Windows: Microsoft intends to disable TLS 1.0 and 1.1 soon by default in Schannel protocol

Windows[German]Quick note for administrators in enterprise environments. Microsoft plans to soon deactivate TLS 1.0 and 1.1, which are still used by default in the Schannel protocol (starts in September 2023 with Windows 11 Insider builds). In a statement, the company recommends administrators clarify whether there is a dependency on TLS 1.0 and 1.1. People should be aware of upcoming changes to the Schannel protocol defaults and how to remove dependencies on older TLS versions (or leave them enabled for compatibility).


Advertising

The topic is picked up in the Techcommunity post TLS 1.0 and TLS 1.1 soon to be disabled in Windows – I came across the topic via the following tweet.

TLS 1.0 and 1.1 will fade away

Transport Layer Security (TLS)

Transport Layer Security (TLS) is the most common Internet protocol for establishing an encrypted communication channel between a client and a server. However, for historical reasons, there are different variants.

  • The old protocol TLS 1.0 dates back to 1999, and is no longer considered secure, as several security vulnerabilities have been found in this protocol version over time.
  • The newer TLS 1.1 was released in 2006 and brought some security improvements. However, TLS 1.1 never gained widespread acceptance.
  • TLS 1.2 and TLS 1.3 have since been introduced and are in wide use. TLS implementations attempt to negotiate the connections with the highest available protocol version.

Over the past few years, Internet standards and regulatory agencies have deemed TLS versions 1.0 and 1.1 obsolete or disallowed due to a number of security issues. Now it's time to phase out the old protocols.

Microsoft plans to disable old TLS 1.0/1.1

Microsoft believes that TLS 1.0 and 1.1 usage data is now low enough to act and disable TLS versions 1.0 and 1.1 by default in the operating system soon. This will start in September 2023 with the Windows 11 Insider Preview builds and will then be included in future Windows operating system versions. The goal is to improve the security posture of Windows systems and encourage the use of modern protocols.


Advertising

The impact of this change will largely depend on Windows applications that still use the old TLS protocols. TLS 1.0 and TLS 1.1 have already been disabled in Microsoft 365 products, as well as in the WinHTTP and WinINet API interfaces. Most newer versions of applications support TLS 1.2 or higher protocol versions. Applications that fail to disable TLS 1.0 and TLS 1.1 can be identified by event 36871 in the Windows event log. Entries of the type:

A fatal error occurred while creating a TLS <client/server> credential. The internal error status is 10013. The SSPI client process is <process ID>.

can be found. Then it should be checked whether new versions of the application are available that no longer require TLS 1.0/1.1. If there is no corresponding version of the application, administrators who need to maintain compatibility have the option of re-enabling TLS 1.0 or TLS 1.1.

Note: The collegueas at deskmodder has listet a few applications. The whole Microsoft SQL product familiy up to version 2016 seems to affected. Check this support article to enable TLS 1.2 with update KB3135244.

Reenable TLS 1.0/1.1

To override the system default and set a (D)TLS or SSL protocol version to the "Enabled" state, create a DWORD registry value named "Enabled" with an entry value of "1" under the appropriate version-specific subkey. Examples of TLS 1.0 subkeys are as follows

HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

Microsoft recommends using the system's default settings to achieve the best balance between security and performance (the registry intervention above is the last option). If organizations restrict TLS cipher suites using Group Policy or PowerShell cmdlets, they should also verify that the cipher suites required for TLS 1.3 and TLS 1.2 are enabled.

Similar articles:
Changes in Edge: TLS certificate validation, no more uninstall, Server 2012/R2 support
SSL/TLS connection issue fix: out-of-band update status and affected applications (Oct. 21, 2022)


Advertising

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).