Versions 1.0 and 1.1

Many sources have already shut down TLS 1.0/1.1 and Windows 10 and updated versions of Office (365) already support it, however, there may be some machines running Windows 7 that may not be compliant with these changes, especially those running older versions of Office (2010). Soon, 365 will retire the 3DES cipher usage. This will require older PC OS (Windows 7 & 8/8.1) to be patched and communicating on TLS 1.2 by default in order to communicate with Exchange Online. Windows 10 is ready by default, as are up to date versions of Office, and 365 versions.

To do so, I’ve prepared 2 files in the attached ZIP:

 – DefaultSecureProtocolsUpdate.msi – 

       –  This is a Microsoft Easy Fix that will update the necessary protocols and set them as default.

 – TLS Negotiation_WIN7.reg – 

       –  Prevents TLS 1.1/1.2 from being disabled on Windows 7 machines as Windows 7 still negotiates over 1.1 for some WinHTTP-based applications.

To apply the update, run the DefaultSecureProtocolsUpdate.msi, and follow it with merging the attached registry file. (TLS Negotiation_WIN7.reg) The registry entries are HKLM meaning, it’s applied for the entire computer and does not have to be done per each profile. In the event that the PC is already patched, the installer will not make any changes.

  1. Determine which TLS versions you want to enable, and determine the corresponding value for DefaultSecureProtocols (which we will add shortly):
    1. For only TLS 1.1 and 1.2, the value will be 0xA00
    2. For TLS 1.0, 1.1, and 1.2, the value will be 0xA80
  2. Install the or verify the KB3140245 update (https://www.catalog.update.microsoft.com/search.aspx?q=kb3140245)
  3. Create a DWORD value called DefaultSecureProtocols in both of the following locations and set its value to the value determined in Step 1:
    1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    2. HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
  4. Be sure to create the DisabledByDefault DWORD value and set it to 0 in the following locations:
    1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
    2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
  5. Reboot the PC

Need more assistance? Contact Us today.