TLS 1.1 & 1.2 in Legacy Versions of Windows
While TLS 1.1 and TLS 1.2 were standardized in 2006 and 2008 respectively, Microsoft was always a bit reluctant to add them in a timely manner. Here you find information on how to turn on TLS 1.1 and 1.2 on older versions of Windows:
Operating Systems
Windows 9x, NT, 2000
No patch was released to make TLS 1.1 and 1.2 available to these operating systems.
Windows XP
Windows XP never received an update to have support for TLS 1.1 and 1.2, however in 2018 a patch was released for Windows Embedded POSReady 2009 and Windows Embedded Standard 2009 to add support for it. This update can also be installed on Windows XP after applying the POSReady registry trick.
Support article: KB4019276
Microsoft Catalog: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4019276
After installing the update, the system needs to be restarted. Also some registry keys need to be set. See the registry section for information on what to set.
Note that only few cyphers are supported with this update. Most modern websites will still not work properly after applying the patch.
Windows Server 2003 & XP x64 Edition
No patch was released to make TLS 1.1 and 1.2 available to these operating systems.
Windows Vista & Server 2008
Windows Vista never received an update to have support for TLS 1.1 and 1.2, however in 2018 a patch was released for Windows Server 2008 to add support for it. This update can also be installed on Windows Vista.
Support article: KB4019276
Microsoft Catalog: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4019276
After installing the update, the system needs to be restarted. Also some registry keys need to be set. See the registry section for information on what to set.
Note that only few cyphers are supported with this update. Most modern websites will still not work properly after applying the patch.
Windows 7 & Server 2008, Windows 8 & Server 2012
TLS 1.1 and TLS 1.2 are built in to the OS and are automatically enabled when installing Internet Explorer 9 or later (on Windows 7). Otherwise they can be enabled under Control Panel -> Network and Internet -> Internet Options -> Advanced -> Security
WinHTTP
Some applications that use the WinHTTP API applications might still not work with the settings enabled. To fix this, the following Update needs to be installed.
Support article: KB3140245
Microsoft Catalog: https://catalog.update.microsoft.com/search.aspx?q=kb3140245
After installing the update, the system needs to be restarted. Also some registry keys need to be set. See the registry section for information on what to set.
Windows 8.1 and newer
TLS 1.1 and TLS 1.2 are built in to the OS and are automatically enabled.
Registry values
To enable TLS 1.1 and 1.2 after applying the relevant patches, copy and paste the following text into a .reg file and import it by opening it.
Enable TLS 1.1 and 1.2 (Windows XP and newer)
Note: KB4019276 needs to be installed for these changes to work. (Windows XP, Windows Vista & Server 2008 only)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
Make the TLS 1.1 and 1.2 settings visible in the Internet Options (Windows XP, Windows Vista & Server 2008)
Note: KB4019276 needs to be installed for these changes to work.
32-bit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"=-
64-bit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet
Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet
Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"=-
Enable TLS 1.1 and 1.2 for WinHTTP (Windows 7 & Server 2008, Windows 8 & Server 2012)
Note: KB3140245 needs to be installed for these changes to work.
32-bit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"SecureProtocols"=dword:00000a80
"DefaultSecureProtocols"=dword:00000a80
64-bit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"SecureProtocols"=dword:00000a80
"DefaultSecureProtocols"=dword:00000a80
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"SecureProtocols"=dword:00000a80
"DefaultSecureProtocols"=dword:00000a80
Software
Some software has its own TLS libraries built in and thus is able to use more modern TLS versions than the underlying OS supports.
Here is an incomplete table of software and its support:
| Software | Version | Released | Min Windows Ver | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 |
|---|---|---|---|---|---|---|---|
| Internet Explorer | 4.0 | 22 Sep 1997 | Windows 3.1 | opt-in | no | no | no |
| 7 | 18 Oct 2006 | Windows XP SP2 | yes | no | no | no | |
| 8 | 19 Mar 2009 | Windows XP SP3 | yes | opt-in1 | opt-in1 | no | |
| 10 | 04 Sep 2012 | Windows 7 | yes | yes | yes | no | |
| 11 | 17 Oct 2013 | Windows 7 SP1 | |||||
| 21 May 2019 | Windows 10 1903 | yes | yes | yes | opt-in | ||
| 05 Oct 2021 | Windows 11 | yes | yes | yes | yes | ||
| Microsoft Edge | 20 | 15 Jul 2015 | Windows 10 | yes | yes | yes | no |
| 78 | 15 Jan 2020 | Windows 7 SP1 | yes | yes | yes | yes | |
| Mozilla Firefox | 1.0 | 09 Nov 2004 | Windows 95 | yes | no | no | no |
| 23 | 06 Aug 2013 | Windows XP SP2 | yes | opt-in | no | no | |
| 24 | 17 Sep 2013 | Windows XP SP2 | yes | opt-in | opt-in | no | |
| 27 | 04 Feb 2014 | Windows XP SP2 | yes | yes | yes | no | |
| 49 | 20 Sep 2016 | Windows XP SP2 | yes | yes | yes | opt-in | |
| 60 | 09 May 2018 | Windows 7 | yes | yes | yes | yes | |
| Google Chrome
Chromium |
1 | 24 Nov 2008 | Windows XP SP2 | yes | no | no | no |
| 22 | 25 Sep 2012 | Windows XP SP2 | yes | yes | no | no | |
| 30 | 01 Oct 2013 | Windows XP SP2 | yes | yes | yes | no | |
| 54 | 12 Oct 2016 | Windows 7 | yes | yes | yes | opt-in | |
| 67 | 29 May 2018 | Windows 7 | yes | yes | yes | yes | |
| Opera | 3.5 | 18 Nov 1998 | Windows 3.1 | yes | no | no | no |
| 8 | 19 Apr 2005 | Windows 95 | yes | opt-in | no | no | |
| 9 | 20 Jun 2006 | Windows 95 | yes | yes | no | no | |
| 10 | 01 Sep 2009 | Windows 95 | yes | opt-in | opt-in | no | |
| 12.18 | 16 Feb 2016 | Windows XP SP2 | yes | yes | yes | no | |
| 41 | 25 Oct 2016 | Windows 7 | yes | yes | yes | opt-in | |
| 57 | 28 Nov 2018 | Windows 7 | yes | yes | yes | yes |
1 Disabled by default on Windows 7 and Server 2008 R2. Windows XP, Vista and Server 2008 require an update that adds support for TLS 1.1 and 1.2.
