Windows 10 TLS 1.3 Enablement Registry keys

JasonKowalczyk

We are deploying TLS 1.3 as a required protocol, as well as disabling TLS 1.1, on the 1909 version of software.


We are doing this via Registry Keys:


HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisablebyDefault == 0x1

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisablebyDefault == 0x1

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled == 0x0

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled == 0x0


HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisablebyDefault == 0x0

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisablebyDefault == 0x0

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled == 0x1

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled == 0x1


It follows that we need to control the DefaultSecureProtocols keys as well.


The docs list the following values and how to calculate complex values by adding the hex values:


## 0x00000008 Enable SSL 2.0 by default

## 0x00000020 Enable SSL 3.0 by default

## 0x00000080 Enable TLS 1.0 by default

## 0x00000200 Enable TLS 1.1 by default

## 0x00000800 Enable TLS 1.2 by default


Can we assume that TLS 1.3 follows the same pattern? e.g.

## 0x00002000 Enable TLS 1.3 by default


We would set this on the following keys to only allow TLS 1.2 and TLS 1.3


HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp DefaultSecureProtocols == 0x2800

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp DefaultSecureProtocols == 0x2800
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SecureProtocols == 0x2800

Thanks for any clarification you can give. I cannot find this on the Docs site or developer pages, but I could be wrong.


Reference: SUPPORT SITE
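
A read-only PowerShell check for the registry values discussed in the post above, added here as an example; it is not part of the original post or of Microsoft's documentation. It decodes the bitmask with the flag table quoted in the post, treats the 0x2000 bit for TLS 1.3 as the poster's assumed value, and uses a hypothetical helper name, `ConvertFrom-SecureProtocols`.

```powershell
# Added example (not from the original post): read-only audit of the values above.
# Flag values are those quoted in the post; 0x2000 for TLS 1.3 is the value the
# post asks about, treated here as an assumption.
$ProtocolFlags = [ordered]@{
    'SSL 2.0' = 0x00000008
    'SSL 3.0' = 0x00000020
    'TLS 1.0' = 0x00000080
    'TLS 1.1' = 0x00000200
    'TLS 1.2' = 0x00000800
    'TLS 1.3' = 0x00002000
}

# Hypothetical helper: split a bitmask into named protocols and leftover bits.
function ConvertFrom-SecureProtocols {
    param([Parameter(Mandatory)][int]$Value)
    $known = 0
    $names = foreach ($f in $ProtocolFlags.GetEnumerator()) {
        $known = $known -bor $f.Value
        if ($Value -band $f.Value) { $f.Key }
    }
    [pscustomobject]@{
        Hex     = '0x{0:X8}' -f $Value
        Enabled = @($names)
        Unknown = '0x{0:X8}' -f ($Value -band (-bnot $known))
    }
}

# Bitmask values named in the post (both registry views for WinHttp).
$MaskValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols' }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'SecureProtocols' }
)
foreach ($m in $MaskValues) {
    $raw = (Get-ItemProperty -Path $m.Path -Name $m.Name -ErrorAction SilentlyContinue).($m.Name)
    if ($null -eq $raw) { '{0} {1}: not set' -f $m.Path, $m.Name; continue }
    $d = ConvertFrom-SecureProtocols -Value $raw
    '{0} {1} = {2} -> {3} (unknown bits {4})' -f $m.Path, $m.Name, $d.Hex, ($d.Enabled -join ', '), $d.Unknown
}

# SCHANNEL per-protocol values. The documented value name is DisabledByDefault;
# an empty field in the output means the value is not present under that key.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.1', 'TLS 1.3') {
    foreach ($role in 'Client', 'Server') {
        $p = Get-ItemProperty -Path (Join-Path $Schannel "$proto\$role") -ErrorAction SilentlyContinue
        '{0}\{1}: Enabled={2} DisabledByDefault={3}' -f $proto, $role, $p.Enabled, $p.DisabledByDefault
    }
}
```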
