We have covered how to enable TLS 1.2 and TLS 1.3 on Windows Server in the previous post. That lets you know how to enable TLS protocols on a Windows Server locally. If you try enabling TLS on all the servers one after another, it may sound like an uphill task. In such a case, it could be implemented using Active Directory’s Group Policies. We have created this post to let you know how to enable TLS 1.2 and TLS 1.3 via Group Policy. Since TLS 1.3 doesn’t support other than Windows 11 and Windows Server 2022, implement TLS 1.3 only to Windows 11 and Windows Server 2022 operating systems.
Without further due, let’s see how to enable TLS 1.2 and TLS 1.3 via Group Policy.
Time needed: 15 minutes.
- Open regedit utility
Open Group Policy Management (gpmc.msc) in a Domain Controller.
- Creating a GPO in the Domain Controller
Navigate to the OU where Policy to be linked and right click and select ‘Create a GP in this domain and Link it here’; In this demo selecting ‘Domain Controllers’ OU.
- Rename the GPO to ‘Enable_TLS 1.2_TLS 1.3’
Name the New GPO and click on ‘OK’; this creates a New GP which is linked to the OU.
- Edit the ‘Enable_TLS 1.2_TLS 1.3’ GPO
Right-click the Policy and click on ‘Edit’.
- Create Registry Item in Group Policy
Navigate to Computer Configurations –> Preferences –> Windows Settings –> Registry in Group Policy.
Create new Registry by Right click on the blank space and select New –> Registry Item
- Update Registry Properties
In new Registry Properties update the details as below and click on ‘OK’.
Key Path: SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Value name: Enabled
Value type: REG_DWORD
Value data: 1
- [OPTIONAL] Commands to create Registry Item in Group Policy
Create few more keys. Well, you can create the way shown in the above steps or you can also use commands to create the new registry items.
– Create a key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisableByDefault’ and set the value as ‘0’
– Create a key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled’ and set the value as ‘1’
– Create a key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\DisableByDefault’ and set the value as ‘0’
– Create a key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters\EnableHttp3’ and set the value as ‘1’
- [OPTIONAL] List of Registry Item in Group Policy
The image shows the list of Registry items created in Group Policy.
We hope this post will help you know how to enable TLS 1.2 and TLS 1.3 via Group Policy to enhance the security of your infrastructure. Please share this post if you find this interested. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.