Saturday, May 22, 2021

Disabling TLS 1.0, TLS 1.1 and enabling TLS 1.2 on Windows server

Before you start

  1. Take a backup of your registry.
  2. Notify your clients that you are about to drop support for TLS 1.0 and TLS 1.1, so they can update their calling applications.
  3. This activity requires a server restart, so announce a few minutes of downtime (how much depends on what the server hosts).

Follow the steps

The following steps disable TLS 1.0 and TLS 1.1 and enable TLS 1.2.

  1. Open the Windows Registry Editor (press Windows logo key + R, type "regedit" in the box and press Enter).
  2. Locate the key: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  3. Add the following keys under Protocols:
    TLS 1.0, TLS 1.1, TLS 1.2


  4. Add the following two keys under each of those keys:
    Client, Server

  5. Add the following two values in every Client and Server key:
    Value 1 Name: DisabledByDefault
    Value 1 Type: DWORD (32-bit value)
    Value 1 Data: 1

    Value 2 Name: Enabled
    Value 2 Type: DWORD (32-bit value)
    Value 2 Data: 0

  6. Under TLS 1.2 only, change the data of both values as follows:
    Value 1 Name: DisabledByDefault
    Value 1 Data: 0

    Value 2 Name: Enabled
    Value 2 Data: 1


  7. Restart the server. The restart is mandatory; the new Schannel settings take effect only after a reboot.
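
The same steps 2 to 6 done with PowerShell instead of regedit, as an added example that is not part of the original post. It assumes an elevated PowerShell session and exports the existing Protocols subtree to a backup .reg file in %TEMP% first (the backup file name is an assumption); the reboot from step 7 is still required afterwards.

```powershell
# Added example: create the Schannel protocol keys from steps 2-6 with PowerShell.
# Run in an elevated session. A reboot is still required for the change to take effect.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# "Before you start" step 1: export the current Protocols subtree before touching it.
# reg.exe expects the HKLM\... form of the path, not the PowerShell drive form.
$backup = Join-Path $env:TEMP 'schannel-protocols-backup.reg'   # assumed file name
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $backup /y | Out-Null
Write-Host "Backup written to $backup"

# Protocol -> desired state ($true = enabled, $false = disabled).
$protocols = @{
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

foreach ($name in $protocols.Keys) {
    foreach ($side in 'Client', 'Server') {
        $path = Join-Path $base "$name\$side"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

        $enabled = $protocols[$name]
        # Enabled=1 / DisabledByDefault=0 turns a protocol on (step 6);
        # Enabled=0 / DisabledByDefault=1 turns it off (step 5).
        New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$enabled) -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $enabled)) -Force | Out-Null
    }
}

# Read everything back so the values can be checked before the reboot.
Get-ChildItem -Path $base -Recurse |
    Where-Object { $_.PSChildName -in 'Client', 'Server' } |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Protocol          = $_.PSParentPath.Split('\')[-1]
            Side              = $_.PSChildName
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
        }
    } | Format-Table -AutoSize
```

If the read-back table shows Enabled=1 and DisabledByDefault=0 for TLS 1.2 only, and the opposite for TLS 1.0 and TLS 1.1, on both the Client and Server side, the registry matches what the manual steps produce. Restore with `reg.exe import` of the backup file if anything on the server breaks after the reboot.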

Summary: 

In step 5 we disabled every listed TLS protocol, and in step 6 we re-enabled only TLS 1.2. After the restart, any site hosted on this server will accept TLS 1.2 only, and because we added both the Server and the Client keys, this server will also use TLS 1.2 only when it calls out to third-party servers as a client. Note that these keys only govern Schannel, the built-in Windows TLS stack (IIS and other Windows components). Applications that ship their own TLS library, such as Java/Tomcat or OpenSSL-based software, are not affected by them.

Now you can test your website on https://www.ssllabs.com/ssltest/ . In the Protocols section of the report, TLS 1.2 should be the only protocol marked "Yes".

Few keynotes:

  1. On Windows Server 2016 or above, SSL 2.0 and SSL 3.0 are disabled by default, so nothing needs to be done for them. If the report shows "Yes" for SSL 2 or SSL 3, repeat steps 3, 4 and 5 using the key names "SSL 2.0" and "SSL 3.0" (the registry key names include the ".0"; SSL Labs just labels them "SSL 2" and "SSL 3"). Then restart the server and test on SSL Labs again.
  2. Windows Server 2019 and earlier do not support TLS 1.3 in Schannel, so the report shows "No" for TLS 1.3. That is expected.
  3. Disabling TLS 1.0 and 1.1 does not remove any cipher suites: cipher suites are configured separately from protocols, and weak suites such as 3DES or RC4 can still be negotiated under TLS 1.2 if they are enabled. If the SSL Labs report still flags individual cipher suites, disable those separately (for example with the cipher suite order policy or Disable-TlsCipherSuite).
  4. If you are using Tomcat these settings won't work. I will write a separate article for Tomcat.
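
An audit script for keynotes 1 and 3, added here as an example and not part of the original post. It reports the state of every Schannel protocol key (including SSL 2.0 and SSL 3.0, so a missing key is visible as "OS default"), then lists the cipher suites that are still enabled and flags the ones SSL Labs would still report under TLS 1.2. It assumes Windows Server 2016 or later, where the Get-TlsCipherSuite / Disable-TlsCipherSuite cmdlets exist; the weak-suite pattern is this example's own choice.

```powershell
# Added example: audit Schannel protocol state and remaining cipher suites after the reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    foreach ($name in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $path = Join-Path $base "$name\$side"
            # No key at all means the OS default applies, which differs per Windows version.
            $state = 'OS default (no key)'
            if (Test-Path $path) {
                $p = Get-ItemProperty -Path $path
                # Enabled=0 switches the protocol off. DisabledByDefault=1 strictly means
                # "only if an application asks for it explicitly"; treated as disabled here.
                $state = if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) { 'Disabled' } else { 'Enabled' }
            }
            [pscustomobject]@{ Protocol = $name; Side = $side; State = $state }
        }
    }
}

# Suite name tokens that SSL Labs still flags even when only TLS 1.2 is enabled
# (assumed list for this example: NULL encryption, RC4, 3DES, single DES, export grades, MD5 MAC).
$weakPattern = 'NULL|RC4|3DES|DES_CBC|EXPORT|_MD5'

function Get-WeakTlsCipherSuite {
    Get-TlsCipherSuite | Where-Object { $_.Name -match $weakPattern } | Select-Object -ExpandProperty Name
}

Get-SchannelProtocolState | Format-Table -AutoSize

$weak = @(Get-WeakTlsCipherSuite)
if ($weak.Count -eq 0) {
    Write-Host 'No weak cipher suites are enabled.'
} else {
    Write-Host 'Cipher suites still enabled that SSL Labs will flag:'
    $weak | ForEach-Object { Write-Host "  $_" }
    # To remove one of them on this machine:
    #   Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
}
```

Run it once before the change and once after the reboot: the protocol table should flip TLS 1.0 and TLS 1.1 to "Disabled" on both sides, while the cipher suite list stays the same, which is exactly why the suites need their own clean-up.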

Finally

Test all the applications hosted on this server and all the applications this server consumes.

Save the time

To save time in this whole activity I created a registry file. Download the following gist, save it as tls.reg and import it into the Windows registry; it creates all the necessary keys and values.


EOF
