How to enable TLS 1.2 for Windows 7

To enable TLS 1.2 for Windows 7, you will need to patch your system and modify the registry. Make sure your system is fully updated through Windows Update, then download and install the patch from Microsoft's website.


About this update



Applications and services that are written by using WinHTTP for Secure Sockets Layer (SSL) connections that use the WINHTTP_OPTION_SECURE_PROTOCOLS flag can't use TLS 1.1 or TLS 1.2 protocols. This is because the definition of this flag doesn't include these applications and services.

This update adds support for DefaultSecureProtocols registry entry that allows the system administrator to specify which SSL protocols should be used when the WINHTTP_OPTION_SECURE_PROTOCOLS flag is used.

This can allow certain applications that were built to use the WinHTTP default flag to be able to leverage the newer TLS 1.2 or TLS 1.1 protocols natively without any need for updates to the application.

This is the case for some Microsoft Office applications when they open documents from a SharePoint library or a Web Folder, IP-HTTPS tunnels for DirectAccess connectivity, and other applications by using technologies such as WebClient by using WebDav, WinRM, and others.

This update requires that the Secure Channel (Schannel) component in Windows 7 be configured to support TLS 1.1 and 1.2. As these protocol versions are not enabled by default in Windows 7, you must configure the registry settings to ensure Office applications can successfully use TLS 1.1 and 1.2.

This update will not change the behavior of applications that are manually setting the secure protocols instead of passing the default flag.


Method 1: Windows Update



1. Click Start, type update in the search box, and in the list of results, click Windows Update.
2. In the details pane, click Check for updates and then wait while Windows looks for the latest updates for your computer.
3. If you see a message telling you that important or optional updates are available, or telling you to review important or optional updates, click the message to view the updates to install.
4. In the list, select the check box for the updates that you want to install, click OK, and then click Install updates.


Prerequisites



To apply this update, you must install Service Pack 1 for Windows 7. See the following KB article for details.

https://support.microsoft.com/en-us/topic/information-about-service-pack-1-for-windows-7-and-for-windows-server-2008-r2-df044624-55b8-3a97-de80-5d99cb689063


Registry information



To apply this update, the DefaultSecureProtocols registry subkey must be added.
Note: To do this, you can add the registry subkey manually or install the "Easy fix" to populate the registry subkey.


How to add the registry subkey manually



Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. See the following KB article for how to back up and restore the registry.

https://support.microsoft.com/en-us/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692

When an application specifies WINHTTP_OPTION_SECURE_PROTOCOLS, the system checks for the DefaultSecureProtocols registry entry and, if it is present, overrides the default protocols specified by WINHTTP_OPTION_SECURE_PROTOCOLS with the protocols specified in the registry entry. If the registry entry is not present, WinHTTP uses the existing operating system defaults for WINHTTP_OPTION_SECURE_PROTOCOLS. These WinHTTP defaults follow the existing precedence rules and are overruled by SCHANNEL disabled protocols and protocols set per application by WinHttpSetOption.

The DefaultSecureProtocols registry entry can be added in the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

The registry value is a DWORD bitmap. The value to use is determined by adding the values corresponding to the protocols desired.





For example:

The administrator wants to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS to specify TLS 1.1 and TLS 1.2.

Take the value for TLS 1.1 (0x00000200) and the value for TLS 1.2 (0x00000800), then add them together in calculator (in programmer mode), and the resulting registry value would be 0x00000A00.



Easy fix



Use the following link to download the Easy fix.



https://download.microsoft.com/download/0/6/5/0658B1A7-6D2E-474F-BC2C-D69E5B9E9A68/MicrosoftEasyFix51044.msi

After downloading, click Run or Open, and then follow the steps in the easy fix wizard.


Enable TLS 1.1 and 1.2 on Windows 7



For TLS 1.1 and 1.2 to be enabled and negotiated on Windows 7, you MUST create the "DisabledByDefault" entry in the appropriate subkey (Client) and set it to "0". These subkeys do not exist in the registry by default, because these protocols are disabled by default.

Create the necessary subkeys for TLS 1.1 and 1.2, then create the DisabledByDefault DWORD values and set them to 0 in the following locations:

For TLS 1.1
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
DWORD name: DisabledByDefault
DWORD value: 0



For TLS 1.2
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
DWORD name: DisabledByDefault
DWORD value: 0

You may have to restart the computer after you apply this update.
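
The manual registry steps above can be applied and checked in one pass. The following PowerShell script is an added example, not part of the original article or of Microsoft's update; the helper name Set-Dword is hypothetical, and the script assumes an elevated 64-bit PowerShell session on a system where the update is already installed.

```powershell
# Added example: applies the registry values described in this article,
# then reads them back. Compatible with PowerShell 2.0 (Windows 7 default).
# On x64, run from 64-bit PowerShell so registry paths are not redirected.

# Protocol bit values quoted in the article
$TLS11 = 0x00000200
$TLS12 = 0x00000800
$mask  = $TLS11 -bor $TLS12          # 0x00000A00

# Hypothetical helper: create the key if it is missing, then set a DWORD.
function Set-Dword($Path, $Name, $Value) {
    # Test-Path guard matters: New-Item -Force on an existing key resets it.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

# WinHTTP: native path, plus the Wow6432Node path on x64-based computers
$winHttp = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $winHttp += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
}
foreach ($p in $winHttp) { Set-Dword $p 'DefaultSecureProtocols' $mask }

# Schannel: the Client subkeys for TLS 1.1 and TLS 1.2 are absent by default
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$clients  = @("$schannel\TLS 1.1\Client", "$schannel\TLS 1.2\Client")
foreach ($p in $clients) { Set-Dword $p 'DisabledByDefault' 0 }

# Read back what is now in the registry and decode the WinHTTP bitmap
foreach ($p in $winHttp) {
    $v = (Get-ItemProperty -Path $p).DefaultSecureProtocols
    '{0} DefaultSecureProtocols = 0x{1:X8} (TLS 1.1: {2}, TLS 1.2: {3})' -f `
        $p, $v, [bool]($v -band $TLS11), [bool]($v -band $TLS12)
}
foreach ($p in $clients) {
    '{0} DisabledByDefault = {1}' -f $p, (Get-ItemProperty -Path $p).DisabledByDefault
}
```

The read-back section can be run on its own, after defining `$TLS11`, `$TLS12`, `$winHttp` and `$clients`, to audit a machine without changing it.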

