Using GPO to enable TLS1.2 on a Windows2008R2 server.

  • Question

  • I am running through a road block using GPO to enable TLS1.2 on a Windows2008R2 server.

    The manual process is not an issue, but I wanted to use GPO to disable SSL and enable TLS1.2.

    Any help will be highly appreciated.

    Tuesday, September 19, 2017 6:01 PM

All replies

  • Hi,

    You may use the group policy setting below to configure specific Cipher Suite Order, remove unwanted ones from the list.

    Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order

    Or, you may use GPP to deploy the registry subkeys to enable or disable TLS/SSL

    TLS/SSL Settings

    https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx

    Configure a Registry Item

    https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Edited by Amy Wang_ Wednesday, September 20, 2017 7:37 AM
    • Proposed as answer by Amy Wang_ Monday, September 25, 2017 3:03 AM
    Wednesday, September 20, 2017 7:36 AM
  • Amy -

    I do appreciate your swift response, but in the case of enabling TLS1.2 using GPO on Windows Server 2008R2/2012, how do you create the TLS keys and the Client\Server subkeys below, then go ahead and enable the protocol? Manually it is no problem, but I am kind of confused using GPO. See the manual steps below.

    Translating these manual steps below to GPO is the issue.

      • Right click on the TLS 1.2 key and add two new keys underneath it.
      • Rename the two new keys as:
      • Client
      • Server
    1. Right click on the Client key and select New and then DWORD (32-bit) Value from the drop-down list.
    2. Rename the DWORD to DisabledByDefault.
    3. Right-click the name DisabledByDefault and select Modify... from the drop-down menu.
    4. Ensure that the Value data field is set to 0 and the Base is Hexadecimal.  Click on OK.
    5. Create another DWORD for the Client key as you did in Step 7.
    6. Rename this second DWORD to Enabled.
    7. Right-click the name Enabled and select Modify... from the drop-down menu.
    8. Ensure that the Value data field is set to 1 and the Base is Hexadecimal. Click on OK.
    9. Repeat steps 7 to 14 for the Server key (by creating two DWORDs, DisabledByDefault and Enabled, and their values underneath the Server key).
    Wednesday, September 20, 2017 6:19 PM
  • Hi,

    You may create the DWORD entry on DC first, so you could navigate to it later when configuring GPP, here is a screenshot below:

    After that, restart target systems to apply registry settings.

    Best Regards,

    Amy



    • Proposed as answer by Amy Wang_ Tuesday, October 3, 2017 3:01 AM
    • Marked as answer by Femola_Intellifed Tuesday, November 14, 2017 7:46 PM
    Thursday, September 21, 2017 10:23 AM
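
The manual steps from the follow-up question, written as Group Policy Preferences registry items with the GroupPolicy module's `Set-GPPrefRegistryValue` cmdlet, plus a check to run on a target after the restart. This is an added example, not part of the original thread: the GPO name `TLS-Hardening` and the three function names are assumptions, and the SSL 2.0/3.0 entries go beyond the TLS 1.2 steps listed, to cover the "disable SSL" part of the question.

```powershell
# Added example. $GpoName and the function names are hypothetical.
Import-Module GroupPolicy

$GpoName = 'TLS-Hardening'   # assumed to exist and be linked to the target OU
$Base    = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state per protocol: TLS 1.2 on, SSL 2.0/3.0 off.
$Desired = @{
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
    'SSL 3.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'SSL 2.0' = @{ Enabled = 0; DisabledByDefault = 1 }
}

function Get-SchannelItems {
    # Expand the table into one record per registry value (Client and Server).
    foreach ($proto in $Desired.Keys) {
        foreach ($role in 'Client', 'Server') {
            foreach ($name in $Desired[$proto].Keys) {
                New-Object PSObject -Property @{
                    Key   = "$Base\$proto\$role"
                    Name  = $name
                    Value = $Desired[$proto][$name]
                }
            }
        }
    }
}

function Publish-SchannelGpp {
    # Run where GPMC is installed. Action 'Update' creates missing keys and values.
    foreach ($i in Get-SchannelItems) {
        Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Update `
            -Key $i.Key -ValueName $i.Name -Type DWord -Value $i.Value | Out-Null
    }
}

function Test-SchannelState {
    # Run on a target after gpupdate and restart; returns only values that differ.
    foreach ($i in Get-SchannelItems) {
        $path   = 'Registry::' + ($i.Key -replace '^HKLM', 'HKEY_LOCAL_MACHINE')
        $n      = $i.Name
        $actual = (Get-ItemProperty -Path $path -Name $n -ErrorAction SilentlyContinue).$n
        if ($actual -ne $i.Value) {
            New-Object PSObject -Property @{ Key = $i.Key; Name = $n; Expected = $i.Value; Actual = $actual }
        }
    }
}
```

Run `Publish-SchannelGpp` once on the management host; on a target, `Test-SchannelState` returning nothing means every value matches, and a missing value shows up with an empty `Actual`.
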
  • Hi,

    Is further assistance required?

    Best Regards,

    Amy



    Tuesday, October 10, 2017 9:38 AM