APPLIES TO: 2013 (no), 2016 (no), 2019 (yes), Subscription Edition (no), SharePoint in Microsoft 365 (no)

SharePoint Server 2019 supports TLS protocol versions 1.0, 1.1, and 1.2 by default. However, to enable end-to-end support for TLS protocol versions 1.1 and 1.2 in your SharePoint 2019 environment, you may need to install updates or change configuration settings in the following locations:

  1. SharePoint servers in your SharePoint farm

  2. Microsoft SQL Servers in your SharePoint farm

  3. Client computers used to access your SharePoint sites

Important

If you do not update each of these locations, you run the risk of systems failing to connect to each other using TLS 1.1 or TLS 1.2. The systems will instead fall back to an older security protocol; and if the older security protocols are disabled, the systems may fail to connect entirely.

Example: Client computers may fail to connect to your SharePoint sites.

Summary of the update process

The following image shows the three-step process necessary to enable TLS 1.1 and TLS 1.2 support on your SharePoint servers, SQL Servers, and client computers.

The three steps to update servers in your SharePoint farm, Microsoft SQL server, and client computers.

SharePoint Server 2019 supports TLS protocol versions 1.0, 1.1, and 1.2 by default. No changes are necessary on the SharePoint servers in your farm to enable TLS 1.1 or TLS 1.2 support. Follow this step to update your SharePoint server if you wish to disable certain TLS protocol versions.

Steps for SharePoint Server | Windows Server 2016 | Windows Server 2019
The following step is optional. You may choose to run this step based on your organization's security and compliance requirements.
1.0 - Disable earlier versions of TLS in Windows Schannel | Optional | Optional

1.0 - Disable earlier versions of TLS in Windows Schannel

SSL and TLS support are enabled or disabled in Windows Schannel by editing the Windows Registry. Each SSL and TLS protocol version can be enabled or disabled independently. You don't need to enable or disable one protocol version to enable or disable another protocol version.

Important

SSL 2.0 and SSL 3.0 are disabled by default in Windows Server 2016 and Windows Server 2019 due to serious security vulnerabilities in those protocol versions.

Customers may also choose to disable TLS 1.0 and TLS 1.1 to ensure that only the newest protocol version is used. However, this may cause compatibility issues with software that doesn't support the newest TLS protocol version. Customers should test such a change before performing it in production.

The Enabled registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, it will use a default value determined by the operating system.

The DisabledByDefault registry value defines whether the protocol version is used by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be used by default. If the value is set to 1, the protocol version will not be used by default. If the value is not defined, it will use a default value determined by the operating system.

To disable TLS 1.0 support in Windows Schannel

  1. From Notepad.exe, create a text file named tls10-disable.reg.

  2. Copy, and then paste the following text.

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

  3. Save the tls10-disable.reg file.

  4. Double-click the tls10-disable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.

To disable TLS 1.1 support in Windows Schannel

  1. From Notepad.exe, create a text file named tls11-disable.reg.

  2. Copy, and then paste the following text.

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

  3. Save the tls11-disable.reg file.

  4. Double-click the tls11-disable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.

SQL Server 2016 and SQL Server 2017 support TLS protocol versions 1.0, 1.1, and 1.2 by default on Windows Server 2016 and Windows Server 2019. No changes are necessary on the SQL servers in your SharePoint farm to enable TLS 1.1 or TLS 1.2 support. For more information about TLS support in SQL Server, review the KB article TLS 1.2 support for Microsoft SQL Server.

Follow this step to update the SQL Servers in your SharePoint farm if you wish to disable certain TLS protocol versions.

Steps for your SQL Servers | Windows Server 2016 | Windows Server 2019
The following step is optional. You may choose to run this step based on your organization's security and compliance requirements.
2.1 - Disable earlier versions of TLS in Windows Schannel | Optional | Optional

2.1 - Disable earlier versions of TLS in Windows Schannel

SSL and TLS support are enabled or disabled in Windows Schannel by editing the Windows Registry. Each SSL and TLS protocol version can be enabled or disabled independently. You don't need to enable or disable one protocol version to enable or disable another protocol version.

Important

SSL 2.0 and SSL 3.0 are disabled by default in Windows Server 2016 and Windows Server 2019 due to serious security vulnerabilities in those protocol versions.

Customers may also choose to disable TLS 1.0 and TLS 1.1 to ensure that only the newest protocol version is used. However, this may cause compatibility issues with software that doesn't support the newest TLS protocol version. Customers should test such a change before performing it in production.

The Enabled registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, it will use a default value determined by the operating system.

The DisabledByDefault registry value defines whether the protocol version is used by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be used by default. If the value is set to 1, the protocol version will not be used by default. If the value is not defined, it will use a default value determined by the operating system.

To disable TLS 1.0 support in Windows Schannel

  1. From Notepad.exe, create a text file named tls10-disable.reg.

  2. Copy, and then paste the following text.

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

  3. Save the tls10-disable.reg file.

  4. Double-click the tls10-disable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.

To disable TLS 1.1 support in Windows Schannel

  1. From Notepad.exe, create a text file named tls11-disable.reg.

  2. Copy, and then paste the following text.

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

  3. Save the tls11-disable.reg file.

  4. Double-click the tls11-disable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.

Follow these steps to update your client computers that access your SharePoint site.

Steps for your client computers | Windows 7 | Windows 8.1 | Windows 10
3.1 - Enable TLS 1.1 and TLS 1.2 in Windows Schannel | Required | N/A | N/A
3.2 - Enable TLS 1.1 and TLS 1.2 support in WinHTTP | Required | N/A | N/A
3.3 - Enable TLS 1.1 and TLS 1.2 support in Internet Explorer | Required | N/A | N/A
3.4 - Enable strong cryptography in .NET Framework 4.5 or higher | Required | Required | Required
3.5 - Install .NET Framework 3.5 update for TLS 1.1 and TLS 1.2 support | Required | Required | Required
The following step is recommended. Although not directly required by SharePoint Server 2019, it provides better security by restricting the use of weak encryption algorithms.
3.6 - Enable strong cryptography in .NET Framework 3.5 | Recommended | Recommended | Recommended
The following step is optional. You may choose to run this step based on your organization's security and compliance requirements.
3.7 - Disable earlier versions of SSL and TLS in Windows Schannel | Optional | Optional | Optional

3.1 - Enable TLS 1.1 and TLS 1.2 in Windows Schannel

SSL and TLS support are enabled or disabled in Windows Schannel by editing the Windows Registry. Each SSL and TLS protocol version can be enabled or disabled independently. You don't need to enable or disable one protocol version to enable or disable another protocol version.

The Enabled registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, it will use a default value determined by the operating system.

The DisabledByDefault registry value defines whether the protocol version is used by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be used by default. If the value is set to 1, the protocol version will not be used by default. If the value is not defined, it will use a default value determined by the operating system.

To enable TLS 1.1 support in Windows Schannel

  1. From Notepad.exe, create a text file named tls11-enable.reg.

  2. Copy, and then paste the following text.

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001

  3. Save the tls11-enable.reg file.

  4. Double-click the tls11-enable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.

To enable TLS 1.2 support in Windows Schannel

  1. From Notepad.exe, create a text file named tls12-enable.reg.

  2. Copy, and then paste the following text.

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001

  3. Save the tls12-enable.reg file.

  4. Double-click the tls12-enable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.

3.2 - Enable TLS 1.1 and TLS 1.2 support in WinHTTP

WinHTTP doesn't inherit its SSL and TLS encryption protocol version defaults from the Windows Schannel DisabledByDefault registry value. WinHTTP uses its own SSL and TLS encryption protocol version defaults, which vary by operating system. To override the defaults, you must install a KB update and configure Windows Registry keys.

The WinHTTP DefaultSecureProtocols registry value is a bit field that accepts multiple values by adding them together into a single value. You can use the Windows Calculator program (Calc.exe) in Programmer mode to add the following hexadecimal values as desired.

DefaultSecureProtocols value | Description
0x00000008 | Enable SSL 2.0 by default
0x00000020 | Enable SSL 3.0 by default
0x00000080 | Enable TLS 1.0 by default
0x00000200 | Enable TLS 1.1 by default
0x00000800 | Enable TLS 1.2 by default

For example, you can enable TLS 1.0, TLS 1.1, and TLS 1.2 by default by adding the values 0x00000080, 0x00000200, and 0x00000800 together to form the value 0x00000A80.

To install the WinHTTP KB update, follow the instructions from the KB article Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows

To enable TLS 1.0, TLS 1.1, and TLS 1.2 by default in WinHTTP

  1. From Notepad.exe, create a text file named winhttp-tls10-tls12-enable.reg.

  2. Copy, and then paste the following text.

    For 64-bit operating system

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
      "DefaultSecureProtocols"=dword:00000A80

      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
      "DefaultSecureProtocols"=dword:00000A80

    For 32-bit operating system

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
      "DefaultSecureProtocols"=dword:00000A80

  3. Save the winhttp-tls10-tls12-enable.reg file.

  4. Double-click the winhttp-tls10-tls12-enable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.
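
The DefaultSecureProtocols bit field described above, as an added Python example that is not part of the original article: it composes and decodes values using the bit values from the table, formats the .reg line, and flags a value that enables SSL 2.0 or SSL 3.0 by default or leaves out TLS 1.2. The function names are illustrative.

```python
# Bit values copied from the DefaultSecureProtocols table in this section.
PROTOCOL_BITS = {
    "SSL 2.0": 0x00000008,
    "SSL 3.0": 0x00000020,
    "TLS 1.0": 0x00000080,
    "TLS 1.1": 0x00000200,
    "TLS 1.2": 0x00000800,
}
KNOWN_MASK = sum(PROTOCOL_BITS.values())


def compose(protocols):
    """OR the per-protocol bits together (the adding step done in Calc.exe)."""
    value = 0
    for name in protocols:
        value |= PROTOCOL_BITS[name]  # KeyError for a name that is not in the table
    return value


def decode(value):
    """Split a DWORD into (protocols enabled by default, bits not in the table)."""
    names = [name for name, bit in PROTOCOL_BITS.items() if value & bit]
    return names, value & ~KNOWN_MASK


def reg_line(protocols):
    """Format the value the way it is written in a .reg file."""
    return '"DefaultSecureProtocols"=dword:%08X' % compose(protocols)


def review(value):
    """Return findings for a DefaultSecureProtocols value read from a machine."""
    names, unknown = decode(value)
    findings = []
    for legacy in ("SSL 2.0", "SSL 3.0"):
        if legacy in names:
            findings.append(f"{legacy} is enabled by default")
    if "TLS 1.2" not in names:
        findings.append("TLS 1.2 is not enabled by default")
    if unknown:
        findings.append(f"bits outside the table are set: 0x{unknown:08X}")
    return findings


if __name__ == "__main__":
    print(reg_line(["TLS 1.0", "TLS 1.1", "TLS 1.2"]))
    # 0x000000A0 is a constructed value: SSL 3.0 and TLS 1.0 only.
    for finding in review(0x000000A0):
        print("finding:", finding)
```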

3.3 - Enable TLS 1.1 and TLS 1.2 support in Internet Explorer

Internet Explorer versions earlier than Internet Explorer 11 did not enable TLS 1.1 or TLS 1.2 support by default. Support for TLS 1.1 and TLS 1.2 is enabled by default starting with Internet Explorer 11.

To enable TLS 1.1 and TLS 1.2 support in Internet Explorer

  1. From Internet Explorer, click Tools > Internet Options > Advanced or click Settings menu in Internet Explorer > Internet Options > Advanced.

  2. In the Security section, verify that the following check boxes are selected. If not, click the following check boxes:

     • Use TLS 1.1

     • Use TLS 1.2

  3. Optionally, if you want to disable support for earlier security protocol versions, uncheck the following check boxes:

     • Use SSL 2.0

     • Use SSL 3.0

     • Use TLS 1.0

     Note

     Disabling TLS 1.0 may cause compatibility issues with sites that don't support newer security protocol versions. Customers should test this change before performing it in production.

  4. Click OK.

3.4 - Enable strong cryptography in .NET Framework 4.5 or higher

.NET Framework 4.5 and higher doesn't inherit its SSL and TLS security protocol version defaults from the Windows Schannel DisabledByDefault registry value. Instead, it uses its own SSL and TLS security protocol version defaults. To override the defaults, you must configure Windows Registry keys.

The SchUseStrongCrypto registry value changes the .NET Framework 4.5 and higher security protocol version default from SSL 3.0 or TLS 1.0 to TLS 1.0 or TLS 1.1 or TLS 1.2. In addition, it restricts the use of encryption algorithms with TLS that are considered weak such as RC4.

Applications compiled for .NET Framework 4.6 or higher will behave as if the SchUseStrongCrypto registry value is set to 1, even if it isn't. To ensure all .NET Framework applications will use strong cryptography, you must configure this Windows Registry value.

Microsoft has released an optional security update for .NET Framework 4.5, 4.5.1, and 4.5.2 that will automatically configure the Windows Registry keys for you. No updates are available for .NET Framework 4.6 or higher. You must manually configure the Windows Registry keys on .NET Framework 4.6 or higher.

For Windows 7 and Windows Server 2008 R2

  • To enable strong cryptography in .NET Framework 4.5 and 4.5.1 on Windows 7 and Windows Server 2008 R2, see the KB article Description of the security update for the .NET Framework 4.5 and the .NET Framework 4.5.1 on Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: May 13, 2014.

  • To enable strong cryptography in .NET Framework 4.5.2 on Windows 7 and Windows Server 2008 R2, see the KB article Description of the security update for the .NET Framework 4.5.2 on Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: May 13, 2014.

For Windows Server 2012

  • To enable strong cryptography in .NET Framework 4.5, 4.5.1, and 4.5.2 on Windows Server 2012, see the KB article Description of the security update for the .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2 on Windows 8, Windows RT, and Windows Server 2012: May 13, 2014.

For Windows 8.1 and Windows Server 2012 R2

  • To enable strong cryptography in .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 and Windows Server 2012 R2, see the KB article Description of the security update for the .NET Framework 4.5.1 and the .NET Framework 4.5.2 on Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: May 13, 2014.

To enable strong cryptography in .NET Framework 4.6 or higher

  1. From Notepad.exe, create a text file named net46-strong-crypto-enable.reg.

  2. Copy, and then paste the following text.

    For 64-bit operating system

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
      "SchUseStrongCrypto"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
      "SchUseStrongCrypto"=dword:00000001

    For 32-bit operating system

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
      "SchUseStrongCrypto"=dword:00000001

  3. Save the net46-strong-crypto-enable.reg file.

  4. Double-click the net46-strong-crypto-enable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.

3.5 - Install .NET Framework 3.5 update for TLS 1.1 and TLS 1.2 support

.NET Framework 3.5 doesn't support TLS 1.1 or TLS 1.2 by default. To add support for TLS 1.1 and TLS 1.2, you must install a KB update and configure Windows Registry keys for each of the operating systems listed in this section.

The SystemDefaultTlsVersions registry value defines which security protocol version defaults will be used by .NET Framework 3.5. If the value is set to 0, .NET Framework 3.5 will default to SSL 3.0 or TLS 1.0. If the value is set to 1, .NET Framework 3.5 will inherit its defaults from the Windows Schannel DisabledByDefault registry values. If the value is undefined, it will behave as if the value is set to 0.

To enable .NET Framework 3.5 to inherit its encryption protocol defaults from Windows Schannel

For Windows 7 and Windows Server 2008 R2

  1. To install the .NET Framework 3.5.1 update for Windows 7 and Windows Server 2008 R2, see the KB article Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1

  2. After the KB update is installed, manually configure the registry keys.

For Windows Server 2012

  1. To install the .NET Framework 3.5 update for Windows Server 2012, see the KB article Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows Server 2012

  2. After the KB update is installed, manually configure the registry keys.

For Windows 8.1 and Windows Server 2012 R2

  1. To install the .NET Framework 3.5 SP1 update for Windows 8.1 and Windows Server 2012 R2, see the KB article Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2

  2. After the KB update is installed, manually configure the registry keys.

For Windows 10 (Version 1507)

  • This functionality is not available in Windows 10 Version 1507. You must upgrade to Windows 10 Version 1511, and then install the Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016, or upgrade to Windows 10 Version 1607 or higher.

For Windows 10 (Version 1511)

  1. To install the Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016, see Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016.

  2. After the KB update is installed, manually configure the registry keys.

Windows 10 (Version 1607) and higher, Windows Server 2016, and Windows Server 2019

No update needs to be installed. Configure the Windows Registry keys as described below.

To manually configure the registry keys, do these steps.

  1. From Notepad.exe, create a text file named net35-tls12-enable.reg.

  2. Copy, and then paste the following text.

    For 64-bit operating system

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
      "SystemDefaultTlsVersions"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
      "SystemDefaultTlsVersions"=dword:00000001

    For 32-bit operating system

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
      "SystemDefaultTlsVersions"=dword:00000001

  3. Save the net35-tls12-enable.reg file.

  4. Double-click the net35-tls12-enable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.

3.6 - Enable strong cryptography in .NET Framework 3.5

The SchUseStrongCrypto registry value restricts the use of encryption algorithms with TLS that are considered weak such as RC4.

Microsoft has released an optional security update for .NET Framework 3.5 on pre-Windows 10 operating systems that will automatically configure the Windows Registry keys for you. No updates are available for Windows 10. You must manually configure the Windows Registry keys on Windows 10.

For Windows 7 and Windows Server 2008 R2

To enable strong cryptography in .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2, see the KB article Description of the security update for the .NET Framework 3.5.1 on Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: May 13, 2014

For Windows Server 2012

To enable strong cryptography in .NET Framework 3.5 on Windows Server 2012, see the KB article Description of the security update for the .NET Framework 3.5 on Windows 8 and Windows Server 2012: May 13, 2014

For Windows 8.1 and Windows Server 2012 R2

To enable strong cryptography in .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2, see the KB article Description of the security update for the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2: May 13, 2014

To enable strong cryptography in .NET Framework 3.5 on Windows 10

  1. From Notepad.exe, create a text file named net35-strong-crypto-enable.reg.

  2. Copy, and then paste the following text.

    For 64-bit operating system

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
      "SchUseStrongCrypto"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
      "SchUseStrongCrypto"=dword:00000001

    For 32-bit operating system

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
      "SchUseStrongCrypto"=dword:00000001

  3. Save the net35-strong-crypto-enable.reg file.

  4. Double-click the net35-strong-crypto-enable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.

3.7 - Disable earlier versions of SSL and TLS in Windows Schannel

SSL and TLS support are enabled or disabled in Windows Schannel by editing the Windows Registry. Each SSL and TLS protocol version can be enabled or disabled independently. You don't need to enable or disable one protocol version to enable or disable another protocol version.

Important

Microsoft recommends disabling SSL 2.0 and SSL 3.0 due to serious security vulnerabilities in those protocol versions.

Customers may also choose to disable TLS 1.0 and TLS 1.1 to ensure that only the newest protocol version is used. However, this may cause compatibility issues with software that doesn't support the newest TLS protocol version. Customers should test such a change before performing it in production.

The Enabled registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, it will use a default value determined by the operating system.

The DisabledByDefault registry value defines whether the protocol version is used by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be used by default. If the value is set to 1, the protocol version will not be used by default. If the value is not defined, it will use a default value determined by the operating system.

To disable SSL 2.0 support in Windows Schannel

  1. From Notepad.exe, create a text file named ssl20-disable.reg.

  2. Copy, and then paste the following text.

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

  3. Save the ssl20-disable.reg file.

  4. Double-click the ssl20-disable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.

To disable SSL 3.0 support in Windows Schannel

  1. From Notepad.exe, create a text file named ssl30-disable.reg.

  2. Copy, and then paste the following text.

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

  3. Save the ssl30-disable.reg file.

  4. Double-click the ssl30-disable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.

To disable TLS 1.0 support in Windows Schannel

  1. From Notepad.exe, create a text file named tls10-disable.reg.

  2. Copy, and then paste the following text.

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

  3. Save the tls10-disable.reg file.

  4. Double-click the tls10-disable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.

To disable TLS 1.1 support in Windows Schannel

  1. From Notepad.exe, create a text file named tls11-disable.reg.

  2. Copy, and then paste the following text.

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

  3. Save the tls11-disable.reg file.

  4. Double-click the tls11-disable.reg file.

  5. Click Yes to update your Windows Registry with these changes.

  6. Restart your computer for the change to take effect.
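
To check a machine against the Schannel settings and the .NET Framework values from steps 3.4 to 3.6, the following added Python example (not part of the original article) parses a registry export and applies the Enabled / DisabledByDefault rules described above. The sample export, the state labels, and the function names are constructed for illustration.

```python
import re

# Constructed sample: a registry export from a hypothetical 64-bit client.
# A file saved by Registry Editor is UTF-16, so read it with encoding="utf-16".
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
SCHANNEL = r"hkey_local_machine\system\currentcontrolset\control\securityproviders\schannel\protocols"
# (.NET Framework key, value name) pairs from steps 3.4, 3.5 and 3.6.
NET_VALUES = [
    ("v4.0.30319", "SchUseStrongCrypto"),
    ("v2.0.50727", "SystemDefaultTlsVersions"),
    ("v2.0.50727", "SchUseStrongCrypto"),
]


def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: int}} for DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
            continue
        value = DWORD_LINE.match(line)
        if value and current is not None:
            current[value.group(1).lower()] = int(value.group(2), 16)
    return keys


def schannel_state(keys, protocol, role):
    """Apply the Enabled / DisabledByDefault rules to one protocol and role."""
    path = "\\".join((SCHANNEL, protocol.lower(), role.lower()))
    values = keys.get(path, {})
    enabled, disabled_by_default = values.get("enabled"), values.get("disabledbydefault")
    if enabled == 0:
        return "blocked"        # cannot be used, even on explicit request
    if enabled is None or disabled_by_default is None:
        return "os-default"     # an undefined value falls back to the OS default
    return "request-only" if disabled_by_default else "default-on"


def dotnet_gaps(keys, is_64bit=True):
    """List (key path, value name) pairs that are not set to 1.

    On a 64-bit operating system the Wow6432Node copy is checked as well.
    """
    roots = [r"software\microsoft"]
    if is_64bit:
        roots.append(r"software\wow6432node\microsoft")
    gaps = []
    for version, name in NET_VALUES:
        for root in roots:
            path = "\\".join(("hkey_local_machine", root, ".netframework", version))
            if keys.get(path, {}).get(name.lower()) != 1:
                gaps.append((path, name))
    return gaps


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    for proto in ("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"):
        for side in ("Client", "Server"):
            print(f"{proto:8} {side:6} {schannel_state(parsed, proto, side)}")
    for path, name in dotnet_gaps(parsed):
        print(f"not set to 1: {name} under {path}")
```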