none
IE11: Unable to enable TLS 1.1 and 1.2 RRS feed

  • Question

  • I have recently been testing Windows in FIPS-compliance mode for compliance with a common security policy mandated by a state government agency.  This included my assigned laptop, which is running Windows 8.1 Update Enterprise x64.

    As part of the test, I enabled the "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" both in local security policy on my machine and later via a test GPO.  Since that test has completed, I have deleted the GPO and disabled the setting in local security policy.  I've also rebooted several times to verify the setting is truly disabled and also tried creating a GPO that forces that setting to disabled.

    What I am seeing is, since performing these tests, I can no longer enable TLS 1.1 or 1.2 on IE11.  They were previously enabled.  The settings for SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 are all grayed out.  SSL 2.0, SSL 3.0, and TLS 1.0 are checked (and cannot be unchecked) and TLS 1.1 and TLS 1.2 are unchecked (and cannot be checked).

    Suspecting group policy, I put my user account and computer account in an OU that has group policy inheritance blocked and made a GPO that only forces SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 on for my user account and applied it to my test GPO.  The particular setting is Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Advanced Page | Turn off encryption support | Use SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.  I ran gpupdate /force, rebooted, checked local security policy to confirm that my laptop is not in FIPS mode, then checked the IE11 advanced options and there was no change.


    How can I get TLS 1.1 and TLS 1.2 back?


    Thursday, June 5, 2014 9:32 PM

Answers

  • I solved it by going toRegistry entry HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings and renaming the SecureProtocols key into something else. This unlocks all TLS options from Internet Explorer.

    You can rename it back if you want only secure protocols.

    • Proposed as answer by rob_long Thursday, March 3, 2016 9:49 PM
    • Marked as answer by Scott W. Sander Friday, July 8, 2016 12:51 PM
    Friday, January 8, 2016 6:54 AM

All replies

  • I forgot about some of the other troubleshooting I did.

    I logged into my computer as a test user and had the same issue.  This particular test user account had never logged into my computer before.

    I also had other members of my team that have the same role that I do in the organization (and therefore the same placement in Active Directory and the same group membership) and they do not have this issue.  They are also using the same operating system.

    I also made sure that the following two keys existed in my registry:

    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.1\Client
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.2\Client

    Both of these keys contained two DWORD attributes:

    • DisabledByDefault = 0
    • Enabled = 1

    I also tried resetting Internet Explorer entirely.


    Thursday, June 5, 2014 9:42 PM
  • I also checked the registry for the value of the following:

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy

    Enabled = 0

    It was set to 0 as expected.

    Thursday, June 5, 2014 9:51 PM
  • Just removed the Internet Explorer feature, rebooted, then re-added it.  I still cannot control the IE SSL/TLS settings.
    Thursday, June 5, 2014 10:01 PM
  • Hi,

    I sugegst you run RSOP and check the poliies which have been applied to your machine, maybe we just missed something important.

    And if you have a restore point, then you can choose to restore your PC to a previous point at which your PC is functioning fine.


    Yolanda Zhu
    TechNet Community Support

    Monday, June 9, 2014 1:43 AM
    Moderator
  • I've already run RSOP and verified that there is no policy enforcing FIPS mode or forcing the SSL/TLS settings in IE, except when I tried to create policies to force FIPS off and force TLS 1.1 and 1.2 on.

    Unfortunately, I can't use System Restore.  It broke sometime a few weeks ago, and I'm not willing to go back that far.

    Monday, June 9, 2014 12:33 PM
  • Hi,

    From your description, seems not a policy issue, but I'm really suspect this, because FIPS mode can cause only TLS1.0 to be used, just as described in the post.

    What is the result if we create a new user account in this PC?

    What is the result if we disjoin the PC from the domain?


    Yolanda Zhu
    TechNet Community Support

    Wednesday, June 11, 2014 7:01 AM
    Moderator
  • I am 100% certain of the following:

    • Group policy is not forcing the aforementioned FIPS-related setting on this computer, or if it is, it is me attempting to force disable it (depending on what I'm doing at the time when trying to solve this problem).
    • Local security policy has this setting disabled.

    In response to you suggestions:

    • I created a new local user account on the computer.  The result was the same.
    • If I find more free time today, I'll try disjoining my workstation from the domain and see if it has any effect.  I'll let you know the result.

    Additionally, I found this article on TechNet that describes another FIPS-related registry setting I had not checked yet:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy.  Well, I checked and the Enabled DWORD is set to "0" on my machine, so this isn't the issue either.

    Wednesday, June 11, 2014 1:43 PM
  • Alright, I tried the domain rejoin.  First, I created another new local user account.  Then I disjoined the computer from the domain, rebooted, and logged in as the new user.  I checked Internet Explorer's options.  No change!  The SSL/TLS settings are still disabled and it still said "Some settings are managed by your system administrator."  I reset Internet Explorer and rebooted and logged in again, but the problem was still present.  I went into Local Security Policy, and the FIPS setting was still disabled.  I enabled it, applied the setting, disabled it again, applied the setting, rebooted, and logged in again.  Still have the same problem.

    I rejoined the computer to the domain, and of course the problem is still present.

    Wednesday, June 11, 2014 2:04 PM
  • Since you're doing a lot with Group Policies (and force disabling them), have you tried running gpmc.msc's Group Policy Modeling, Group Policy Results on the computer in question?

    I don't think there's a guarantee that all policies that you once applied to a workstation simply revert to default when you stop applying them, thus, I suggest applying upon the workstation what you need/want. That is FIPS, SChannel (client) related things as well as Internet Explorer settings.

    Note that you should manage IE 11 Group Policies only on a Win 8.1 or Win Srv 2012 R2 Server. Win 7 (RSAT) didn't even have that option when I last checked

    Thursday, June 12, 2014 7:18 AM
  • Yes, I absolutely have checked group policy results, as I mentioned earlier in response to Yolanda Zhu.  I have verified that, without a doubt per RSOP, the aforementioned FIPS-related setting is being disabled on my computer for my user account and SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 are being enabled.  However, I still can't modify the settings in Internet Explorer and TLS 1.1 and 1.2 are not being marked as checked.

    I've also verified that the boxes that are checked in IE (SSL 2.0, SSL 3.0, and TLS 1.0) are what is taking effect and now what I have set in group policy.  I tried connecting to an internal site that uses TLS 1.2 and it negotiaged TLS 1.0 in IE on my computer (it does negotiate to TLS 1.2 on other computers that have it enabled).

    My workstation is Windows 8.1, and that is where I am running the GPMC from.  Regardless, the setting I am referring to for forcing TLS 1.1+ on in IE is a group policy setting in administrative templates, not an Internet Explorer preference setting where they are version-specific.

    Thursday, June 12, 2014 3:48 PM
  • At this point, I would re-install the workstation since you have only one machine that is affected (or now two). When no GPO settings are applied but IE, despite re-set, greys out options I’d say FUBAR.

    I did not observe this behaviour when I enabled and disabled the FIPS option. IE would still give me the SSL/TLS options to check and uncheck. That was IE 10 on Windows 8.

    Alternatively, manually setting the cipher suites via GPO may also get you the TLS 1.2 desired behaviour.

    Thursday, June 12, 2014 6:13 PM
  • Ignore that second workstation you might have seen mentioned if you received an alert email.  The behavior I was seeing was due to a group policy I was applying to force TLS 1.1 and 1.2 on.  Once I disabled that, the options weren't disabled on the other test workstation. I removed that paragraph.

    I agree with you, I think I just need to re-image my workstation.  I was having trouble with my JET security database awhile back and had to work on that.  Perhaps this issue is related.

    In regards to force enabling TLS 1.1 and 1.2 via GPO regardless of what IE shows, it doesn't work.  Even when those settings are being forced on my user account, it still negotiates TLS 1.0 to sites that support 1.2.  It's not a cipher suite thing, because the site and my workstation are configured to use the default suites.

    Thanks.


    Thursday, June 12, 2014 9:04 PM
  • Did you get this resolved? i had the same issue and tried the schannel ciphers, protocols and fips compliance keys to no avail, as well as specific IE 10 preference policies...all to no avail. Found this and it worked nicely however:

    http://www.bauer-power.net/2014/06/how-to-enabled-tls-11-and-tls-12-in.html#.U6AgFpRdUud

    Regards, 


    • Proposed as answer by K.ryn Thursday, October 16, 2014 1:46 PM
    Tuesday, June 17, 2014 11:03 AM
  • Did you get this resolved? i had the same issue and tried the schannel ciphers, protocols and fips compliance keys to no avail, as well as specific IE 10 preference policies...all to no avail. Found this and it worked nicely however:

    http://www.bauer-power.net/2014/06/how-to-enabled-tls-11-and-tls-12-in.html#.U6AgFpRdUud

    Regards, 



    Thank you for the information, but I've already tried that.  I think something is wrong with my local security policy on my workstation and I am going to have to reinstall Windows.
    Thursday, June 19, 2014 12:43 PM
  • This bloggers solution looks okay but I don't understand why he goes on a rant against IE ("The problem I was running into was that some people in my organization still like to use Internet Explorer for some reason.") and Microsoft ("in cahoots with the NSA") instead of looking into where he went wrong.

    It is my experience and understanding that as per default if you have a Windows 7 or higher (8, 8.1) and the latest updates, you should have IE 11 with very options the blogger 'achieved'.

    SSL 2.0 off
    SSL 3.0 on
    TLS 1.0 on
    TLS 1.1 on
    TLS 1.2 on

    If you don't have that you have either an outdated version of Windows or Internet Explorer or have tampered with the default settings. I just checked 3 workstations (WIn 7, 8, 8.1) and they all have this setting. And I haven't done anything special to achieve this configuration.

    Thursday, June 19, 2014 7:38 PM
  • Duke73, you are correct.  IE11 has TLS 1.1 and TLS 1.2 as the default.

    In this case, I have just reimaged my computer to get TLS 1.1 and TLS 1.2 back.  Nothing else i had tried was getting the options back.  As I stated previously, I think something was wrong with my local security database.

    Monday, July 7, 2014 7:32 PM
  • Scott,

    I have the same problem, but when installing some VPN clients, like Cisco Anyconnect, Checkpoint Endpoint and even McAfee Stonegate. Those SSL options stay gray and without any kind of method to re-enable the default behavior. Every time a have to back those settings to default, neither a system restore to a previous point of VPN client installation fixes the internet settings back. Only a full re-image works.

    The last time I face this problem, I has with a fresh installed win 8, so internet options was with default settings, as Duke73 show us, then I install a VPN client and the options became gray without chance to change. Trying to achieve the default behavior, I made a system restore, to the previous point, where there isn't the VPN client. The result was successful, the VPN client was removed, but internet settings never back to default settings, it's gray until now and I tryied the same procedures you have post here, but I think only a new re-image will fix it.

    • Proposed as answer by Rigelic Wednesday, December 7, 2016 2:06 PM
    Thursday, September 11, 2014 6:20 PM
  • All - so I have a near identical issue and but it's with IE9 and it's not with one workstation but with my entire network.  Tried to remove SSL 3.0 using GPO and found a number of sites my users needed were affected by this decision so I wanted to reverse it.  Removed the GPO and NONE  (zero, zip , nada) of my workstations will revert.  They all have SSL 3.0 and 2.0 grayed out.  THIS SERIOIUSLY SUCKS! 
    • Edited by WJRED66 Thursday, October 16, 2014 9:17 PM
    Thursday, October 16, 2014 9:16 PM
  • I too would like to find a resolution to this WITHOUT resorting to re-imaging!

    Chris

    Monday, October 20, 2014 6:07 PM
  • Everyone:  I resolved my issue in this thread by reimaging my computer, but I ended up having a similar problem again on a series of Windows 7 computers and was able to solve it.  Check out my other thread where I describe my troubleshooting and ultimate solution in detail:

    https://social.technet.microsoft.com/Forums/en-US/96049b0a-fcda-4f96-88c2-71d487aee8fb/internet-explorer-ssltls-settings-disabled?forum=ieitprocurrentver

    Unfortunately, I don't know if the last step was enough to solve the issue or if it was a combination of some of my troubleshooting steps, but I did solve it without reimaging.

    Good luck!

    Wednesday, October 22, 2014 1:18 AM
  • Hi Scott,

    I meant to post back yesterday to say that I had managed to achieve a similar resolution to you, however, I used a GPO applied to the the Domain.

    I had checked the local machine with RSOP and GPRESULT, but I could see NO indication that any policy (either domain or local) had been applied that should have affected these settings. However, I did notice that for some reason the affected PCs had the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy registry entry set to 1, but even setting this back to 0 and rebooting did not re-enable the settings in IE. I'm not sure what has happened, but I have read in some places that this may be something to do with the installation of VPN products - we did have Cisco AnyConnect on these machine but it was removed some time ago.

    However, my overall goal was to ensure that SSLv3 was switched OFF in IE for all domain joined PCs, and so I thought I would apply the same GPO to the domain:

    Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY

    Whilst this did not (obviously) fix the greyed out option in IE (and, of course, it will apply the policy to ALL Domain machines so ALL will end up with greyed out options), it did achieve what I wanted AND updated the machine/s that had the problems.

    I suspect that at some point in time some software has been installed that has manipulated the local policy setting on the machines, but even though this has been removed and the policy setting returned to a NOT CONFIGURED state, Windows has got its knickers in a twist and continued to apply the settings. This might account for the fact that switching the local setting on then off again worked for you????

    Cheers.


    Chris

    Wednesday, October 22, 2014 9:41 AM
  • Hi Scott,

    I meant to post back yesterday to say that I had managed to achieve a similar resolution to you, however, I used a GPO applied to the the Domain.

    I had checked the local machine with RSOP and GPRESULT, but I could see NO indication that any policy (either domain or local) had been applied that should have affected these settings. However, I did notice that for some reason the affected PCs had the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy registry entry set to 1, but even setting this back to 0 and rebooting did not re-enable the settings in IE. I'm not sure what has happened, but I have read in some places that this may be something to do with the installation of VPN products - we did have Cisco AnyConnect on these machine but it was removed some time ago.

    However, my overall goal was to ensure that SSLv3 was switched OFF in IE for all domain joined PCs, and so I thought I would apply the same GPO to the domain:

    Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY

    Whilst this did not (obviously) fix the greyed out option in IE (and, of course, it will apply the policy to ALL Domain machines so ALL will end up with greyed out options), it did achieve what I wanted AND updated the machine/s that had the problems.

    I suspect that at some point in time some software has been installed that has manipulated the local policy setting on the machines, but even though this has been removed and the policy setting returned to a NOT CONFIGURED state, Windows has got its knickers in a twist and continued to apply the settings. This might account for the fact that switching the local setting on then off again worked for you????

    Cheers.


    Chris

    Chris/Swinster:

    I'm not sure your issue is the same as the one I was having.

    I didn't mention it in the other thread I linked to, but that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy registry setting was set to "0" on both the Windows 8.1 I was talking about in this thread and the Windows 7 machine I was talking about in the other one.

    Also, in both cases we had purposely turned on the System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms setting in Group Policy.  It wasn't a result of some accident or unknown reason.  As far as Cisco AnyConnect Secure Mobility Client, we use it here (v3.1.51790), but I don't have the same experience with it messing with the Windows FIPS settings unless you turn on FIPS mode in the AnyConnect client, which results in it putting Windows in FIPS mode upon the next reboot.

    In any case, I don't know the exact cause, but clearly it is unexpected and undesirable behavior, but I'm hoping flipping the local policy around turns out to be a solution for people having this issue.

    Thursday, October 23, 2014 1:00 PM
  • I do not have a  "Turn off encryption support" option under "Advanced Page" in Active Directory group policy. Does anyone know how get that added?

    Monday, November 17, 2014 5:12 PM
  • I do not have a  "Turn off encryption support" option under "Advanced Page" in Active Directory group policy. Does anyone know how get that added?

    Which OS and version of RSAT are you using precisely?

    On Windows 8.1 x64 with RSAT for Windows 8.1 (Windows8.1-KB2693643-x64.msu)

    In Computer Configuration\Policies\Administrative Templates\All Settings\All Settings it should be there.

    Either one of these should get you there

    Wednesday, December 31, 2014 9:47 AM
  • Scott I am confused by your question and the answers received.  I am a non-prolific, retired home windows user.  I have a PC running windows 7 home premium and IE 11.  A few months ago I went to check my email at Yahoo from my home page and the Yahoo page would NOT open.  I went to the advanced properties of IE and discovered that 3 boxes (tls 1.0, 1.1 and 1.2 were NO LONGER checked.  I checked them, hit apply and OK and the Yahoo page worked fine.  Now, every single day when I open IE those same 3 boxes are UNCHECKED.  Once I check them, if I let my PC sit idle for awhile the settings/boxes become UNCHECKED.  I do not have a clue as to what is causing this problem nor how to fix it.  I contacted Microsoft On-line support and the tech took over my PC for awhile to see if she could find the problem.  She never said if she found any problem all she said was that I would HAVE to purchase the YEARLY subscription to their support services.  As I said I am retired and on a fixed income and cannot afford the large fee to solve just ONE SINGLE PROBLEM by them. 
    Thanks for your time in this matter.  I'll look forward to your reply.

    Joe Bosko

    Tuesday, March 3, 2015 7:19 PM
  • Scott I am confused by your question and the answers received.  I am a non-prolific, retired home windows user.  I have a PC running windows 7 home premium and IE 11.  A few months ago I went to check my email at Yahoo from my home page and the Yahoo page would NOT open.  I went to the advanced properties of IE and discovered that 3 boxes (tls 1.0, 1.1 and 1.2 were NO LONGER checked.  I checked them, hit apply and OK and the Yahoo page worked fine.  Now, every single day when I open IE those same 3 boxes are UNCHECKED.  Once I check them, if I let my PC sit idle for awhile the settings/boxes become UNCHECKED.  I do not have a clue as to what is causing this problem nor how to fix it.  I contacted Microsoft On-line support and the tech took over my PC for awhile to see if she could find the problem.  She never said if she found any problem all she said was that I would HAVE to purchase the YEARLY subscription to their support services.  As I said I am retired and on a fixed income and cannot afford the large fee to solve just ONE SINGLE PROBLEM by them. 
    Thanks for your time in this matter.  I'll look forward to your reply.

    Joe Bosko

    Joe/acrubray:

    The problem you are experiencing is not the same as the one I described in my opening post in this thread.  Additionally, this thread is already marked answered, greatly reducing the likelihood of people seeing your request for assistance with your problem.

    I recommend submitting a brand new question in the Internet Explorer forum.

    Tuesday, March 3, 2015 11:22 PM
  • Thanks Scott I will do as advised and open a new thread.

    Joe

    Wednesday, March 4, 2015 12:40 AM
  • I solved it by going toRegistry entry HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings and renaming the SecureProtocols key into something else. This unlocks all TLS options from Internet Explorer.

    You can rename it back if you want only secure protocols.

    • Proposed as answer by rob_long Thursday, March 3, 2016 9:49 PM
    • Marked as answer by Scott W. Sander Friday, July 8, 2016 12:51 PM
    Friday, January 8, 2016 6:54 AM
  • Dimitris Zacharopoulos - Your suggestion worked for me.

    I believe my issue was I had installed a Cisco VPN client with FIPS (not knowing what FIPS was).  When I changed the AnyConnect client config to not require it, and changed the registry setting "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" to 0 I continued to have issues.

    The issues I was experiencing were:

    • Visual Studio could not login to acquire a license
    • Could not login to login.live.com from IE 11, but worked in Chrome just fine.
    • Could not download apps from the Microsoft App store
    • IE 11 Advanced settings said they were managed by the administrator and I could not change the options for SSL or TLS.

    I renamed the "SecureProtocols" and the issue was fixed.  I verified with other users in the company that did not have the FIPS VPN client and they did not have this key. 

    Dimitris: Thank you! I don't know how you found this, but nice work!

    Greatly appreciative,

    - Rob


    • Edited by rob_long Thursday, March 3, 2016 9:49 PM
    Thursday, March 3, 2016 9:49 PM
  • I solved it by going toRegistry entry HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings and renaming the SecureProtocols key into something else. This unlocks all TLS options from Internet Explorer.

    You can rename it back if you want only secure protocols.

    This is absolutely the solution!  Thank you!!!

    I'm still cleaning up from the mess that trying out FIPS mode caused (the problem described in my OP).  Users in the department where I tried out FIPS mode sometimes raise tickets about being unable to connect to some websites and when I investigate, it's always an HTTPS site that uses only TLS 1.2 and the IE11 settings on the client machine are locked to only SSL 2.0, SSL 3.0, and TLS 1.0.

    What I do now in order to solve this is to simply delete the "SecureProtocols" DWORD at "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\"  This immediately unlocks the SSL/TLS settings in IE and reverts them back to whatever the defaults are for the currently installed Windows hotfixes (currently that seems to be TLS 1.0, TLS 1.1, and TLS 1.2).

    Do note that the SSL/TLS settings for IE11 via group policy (the "Turn off encryption support" setting I mentioned in my OP) use that "SecureProtocols" DWORD.  If you are using the "Turn off encryption support" group policy setting, the solution might need to be more complex than simply deleting that DWORD.



    Friday, July 8, 2016 12:58 PM