Enable TLS 1.1 and TLS 1.2 support in SharePoint Server 2010

 

Applies to: SharePoint Foundation 2010, SharePoint Server 2010

Summary: This article describes how to enable Transport Layer Security (TLS) protocol versions 1.1 and 1.2 in a SharePoint 2010 environment.

SharePoint 2010 can support Transport Layer Security (TLS) encryption protocol versions 1.1 and 1.2.

However, TLS protocol version 1.1 and 1.2 support is not enabled by default in Microsoft SharePoint 2010 Products. To enable support, you'll have to install updates and change configuration settings once in each of the following locations:

1. SharePoint servers in your SharePoint farm

2. Microsoft SQL Servers in your SharePoint farm

3. Client computers used to access your SharePoint sites

Summary of the update process

The following image shows the three step process necessary to enable TLS 1.1 and TLS 1.2 support on your SharePoint servers, SQL Servers, and client computers.

Step 1: Update SharePoint servers in your SharePoint farm

Follow these steps to update your SharePoint server.

Steps for SharePoint Server	Windows Server 2008 R2	Windows Server 2012	Windows Server 2012 R2
1.1 - Enable TLS 1.1 and TLS 1.2 in Windows Schannel	Required	N/A	N/A
1.2 - Enable TLS 1.1 and TLS 1.2 support in WinHTTP	Required	Required	N/A
1.3 - Enable TLS 1.1 and TLS 1.2 support in Internet Explorer	Required	Required	N/A
1.4 - Install SQL Server 2008 Native Client update for TLS 1.2 support	Required	Required	Required
1.5 - Install ADO.NET 2.0 SP2 update for TLS 1.1 and TLS 1.2 support	Required	Required	Required
1.6 - Install .NET Framework 3.5 update for TLS 1.1 and TLS 1.2 support	Required	Required	Required
The following step is recommended. Although not directly required by SharePoint 2010, this step may be necessary for other software that integrates with SharePoint 2010.
1.7 - Enable strong cryptography in .NET Framework 3.5	Recommended	Recommended	Recommended
The following step is optional. You may choose to run this step based on your organization's security and compliance requirements.
1.8 - Disable earlier versions of SSL and TLS in Windows Schannel	Optional	Optional	Optional

1.1 - Enable TLS 1.1 and TLS 1.2 in Windows Schannel

SSL and TLS support are enabled or disabled in Windows Schannel by editing the Windows Registry. Each SSL and TLS protocol version can be enabled or disabled independently. You don't need to enable or disable one protocol version to enable or disable another protocol version.

The Enabled registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, it will use a default value determined by the operating system.

The DisabledByDefault registry value defines whether the protocol version is used by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be used by default. If the value is set to 1, the protocol version will not be used by default. If the value is not defined, it will use a default value determined by the operating system.

To enable TLS 1.1 support in Windows Schannel

1. From Notepad.exe, create a text file named tls11-enable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
   "DisabledByDefault"=dword:00000000
   "Enabled"=dword:00000001
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
   "DisabledByDefault"=dword:00000000
   "Enabled"=dword:00000001
   

3. Save the tls11-enable.reg file.

4. Double-click the tls11-enable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

To enable TLS 1.2 support in Windows Schannel

1. From Notepad.exe, create a text file named tls12-enable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
   "DisabledByDefault"=dword:00000000
   "Enabled"=dword:00000001
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
   "DisabledByDefault"=dword:00000000
   "Enabled"=dword:00000001
   

3. Save the tls12-enable.reg file.

4. Double-click the tls12-enable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

1.2 - Enable TLS 1.1 and TLS 1.2 support in WinHTTP

WinHTTP doesn't inherit its SSL and TLS encryption protocol version defaults from the Windows Schannel DisabledByDefault registry value. WinHTTP uses its own SSL and TLS encryption protocol version defaults, which vary by operating system. To override the defaults, you must install a KB update and configure Windows Registry keys.

The WinHTTP DefaultSecureProtocols registry value is a bit field that accepts multiple values by adding them together into a single value. You can use the Windows Calculator program (Calc.exe) in Programmer mode to add the following hexadecimal values as desired.

DefaultSecureProtocols value	Description
0x00000008	Enable SSL 2.0 by default
0x00000020	Enable SSL 3.0 by default
0x00000080	Enable TLS 1.0 by default
0x00000200	Enable TLS 1.1 by default
0x00000800	Enable TLS 1.2 by default

For example, you can enable TLS 1.0, TLS 1.1, and TLS 1.2 by default by adding the values 0x00000080, 0x00000200, and 0x00000800 together to form the value 0x00000A80.

To install the WinHTTP KB update, follow the instructions from the KB article Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows

To enable TLS 1.0, TLS 1.1, and TLS 1.2 by default in WinHTTP

1. From Notepad.exe, create a text file named winhttp-tls10-tls12-enable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
   "DefaultSecureProtocols"=dword:00000A80
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
   "DefaultSecureProtocols"=dword:00000A80
   

3. Save the winhttp-tls10-tls12-enable.reg file.

4. Double-click the winhttp-tls10-tls12-enable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

1.3 - Enable TLS 1.1 and TLS 1.2 support in Internet Explorer

Internet Explorer versions earlier than Internet Explorer 11 did not enable TLS 1.1 or TLS 1.2 support by default. Support for TLS 1.1 and TLS 1.2 is enabled by default starting with Internet Explorer 11.

To enable TLS 1.1 and TLS 1.2 support in Internet Explorer

1. From Internet Explorer, click Tools > Internet Options > Advanced or click >Internet Options > Advanced.

2. In the Security section, verify that the following check boxes are selected, if not click the following check boxes:

   • Use TLS 1.1

   • Use TLS 1.2

3. Optionally, if you want to disable support for earlier security protocol versions, uncheck the following check boxes:

   • Use SSL 2.0

   • Use SSL 3.0

   • Use TLS 1.0

     Note

     Disabling TLS 1.0 may cause compatibility issues with sites that don't support newer security protocol versions. Customers should test this change before performing it in production.

4. Click OK.

1.4 - Install SQL Server 2008 Native Client update for TLS 1.2 support

The SQL Server 2008 Native Client doesn't support TLS 1.1 or TLS 1.2 by default. You must install the SQL Server 2008 Native Client update for TLS 1.2 support.

To install the SQL Server 2008 Native Client update, see SQL 2008 and 2008 R2 TLS 1.2 SQL Native Client updates not available in Windows Catalog

1.5 - Install ADO.NET 2.0 SP2 update for TLS 1.1 and TLS 1.2 support

ADO.NET in .NET Framework 2.0 SP2 doesn't support connecting to Microsoft SQL Server by using TLS 1.1 or TLS 1.2 by default. To add support for TLS 1.1 and TLS 1.2, you must install a KB update.

For Windows Server 2008 R2

Download and install KB update 3106991, see Hotfix rollup 3106991 for the .NET Framework 2.0 SP2 in Windows Server 2008 R2 SP1 and Windows 7 SP1

For Windows Server 2012

Download and install KB update 3106992, see Hotfix rollup 3106992 for the .NET Framework 2.0 SP2 on Windows Server 2012 and Windows 8

For Windows Server 2012 R2

Download and install KB update 3106993, see Hotfix rollup 3106993 for the .NET Framework 2.0 SP2 in Windows Server 2012 R2 and Windows 8.1

1.6 - Install .NET Framework 3.5 update for TLS 1.1 and TLS 1.2 support

.NET Framework 3.5 doesn't support TLS 1.1 or TLS 1.2 by default. To add support for TLS 1.1 and TLS 1.2, you must install a KB update, and then manually configure Windows Registry keys.

The SystemDefaultTlsVersions registry value defines which security protocol version defaults will be used by .NET Framework 3.5. If the value is set to 0, .NET Framework 3.5 will default to SSL 3.0 or TLS 1.0. If the value is set to 1, .NET Framework 3.5 will inherit its defaults from the Windows Schannel DisabledByDefault registry values. If the value is undefined, it will behave as if the value is set to 0.

For Windows Server 2008 R2

1. To install the .NET Framework 3.5.1 update for Windows Server 2008 R2, see the KB article Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1

2. After the KB update is installed, manually configure the registry keys.

For Windows Server 2012

1. To install the .NET Framework 3.5 update for Windows Server 2012, see the KB article Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows Server 2012

2. After the KB update is installed, manually configure the registry keys.

For Windows Server 2012 R2

1. To install the .NET Framework 3.5 SP1 update for Windows Server 2012 R2, see the KB article Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2

2. After the KB update is installed, manually configure the registry keys.

To manually configure the registry keys, do the following:

1. From Notepad.exe, create a text file named net35-tls12-enable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
   "SystemDefaultTlsVersions"=dword:00000001
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
   "SystemDefaultTlsVersions"=dword:00000001
   

3. Save the net35-tls12-enable.reg file.

4. Double-click the net35-tls12-enable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

1.7 - Enable strong cryptography in .NET Framework 3.5

The SchUseStrongCrypto registry value restricts the use of encryption algorithms with TLS that are considered weak such as RC4.

Microsoft has released an optional security update for .NET Framework 3.5 that will automatically configure the Windows Registry keys for you.

For Windows Server 2008 R2

To enable strong cryptography in .NET Framework 3.5.1 on Windows Server 2008 R2, see the KB article Description of the security update for the .NET Framework 3.5.1 on Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: May 13, 2014

For Windows Server 2012

To enable strong cryptography in .NET Framework 3.5 on Windows Server 2012, see the KB article Description of the security update for the .NET Framework 3.5 on Windows 8 and Windows Server 2012: May 13, 2014

For Windows Server 2012 R2

To enable strong cryptography in .NET Framework 3.5 on Windows Server 2012 R2 see the KB article Description of the security update for the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2: May 13, 2014

1.8 - Disable earlier versions of SSL and TLS in Windows Schannel

SSL and TLS support are enabled or disabled in Windows Schannel by editing the Windows Registry. Each SSL and TLS protocol version can be enabled or disabled independently. You don't need to enable or disable one protocol version to enable or disable another protocol version.

The Enabled registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, it will use a default value determined by the operating system.

The DisabledByDefault registry value defines whether the protocol version is used by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be used by default. If the value is set to 1, the protocol version will not be used by default. If the value is not defined, it will use a default value determined by the operating system.

To disable SSL 2.0 support in Windows Schannel

1. From Notepad.exe, create a text file named ssl20-disable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   

3. Save the ssl20-disable.reg file.

4. Double-click the ssl20-disable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

To disable SSL 3.0 support in Windows Schannel

1. From Notepad.exe, create a text file named ssl30-disable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   

3. Save the ssl30-disable.reg file.

4. Double-click the ssl30-disable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

To disable TLS 1.0 support in Windows Schannel

1. From Notepad.exe, create a text file named tls10-disable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   

3. Save the tls10-disable.reg file.

4. Double-click the tls10-disable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

To disable TLS 1.1 support in Windows Schannel

1. From Notepad.exe, create a text file named tls11-disable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   

3. Save the tls11-disable.reg file.

4. Double-click the tls11-disable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

Step 2: Update your Microsoft SQL Servers in your SharePoint farm

Follow these steps to update your SQL Servers in your SharePoint farm.

Steps for your SQL Servers	Windows Server 2008 R2	Windows Server 2012	Windows Server 2012 R2
2.1 - Enable TLS 1.1 and TLS 1.2 in Windows Schannel	Required	N/A	N/A
2.2 - Enable TLS 1.1 and TLS 1.2 support in Microsoft SQL Server	Required	Required	Required
The following step is optional. Run this step depending on your organization's security and compliance requirements.
2.3 - Disable earlier versions of SSL and TLS in Windows Schannel	Optional	Optional	Optional

2.1 - Enable TLS 1.1 and TLS 1.2 in Windows Schannel

SSL and TLS support are enabled or disabled in Windows Schannel by editing the Windows Registry. Each SSL and TLS protocol version can be enabled or disabled independently. You don't need to enable or disable one protocol version to enable or disable another protocol version.

The Enabled registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, it will use a default value determined by the operating system.

The DisabledByDefault registry value defines whether the protocol version is used by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be used by default. If the value is set to 1, the protocol version will not be used by default. If the value is not defined, it will use a default value determined by the operating system.

To enable TLS 1.1 support in Windows Schannel

1. From Notepad.exe, create a text file named tls11-enable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
   "DisabledByDefault"=dword:00000000
   "Enabled"=dword:00000001
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
   "DisabledByDefault"=dword:00000000
   "Enabled"=dword:00000001
   

3. Save the tls11-enable.reg file.

4. Double-click the tls11-enable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

To enable TLS 1.2 support in Windows Schannel

1. From Notepad.exe, create a text file named tls12-enable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
   "DisabledByDefault"=dword:00000000
   "Enabled"=dword:00000001
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
   "DisabledByDefault"=dword:00000000
   "Enabled"=dword:00000001
   

3. Save the tls12-enable.reg file.

4. Double-click the tls12-enable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

2.2 - Enable TLS 1.1 and TLS 1.2 support in Microsoft SQL Server

SQL Server versions earlier than SQL Server 2016 don't support TLS 1.1 or TLS 1.2 by default. To add support for TLS 1.1 and TLS 1.2, you must install updates for SQL Server.

To enable TLS 1.1 and TLS 1.2 support in SQL Server, follow the instructions from the KB article TLS 1.2 support for Microsoft SQL Server

2.3 - Disable earlier versions of SSL and TLS in Windows Schannel

SSL and TLS support are enabled or disabled in Windows Schannel by editing the Windows Registry. Each SSL and TLS protocol version can be enabled or disabled independently. You don't need to enable or disable one protocol version to enable or disable another protocol version.

The Enabled registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, it will use a default value determined by the operating system.

The DisabledByDefault registry value defines whether the protocol version is used by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be used by default. If the value is set to 1, the protocol version will not be used by default. If the value is not defined, it will use a default value determined by the operating system.

To disable SSL 2.0 support in Windows Schannel

1. From Notepad.exe, create a text file named ssl20-disable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   

3. Save the ssl20-disable.reg file.

4. Double-click the ssl20-disable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

To disable SSL 3.0 support in Windows Schannel

1. From Notepad.exe, create a text file named ssl30-disable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   

3. Save the ssl30-disable.reg file.

4. Double-click the ssl30-disable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

To disable TLS 1.0 support in Windows Schannel

1. From Notepad.exe, create a text file named tls10-disable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   

3. Save the tls10-disable.reg file.

4. Double-click the tls10-disable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

To disable TLS 1.1 support in Windows Schannel

1. From Notepad.exe, create a text file named tls11-disable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   

3. Save the tls11-disable.reg file.

4. Double-click the tls11-disable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

Step 3: Update your client computers used to access your SharePoint sites

Follow these steps to update your client computers that access your SharePoint site.

Steps for your client computers	Windows 7	Windows 8.1	Windows 10
3.1 - Enable TLS 1.1 and TLS 1.2 in Windows Schannel	Required	N/A	N/A
3.2 Enable TLS 1.1 and TLS 1.2 support in WinHTTP	Required	N/A	N/A
3.3 - Enable TLS 1.1 and TLS 1.2 support in Internet Explorer	Required	N/A	N/A
3.4 - Install .NET Framework 3.5 update for TLS 1.1 and TLS 1.2 support	Required	Required	Required
The following step is recommended. Although not directly required by SharePoint 2010, this step may be necessary for other software that integrates with SharePoint 2010.
3.5 - Enable strong cryptography in .NET Framework 3.5	Recommended	Recommended	Recommended
The following step is optional. You may choose to run this step based on your organization's security and compliance requirements.
3.6 - Disable earlier versions of SSL and TLS in Windows Schannel	Optional	Optional	Optional

3.1 - Enable TLS 1.1 and TLS 1.2 in Windows Schannel

SSL and TLS support are enabled or disabled in Windows Schannel by editing the Windows Registry. Each SSL and TLS protocol version can be enabled or disabled independently. You don't need to enable or disable one protocol version to enable or disable another protocol version.

The Enabled registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, it will use a default value determined by the operating system.

The DisabledByDefault registry value defines whether the protocol version is used by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be used by default. If the value is set to 1, the protocol version will not be used by default. If the value is not defined, it will use a default value determined by the operating system.

To enable TLS 1.1 support in Windows Schannel

1. From Notepad.exe, create a text file named tls11-enable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
   "DisabledByDefault"=dword:00000000
   "Enabled"=dword:00000001
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
   "DisabledByDefault"=dword:00000000
   "Enabled"=dword:00000001
   

3. Save the tls11-enable.reg file.

4. Double-click the tls11-enable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

To enable TLS 1.2 support in Windows Schannel

1. From Notepad.exe, create a text file named tls12-enable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
   "DisabledByDefault"=dword:00000000
   "Enabled"=dword:00000001
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
   "DisabledByDefault"=dword:00000000
   "Enabled"=dword:00000001
   

3. Save the tls12-enable.reg file.

4. Double-click the tls12-enable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

3.2 Enable TLS 1.1 and TLS 1.2 support in WinHTTP

WinHTTP doesn't inherit its SSL and TLS encryption protocol version defaults from the Windows Schannel DisabledByDefault registry value. WinHTTP uses its own SSL and TLS encryption protocol version defaults, which vary by operating system. To override the defaults, you must install a KB update and configure Windows Registry keys.

The WinHTTP DefaultSecureProtocols registry value is a bit field that accepts multiple values by adding them together into a single value. You can use the Windows Calculator program (Calc.exe) in Programmer mode to add the following hexadecimal values as desired.

DefaultSecureProtocols value	Description
0x00000008	Enable SSL 2.0 by default
0x00000020	Enable SSL 3.0 by default
0x00000080	Enable TLS 1.0 by default
0x00000200	Enable TLS 1.1 by default
0x00000800	Enable TLS 1.2 by default

For example, you can enable TLS 1.0, TLS 1.1, and TLS 1.2 by default by adding the values 0x00000080, 0x00000200, and 0x00000800 together to form the value 0x00000A80.

To install the WinHTTP KB update, follow the instructions from the KB article Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows

To enable TLS 1.0, TLS 1.1, and TLS 1.2 by default in WinHTTP

1. From Notepad.exe, create a text file named winhttp-tls10-tls12-enable.reg.

2. Copy, and then paste the following text.

   For 64-bit operating system

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
   "DefaultSecureProtocols"=dword:00000A80
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
   "DefaultSecureProtocols"=dword:00000A80
   

   For 32-bit operating system

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
   "DefaultSecureProtocols"=dword:00000A80
   

3. Save the winhttp-tls10-tls12-enable.reg file.

4. Double-click the winhttp-tls10-tls12-enable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

3.3 - Enable TLS 1.1 and TLS 1.2 support in Internet Explorer

Internet Explorer versions earlier than Internet Explorer 11 did not enable TLS 1.1 or TLS 1.2 support by default. Support for TLS 1.1 and TLS 1.2 is enabled by default starting with Internet Explorer 11.

To enable TLS 1.1 and TLS 1.2 support in Internet Explorer

1. From Internet Explorer, click Tools > Internet Options > Advanced or click >Internet Options > Advanced.

2. In the Security section, verify that the following check boxes are selected. If not, click the following check boxes:

   • Use TLS 1.1

   • Use TLS 1.2

3. Optionally, if you want to disable support for earlier security protocol versions, uncheck the following check boxes:

   • Use SSL 2.0

   • Use SSL 3.0

   • Use TLS 1.0

     Note

     Disabling TLS 1.0 may cause compatibility issues with sites that don't support newer security protocol versions. Customers should test this change before performing it in production.

4. Click OK.

3.4 - Install .NET Framework 3.5 update for TLS 1.1 and TLS 1.2 support

.NET Framework 3.5 doesn't support TLS 1.1 or TLS 1.2 by default. To add support for TLS 1.1 and TLS 1.2, you must install a KB update, and then manually configure Windows Registry keys for each of the operating systems listed in this section.

The SystemDefaultTlsVersions registry value defines which security protocol version defaults will be used by .NET Framework 3.5. If the value is set to 0, .NET Framework 3.5 will default to SSL 3.0 or TLS 1.0. If the value is set to 1, .NET Framework 3.5 will inherit its defaults from the Windows Schannel DisabledByDefault registry values. If the value is undefined, it will behave as if the value is set to 0.

To enable .NET Framework 3.5 to inherit its encryption protocol defaults from Windows

Windows 7 and Windows Server 2008 R2

1. To install the .NET Framework 3.5.1 update for Windows 7 and Windows Server 2008 R2, see the KB article Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1 .

2. After the KB update is installed, manually configure the registry keys.

For Windows Server 2012

1. To install the .NET Framework 3.5 update for Windows Server 2012, see the KB article Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows Server 2012

2. After the KB update is installed, manually configure the registry keys.

Windows 8.1 and Windows Server 2012 R2

1. To install the .NET Framework 3.5 SP1 update for Windows 8.1 and Windows Server 2012 R2, see the KB article Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2

2. After the KB update is installed, manually configure the registry keys.

Windows 10 (Version 1507)

• This functionality is not available in Windows 10 Version 1507. You must upgrade to Windows 10 Version 1511, and then install the Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016, or upgrade to Windows 10 Version 1607 or higher.

Windows 10 (Version 1511)

1. To install the Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016, see Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016.

2. After the KB update is installed, manually configure the registry keys.

Windows 10 (Version 1607) and Windows Server 2016

No update needs to be installed. Configure the Windows Registry keys as described below.

To manually configure the registry keys, do the following:

1. From Notepad.exe, create a text file named net35-tls12-enable.reg.

2. Copy, and then paste the following text.

   For 64-bit operating system

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
   "SystemDefaultTlsVersions"=dword:00000001
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
   "SystemDefaultTlsVersions"=dword:00000001
   

   For 32-bit operating system

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
   "SystemDefaultTlsVersions"=dword:00000001
   

3. Save the net35-tls12-enable.reg file.

4. Double-click the net35-tls12-enable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

3.5 - Enable strong cryptography in .NET Framework 3.5

The SchUseStrongCrypto registry value restricts the use of encryption algorithms with TLS that are considered weak such as RC4.

Microsoft has released an optional security update for .NET Framework 3.5 on pre-Windows 10 operating systems that will automatically configure the Windows Registry keys for you. No updates are available for Windows 10. You must manually configure the Windows Registry keys on Windows 10.

Windows 7 and Windows Server 2008 R2

To enable strong cryptography in .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2, see the KB article Description of the security update for the .NET Framework 3.5.1 on Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: May 13, 2014

For Windows Server 2012

To enable strong cryptography in .NET Framework 3.5 on Windows Server 2012, see the KB article Description of the security update for the .NET Framework 3.5 on Windows 8 and Windows Server 2012: May 13, 2014

Windows 8.1 and Windows Server 2012 R2

To enable strong cryptography in .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 see the KB article Description of the security update for the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2: May 13, 2014

To enable strong cryptography in .NET Framework 3.5 on Windows 10 and Windows Server 2016

1. From Notepad.exe, create a text file named net35-strong-crypto-enable.reg.

2. Copy, and then paste the following text.

   For 64-bit operating system

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
   "SchUseStrongCrypto"=dword:00000001
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
   "SchUseStrongCrypto"=dword:00000001
   

   For 32-bit operating system

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
   "SchUseStrongCrypto"=dword:00000001
   

3. Save the net35-strong-crypto-enable.reg file.

4. Double-click the net35-strong-crypto-enable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

3.6 - Disable earlier versions of SSL and TLS in Windows Schannel

SSL and TLS support are enabled or disabled in Windows Schannel by editing the Windows Registry. Each SSL and TLS protocol version can be enabled or disabled independently. You don't need to enable or disable one protocol version to enable or disable another protocol version.

The Enabled registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, it will use a default value determined by the operating system.

The DisabledByDefault registry value defines whether the protocol version is used by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be used by default. If the value is set to 1, the protocol version will not be used by default. If the value is not defined, it will use a default value determined by the operating system.

To disable SSL 2.0 support in Windows Schannel

1. From Notepad.exe, create a text file named ssl20-disable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   

3. Save the ssl20-disable.reg file.

4. Double-click the ssl20-disable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

To disable SSL 3.0 support in Windows Schannel

1. From Notepad.exe, create a text file named ssl30-disable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   

3. Save the ssl30-disable.reg file.

4. Double-click the ssl30-disable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

To disable TLS 1.0 support in Windows Schannel

1. From Notepad.exe, create a text file named tls10-disable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   

3. Save the tls10-disable.reg file.

4. Double-click the tls10-disable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.

To disable TLS 1.1 support in Windows Schannel

1. From Notepad.exe, create a text file named tls11-disable.reg.

2. Copy, and then paste the following text.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
   "DisabledByDefault"=dword:00000001
   "Enabled"=dword:00000000
   

3. Save the tls11-disable.reg file.

4. Double-click the tls11-disable.reg file.

5. Click Yes to update your Windows Registry with these changes.

6. Restart your computer for the change to take effect.