TLS 1.0 and TLS 1.1 soon to be disabled in Windows (2024)

Learn about the upcoming changes in Schannel protocol defaults and how to remove dependencies on legacy TLS versions or keep them enabled for compatibility.


Transport Layer Security (TLS) is the most common internet protocol for setting up an encrypted channel of communication between a client and server. TLS 1.0 dates back to 1999 and, over time, several security weaknesses have been found in this protocol version. TLS 1.1 was published in 2006 and made some security improvements, but never saw broad adoption. These versions have long been surpassed by TLS 1.2 and TLS 1.3, and TLS implementations try to negotiate connections using the highest protocol version available.

Over the past several years, internet standards and regulatory bodies have deprecated or disallowed TLS versions 1.0 and 1.1, due to a variety of security issues. We have been tracking TLS protocol usage for several years and believe TLS 1.0 and TLS 1.1 usage data are low enough to act.

To increase the security posture of Windows customers and encourage modern protocol adoption, TLS versions 1.0 and 1.1 will soon be disabled by default in the operating system, starting with Windows 11 Insider Preview builds in September 2023 and future Windows OS releases. This change applies to both client and server, but it will not impact any in-market OS versions. There is an option to re-enable TLS 1.0 or TLS 1.1 for users who need to maintain compatibility.

Diagnostic events

Applications that start failing when TLS 1.0 and TLS 1.1 are disabled can be identified by Event 36871 in the Windows Event Log.

Sample Event:

A fatal error occurred while creating a TLS <client/server> credential. The internal error state is 10013. The SSPI client process is <process ID>.

Guidance for users and IT admins

The impact of this change depends largely on the Windows applications using TLS. For example, TLS 1.0 and TLS 1.1 have already been disabled by Microsoft 365 products as well as WinHTTP and WinINet API surfaces. Most newer versions of applications support TLS 1.2 or higher protocol versions. Therefore, if an application starts failing after this change, the first step is to look for a newer version of the application that has TLS 1.2 or TLS 1.3 support.

It's recommended to use the system default settings for the best balance of security and performance. If organizations limit TLS cipher suites using Group Policy or PowerShell cmdlets, they should also verify that cipher suites needed for TLS 1.3 and TLS 1.2 are enabled.

If there are no alternatives available and TLS 1.0 or TLS 1.1 is needed, the protocol versions can be re-enabled with a system registry setting. To override a system default and set a (D)TLS or SSL protocol version to the Enabled state, create a DWORD registry value named "Enabled" with an entry value of "1" under the corresponding version-specific subkey. Examples of TLS 1.0 subkeys are as follows:

HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

Note: Re-enabling TLS 1.0 or TLS 1.1 on machines should only be done as a last resort, and as a temporary solution until incompatible applications can be updated or replaced. Support for these legacy TLS versions may be removed completely in the future.

Guidance for SSPI application developers

Although most applications and services use Schannel via HTTP and .NET APIs, some call the Security Support Provider Interface (SSPI) directly. Historically, SSPI callers implementing TLS clients and servers would pass the SCHANNEL_CRED structure when calling AcquireCredentialsHandle(). This allowed the hard coding of legacy TLS versions and prevented apps from using new TLS versions. With TLS 1.0 and TLS 1.1 disabled by default, an SSPI application that only allows these versions will fail to connect.

SCHANNEL_CRED was deprecated in Windows 10, and SSPI callers should specify their preferences using SCH_CREDENTIALS instead. Applications using this new structure will be able to negotiate TLS 1.3 and later protocol versions. When updating code to switch from SCHANNEL_CRED to SCH_CREDENTIALS, implementers should test their TLS client or server against a TLS 1.3 peer and ensure that the code correctly handles SEC_I_RENEGOTIATE returned from DecryptMessage().

For more information on finding and removing application dependencies on TLS 1.0 and 1.1, please refer to Solving the TLS 1.0 Problem.

Known issues

We have tested this change against top Windows applications, and found that the following versions rely on TLS 1.0 or TLS 1.1 and are expected to be broken.

Note: This is not an exhaustive list. All systems and organizations should test the disablement using the steps described above and observe any failures. Please reach out directly to the application owner, as they often have an updated version or mitigation available.

  • SQL Server - 2012, 2014, 2016 (see KB3135244 - TLS 1.2 support for Microsoft SQL Server - Microsoft Support for how to upgrade to TLS 1.2 support)
  • Microsoft Office 2008 Professional - Accounting Express
  • Xbox One SmartGlass - 2.2.1702.2004
  • Project Plan 365 - 23.8.1204.14137
  • Safari - 5.1.7
  • EVault Data Protection - 7.01.6125
  • Turbo Tax - 2017, 2014, 2011, 2012, 2016, 2015, 2018
  • BlueStacks 3 (蓝叠3) -
  • BlueStacks X -
  • Splice - 4.0.35686, 4.2.4
  • Driver Support -,
  • K7 Enterprise Security and
  • DRUKI Gofin -
  • vWorkspace - 8.6.1
  • ARMA 3
  • LANGuard - 12.7.2022.0406
  • Adguard - 6.4.1814.4903,
  • 火萤视频桌面 -
  • CCB Security Client (中国建设银行E路航网银安全组件) -
  • ArcGIS - 10.3.3400
  • ACDSee Photo Studio – 2018, 2023
  • Blio e-Reader -,

Continue the conversation. Find best practices. Bookmark the Windows Tech Communityandfollow us @MSWindowsITPro on Twitter. Looking for support? Visit .

TLS 1.0 and TLS 1.1 soon to be disabled in Windows (2024)


TLS 1.0 and TLS 1.1 soon to be disabled in Windows? ›

The internet standards and regulatory bodies have deprecated or disallowed TLS versions 1.0 and 1.1 due to several security issues. Starting with Windows 11 Insiders Preview and Windows Server Insiders Preview releases in 2024, they will be disabled by default.

How to disable TLS 1.0 and TLS 1.1 on Windows? ›

Create a key named "TLS 1.1" with two DWORDs for both TLS 1.0 & 1.1: "DisabledByDefault=1" & "Enabled=0". Similarly, create a key named "TLS 1.0" with two DWORDs for each protocol, "DisabledByDefault=1" & "Enabled=0".

How do I fix TLS 1.0 TLS 1.1 and TLS 1.2 in advanced settings? ›

Google Chrome
  1. Open Google Chrome.
  2. Click Alt F and select Settings.
  3. Scroll down and select Show advanced settings...
  4. Scroll down to the Network section and click on Change proxy settings...
  5. Select the Advanced tab.
  6. Scroll down to Security category, manually check the option box for Use TLS 1.1 and Use TLS 1.2.
  7. Click OK.
Nov 1, 2023

How do you check TLS 1.1 is enabled or not? ›

For Chrome
  1. Open the Developer Tools (Ctrl+Shift+I)
  2. Select the Security tab.
  3. Navigate to the WebAdmin or Cloud Client portal.
  4. Under Security, check the results for the section Connection to check which TLS protocol is used.
Sep 6, 2023

How to disable SSL 2.0 SSL 3.0 TLS 1.0 and TLS 1.1 in Windows 10? ›

In the Internet Options window on the Advanced tab, under Settings, scroll down to the Security section. In the Security section, locate the Use SSL and Use TLS options and uncheck Use SSL 3.0 and Use SSL 2.0. If they are not already selected, check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2.

How to check what TLS version is being used? ›

Enter the URL you wish to check in the browser. Right-click the page or select the Page drop-down menu, and select Properties. In the new window, look for the Connection section. This will describe the version of TLS or SSL used.

Does disabling TLS 1.0 require a reboot? ›

These disable SSL 3.0, TLS 1.0, and RC4 protocols. Because this situation applies to SChannel, it affects all the SSL/TLS connections to and from the server. You must restart the computer after you change these values.

How to enable TLS in Windows? ›

In the Windows menu search box, type Internet options. Under Best match, click Internet Options. In the Internet Properties window, on the Advanced tab, scroll down to the Security section. Check the User TLS 1.2 checkbox.

How do I fix TLS security settings? ›

The fix is easy: In the windows search box, near the Windows Start button, type Internet Options. Open the result Internet options - control panel. Then click the Advanced tab. Scroll down in the long list to security and make sure use TLS 1.2 is checked.

Can you enable TLS 1.0 in Chrome? ›

Scroll down to "Security" e. Click "Use TLS 1.3" (by default) and select "Use TLS 1.0" , "Use TLS 1.1" and "Use TLS 1.2" f. Close Chrome and restart it for the changes to take effect.

How do I know if TLS 1.0 is enabled or disabled? ›

To check for TLS 1.0 you could run Wireshark, on the server, and filter for that kind of traffic ( ssl. handshake. version==0x0301 ). If there is not much then disable TLS 1.0 with IISCrypto, as Alpharius suggested, and test all applications function normally.

How do I know if TLS is enabled in Windows? ›

How to identify if an SSL/TLS protocol is enabled/disabled
  1. Click Start or press the Windows key.
  2. In the Start menu, either in the Run box or the Search box, type regedit and press Enter. ...
  3. Navigate to follow the registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

How do I update my TLS version? ›

Under TLS Versions, you will see the TLS protocol version(s) currently selected. To update the protocol, simply click edit. Next, choose your desired protocol based on your requirements and hit Save Changes. Please note that you can not disable TLS v1.

How to disable TLS 1.0 and 1.1 on Windows? ›

  1. Run Windows Registry Editor (Regedit) as administrator.
  2. Create the following string registry key: ...
  3. Set the value -DenableVistaInteroperability=false.
  4. Open a Command Prompt as an administrator and run commands "net stop wsconnector" and "net start wsconnector" to restart the services.
Apr 18, 2024

How do I enable SSL 3.0 TLS 1.0 TLS 1.1 and TLS 1.2 in advanced settings? ›

Open the Tools menu (click on the tools icon or type Alt - x) and select Internet options. Select the Advanced tab. Scroll down to the bottom of the Settings section. If TLS is not enabled, select the checkboxes next to Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2.

How do I disable SSL and TLS? ›

​​ Disable Universal SSL certificate

Select your domain. Go to SSL/TLS > Edge Certificates. For Disable Universal SSL, select Disable Universal SSL.

How do I enable TLS 1.1 and TLS 1.2 in Windows 10? ›

Step 1: Press Win + I to open Run, type inetcpl. cpl, and click OK to open the Internet Properties window. Step 2: Under the Advanced tab, scroll down to find Use TLS 1.2. If it is not selected, check the box and tap on Apply.

How to disable TLS 1.2 Windows? ›

To disable the TLS 1.2 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

How do I disable TLS 1.0 in my browser? ›

  1. In the address bar, type about:config and press Enter.
  2. In the search box enter tls. ...
  3. Change the integer value to 2 to force the minimum version of the protocol to TLS 1.1 (entering 3 will force it to TLS 1.2).

How to disable TLS 1.0 and 1.1 on CloudFlare? ›

Disable TLS 1.0/1.1 on Cloudflare:
  1. Login to your Cloudflare account.
  2. Click on SSL/TLS icon.
  3. Click on Edge Certificates.
  4. Scroll to Minimum TLS Version section.
  5. Select TLS 1.2 (this will automatically set the TLS version to 1.2 or higher.)

Top Articles
Latest Posts
Article information

Author: Foster Heidenreich CPA

Last Updated:

Views: 5531

Rating: 4.6 / 5 (56 voted)

Reviews: 87% of readers found this page helpful

Author information

Name: Foster Heidenreich CPA

Birthday: 1995-01-14

Address: 55021 Usha Garden, North Larisa, DE 19209

Phone: +6812240846623

Job: Corporate Healthcare Strategist

Hobby: Singing, Listening to music, Rafting, LARPing, Gardening, Quilting, Rappelling

Introduction: My name is Foster Heidenreich CPA, I am a delightful, quaint, glorious, quaint, faithful, enchanting, fine person who loves writing and wants to share my knowledge and understanding with you.