      • Cumulative Update 6 for Exchange Server 2016 released
      • Windows Phone 8.1 will reach EOL on the 2017-07-11
      • .NET Framework 4.7.* and Microsoft Exchange Server
      • Disable weak cipher (e.g. 3DES, SSLv3, MD5, ...) suites in Java
      • [RESOLVED] "Could not find stored procedure" after installing SfB Server Updates
      • [RESOLVED] None of the network adapters are bound to the netmon driver.
      • [Resolved] No connectivity with any of Web Conferencing Edge Servers - Event 41026
      • Raspberry Pi - Connect to multiple wireless networks (WLAN) automatically
      • From 0 to Raspberry Pi (start with Raspberry Pi)
      • [RESOLVED] Exchange 2016 IIS not usable after installation from CU5
      • Microsoft Exchange 2007 reached end of life today
      • .NET Framework 4.7 released but not yet supported on Exchange 2016
      • .NET Framework 4.7 released but not yet supported on Skype for Business
      • Using Quest ActiveRoles Management Shell to add/update all users from a OU inside an AD group
      • [RESOLVED] Can´t install Office Web Apps Server because it requires .NET 4.5
      • Cumulative Update 5 for Exchange Server 2016 released
      • Using the Skype for Business device update service
      • Enable XA transactions on Microsoft SQL 2012
      • [RESOLVED] The Open Procedure for service XXX in DLL "C:\Windows\System32\XXX.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code
      • WES7 is crashing on VMWare Workstation
      • WES7 / WES8 OS deployment issue on VMWare Workstation
      • [RESOLVED] Growing amount of missing disk space on Microsoft Exchange
      • Disabling TLS 1.0 on Microsoft Sharepoint
      • Reset the content index on an MS Exchange DAG environment
      • Deploy the Statistics Manager for Skype for Business Server
      • HowTo add own formats to the TinyMCE Editor in Joomla?
      • Create a Kerberos authentication account in Skype for Business
      • Hardening Microsoft Exchange 2016 Server
      • Hardening Microsoft SharePoint 2016 Server
      • Hardening Microsoft Skype for Business Server
      • [Workaround] "Screen presenting isn't supported with this contact" with SfB MAC
      • [RESOLVED] Black or frozen screen during screensharing in Skype for Business 2016
      • Exchange Windows OS Hardening: Disable SSL 2.0/3.0 & PCT 1.0 & weak ciphers
      • SfB Windows OS Hardening: Disable SSL 2.0/3.0 & PCT 1.0 & weak ciphers
      • SharePoint Windows OS Hardening: Disable SSL 2.0/3.0 & PCT 1.0 & weak ciphers
      • Configure https for Windows Remote Management (WinRM) on Windows 2012 R2
      • Configure https for Windows Remote Management (WinRM) on Windows 2012 R2
      • Configure https for Windows Remote Management (WinRM) on Windows 2012 R2
      • Hardening Skype for Business Server
      • [RESOLVED] You do not have the permission to send the message on behalf of the specified user
      • Copy Windows Installation DVD to ISO
      • [RESOLVED] The remote certificate is invalid according to the validation procedure.
      • Prevent that the Skype for Business client will open when the user click on an meeting URL
      • Test GroupPolicy (*.admx templates) locally without AD
      • Implementing the Skype for Business Call Quality Dashboard
      • Configure / Finetune the Microsoft Exchange search / indexing feature
      • Disable content indexing on all DBs on an Exchange DAG
      • HowTo: create Search Sharepoint 2013 Foundation Application via Powershell
      • Migrate from Exchange 2010 to Exchange 2016
      • Enable TLS 1.2 on Windows 2012 R2
      • Download Skype for Business for MAC
      • [RESOLVED] Exchange 2013/2016 hub transport Mail.que file large in size
      • How to get only a subset from a 2 GB big logfile?
      • Add the Internet Explorer 11 and Updates to a Windows 7 SP1 image
      • [RESOLVED] MSExchange Mailbox Replication error 1006 (database doesn't exist)
      • Nagios Core 3.x installation guide on Debian 8.x (Jessie)
      • Move Exchange 2010/2013 user to Exchange 2016
      • [RESOLVED]: "Whole calendar" greyed out when publishing a calendar via Outlook on a webdav server
      • SfB Windows OS Hardening: Disable the "X-AspNet-Version" header
      • Exchange Windows OS Hardening: Disable the "X-AspNet-Version" header
      • SharePoint Windows OS Hardening: Disable the "X-AspNet-Version" header
      • Powershell: Clean (Remove) all completed Exchange Mailbox move requests
      • HP Data Protector isn´t able to browse an Exchange 2016 DAG
      • Powershell: Get a list from all Exchange users, where the latest logon time is older then 270 days
      • Usefull links
      • Hardening Microsoft Exchange 2013 Server
      • [Solution] Skype for Business Error: This message wan´t send to Firstname LastName
      • Step-By-Step: Configuring Office Online Server with Skype for Business
      • Troubleshooting connection issues from users migrated from Exchange 2010 to Exchange 2013/2016
      • Skype for Business Server DB update needed after patch management
      • How to check the progress of the ‘Shrink Database’ task in SQL Server 2012
      • Build an MS Exchange Throttling Policy to remove inactive mobile device partnerships
      • Exchange Windows OS Hardening: Disable NTFS 8 Dot 3
      • SfB Windows OS Hardening: Disable NTFS 8 Dot 3
      • SharePoint Windows OS Hardening: Disable NTFS 8 Dot 3
      • Windows OS Hardening: Disable NTFS 8 Dot 3
      • [RESOLVED] Centralized Logging Service Agent Error while moving cache files to network share.
      • [RESOLVED] MS Web Application Proxy used with SfB caused a Error 502
      • Manage the SSL certificate on Exchange 2016 via Powershell
      • [RESOLVED] How to fix damaged or corrupt Health Mailbox on Exchange 2016
      • [RESOLVED] "The client and server cannot communicate, because they do not possess a common algorithm"
      • Homematic IP Schalt und Steckdose mit CCU 2 verbinden / anlernen
      • Exchange 2010 to Exchange 2016 Co-Existence migration OWA redirect not working
      • Factory reset HomeMatic IP devices
      • Factory reset / Werksreset von HomeMatic IP Geräten
      • Pairing / Using Homematic IP Pluggable Switch and Meter with an CCU2
      • [Resolved] A Skype for business user isn´t able to join meeting via invitation link
      • Installation von BluePy auf dem Raspberry Pi
      • Install BluePy on Raspberry Pi
      • Released: Microsoft Exchange 2016 CU 2
      • Install OpenHAB 1.x on Raspberry Pi
      • Installieren von OpenHAB 1.x auf dem Raspberry Pi
      • Rebalance Mailbox Databases in an Exchange Server DAG via TaskManager
      • Fix a failed and suspended content index state on MS Exchange
      • Howto send an email using telnet
      • Hardening Windows Server (Basic Steps)
      • [RESOLVED] No DNS servers could be retrieved from network adapter 00000000-0000-0000-0000-000000000000
      • [RESOLVED] Setup can't use the domain controller because it belongs to Active Directory site
      • Use MS Web Application Proxy as reverse proxy (and ADFS) with Skype for business
      • [RESOLVED] Error message 0x80094004 when completing a certification request on IIS
      • [RESOLVED] Unable to collect NUMA physical memory utilization data. The first four bytes (DWORD) of the Data section contains the status code.
      • Get all Exchange user inclusive details from a list of AD groups
Admin Enclave

The Admin enclave delivers the latest news, quick tips, useful tricks, and in-depth tutorials for IT pros working with IT solutions (e.g. Microsoft Sharepoint, Microsoft Exchange, Microsoft Skype for Business, Joomla, ...).

Follow Us

Recent Posts

  • How to connect a Osram On/Off Plug with Phoscon/deCONZ

    Friday, 20 March 2020
  • Update TPM Firmware on Windows 10 1909

    Saturday, 15 February 2020
  • Switch your PC from BIOS to UEFI

    Tuesday, 07 January 2020
  • WLAN 6 (AX) released

    Monday, 23 September 2019
  • Use deCONZ to perform an OTA firmware update of OSRAM devices

    Saturday, 23 March 2019

Popular Posts

  • How to fix “The program can’t start because MSVCR110.dll is missing from your computer.” error on Windows

    Sunday, 07 April 2013
  • [RESOLVED] You do not have the permission to send the message on behalf of the specified user

    Wednesday, 16 November 2016
  • [RESOLVED] Exchange 2013/2016 hub transport Mail.que file large in size

    Thursday, 13 October 2016
  • [RESOLVED] The Open Procedure for service XXX in DLL "C:\Windows\System32\XXX.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code

    Wednesday, 08 March 2017
  • [RESOLVED] "The client and server cannot communicate, because they do not possess a common algorithm"

    Wednesday, 13 July 2016
© 2012 - 2021 admin-enclave.com | Disclaimer | Privacy Policy | Imprint | Articles by year