How to Enable TLS 1.2 on Windows Server 2008 R2 and IIS 7.5

Updated on March 23, 2018 by Rahul K.

Security, Windows Tutorials POODLE, tls, TLS 1.1, TLS 1.2

Nowadays there is an SSL vulnerability called POODLE discovered by Google team in SSLv3 protocol. So uses of SSLv3 is not secure to use. Now it’s recommended using TLS 1.2. This article will help you enable TLS security in Windows Server 2008 R2 or later versions by editing registry.

Step 1 – Backup Registry Settings

We strongly recommend taking a backup of the registry before making any changes. Use below link to find steps to how to export registry values.

Step 2 – Enable TLS 1.2 on Windows

You have two options to enable TLS version on your system.

Option 1 – Merge Resistry File

Download the Enable-TLS12-Windows.reg and Enable-TLS12-TLS11-Windows.reg files on your Windows system. Now right click on file and click Merge.

Option 2 – Manually Update Registry

You can do this by directly editing registry file manually.

2.1 Open registry on your server by running ‘regedit‘ in run window and navigate to below location.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

2.2 Add the TLS 1.1 and TLS 1.2 keys under Protocols. It will looks like directories.

2.3 Now create two keys Client and Server under both TLS keys.

2.4 Now create the DWORD Values under Server and Client key as following

  DisabledByDefault [Value = 0]
  Enabled [Value = 1]

Step 3 – Disable TLS and SSL Older Versions

3.1 Open registry on your server by running ‘regedit’ in run window and navigate to below location.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

3.2 Now change DWORD Values under Server and Client under TLS 1.0, SSL 3.0 and Older SSL version keys.

  DisabledByDefault [Value = 0]
  Enabled  [Value = 0]

After making all above setting reboot your server.

Rahul K.

I, Rahul Kumar am the founder and chief editor of TecAdmin.net. I am a Red Hat Certified Engineer (RHCE) and working as an IT professional since 2009..

16 Comments

JEFF Reply to JEFF
May 1, 2018 at 11:39 pm
The notion that setting the Enable key to 0x00000001 is absolutely incorrect. To activate the TLS setting, the Enable key must be set to 0xffffffff. This is the only way I could get it to function correctly
prat Reply to prat
March 19, 2018 at 11:34 pm
I have did exactly same on windows 2008R2 SP1 but to my surprise when i run wireshark logs i can see the communication still happens on tls 1.0. Why is it so ?
Ed Reply to Ed
June 10, 2016 at 3:47 pm
I am running Server 21012R2, and made all the suggested changes. Still, I get the handshake error when using Chrome. Is there anything else that must be done, downloaded, upgraded, whatever, to make Chrome work again?
- Ed Reply to Ed
  June 28, 2016 at 12:12 pm
  If, like me, after making the suggested registry edits, you continue to receive the handshake fallback error, this might help:
  https://support.microsoft.com/en-us/kb/2992611
  This is an update that came out in 2014, but had not been installed on my server. It is a fix to a vulnerability in SChannel. After installation, Chrome displays my site properly.
MpDay Reply to MpDay
December 10, 2015 at 11:27 pm
Ugo Meex, you have made my day! This is the official Golden TIP of the month! Took me 4 days to investigate why Windows 10 1511 (fall update) clients couldn’t connect to our RADIUS Wi-Fi network anymore. With your tool, it took me 3 mouse clicks and 1 reboot…. everything solved.
curly Reply to curly
May 13, 2015 at 4:28 pm
It should be made very clear that this works for Server 2008 R2 and later, but *will not* work for “Server 2008” (which also means, it will not work for SBS 2008 either). Unfortunately, the article title is misleading; TLS 1.1/1.2 are not supported prior to Server 2008R2 and SBS 2011 on the server side.
Ugo Meex Reply to Ugo
April 30, 2015 at 2:49 am
While this article is certainly very useful, in a windows environment it would be far easier to use the IISCrypto tool by Nartac Software. It’s small, it’s free, it’s easy to use.
Rather than having to read and edit the registry, this utility gives you a GUI to make these changes.
It also offers 1 click config for: Best practices, PCI and FIPS 140-2
https://www.nartac.com/Products/IISCrypto/
Same result, but faster and certainly easier. 🙂
Mike Varga Reply to Mike
March 4, 2015 at 8:23 pm
These instructions have been tested as incomplete… They do not disable the protocols properly… We’ve used the following script to resolve the issue successfully…
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Client]
“DisabledByDefault”=dword:00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Server]
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Client]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Server]
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Client]
“Enabled”=dword:00000001
“DisabledByDefault”=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Server]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Client]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Server]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Client]
“Enabled”=dword:00000000
“DisabledByDefault”=dword:00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Server]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
- Payton Reply to Payton
  April 6, 2016 at 5:42 pm
  Your script does the exact same thing as the manual instructions listed in this article, how is it incomplete?
  - Kris Reply to Kris
    June 27, 2016 at 9:54 am
    for ssl 2.0 you have DisabledByDefault [Value = 0] but the script does “DisabledByDefault”=dword:00000001
    - Vikas Reply to Vikas
      June 29, 2016 at 5:54 pm
      I ran this script and it did nothing. I have Server 2008 R2. FYI, I do not have TSL 1.0 and 2.0 but if I am not wrong this script should create entries for these.
      Thanks
Ken Nelson Reply to Ken
January 15, 2015 at 9:24 pm
This will not work on Windows Server 2008 SP2 but does work on Windows Server 2008 R2.
TLS 1.1 and TLS 1.2 does not seem to come with Windows Server 2008 SP2, a bit of an issue for me.
Greg Reply to Greg
December 22, 2014 at 8:48 pm
Hi Rahul, thanks for this. Shouldn’t your Step 3.2 be: DisabledByDefault [Value = 1] rather than [Value = 0] to disable by default?
- Ryan Reply to Ryan
  December 26, 2014 at 3:02 pm
  Greg,
  No. By setting the value of DisabledByDefault to 1, you are making the value true, thus disabling the protocol “by default”.
  - Payton Reply to Payton
    April 6, 2016 at 5:46 pm
    Isn’t disabling the SSL protocols by default exactly what is wanted?
Moe Reply to Moe
December 13, 2014 at 3:53 pm
Will this instruction to add TLS 1.1 and TLS 1.2 work on Windows 2008 Standard version?