Internet Explorer SSL/TLS settings disabled

  • Question

  • Recently, we ran a pilot where FIPS-compliance mode was enabled on Windows 7 Enterprise SP1 32-bit computers.  Specifically, the "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" security option was set to Enabled.  The pilot is over and we turned off FIPS-compliance mode.

    Since doing that, I have noticed that the SSL/TLS settings in Internet Explorer 9 are disabled on computers that were part of the pilot.  I know the defaults are:

    • SSL 2.0 : off
    • SSL 3.0 : on
    • TLS 1.0 : on
    • TLS 1.1 : off
    • TLS 1.2 : off

    Now, all of these settings are disabled (grayed out) and the following settings are set:

    • SSL 2.0 : on
    • SSL 3.0 : on
    • TLS 1.0 : on
    • TLS 1.1 : off
    • TLS 1.2 : off

    This affects all user accounts on the system.

    The test GPO we used to turn on FIPS mode for these computers has been verified to only be enforcing that FIPS setting.  It was not controlling any Internet Explorer settings.

    Here is the troubleshooting I have done so far:

    • Reset Internet Explorer via the Reset button on the Advanced tab in Internet Options.
    • Put computer in an OU that had Group Policy inheritance blocked, performed gpupdate, and rebooted to ensure no GPOs were affecting the computer.
    • Verified that local policy was not enforcing the Internet Explorer SSL/TLS settings.
    • Ran msconfig, disabled non-Microsoft services, and rebooted.
    • Removed the Internet Explorer feature, rebooted, re-added it, and rebooted.
    • Installed all available important and recommended Windows Updates.
    • Installed Internet Explorer 11.
    • Created a new local account and set it to Administrator and logged in as that.
    • Removed the computer from the domain.
    • Created another local account (with Administrator rights) and logged in as that while the computer was not on a domain.
    • Ran the command from an elevated command prompt:  secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
    • As a last-ditch effort, I ran CCleaner and performed all the Clean and Registry fixes available.

    Does anyone have any other ideas?



    Tuesday, August 19, 2014 8:18 PM

Answers

  • I got it working!  Now, I realize that I just posted this thread very recently, but I've been working on this all day, adding bullet points as I tried the troubleshooting step.

    I went into local policy (gpedit.msc) and set the Turn Off Encryption Support option for Internet Explorer to SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 in both the Computer and User Settings.  Neither one of these settings was set until this point.  This setting is located at <Computer and/or User Settings> | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Advanced Page.

    After rebooting, IE's SSL/TLS settings were still disabled, but now the following settings are set:

    • SSL 2.0 : off
    • SSL 3.0 : on
    • TLS 1.0 : on
    • TLS 1.1 : on
    • TLS 1.2 : on

    This means that the local policy setting took effect. I then set both of these Turn Off Encryption Support settings to Not Configured and rebooted, and now these options are not grayed out and I can select them manually.

    I did this while off the domain.  I do not know if it would have worked while on domain or if any of the other previous troubleshooting steps were a factor in resolving it.  After rejoining the domain and going back to IE9 by uninstalling IE11, the SSL/TLS settings in IE remained unlocked (the desired behavior).

    I had another thread where I had a very similar issue but with IE11 on Windows 8.1 Enterprise 64-bit:  http://social.technet.microsoft.com/Forums/ie/en-US/c11d8fde-cc86-4eea-81fd-a2d68ef4913e/ie11-unable-to-enable-tls-11-and-12?forum=ieitprocurrentver.  I was never able to solve it in that case and ended up re-imaging my computer.

    So, in this case, the solution was to force the setting via local policy (both User and Computer Settings), reboot, then turn off the local policy settings.  If this doesn't work, at least some of the troubleshooting from my original post should be performed and try again.

    Tuesday, August 19, 2014 8:40 PM
  • If anyone else runs into this, I resolved my issue by modifying the SecureProtocols value in the registry (since I avoid Group Policy at all costs) at HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings.

    The data to set the registry value to can be found at the link below (just Ctrl+F SecureProtocols).

    http://msdn.microsoft.com/en-us/library/ee487835%28v=winembedded.60%29.aspx

    • Proposed as answer by Aliaslab Tuesday, June 14, 2016 12:50 PM
    • Marked as answer by Scott W. Sander Friday, July 8, 2016 1:08 PM
    Wednesday, January 7, 2015 7:34 PM

All replies

  • Hi,

    Glad to see your problem resolved, hope your experience is helpful to others.


    Roger Lu
    TechNet Community Support

    Thursday, September 11, 2014 9:40 AM
    Moderator
  •  resolved my issue by modifying the SecureProtocols value in the registry

    For some reason this suggestion has reminded me of the possibility of using numerous new DllRegisterServer entry points related to security.  Has anyone looked at what all they do?  Probably they would do some initialization which would be cheaper than a reimage but more complete than a single value hack.

    I published my list of changed .dlls associated with IE10 somewhere...

    http://answers.microsoft.com/en-us/ie/forum/ie11-windows_7/cant-print-from-internet-explorer/e52834ff-d603-46aa-bbdf-207a84c7e3dd?page=2&msgId=58f9636e-ae23-48f5-ac4a-d48872483d26

    Compare that list with for example one that is still given as an answer to security issues

    https://social.technet.microsoft.com/Forums/en-US/1f492d6a-3cec-41c8-9f81-82f50f4f8253/internet-explorer-does-not-open?forum=ieitprocurrentver#9ca2ebbc-e5c0-4fca-90d7-3176fbc4bb05 

     

    FYI



    Robert Aldwinckle
    ---

    Friday, January 9, 2015 7:04 PM
    Answerer
  • Thanks Scott,

    I used your instructions and it worked!

    Sincerely,

    Vlad

    Monday, July 20, 2015 2:49 PM
  • If anyone else runs into this, I resolved my issue by modifying the SecureProtocols value in the registry (since I avoid Group Policy at all costs) at HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings.

    The data to set the registry value to can be found at the link below (just Ctrl+F SecureProtocols).

    http://msdn.microsoft.com/en-us/library/ee487835%28v=winembedded.60%29.aspx

    I've found that deleting the "SecureProtocols" DWORD value (it's not there at all by default) at "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\" solves this problem.

    I've marked your post as an answer.  This is a better solution than my original answer (which I believe just does the same thing under the hood).

    Friday, July 8, 2016 1:10 PM
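
Added example, not part of any post in this thread: a read-only PowerShell audit that decodes the SecureProtocols bitmask discussed above and shows which scope is setting it. It assumes PowerShell 3.0 or later; the function name, the two HKCU locations and the sample values (computed from the on/off lists in the question and first answer) are this example's own, not the posters'.

```powershell
# Added example (not from the thread). Bit flags of the SecureProtocols DWORD.
$Flags = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
}

# Hypothetical helper: return the protocols a SecureProtocols value turns on.
function Get-EnabledProtocols {
    param([Parameter(Mandatory)][int]$Value)
    ($Flags.Keys | Where-Object { $Value -band $Flags[$_] }) -join ', '
}

# Constructed samples: the three states listed in the thread, as bitmasks.
$Samples = [ordered]@{
    'IE default (question)'        = 0x00A0   # SSL 3.0 + TLS 1.0
    'Greyed-out state (question)'  = 0x00A8   # SSL 2.0 + SSL 3.0 + TLS 1.0
    'After forcing policy (answer)' = 0x0AA0  # SSL 3.0 + TLS 1.0/1.1/1.2
}
foreach ($label in $Samples.Keys) {
    '{0}: 0x{1:X4} -> {2}' -f $label, $Samples[$label], (Get-EnabledProtocols $Samples[$label])
}

# Where the value can live. The HKLM policy path is the one named in the
# thread; the HKCU paths are assumed here as the per-user policy and
# per-user preference counterparts.
$Locations = [ordered]@{
    'Computer policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    'User policy'     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    'User preference' = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
}
foreach ($scope in $Locations.Keys) {
    $item = Get-ItemProperty -Path $Locations[$scope] -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        '{0}: SecureProtocols not set' -f $scope
        continue
    }
    $value = [int]$item.SecureProtocols
    '{0}: 0x{1:X4} -> {2}' -f $scope, $value, (Get-EnabledProtocols $value)
}

# The fix described in the thread, left commented out (needs an elevated prompt):
# Remove-ItemProperty -Path $Locations['Computer policy'] -Name SecureProtocols
```

A value reported under either policy scope is a leftover or enforced policy setting; if it reappears after removal, something is rewriting it, and `gpresult /h report.html` shows whether a GPO is the source.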
  • Many thanks for your help, it's working fine now.

    Can you advise if after restart the policy will be enforced again to the PC?

    Tuesday, July 19, 2016 10:12 AM
  • I've had this page linked as a favorite for over a year now because although it solves my problem, the advanced settings keep getting reset after a time. I don't know why. It's probably happened five times. This is a personal computer not joined to a domain. I do VPN in for work regularly but no policies are being pushed down or it would happen multiple times per week.

    It's a source of frustration because the settings, when returned to default, prevent secure applications which only permit TLS 1.1 or 1.2 connections from functioning. To name one, Webex Meetings...which is embarrassing for an IT guy who has to scramble when he can't get connected to a meeting because his PC is being "protected" from secure protocols in favor of antiquated ones (SSL 2.0 & TLS 1.0).

    Anyway, just thought I'd toss a comment in after lurking for the fix so long.


    • Edited by kdotten Saturday, June 15, 2019 5:30 PM
    Saturday, June 15, 2019 5:29 PM