TechDirectArchive

How to Disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows Using GPO

Posted on 23/09/2023, 15/12/2023, by Temitope Odemo

In this guide, I will show you how to disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows using GPO. TLS and SSL are both used for web security: they are cryptographic protocols that encrypt your data and authenticate the connection as data travels over the internet. Please see Secure FTP Login Issue: NAT Router Configuration Needed for Passive Mode and Port Forwarding, and how to Block downloads on Microsoft Edge using GPO on Windows Server 2019 and 2022.

TLS is short for Transport Layer Security and is the successor to SSL. There have been three previous versions of TLS (TLS 1.0, TLS 1.1, and TLS 1.2); the current version is TLS 1.3.

You may want to read about how to use TLS/SSL Certificates to Secure Web Server on Windows, How to enable or disable TLS 1.2 on a Windows Server via the Registry and PowerShell, and how to Enable DNS over TLS in Windows 11.

Steps to Disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows Using GPO

Group Policy is a tool that administrators use to define and apply security settings to users and computers.

1. Launch Group Policy to Disable Older TLS Versions

Open Run on your Domain Controller and launch Group Policy Management (gpmc.msc).


2. Create a GPO in the Domain Controller

Navigate to your Domain Controller and right-click the Domain Controller or the Domain itself. Select "Create a GPO in this domain, and Link it here".


Also, see Connect to a FileZilla Server: How to install and configure a FileZilla Server on Windows, and how to Block downloads on Microsoft Edge using GPO on Windows Server 2019 and 2022.

3. Rename the GPO to ‘Disable_TLS 1.0_TLS 1.1_TLS 1.2’ in Windows

Rename the new GPO to Disable_TLS 1.0_TLS 1.1_TLS 1.2 and click on ‘OK’. Please see How to check the BIOS version on Windows.


This will create a new Group Policy Object that is linked to the organizational unit.


4. Edit the GPO ‘Disable_TLS 1.0_TLS 1.1_TLS 1.2’

Right-click the policy and click on Edit.


5. Create a Registry Item in Group Policy

Navigate to Computer Configuration > Preferences > Windows Settings > Registry.

You can create a new registry item by clicking on the blank space and selecting New > Registry Item.


6. Create the Registry Properties

In the New Registry Properties dialog, select Create in the Action drop-down, and in the Key Path navigate here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

You will now create a new registry item for each protocol, covering both the Client and the Server key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

7. Force a Group Policy update to apply the TLS changes

Open Command Prompt, enter the command gpupdate /force and hit the Enter key. This will apply the changes made in the GPO.


8. Confirm the protocols created in the registry

Open the Registry Editor and navigate to the following key to confirm the protocols you have created:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
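
To check step 8 beyond the key names, the following PowerShell (an added example, not part of the original post) reads each Client and Server key and reports whether Schannel's documented Enabled and DisabledByDefault DWORD values are set, since a key that holds no values leaves the operating system default in force. The function name Get-SchannelProtocolState and its output columns are this example's own.

```powershell
# Added example: audit the Schannel protocol keys that the GPO creates.
# 'Enabled' and 'DisabledByDefault' are Schannel's documented DWORD values;
# the function name and output columns are this example's own (hypothetical).
function Get-SchannelProtocolState {
    param(
        [string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    )
    foreach ($protocol in $Protocols) {
        foreach ($role in 'Client', 'Server') {
            $path = Join-Path (Join-Path $Root $protocol) $role
            $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            $enabled = $null
            $disabledByDefault = $null
            if ($key) {
                # GetValue returns the supplied default ($null) when the value is absent
                $enabled = $key.GetValue('Enabled', $null)
                $disabledByDefault = $key.GetValue('DisabledByDefault', $null)
            }
            $state = if (-not $key) {
                'Key missing: OS default applies'
            } elseif ($null -eq $enabled -and $null -eq $disabledByDefault) {
                'Key has no values: OS default applies'
            } elseif ($enabled -eq 0) {
                'Disabled'
            } elseif ($disabledByDefault -eq 1) {
                'Off by default, still usable on request'
            } else {
                'Enabled'
            }
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Run locally after gpupdate /force; a disabled protocol reads 'Disabled' for both roles
Get-SchannelProtocolState | Format-Table -AutoSize
```

Schannel supports TLS 1.3 only on Windows 11 and Windows Server 2022 or later, so on older hosts such as Windows 10 or Windows Server 2016 disabling TLS 1.2 leaves no protocol to negotiate. Check the target operating systems before linking the GPO broadly.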

FAQs on why you should disable TLS 1.0, TLS 1.1 and TLS 1.2

Why should I disable TLS 1.0, TLS 1.1, and TLS 1.2?

Disabling older TLS versions is essential for security. TLS 1.0 and TLS 1.1 are known to have vulnerabilities that make them susceptible to attacks, such as BEAST and POODLE.

TLS 1.2, while more secure, may still have weaknesses that could be exploited in the future. Disabling these older versions helps protect your data and communications from potential threats.

How does disabling older TLS versions improve security?

Disabling older TLS versions forces both the client and server to use more secure protocols like TLS 1.3 or TLS 1.2 with modern cipher suites. These newer versions are designed with improved security features and algorithms, making it significantly harder for attackers to exploit vulnerabilities and decrypt encrypted data. It helps ensure that your communication remains confidential and tamper-proof.

Will disabling TLS 1.0, TLS 1.1, and TLS 1.2 affect compatibility with older systems or browsers?

While disabling older TLS versions improves security, it can potentially impact compatibility with older systems or outdated browsers that do not support newer TLS versions. It’s essential to assess your user base and the systems interacting with your services. In some cases, you may need to provide alternative access methods or encourage users to update their software to maintain compatibility while ensuring security.

I hope you found this blog post on how to disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows using GPO interesting and helpful. In case you have any questions, do not hesitate to ask in the comment section.

Category: Security | Vulnerability Scans and Assessment. Tags: Microsoft Windows, SSL, Windows 10, Windows 11, Windows Server 2016