News

Microsoft Ending TLS 1.0 and TLS 1.1 in Windows

Future Windows releases will no longer support the Transport Layer Security (TLS) 1.0 and TLS 1.1 security protocols, Microsoft announced on Tuesday.

Those two protocols will be disabled in all future Windows operating systems releases by default. Microsoft will start the disablement first with its Windows 11 preview builds getting released sometime in September.

Here's how the announcement characterized the approach:

To increase the security posture of Windows customers and encourage modern protocol adoption, TLS versions 1.0 and 1.1 will soon be disabled by default in the operating system, starting with Windows 11 Insider Preview builds in September 2023 and future Windows OS releases. There is an option to re-enable TLS 1.0 or TLS 1.1 for users who need to maintain compatibility.

Older TLS Protocols
The TLS protocol is used to secure client and server traffic during Internet connections. The use of TLS 1.2 or TLS 1.3 is deemed acceptable, but older versions aren't secure.

TLS 1.0 dates from 1999, while TLS 1.1 was published in 2006. These older protocols are subject to "passive decryption" methods and "man-in-the-middle" attacks, according to the U.S. National Security Agency, which issued an advisory to block them back in 2021. Organizations should move to TLS 1.2 or 1.3 "as soon as possible," the spy agency advised, and they also should check for the use of "obsolete cipher suites," which also should be blocked.

Browser makers have long dropped support for TLS 1.0 and TLS 1.1. Client support was dropped for Microsoft 365 and Exchange Online. However, Microsoft's past TLS 1.0 and TLS 1.1 end-of-support goals have not always met their target dates, as illustrated in this 2020 Redmond article.

Microsoft now is ending support for the two older TLS protocols in Windows because their use is low.

"We have been tracking TLS protocol usage for several years and believe TLS 1.0 and TLS 1.1 usage data are low enough to act," the announcement indicated.

Solving the Problem
Blocking the use of the older TLS 1.0 and TLS 1.1 protocols may sound simple, but applications may have been "hardcoded" to use them. Organizations need to do a lot of checking for older protocol use, as well as testing their current applications when using TLS 1.2.

Microsoft's announcement listed some "top Windows applications" that it found were affected by disabling Windows support for TLS 1.0 and TLS 1.1. The "known issues" list included applications such as Safari version 5.1.7, SQL 2012, 2014 and 2016, SQL Server 2014 and SQL Server 2016, Turbo Tax 2018 and lower versions, and much more.

The announcement included roll-up-your-sleeves advice for developers and IT pros to ensure that things will work when the legacy protocols are disabled in Windows. Sometimes the problem gets resolved by just installing a newer application. Microsoft's general advice, though, is quite complex. The vicissitudes are outlined in this 2022-dated "Solving the TLS 1.0 Problem, 2nd Edition document."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured