How to Configure Microsoft Windows 7 to Use TLS Version 1.2

Last modified: December 2, 2022


Overview

This document explains how to configure your Microsoft Windows® 7 workstation and Microsoft Outlook® 2010 mail clients to use Transport Layer Security (TLS) protocol version 1.2.

Important:
  • We support TLS version 1.2.
    • We strongly recommend that you enable TLSv1.2 on your server.
  • The instructions in this document only pertain to servers that run the Windows 7 operating system.
  • We strongly recommend that you do not adjust the cipher and protocol settings for the Exim and Dovecot services on Windows 7. Servers on this operating system fail PCI compliance scans because of unpatched security vulnerabilities that exist in the following mail clients:
    • Outlook 2007.
    • Outlook 2010.

Create registry keys

Install Windows update

You must download and install the KB3140245 Windows update from the Microsoft Update Catalog. This update will create the registry key paths in which you will create new registry keys. These registry keys will allow you to enable TLSv1.2 on your server.

After you download and install the update, you must restart your workstation for the changes to take effect.

Add a registry key for Windows HTTP services

To add a registry key for Windows HTTP services, perform the following steps:

  1. From the Windows Start menu, enter regedit.exe in the Search text box.
  2. Click regedit.exe to open the Registry Editor.
  3. Navigate to the following registry path:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  4. Select the WinHttp key.
  5. From the Menu bar, click Edit, select New, and click DWORD (32-bit) Value.
    Note:

    On 64-bit systems, click QWORD (64-bit) Value.

  6. Enter DefaultSecureProtocols as the DWORD value’s name.
  7. Right-click the new value and select Modify from the Context menu.
  8. Enter A00 in the Value Data text box and click OK.
    Important:

    If your workstation runs on a 64-bit system, you must also perform steps 5-8 for the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

Add a registry key for the TLS directories

To add registry keys for TLS versions 1.1 and 1.2, perform the following steps:

  1. Navigate to the following registry path:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1
  2. Select the Client key.
  3. From the Menu bar, click Edit, select New, and click DWORD (32-bit) Value.
    Remember:

    On 64-bit systems, click QWORD (64-bit) Value.

  4. Enter DisabledByDefault as the DWORD value’s name.
  5. Right-click the new value and select Modify from the Context menu.
  6. Enter 0 in the Value Data text box and click OK.
  7. Navigate to the TLS 1.2 registry path and open the Client key.
  8. Repeat steps 2-6 and click OK.

Apply the settings

After you modify your registry keys, you must restart your workstation to apply the registry settings. When your workstation restarts, create a test email account in Microsoft Outlook and configure the following settings in the Advanced section of Microsoft Outlook’s Internet E-Mail Settings interface:

  • Enter 993 in the Incoming Server (IMAP) text box or 995 in the Incoming Server (POP3) text box.
  • Enter 465 in the Outgoing Server (SMTP) text box.

After you finish, click OK. Your Microsoft Outlook account will now successfully connect to your cPanel server’s mail services.
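
To confirm the registry changes after the restart, the following added example (not part of the original page) reads back each value this document sets, prints its data and registry type, and decodes DefaultSecureProtocols: A00 hex is 0x200 (TLS 1.1) plus 0x800 (TLS 1.2). The function names Get-RegValue, Show-WinHttpProtocols and Show-SchannelClient are hypothetical helpers.

```powershell
# Added example, not part of the original page: read back the values set above.
# Bit values are the ones Microsoft documents for DefaultSecureProtocols.
$protocolBits = @(
    @{ Name = "SSL 2.0"; Bit = 0x008 },
    @{ Name = "SSL 3.0"; Bit = 0x020 },
    @{ Name = "TLS 1.0"; Bit = 0x080 },
    @{ Name = "TLS 1.1"; Bit = 0x200 },
    @{ Name = "TLS 1.2"; Bit = 0x800 }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is missing.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    $kind = (Get-Item -Path $Path).GetValueKind($Name)
    return @{ Data = $item.$Name; Kind = $kind }
}

function Show-WinHttpProtocols([string]$Path) {
    $v = Get-RegValue $Path "DefaultSecureProtocols"
    if ($v -eq $null) { return "$Path : DefaultSecureProtocols not set" }
    # Keep the names of the protocols whose bit is present in the stored mask.
    $on = @($protocolBits | Where-Object { $v.Data -band $_.Bit } | ForEach-Object { $_.Name })
    return ("{0} : 0x{1:X} ({2}) -> {3}" -f $Path, $v.Data, $v.Kind, ($on -join ", "))
}

function Show-SchannelClient([string]$Version) {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Version\Client"
    $v = Get-RegValue $path "DisabledByDefault"
    if ($v -eq $null) { return "$Version Client: DisabledByDefault not set" }
    if ($v.Data -eq 0) { $state = "enabled by default" } else { $state = "disabled by default" }
    return ("{0} Client: DisabledByDefault = {1} ({2}) -> {3}" -f $Version, $v.Data, $v.Kind, $state)
}

# The Wow6432Node key exists only on 64-bit systems; on 32-bit it reports "not set".
Show-WinHttpProtocols "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
Show-WinHttpProtocols "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
Show-SchannelClient "TLS 1.1"
Show-SchannelClient "TLS 1.2"
```

A correctly configured workstation reports TLS 1.1 and TLS 1.2 for each WinHttp key and "enabled by default" for both SCHANNEL client keys.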

Installation scripts

We created two scripts that will automatically perform the actions that this document describes. To use these scripts, perform the following steps:

  1. Open the Windows PowerShell application.

  2. Navigate to the directory of your choice.

  3. Create the install-kb.ps1 and tls-reg-edit.ps1 files.

  4. Open the install-kb.ps1 file with a text editor and add the following information:

    Note:
    This script downloads and installs the KB3140245 Windows update.
    
    # BITS provides the Start-BitsTransfer cmdlet used for the download.
    Import-Module BitsTransfer
    
    # Returns "32-bit" or "64-bit"; selects which package to fetch.
    $arch=(Get-WmiObject -Class Win32_operatingsystem).Osarchitecture
    
    # Each branch downloads the package into the current directory over plain HTTP,
    # then passes it to the Windows Update Standalone Installer (wusa).
    # The script does not verify the file before it installs it.
    If ($arch -eq "32-bit") {
        $kbUrl32 = "http://download.windowsupdate.com/c/msdownload/update/software/updt/2016/04/windows6.1-kb3140245-x86_cdafb409afbe28db07e2254f40047774a0654f18.msu"
        $kb32 = "windows6.1-kb3140245-x86_cdafb409afbe28db07e2254f40047774a0654f18.msu"
        Start-BitsTransfer -source $kbUrl32
        wusa $kb32 /log:install.log
    }
    Else {
        $kbUrl64 = "http://download.windowsupdate.com/c/msdownload/update/software/updt/2016/04/windows6.1-kb3140245-x64_5b067ffb69a94a6e5f9da89ce88c658e52a0dec0.msu"
        $kb64 = "windows6.1-kb3140245-x64_5b067ffb69a94a6e5f9da89ce88c658e52a0dec0.msu"
        Start-BitsTransfer -source $kbUrl64
        wusa $kb64 /log:install.log
    }

  5. Open the tls-reg-edit.ps1 file with a text editor and add the following information:

    Note:

    This script creates registry values under the following registry paths:

    
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
    
    # Detect the OS architecture; 64-bit systems also need the Wow6432Node key.
    $arch=(Get-WmiObject -Class Win32_operatingsystem).Osarchitecture
    $reg32bWinHttp = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
    $reg64bWinHttp = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
    $regWinHttpDefault = "DefaultSecureProtocols"
    # 0xA00 = 0x200 (TLS 1.1) + 0x800 (TLS 1.2)
    $regWinHttpValue = "0x00000a00"
    $regTLS11 = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"
    $regTLS12 = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
    $regTLSDefault = "DisabledByDefault"
    # 0 = the protocol is not disabled by default
    $regTLSValue = "0x00000000"
    
    Clear-Host
    Write-Output "Creating Registry Keys...`n"
    Write-Output "Creating registry key $reg32bWinHttp\$regWinHttpDefault with value $regWinHttpValue"
    
    IF(!(Test-Path $reg32bWinHttp)) {
        New-Item -Path $reg32bWinHttp -Force | Out-Null
        New-ItemProperty -Path $reg32bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
    }
    ELSE {
        New-ItemProperty -Path $reg32bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
    }
    
    IF($arch -eq "64-bit") {
        Write-Output "Creating registry key $reg64bWinHttp\$regWinHttpDefault with value $regWinHttpValue"
        IF(!(Test-Path $reg64bWinHttp)) {
            New-Item -Path $reg64bWinHttp -Force | Out-Null
            New-ItemProperty -Path $reg64bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
        }
        ELSE {
            New-ItemProperty -Path $reg64bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
        }
    }
    
    Write-Output "Creating registry key $regTLS11\$regTLSDefault with value $regTLSValue"
    
    IF(!(Test-Path $regTLS11)) {
        New-Item -Path $regTLS11 -Force | Out-Null
        New-ItemProperty -Path $regTLS11 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
    }
    ELSE {
        New-ItemProperty -Path $regTLS11 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
    }
    
    Write-Output "Creating registry key $regTLS12\$regTLSDefault with value $regTLSValue"
    
    IF(!(Test-Path $regTLS12)) {
        New-Item -Path $regTLS12 -Force | Out-Null
        New-ItemProperty -Path $regTLS12 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
    }
    ELSE {
        New-ItemProperty -Path $regTLS12 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
    }
    
    Write-Output "`nComplete!"

  6. Run the scripts from the directory in which you saved the files, for example:

    
    Set-ExecutionPolicy Bypass -Scope Process ; .\install-kb.ps1
    Set-ExecutionPolicy Bypass -Scope Process ; .\tls-reg-edit.ps1

  7. Restart your workstation for the changes to take effect.
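
The install-kb.ps1 script above downloads the package over plain HTTP and hands it to wusa without checking it. The following added example (not part of the original scripts) compares the downloaded file's SHA-1 with the 40 hex characters in its file name. It assumes that suffix is the package digest, as in Microsoft Update Catalog file names; Get-Sha1Hex and Test-MsuDigest are hypothetical helper names.

```powershell
# Added example, not part of the original scripts.
# Assumption: the 40 hex characters before ".msu" are the package's SHA-1 digest.

function Get-Sha1Hex([string]$Path) {
    # Hash with .NET directly; Get-FileHash is not available in PowerShell 2.0.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha1.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Test-MsuDigest([string]$Path) {
    # The expected digest comes from the file name hard-coded in install-kb.ps1,
    # not from anything the download server sent.
    $name = [System.IO.Path]::GetFileName($Path)
    if ($name -notmatch '_([0-9a-fA-F]{40})\.msu$') {
        throw "No 40-character digest in file name: $name"
    }
    $expected = $Matches[1].ToLower()
    return ((Get-Sha1Hex $Path) -eq $expected)
}

# Check every copy of the update in the current directory,
# which is where Start-BitsTransfer saved it.
$packages = @(Get-ChildItem -Path . -Filter "windows6.1-kb3140245-*.msu")
if ($packages.Count -eq 0) { throw "No KB3140245 package found in $(Get-Location)" }
foreach ($msu in $packages) {
    if (Test-MsuDigest $msu.FullName) {
        Write-Output "OK: $($msu.Name) matches the digest in its name"
    } else {
        Write-Output "MISMATCH: $($msu.Name) - do not install this file"
    }
}
```

To use the check, run it from the download directory after Start-BitsTransfer finishes and before wusa installs the package.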
