Disabling SSL 2.0, 3.0 and TLS 1.0 and then updating Outlook clients to use TLS 1.1 or 1.2

  • Question

  • Hello,

    We have a company in the UK that takes credit card payments. Their PCI compliance scan is failing; it reports that SSL 2.0, 3.0 and TLS 1.0 are enabled and need to be disabled to pass.

    I have logged into our Exchange server, which is Windows Server 2012 R2 with Exchange 2013 (15.0 with build 847.32). We have various versions of Outlook installed: 2010, 2013 and 2016.

    To start with I browsed to the following location in the registry on the Exchange server:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

    I then disabled SSL 2.0, SSL 3.0 and TLS 1.0 by changing the Enabled DWORD under the Server key to 0, and then restarted the server.

    Subsequently all Outlook clients stopped working and no longer connect to Exchange, even after restarting the application or the computer. When I enabled TLS 1.0 again they started working, so I assume that all Outlook clients are using TLS 1.0.

    My question to the community is: how do I get all Outlook clients (2010, 2013 and 2016) to start using TLS 1.1 or TLS 1.2?


    Wednesday, January 25, 2017 4:43 PM
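The registry change described in the question, together with the check a compliance scanner performs, as an added PowerShell example (not code from the thread). It assumes Windows PowerShell 5.1 on Windows Server 2012 R2, an elevated session for the Set- function, and a placeholder host name `mail.example.test`. The `Server` subkey governs what the host accepts as a listener and the `Client` subkey what it negotiates outbound, so the same audit run on an Outlook workstation shows what that client may use; the thread itself does not supply the Outlook-side change.

```powershell
# Added example, not from the thread: audit and set SCHANNEL protocol state on a
# Windows host, then probe a listener to confirm which protocol versions it accepts.
# Assumes Windows PowerShell 5.1 on Windows Server 2012 R2 and an elevated session
# for Set-SchannelProtocol. Back up the registry first, as the thread advises.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # Reports Enabled / DisabledByDefault for the Server and Client side of each protocol.
    # A missing key or value means "OS default", which on 2012 R2 leaves SSL 3.0 and TLS 1.0 usable.
    foreach ($proto in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key   = Join-Path $SchannelRoot "$proto\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                KeyExists         = [bool]$props
                Enabled           = if ($null -ne $props -and $null -ne $props.Enabled) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($null -ne $props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

function Set-SchannelProtocol {
    # Writes Enabled / DisabledByDefault for one protocol side. Supports -WhatIf so the
    # change can be previewed before touching the registry. A reboot is needed afterwards.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2')][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Server','Client')][string]$Side,
        [Parameter(Mandatory)][bool]$Enable
    )
    $key = Join-Path $SchannelRoot "$Protocol\$Side"
    if ($PSCmdlet.ShouldProcess($key, "set Enabled=$([int]$Enable)")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off outright; DisabledByDefault=1 keeps an enabled
        # protocol out of the default negotiation set unless an application asks for it.
        Set-ItemProperty -Path $key -Name 'Enabled'           -Value ([int]$Enable)        -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enable)) -Type DWord
    }
}

function Test-TlsVersion {
    # Attempts a handshake with exactly one protocol version, the way a compliance scanner does.
    # Returns $true when the listener accepts that version, $false when the handshake is refused.
    # A TCP connection failure is thrown rather than reported as "not accepted".
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Version
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)
    try {
        # Certificate validation is bypassed here because the test is about protocol negotiation only.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null, $Version, $false)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Usage (run on the Exchange server):
Get-SchannelProtocolState | Format-Table -AutoSize
# Preview disabling SSL 3.0 server-side; the thread says TLS 1.0 must stay on for Outlook.
Set-SchannelProtocol -Protocol 'SSL 3.0' -Side Server -Enable $false -WhatIf
# After a reboot, confirm from another machine what the listener still accepts
# ('mail.example.test' is a placeholder host name):
foreach ($v in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    '{0,-6} accepted: {1}' -f $v, (Test-TlsVersion -HostName 'mail.example.test' -Version $v)
}
```

Run the audit before and after the change and keep both outputs with the compliance evidence; the handshake probe is the quickest way to confirm that a setting actually took effect after the reboot rather than trusting the registry alone.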

All replies

  • This is the current guidance regarding SSL/TLS for Exchange.

    http://blogs.technet.com/b/exchange/archive/2015/07/27/exchange-tls-amp-ssl-best-practices.aspx

    As far as I know, disabling TLS 1.0 on your Exchange Servers is still not supported.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Proposed as answer by KrishKT Thursday, January 26, 2017 11:21 AM
    Wednesday, January 25, 2017 4:49 PM
  • Hello Boffins

    Currently disabling TLS 1.0 is not applicable in practice, as Exchange still uses it.

    Prioritize TLS 1.2 ciphers. You need to create one function key.

    (Take a registry backup first.)

    Thursday, January 26, 2017 8:25 AM
  • Any update on this?
    Thursday, February 9, 2017 3:38 PM
  • Hi,

    Still haven't got it working, so waiting for a response.

    Monday, February 13, 2017 1:24 PM