Transport Layer Security (TLS) 1.2 is the standard encryption protocol for securing data in transit between devices. Legacy versions, such as SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1, have been deprecated because of known vulnerabilities and must be disabled.
Keeping the encryption protocol up to date protects data in transit from downgrade attacks and insecure cipher suites. It also helps your devices meet standard security baselines and modern compliance frameworks. In doing so, administrators reduce the attack surface available to ransomware and help avoid service disruptions.
A guide to enforce TLS 1.2 across managed devices
TLS encryption protocols can be enabled in the Windows Registry through Windows PowerShell or Group Policies. Administrators can confirm if these changes were made using PowerShell or Event Viewer.
They can also tag the encryption status of their managed devices using the Windows Registry. And, for applications that still require legacy encryption protocols, the settings for that can be managed using Windows PowerShell.
📌 Prerequisites:
- You will need Windows 8.1/10/11 or Windows Server 2012 R2 or newer.
- You will need administrator access to all the devices you wish to modify.
- PowerShell 5.1 or higher is required.
- Some legacy applications may depend on older protocols. Test them locally and take that into account before changing the encryption protocol settings they rely on.
💡Note: You can also use an endpoint management tool like NinjaOne as an option for deploying, verifying, and monitoring configuration enforcement.
📌 Recommended deployment strategies:
| Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
| --- | --- | --- |
| Method 1: Modify Registry settings to enforce TLS 1.2 and disable legacy protocols | ✓ | |
| Method 2: Apply settings via Group Policy | ✓ | |
| Method 3: Confirm TLS enforcement via PowerShell and logs | ✓ | |
| Method 4: Remediate or monitor applications still using legacy TLS | ✓ | |
Method 1: Modify Registry settings to enforce TLS 1.2 and disable legacy protocols
Encryption protocols can be managed through the Windows Registry. The relevant Registry keys are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. Each protocol has separate Client and Server subkeys, and both must be configured.
To disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and enable TLS 1.2, follow these steps:
- Open the Start Menu and search for Windows PowerShell.
- Right-click Windows PowerShell > Run as administrator.
- Type this script and press Enter:
```powershell
# SCHANNEL protocol keys; each protocol has a Client and a Server subkey
$base = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
$disableProtocols = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1")
$enableProtocols = @("TLS 1.2")

# Explicitly disable each legacy protocol for both the server and client roles
foreach ($protocol in $disableProtocols) {
    New-Item -Path "$base\$protocol\Server" -Force | Out-Null
    Set-ItemProperty -Path "$base\$protocol\Server" -Name "Enabled" -Value 0 -Type DWord
    Set-ItemProperty -Path "$base\$protocol\Server" -Name "DisabledByDefault" -Value 1 -Type DWord
    New-Item -Path "$base\$protocol\Client" -Force | Out-Null
    Set-ItemProperty -Path "$base\$protocol\Client" -Name "Enabled" -Value 0 -Type DWord
    Set-ItemProperty -Path "$base\$protocol\Client" -Name "DisabledByDefault" -Value 1 -Type DWord
}

# Explicitly enable TLS 1.2 for both roles rather than relying on the OS default
foreach ($protocol in $enableProtocols) {
    New-Item -Path "$base\$protocol\Server" -Force | Out-Null
    Set-ItemProperty -Path "$base\$protocol\Server" -Name "Enabled" -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\$protocol\Server" -Name "DisabledByDefault" -Value 0 -Type DWord
    New-Item -Path "$base\$protocol\Client" -Force | Out-Null
    Set-ItemProperty -Path "$base\$protocol\Client" -Name "Enabled" -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\$protocol\Client" -Name "DisabledByDefault" -Value 0 -Type DWord
}
```
- Restart the computer to apply the changes.
To validate if the changes have been made, follow these steps:
- Open the Start Menu and search for Command Prompt.
- Right-click Command Prompt > Run as administrator.
- Type this command and press Enter:
```powershell
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
```
Method 2: Apply settings via Group Policy
There’s no native GPO setting that will allow you to enforce TLS versions. However, you can create the necessary Registry keys using Group Policies by following these steps:
- Open the Start Menu and search for Edit Group Policy to open the program.
- Navigate to this address: Computer Configuration > Preferences > Windows Settings > Registry.
- Using this path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, create the following keys:
- SSL 2.0 – Server – Enabled (DWORD) = 0
- SSL 2.0 – Server – DisabledByDefault (DWORD) = 1
- SSL 2.0 – Client – Enabled (DWORD) = 0
- SSL 2.0 – Client – DisabledByDefault (DWORD) = 1
- SSL 3.0 – Server – Enabled (DWORD) = 0
- SSL 3.0 – Server – DisabledByDefault (DWORD) = 1
- SSL 3.0 – Client – Enabled (DWORD) = 0
- SSL 3.0 – Client – DisabledByDefault (DWORD) = 1
- TLS 1.0 – Server – Enabled (DWORD) = 0
- TLS 1.0 – Server – DisabledByDefault (DWORD) = 1
- TLS 1.0 – Client – Enabled (DWORD) = 0
- TLS 1.0 – Client – DisabledByDefault (DWORD) = 1
- TLS 1.1 – Server – Enabled (DWORD) = 0
- TLS 1.1 – Server – DisabledByDefault (DWORD) = 1
- TLS 1.1 – Client – Enabled (DWORD) = 0
- TLS 1.1 – Client – DisabledByDefault (DWORD) = 1
- TLS 1.2 – Server – Enabled (DWORD) = 1
- TLS 1.2 – Server – DisabledByDefault (DWORD) = 0
- TLS 1.2 – Client – Enabled (DWORD) = 1
- TLS 1.2 – Client – DisabledByDefault (DWORD) = 0
💡Note: This is optional. You can go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings and modify the SSL Cipher Suite Order policy. Remove the weak and outdated ciphers to further strengthen your device security.
Method 3: Confirm TLS enforcement via PowerShell and logs
- Open the Start Menu and search for Windows PowerShell.
- Right-click Windows PowerShell > Run as administrator.
- To test the TLS connection, type this script and press Enter:
```powershell
# Restricts the current PowerShell session to TLS 1.2, then makes a test request
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://www.howsmyssl.com/a/check" -UseBasicParsing
```
- The response body is a JSON document. Check it to see the protocol version that was negotiated.
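The single-protocol test above only shows that TLS 1.2 works; it does not show that the legacy versions were actually turned off. The following added example (not part of the original article) tries each protocol version in turn against the same endpoint and reports which ones the client can still negotiate. It assumes outbound HTTPS access to www.howsmyssl.com and that the response contains a tls_version field; the function name is made up for this example.

```powershell
# Added example: probe one endpoint with each protocol version and report the outcome.
# Assumes the remote service answers with JSON containing a "tls_version" field.
function Test-TlsVersionEnforcement {
    param([string]$Uri = "https://www.howsmyssl.com/a/check")

    $saved = [Net.ServicePointManager]::SecurityProtocol   # restore at the end
    $results = @()
    foreach ($name in @("Tls", "Tls11", "Tls12")) {
        # Limit this process to exactly one protocol version per attempt
        [Net.ServicePointManager]::SecurityProtocol = [Enum]::Parse([Net.SecurityProtocolType], $name)
        try {
            $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop
            $json = $resp.Content | ConvertFrom-Json
            $results += [pscustomobject]@{ Requested = $name; Negotiated = $json.tls_version; Succeeded = $true }
        } catch {
            # With SSL/TLS 1.0/1.1 disabled in SCHANNEL, the Tls and Tls11 attempts land here.
            # A failure can also come from the remote server refusing old versions, so confirm
            # against an internal endpoint you control before drawing conclusions.
            $results += [pscustomobject]@{ Requested = $name; Negotiated = $null; Succeeded = $false }
        }
    }
    [Net.ServicePointManager]::SecurityProtocol = $saved
    return ,$results
}

$report = Test-TlsVersionEnforcement
$report | Format-Table -AutoSize

# Anything other than TLS 1.2 succeeding means the client can still negotiate a legacy version
$legacyStillWorks = $report | Where-Object { $_.Requested -ne "Tls12" -and $_.Succeeded }
if ($legacyStillWorks) { Write-Warning "Legacy TLS is still negotiable on this client" }
else { Write-Host "Only TLS 1.2 could be negotiated" }
```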
To check the logs using Event Viewer, follow these steps:
- Open the Start Menu and search for Event Viewer to open the program.
- Navigate to this address: Event Viewer > Windows Logs > System.
- Look for the logs that have an SChannel source.
- Under that, there should be logs with Event IDs 36874 and 36888 if there are failed or downgraded attempts.
To check the custom Registry key used to tag a device's TLS audit status (Method 4 shows how exceptions are written to it), follow these steps:
- Open the Start Menu and search for Command Prompt.
- Right-click Command Prompt > Run as administrator.
- Type this command and press Enter:
```powershell
reg query HKLM\SOFTWARE\Org\TLSAudit
```
Use an RMM tool to regularly scan for this key across your managed devices.
Method 4: Remediate or monitor applications still using legacy TLS
You can use Windows PowerShell to scan .NET applications for TLS enforcement by following these steps:
- Open the Start Menu and search for Windows PowerShell.
- Right-click Windows PowerShell > Run as administrator.
- Type this script and press Enter:
```powershell
# Search .config files under the IIS web root and Program Files for explicit protocol settings
Get-ChildItem -Path "C:\inetpub\wwwroot", "C:\Program Files" -Recurse -File -Include *.config -ErrorAction SilentlyContinue |
    Select-String -Pattern "SecurityProtocolType"
```
- This will display the application’s encryption protocol. Flag the applications that still use TLS 1.0/1.1.
- If there are exceptions to the TLS 1.2 requirement, you can log that information to the Windows Registry by applying this script:
```powershell
# Create the audit key first; Set-ItemProperty fails if the key does not exist yet
New-Item -Path "HKLM:\SOFTWARE\Org\TLSAudit" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\TLSAudit" -Name "Exceptions" -Value "LegacyBackupApp"
```
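The validation step in Method 1, the Registry check in Method 3 and the exception logging above can be combined into one audit that a RMM tool can run on a schedule. The following added example (not code from the original article) compares every SCHANNEL protocol key against the state Method 1 sets and records the result under the HKLM\SOFTWARE\Org\TLSAudit key the article queries. The Exceptions value and the LegacyBackupApp name come from the article; the function names and the Status, Findings and LastAudit value names are assumptions made for this example.

```powershell
# Added example: audit SCHANNEL protocol keys and tag the device with the result.
$ProtocolBase = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
$AuditKey     = "HKLM:\SOFTWARE\Org\TLSAudit"

# Expected Enabled / DisabledByDefault values, applied to both the Client and Server subkeys
$Expected = @{
    "SSL 2.0" = @{ Enabled = 0; DisabledByDefault = 1 }
    "SSL 3.0" = @{ Enabled = 0; DisabledByDefault = 1 }
    "TLS 1.0" = @{ Enabled = 0; DisabledByDefault = 1 }
    "TLS 1.1" = @{ Enabled = 0; DisabledByDefault = 1 }
    "TLS 1.2" = @{ Enabled = 1; DisabledByDefault = 0 }
}

function Get-SchannelFindings {
    $findings = @()
    foreach ($protocol in $Expected.Keys) {
        foreach ($side in @("Client", "Server")) {
            $path = Join-Path $ProtocolBase "$protocol\$side"
            foreach ($valueName in @("Enabled", "DisabledByDefault")) {
                # A missing key or value means Windows applies its built-in default, which is
                # not an explicit enforcement, so it is reported as a finding too.
                $actual = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
                $wanted = $Expected[$protocol][$valueName]
                if ($actual -ne $wanted) {
                    $shown = if ($null -eq $actual) { "<missing>" } else { $actual }
                    $findings += "$protocol\$side\$valueName = $shown (expected $wanted)"
                }
            }
        }
    }
    return ,$findings   # the comma keeps an empty result as an array
}

function Write-TlsAuditTag {
    param([string[]]$Findings, [string[]]$Exceptions = @())
    New-Item -Path $AuditKey -Force | Out-Null   # Set-ItemProperty fails if the key is absent
    $status = if ($Findings.Count -eq 0) { "Compliant" } else { "NonCompliant" }
    Set-ItemProperty -Path $AuditKey -Name "Status"     -Value $status
    Set-ItemProperty -Path $AuditKey -Name "Findings"   -Value ($Findings -join "; ")
    Set-ItemProperty -Path $AuditKey -Name "Exceptions" -Value ($Exceptions -join ",")
    Set-ItemProperty -Path $AuditKey -Name "LastAudit"  -Value (Get-Date -Format "o")
    return $status
}

$findings = Get-SchannelFindings
$findings | ForEach-Object { Write-Warning $_ }
Write-TlsAuditTag -Findings $findings -Exceptions @("LegacyBackupApp")
```

An RMM scan for Status = NonCompliant under HKLM\SOFTWARE\Org\TLSAudit then surfaces devices whose keys were never created or were reverted, which is the situation the Troubleshooting table below describes.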
⚠️ Troubleshooting
| Issue | Potential Consequences | Fix |
| --- | --- | --- |
| You experience app errors after you disable legacy encryption protocols. | You will not be able to use the application. | Re-enable the specific protocols those apps use for compatibility. |
| Registry keys are missing after restarting. | TLS enforcement will not be applied. | Verify GPO precedence and that there is no interference from local security software. |
| The PowerShell test fails. | You will still be using legacy encryption protocols. | Make sure that TLS 1.2 is supported in the environment, and that the script uses the correct .NET security protocol. |
| The server is not using TLS 1.2 even after updating. | You will still be using legacy encryption protocols. | Ensure that both the Client and Server registry paths are enforced. |
Additional considerations when enforcing TLS 1.2 and disabling legacy encryption protocols
- TLS 1.3 is available. However, it’s only supported in specific versions of Windows 10/11 and Windows Server 2022.
- Some applications don’t work if TLS 1.0/1.1 is disabled. Make sure to test things before finalizing the rollout.
- Make sure that the browsers also support and enforce TLS 1.2.
- Ensure that the TLS audit is included in your endpoint hardening checklist and quarterly business review documentation.
NinjaOne services for enabling TLS 1.2 and disabling legacy encryption protocols
NinjaOne can help enforce and validate TLS 1.2 compliance by:
| Feature | Benefit | Highlight |
| --- | --- | --- |
| Hardening scripts | NinjaOne can deploy PowerShell or Registry-based configurations. | This will enforce TLS 1.2 securely and consistently across devices. |
| Device tagging | Our tools can flag non-compliant endpoints. | This simplifies identification and remediation efforts. |
| Automated alerts | You can receive notifications about legacy TLS use or missing keys. | This reduces risk by enabling rapid response. |
| Reporting | You can generate tenant-wide compliance reports. | This streamlines audits and supports business reviews. |
Enable TLS 1.2 in all your managed devices and enforce best-practice security recommendations
Enforcing TLS 1.2+ and disabling insecure protocols strengthens endpoint security, supports compliance, and reduces attack surface. However, some applications may still need to use legacy encryption methods. It’s essential for administrators to properly monitor their managed devices and ensure that everything is meeting organization needs and requirements.