If you are running Windows 7 or 8 and are having connection issues, this could be due to your TLS settings.
This can be fixed by telling your OS never to use TLS 1.0 anymore, and to stick with TLS 1.1 and 1.2 by default. Here’s a small guide explaining how you can do that.
Install the KB3140245 Security Patch
The first thing to do is to download and install the KB3140245 update. You can get it through Windows Update, where it is available as an optional update, or download it manually from the following official website:
This will equip your OS with TLS versions 1.1 and 1.2.
Updating your Windows Registry file
The next step is to patch your Windows Registry so that your OS uses the new TLS protocol versions (1.2, with 1.1 as a fallback) instead of the outdated and vulnerable 1.0. This can be done either automatically (with an official Microsoft-released patch file) or by manually editing the registry using Regedit or our TLS12fix.reg file:
Microsoft Patch File
The Microsoft patch file is called MicrosoftEasyFix51044.msi and can be downloaded from this URL:
If you’re doing this to fix a common MS Outlook scenario, downloading and executing this file is all you need to do.
Manual update
If you’re an experienced user, this is probably the recommended approach, since it lets you choose which protocols to enable.
#1. Setting the default TLS protocols
The first thing to do is to create a new DWORD value called DefaultSecureProtocols under the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
The HEX value to set depends on which protocol(s) you would like to enable by default:
- To enable TLS 1.0, TLS 1.1, and TLS 1.2, set the value to 00000A80 (not recommended: that’s what you want to avoid).
- To enable TLS 1.1 and TLS 1.2 only, thus disabling TLS 1.0, set the value to 00000A00. This is the recommended approach as of today (might change in the future if TLS 1.1 becomes outdated as well).
- To enable TLS 1.1 only, set the value to 00000200.
- To enable TLS 1.2 only, set the value to 00000800.
If you want to know more about these settings, look at this official Microsoft page, which explains and adds valuable information about the whole topic.
#2. Enable TLS 1.1 and 1.2 at the SChannel component level
The second thing to do, as explained in this TechNet article, is to create another DWORD value called DisabledByDefault under the following registry keys:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Set its value to 0 (zero) in both keys.
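The two manual steps above as a PowerShell script that writes the values and then reads them back, to be run from an elevated prompt. This is an added example, not one of the patch files offered on this page; it assumes the recommended value 00000A00, and the helper names Set-Dword and Get-EnabledProtocols are introduced here for illustration.

```powershell
# Added example: applies steps #1 and #2 of the manual update. Run elevated.
# Assumption: 0x00000A00 (TLS 1.1 + TLS 1.2, no TLS 1.0) is the value you want.
$DefaultSecureProtocols = 0x00000A00

# Step #1: WinHttp defaults.
$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
# Step #2: SChannel client protocol keys.
$schannelKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
)

# Hypothetical helper: create the key only if it is missing, then write the DWORD.
function Set-Dword($Key, $Name, $Value) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Hypothetical helper: decode a DefaultSecureProtocols bitmask into protocol names.
function Get-EnabledProtocols([int]$Mask) {
    $flags = @{ 0x80 = 'TLS 1.0'; 0x200 = 'TLS 1.1'; 0x800 = 'TLS 1.2' }
    $flags.Keys | Sort-Object | Where-Object { $Mask -band $_ } | ForEach-Object { $flags[$_] }
}

foreach ($key in $winHttpKeys) {
    # Wow6432Node only exists on 64-bit Windows; skip it elsewhere.
    if ($key -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
    Set-Dword $key 'DefaultSecureProtocols' $DefaultSecureProtocols
}
foreach ($key in $schannelKeys) { Set-Dword $key 'DisabledByDefault' 0 }

# Read everything back so a failed or partial write is visible.
foreach ($key in $winHttpKeys) {
    if (-not (Test-Path $key)) { continue }
    $v = (Get-ItemProperty -Path $key).DefaultSecureProtocols
    '{0} -> 0x{1:X8} ({2})' -f $key, $v, ((Get-EnabledProtocols $v) -join ', ')
}
foreach ($key in $schannelKeys) {
    '{0} -> DisabledByDefault={1}' -f $key, (Get-ItemProperty -Path $key).DisabledByDefault
}
```

If the read-back lists TLS 1.0 for either WinHttp key, the value written there still includes the 0x80 bit.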
Registry Patch File(s)
If you don’t want to manually edit your Windows Registry file using Regedit, you can download these registry patch files to automatically set the above registry keys with a single click.