1. Introduction

Security is a top priority in any IT infrastructure, especially when managing Windows Server environments. Older encryption protocols like TLS 1.0 and TLS 1.1 are now considered insecure and vulnerable to modern cyberattacks. As a result, major organizations, compliance frameworks (like PCI DSS), and software vendors recommend disabling them and using TLS 1.2 or TLS 1.3 instead.


If you’re running web servers, domain controllers, or enterprise applications, leaving outdated protocols enabled can expose your systems to serious risks. The good news is that Windows Server allows you to disable these protocols with a few configuration changes.

In this guide, you’ll learn how to disable TLS 1.0 and TLS 1.1 on Windows Server, along with best practices, troubleshooting tips, and expert recommendations.


2. Quick Answer

To disable TLS 1.0 and TLS 1.1 on Windows Server:

  1. Open Registry Editor (regedit)
  2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  3. Create keys for:
    • TLS 1.0 → Client & Server
    • TLS 1.1 → Client & Server
  4. Add DWORD values:
    • Enabled = 0
    • DisabledByDefault = 1
  5. Restart the server

3. Table of Contents

  • What is TLS and Why It Matters
  • Why Disable TLS 1.0 and 1.1
  • Prerequisites Before Configuration
  • Step-by-Step Guide to Disable TLS
  • PowerShell Method (Optional)
  • Common Errors and Fixes
  • Best Practices / Pro Tips
  • FAQs
  • Conclusion

4. Explanation Section

What is TLS?

TLS (Transport Layer Security) is a cryptographic protocol that secures communication over a network. It ensures:

  • Data encryption
  • Data integrity
  • Secure authentication

Why Disable TLS 1.0 and TLS 1.1?

Older TLS versions have known vulnerabilities such as:

  • Weak encryption algorithms
  • Susceptibility to downgrade attacks
  • Non-compliance with modern standards

Most modern browsers and services have already deprecated these versions.


Supported Secure Versions

  • TLS 1.2 → Widely used and secure
  • TLS 1.3 → Latest and fastest

Prerequisites Before You Begin

  • Administrative access to the server
  • Backup of registry settings
  • Test environment (recommended)
  • Ensure applications support TLS 1.2+



5. Step-by-Step Guide

A. Disable TLS 1.0 and TLS 1.1 Using Registry

Step 1: Open Registry Editor

  1. Press Windows + R
  2. Type regedit
  3. Press Enter

Step 2: Navigate to SCHANNEL Protocols

Go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Step 3: Create TLS 1.0 Keys

  1. Right-click Protocols → New → Key → TLS 1.0
  2. Inside TLS 1.0, create:
    • Client
    • Server

Step 4: Add DWORD Values

Inside both Client and Server, create:

  • Enabled (DWORD) → Value: 0
  • DisabledByDefault (DWORD) → Value: 1

Step 5: Repeat for TLS 1.1

Create the same structure for:

  • TLS 1.1 → Client & Server

Step 6: Restart Server

Changes apply after reboot.


B. PowerShell Method (Advanced)

Run PowerShell as Administrator:

# Disable TLS 1.0 and TLS 1.1 for both the Server and Client roles
$base = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
foreach ($proto in "TLS 1.0", "TLS 1.1") {
    foreach ($role in "Server", "Client") {
        $key = "$base\$proto\$role"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name "Enabled" -Value 0 -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 1 -PropertyType DWORD -Force | Out-Null
    }
}

C. Verify TLS Configuration

Use tools like:

  • IIS Crypto
  • SSL Labs Scanner
  • PowerShell Test commands
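
To confirm the registry state that the steps above produce, the following PowerShell is an added example, not part of the original guide. It reads Enabled and DisabledByDefault for TLS 1.0, 1.1 and 1.2 under the SCHANNEL Protocols key and reports anything that differs from this guide's settings; the function names are illustrative.

```powershell
# Added example (not from the original guide). Function names are hypothetical.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key = "$base\$proto\$role"
            $v = $null
            if (Test-Path $key) { $v = Get-ItemProperty -Path $key }
            # A missing key or value means the OS default for this Windows version applies.
            $state = 'OS default'
            if ($null -ne $v -and $null -ne $v.Enabled) {
                $state = if ($v.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
            }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = $v.Enabled
                DisabledByDefault = $v.DisabledByDefault
                State             = $state
            }
        }
    }
}

function Test-TlsHardening {
    foreach ($s in Get-SchannelProtocolState) {
        $name = "$($s.Protocol) $($s.Role)"
        if ($s.Protocol -eq 'TLS 1.2') {
            # The replacement protocol must stay usable when legacy versions are removed.
            if ($s.State -eq 'Disabled') { "FAIL  ${name}: TLS 1.2 is disabled" }
        } elseif ($s.State -ne 'Disabled') {
            "FAIL  ${name}: Enabled is not 0 ($($s.State))"
        } elseif ($s.DisabledByDefault -ne 1) {
            "WARN  ${name}: DisabledByDefault is not 1"
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
$findings = @(Test-TlsHardening)
if ($findings.Count -eq 0) {
    'OK: TLS 1.0/1.1 disabled for both roles, TLS 1.2 not disabled'
} else {
    $findings
}
```

The registry shows the configured state only; as Step 6 notes, it takes effect after the server restarts.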



6. Common Errors and Fixes

❌ Applications Stop Working

Fix:

  • Ensure the app supports TLS 1.2
  • Update the .NET Framework

❌ RDP Connection Issues

Fix:

  • Enable TLS 1.2
  • Check group policies

❌ Website Not Loading

Fix:

  • Check IIS bindings
  • Verify SSL certificates

❌ Registry Changes Not Applied

Fix:

  • Restart the server
  • Double-check the registry path

❌ Legacy Systems Compatibility Issues

Fix:

  • Upgrade legacy apps
  • Use secure fallback configurations

7. Best Practices / Pro Tips

✅ Always Enable TLS 1.2 or Higher

Never disable old protocols without enabling secure ones.


✅ Test Before Production Deployment

Use staging environments to avoid downtime.


✅ Backup Registry

Always export the registry before making changes.


✅ Monitor Logs

Use Event Viewer to track TLS-related issues.


✅ Use Group Policy (Enterprise)

Deploy TLS settings across multiple servers efficiently.


✅ Keep Systems Updated

Install the latest Windows updates and patches.


✅ Secure Communication Tools

TLS also impacts apps like Teams:
👉 https://multicaretechnical.com/how-to-share-audio-on-teams-complete-guide


8. FAQs

Q1: Is it safe to disable TLS 1.0 and 1.1?

Yes, it is recommended for security and compliance.


Q2: Will disabling TLS break applications?

It may affect older apps that rely on outdated protocols.


Q3: How do I check which TLS version is being used?

Use tools like SSL Labs or PowerShell scripts.
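
One way to script that check, as an added example that is not part of the original guide: it attempts a handshake with each TLS version against a listener you administer and reports whether it was accepted and which version was negotiated. The function names and the host name are placeholders. Run it from a machine whose own SCHANNEL client settings still allow the version being tested, otherwise the local client blocks the attempt and the result reads as refused.

```powershell
# Added example (not from the original guide). Function names are hypothetical.
function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        try { $tcp.Connect($ComputerName, $Port) } catch { return 'unreachable' }
        # Certificate validation is skipped on purpose: this probe only checks the
        # protocol version and never sends application data.
        $noValidation = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noValidation)
        try {
            $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
            return "accepted ($($ssl.SslProtocol))"
        } catch {
            # Any handshake failure lands here, including a local client-side block.
            return 'refused'
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $tcp.Close()
    }
}

function Get-TlsSupport {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 443)
    foreach ($p in 'Tls', 'Tls11', 'Tls12') {
        [pscustomobject]@{
            Target   = "${ComputerName}:$Port"
            Protocol = $p
            Result   = Test-TlsHandshake -ComputerName $ComputerName -Port $Port -Protocol $p
        }
    }
}

# server01.example.test is a placeholder; replace it with a server you administer.
Get-TlsSupport -ComputerName 'server01.example.test' -Port 443 | Format-Table -AutoSize
```

After the changes in this guide and a restart, the Tls and Tls11 rows should read refused and the Tls12 row accepted.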


Q4: Can I re-enable TLS 1.0 later?

Yes, by modifying registry values back to default.


Q5: Does Windows Server support TLS 1.3?

Newer versions like Windows Server 2022 support TLS 1.3.
