TLS 1.1 and 1.2 on W7?

Question
On Windows 7 pro, how do I
1) tell if TLS 1.1 and TLS 1.2 are installed?
2) if 1.1 and 1.2 are installed, how do I disable TLS 1.0?
3) how do I tell Remote Desktop not to use TLS 1.0?
Many thanks, -T
Thursday, February 2, 2017 3:16 AM
All replies
Hi,
To use TLS 1.1 and 1.2, you can just have a look in IE Options > Advanced (last section). It is not recommended to disable TLS 1.0 because many other connections are using this level. Within GPO you can set the order of SSL ciphers to tell your clients to use TLS 1.1 or 1.2 as preferred for connections (also RDP). Only a connection with the same supported cipher on client and server will be established.
Regards
Thursday, February 2, 2017 7:11 AM
Hello,
By default, only TLS 1.0 is supported in Windows 7. You must install the following update to add Remote Desktop Services support for TLS 1.1 and TLS 1.2.
Update to add RDS support for TLS 1.1 and TLS 1.2 in Windows 7 or Windows Server 2008 R2
In addition, for the Remote Desktop Client, make sure the Remote Desktop Protocol 8.0 update has been installed. You can get it from the following link:
https://support.microsoft.com/en-us/help/2592687/remote-desktop-protocol-rdp-8.0-update-for-windows-7-and-windows-server-2008-r2
For how to disable TLS 1.0, you can refer to the following article.
https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one/
Finally, you can use Network Monitor to verify whether RDP is using TLS 1.0 or not.
Best regards,
Andy Liu
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Friday, February 3, 2017 5:34 AM
Did your first two links. It still fails my sweet32 scan.
warnings: 64-bit block cipher 3DES vulnerable to SWEET32 attack
Saturday, February 4, 2017 6:17 AM
Hello,
Please run regedit.exe from a command prompt to open Registry Editor. Under the location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\, create a DWORD value named Triple DES 168, and set the disable value data as 0.
After that, please restart the computer.
For more information, please refer to the following article.
Best regards,
Andy Liu
Edited by Andy Liu (Microsoft contingent staff), Monday, February 6, 2017 9:23 AM
Monday, February 6, 2017 9:21 AM
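
A read-only check of the settings this thread discusses, added here as an example and not taken from any of the posts above. It assumes the documented SCHANNEL layout, in which each protocol side (`Protocols\TLS 1.x\Client` or `Server`) and each cipher (`Ciphers\Triple DES 168`) is a registry key holding `Enabled` and `DisabledByDefault` DWORD values; the function names are hypothetical, and the KB number is the one in the RDP 8.0 link above.

```powershell
# Read-only audit of the SCHANNEL protocol and cipher settings (no changes made).
# Assumption: each protocol side and each cipher is a registry KEY that holds
# DWORD values named Enabled and DisabledByDefault.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (the OS default applies).
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty $Path -ErrorAction SilentlyContinue
    if ($item) {
        $prop = $item.PSObject.Properties[$Name]
        if ($prop) { return $prop.Value }
    }
    return $null
}

function Get-SchannelState {
    param([string]$SubKey)
    $path    = "$base\$SubKey"
    $enabled = Get-SchannelDword $path 'Enabled'
    $dbd     = Get-SchannelDword $path 'DisabledByDefault'

    if ($null -ne $enabled -and $enabled -eq 0) { $state = 'disabled' }
    elseif ($null -ne $dbd -and $dbd -ne 0)     { $state = 'disabled by default' }
    elseif ($null -eq $enabled -and $null -eq $dbd) { $state = 'not configured (OS default)' }
    else { $state = 'enabled' }

    New-Object PSObject -Property @{
        Setting = $SubKey; State = $state
        Enabled = $enabled; DisabledByDefault = $dbd
    }
}

$results = @()
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $results += Get-SchannelState "Protocols\$proto\$side"
    }
}
# The cipher flagged by the SWEET32 scan result quoted in the thread.
$results += Get-SchannelState 'Ciphers\Triple DES 168'
$results | Format-Table Setting, State, Enabled, DisabledByDefault -AutoSize

# RDP 8.0 client update referenced in the thread (KB number from its URL).
if (Get-HotFix -Id 'KB2592687' -ErrorAction SilentlyContinue) {
    'KB2592687 (RDP 8.0 update): installed'
} else {
    'KB2592687 (RDP 8.0 update): not found'
}
```

Run it from an elevated PowerShell prompt; SCHANNEL reads these keys at startup, so compare the output with a rescan after a reboot.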