How to Disable TLS 1.0 and TLS 1.1 via Group Policy

Time needed: 15 minutes.

How to Disable TLS 1.0 and TLS 1.1 via Group Policy

1. Open regedit utility

   Open Group Policy Management (gpmc.msc) in a Domain Controller.

   

2. Creating a GPO in the Domain Controller

   Navigate to the OU where Policy is to be linked and right-click and select ‘Create a GP in this domain and Link it here’; In this demo select ‘Domain Controllers’ OU.

   

3. Rename the GPO to ‘Disable_TLS 1.0_TLS 1.1’

   Name the New GPO and click on ‘OK’; this creates a New GP which is linked to the OU. 

   

4. Edit the ‘Disable_TLS 1.0_TLS 1.1’ GPO

   Right-click the Policy and click on ‘Edit’.

   

5. Create Registry Item in Group Policy

   Navigate to Computer Configurations –> Preferences –> Windows Settings –> Registry.
   Create a new Registry by Right click on the blank space and selecting New –> Registry Item.

   

6. Update Registry Properties

   In new Registry Properties, update the details as below and click on ‘OK’.
   Action: Update
   Hive: HKEY_LOCAL_MACHINE
   Key Path: SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.0/Client
   Value name: Enabled
   Value type: REG_DWORD
   Value data: 0
   Base: Hexadecimal   
            

7. [OPTIONAL] Commands to create Registry Item in Group Policy

   Similar to above step, create below keys to Disable TLS 1.0 as well as TLS 1.1,

   

8. [OPTIONAL] List of Registry Items in Group Policy

   The image shows the list of Registry items created in Group Policy.