IE 11 on Win10: Enabling TLS 1.0 via User Preferences GPO does not work

  • Question

  • I have installed the latest .ADMX and .ADML GPO files in AD and set Internet Explorer 10 User Preferences so that TLS 1.0, TLS 1.1 and TLS 1.2 are checked.

    BUT: When the GPO is applied, only TLS 1.1 and TLS 1.2 are enabled in IE 11. Registry shows:

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    "SecureProtocols"=dword:00000a00

    If I check TLS 1.0 manually, registry shows:

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    "SecureProtocols"=dword:00000a80

    Running gpupdate /force resets to TLS 1.1 and TLS 1.2 only. (dword:00000a00)

    Also tried to use the Computer policy "Internet in control panel\Advanced" and that makes all TLS checked, but TLS 1.0 is NOT working as it should, some webpages pop up and ask me to check TLS 1.0-1.2. Also enabling SSL 2.0 and 3.0 makes these pages work, but then some use RC4 as encryption and that is not desired.

    A bug or what? Tested on several machines with Win10, both 1511 and 16087, same results.

    Enabling TLS 1.0/1.1/1.2 via Regedit ("SecureProtocols"=dword:00000a80) is working to the point when the GPO is applied again and therefore not an option.

    Thursday, August 18, 2016 12:51 PM

Answers

  • EDIT:

    Problem is resolved. There was some fault in the GPO itself somewhere, I never found what it was. But I scrapped that GPO completely and built a new one from scratch and all is well. TLS 1.0 is now being ticked by setting it in User Preferences in the new GPO.

    • Marked as answer by RayHell Wednesday, September 7, 2016 1:51 PM
    Wednesday, September 7, 2016 1:51 PM

All replies

  • Hi RayHell,

    I have some confusion with your issue. For your last sentence, could you apply the GP for TLS 1.0 to enable normally? Do you meet some error when the issue occurred? We could turn on the TLS 1.0, TLS 1.1 and TLS 1.2 under the Advanced Setting. Also we need to check the SSL 2.0 and SSL 3.0.

    Hope it will be helpful to you


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 19, 2016 11:27 AM
    Moderator
  • Explained in another way:

    Last week we got problems accessing the site https://response.questback.com.

    a) We have a GPO, Computer policy "Windows Components\Internet Explorer\Internet in control panel\Advanced" with all TLS checked and no SSL checked and it is applied OK, TLS 1.0, TLS 1.1 and TLS 1.2 are checked and grayed out on the PCs. But we still get the error message " ...Activate TLS 1.0, TLS 1.1 og TLS 1.2 in Advanced settings..." when going to that site.

    b) If we drop that GPO in a) and check all TLS versions manually, that site works, with no SSL at all checked. (Already here there is something odd going on, why does this work manually and not in scenario a) with GPO??)

    c) Now, if we try another GPO with User Preferences\Internet\Explorer 10 with TLS 1.0, TLS 1.1 and TLS 1.2 checked and no SSL checked, only TLS 1.1 and TLS 1.2 are being checked in IE on the PCs. Now checking TLS 1.0 manually makes the site work. BUT: When this GPO is applied again, TLS 1.0 is being unchecked and we are back to the misery.

    d) If we take the GPO in a) and also check SSL 2.0 and SSL 3.0, that site works. BUT: IE is now running RC4 encryption with that site and that is not good. Firefox runs that site flawlessly and with encryption 3des-ede-cbc-sha.

    Hope this clarifies.


    • Edited by RayHell Friday, August 19, 2016 12:08 PM
    Friday, August 19, 2016 12:01 PM
  • I've just had this problem so for others finding this in future, here's the fix that doesn't require a full GPO delete that worked for us.

    Go into the GPO - User Config - Preferences - Control Panel Settings - Internet Settings.

    Right click on the Internet Explorer 10 preference in the right hand pane, copy it, then paste it to the desktop.

    Edit the created XML in notepad and search for an entry called "SecureProtocols"

    Just below this you'll probably find a "SubProp" entry called <SubProp id ="SecureProtocolsTLS1" value="00000000" mask="00000080"/>

    Delete this entire section of the XML including the <> then save the XML (Ensure you are NOT deleting the SubProp id ="SecureProtocolsTLS10" entry).

    Once that's edited go back to your GPO, right click on the Internet Explorer 10 preference and delete it to clear the GPO of all IE preferences. Now copy the XML from the desktop back into the IE preference window to recreate the preference settings without this rogue entry and you should now have GPO control of the TLS1 setting.

    It seems that this <SubProp id ="SecureProtocolsTLS1" entry is a duplicate or deprecated version of the setting <SubProp id ="SecureProtocolsTLS10" which also controls TLS1. The latter is the value that changes when you tick/untick the option in the GPO preference on a 2012 server but if the rogue element exists in the XML after the correct element, it then overwrites the setting you intended to set. It would appear that if you edit the same GPO preference on a 2008 server with an earlier version of IE and tick the TLS 1 box, it creates the rogue element so I'm sure in our case that's where it's come from, an admin at some point using an old 2008 server to edit the GPO rather than a 2012 with the correct version of IE on.


    • Edited by Locoblade Thursday, December 20, 2018 12:46 PM
    • Proposed as answer by Locoblade Friday, December 21, 2018 8:52 AM
    Thursday, December 20, 2018 12:18 PM
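
The check described in the reply above, as an added PowerShell example that is not part of the original thread. It models the reply's explanation that SubProp entries are applied in document order as value/mask pairs (an assumption), then removes the stale entry and recomputes. The XML is a constructed fragment: only the ids SecureProtocolsTLS1 and SecureProtocolsTLS10 and the stale entry's value and mask come from the thread; the Reg wrapper and the other entries are hypothetical. Bit 0x80 is the TLS 1.0 flag, which is the difference between the 00000a00 and 00000a80 values in the question.

```powershell
# Constructed sample; in practice load the exported preference XML instead:
#   [xml]$doc = Get-Content -Raw .\exported-preference.xml   # hypothetical path
[xml]$doc = @'
<Reg name="SecureProtocols">
  <SubProp id="SecureProtocolsTLS10" value="00000080" mask="00000080"/>
  <SubProp id="SecureProtocolsTLS11" value="00000200" mask="00000200"/>
  <SubProp id="SecureProtocolsTLS12" value="00000800" mask="00000800"/>
  <SubProp id="SecureProtocolsTLS1" value="00000000" mask="00000080"/>
</Reg>
'@

# SecureProtocols bit flags as used by the Internet Settings registry value.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x08; 'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800
}

function Get-EffectiveSecureProtocols([xml]$Xml) {
    # Apply each SubProp in document order: clear the masked bits, then set value.
    $result = 0
    foreach ($sp in $Xml.SelectNodes('//SubProp[starts-with(@id,"SecureProtocols")]')) {
        $mask  = [Convert]::ToInt32($sp.GetAttribute('mask'), 16)
        $value = [Convert]::ToInt32($sp.GetAttribute('value'), 16)
        $result = ($result -band (-bnot $mask)) -bor ($value -band $mask)
    }
    return $result
}

function Format-SecureProtocols([int]$Value) {
    $names = $ProtocolBits.Keys | Where-Object { $Value -band $ProtocolBits[$_] }
    '0x{0:x8} ({1})' -f $Value, ($names -join ', ')
}

"Before: " + (Format-SecureProtocols (Get-EffectiveSecureProtocols $doc))

# Remove only the stale SecureProtocolsTLS1 entry (exact id match, so
# SecureProtocolsTLS10 is left in place). @() snapshots the node list first.
$stale = @($doc.SelectNodes("//SubProp[@id='SecureProtocolsTLS1']"))
foreach ($node in $stale) { [void]$node.ParentNode.RemoveChild($node) }
"Removed stale entries: $($stale.Count)"

"After:  " + (Format-SecureProtocols (Get-EffectiveSecureProtocols $doc))
# $doc.Save('.\exported-preference.fixed.xml')   # hypothetical output path
```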