none
What is the correct registry value to Enable TLS v 1.2 in windows server 1 or 0xffffffff RRS feed

  • Question

  • We are enabling the TLS v 1.2 in our server builds using registry. We are setting these registry keys to 1 to enable TLS v 1.2

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled

    CIS benchmark recommends to set the value to 0xffffffff to enable TLS 1.2.

    Can someone please confirm if this (0xffffffff) is a valid value to enable the protocol and how it is different than a value 1.



    Kranti Bhushan | MCSA 2003

    Tuesday, December 12, 2017 3:46 PM

Answers

  • This one might help.

    Registry path: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    To disable the TLS 1.2 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1

    https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx

     

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Dave PatrickMVP Wednesday, December 13, 2017 1:58 PM
    • Unproposed as answer by Dave PatrickMVP Wednesday, December 13, 2017 2:00 PM
    • Marked as answer by kbniranjan Tuesday, December 19, 2017 7:41 AM
    Tuesday, December 12, 2017 4:20 PM
  • Thanks for your suggestion.

    We are already applying this setting as specified. My query is specific to setting 0xffffffff value to enable TLS v 1.2 as suggested in CIS benchmark, and How it is different that setting a value 1.

    Unsigned 0xffffffff (hex) = -1 (decimal so it really isn't different, end result is "enabled"

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    • Edited by Dave PatrickMVP Wednesday, December 13, 2017 2:05 PM
    • Proposed as answer by Dave PatrickMVP Monday, December 18, 2017 1:52 PM
    • Marked as answer by kbniranjan Tuesday, December 19, 2017 7:42 AM
    Wednesday, December 13, 2017 2:04 PM

All replies

  • This one might help.

    Registry path: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    To disable the TLS 1.2 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1

    https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx

     

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Dave PatrickMVP Wednesday, December 13, 2017 1:58 PM
    • Unproposed as answer by Dave PatrickMVP Wednesday, December 13, 2017 2:00 PM
    • Marked as answer by kbniranjan Tuesday, December 19, 2017 7:41 AM
    Tuesday, December 12, 2017 4:20 PM
  • Thanks for your suggestion.

    We are already applying this setting as specified. My query is specific to setting 0xffffffff value to enable TLS v 1.2 as suggested in CIS benchmark, and How it is different that setting a value 1.



    Kranti Bhushan | MCSA 2003

    Wednesday, December 13, 2017 7:32 AM
  • Hi,

    Technically speaking, any non-zero value would match to "Enabled".

    There is a similar thread with you,please refer to it.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/36feef50-0500-4664-b6ab-935b4aad39ee/enable-schannel-protocols-eg-tls-12-dword-enabled-value-0x00000001-or-0xffffffff?forum=winserversecurity

    Best Regards

    Frank

     


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 13, 2017 9:09 AM
    Moderator
  • Thanks for your suggestion.

    We are already applying this setting as specified. My query is specific to setting 0xffffffff value to enable TLS v 1.2 as suggested in CIS benchmark, and How it is different that setting a value 1.

    Unsigned 0xffffffff (hex) = -1 (decimal so it really isn't different, end result is "enabled"

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    • Edited by Dave PatrickMVP Wednesday, December 13, 2017 2:05 PM
    • Proposed as answer by Dave PatrickMVP Monday, December 18, 2017 1:52 PM
    • Marked as answer by kbniranjan Tuesday, December 19, 2017 7:42 AM
    Wednesday, December 13, 2017 2:04 PM
  • Hi,
    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Frank

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 18, 2017 9:14 AM
    Moderator
  • Thanks everyone for your suggestions.

    We have implemented the value 1 to enable the TLS 1.2. Let's see if it pass the security test or the scan team will looks specifically for 0xffffffff value.


    Kranti Bhushan | MCSA 2003

    Tuesday, December 19, 2017 7:44 AM