How to set TLS protocols as default after applying KB3140245?

3

2

This is about the instructions for Windows update KB3140245 on a 64-bit Windows 7 machine.

Microsoft released this update some time ago that "allows users to change system-wide default protocols for WinHTTP and hardcodes Webio default protocols to include TLS 1.1 and TLS 1.2", as explained in the KB article.

Setting TLS as default would probably be useful to help mitigate security problems with SSL.

This question is about this part of the knowledge article:

The DefaultSecureProtocols registry entry can be added in the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

The registry value is a DWORD bitmap. The following values can be used in any combination to enable multiple protocols by default:

...or more specifically, the parts of the instructions highlighted in red in the image below:

Microsoft KB instructions

Firstly, the instructions seem to imply that a user can enter multiple DWORD values named DefaultSecureProtocols in combination, but that is not possible (the names of the values must be unique under a particular key).

Secondly, the (hexadecimal) values displayed in the KB article are too long (it is not possible to enter them as given in the registry editor), as shown in the image below:

Windows registry

So the question I would like to ask is:

Given the limitations of DWORD registry values, how can the three values displayed for TLS 1.0, TLS 1.1, and TLS 1.2 be entered in combination?

user100487

Posted 2016-05-24T13:36:45.183

Reputation: 524

I guess you missed this part. "The administrator wants to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS to specify TLS 1.1 and TLS 1.2.

Take the value for TLS 1.1 (0x00000200) and the value for TLS 1.2 (0x00000800) then add them together in calculator (in programmer mode), the resulting registry value would be 0x00000A00." – Moab – 2016-05-25T17:34:45.297

Then you would set the hexadecimal value in the registry to A00 – Moab – 2016-05-25T17:42:48.013

Answers

3

Together with @Moab's suggestion (to get the DEC values) you can edit it in the registry via a simple call to reg.exe:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /V "DefaultSecureProtocols" /T REG_DWORD /D 2560 /F

For setting it to 0x00000A00.

KeyWeeUsr

Posted 2016-05-24T13:36:45.183

Reputation: 238

2

Just in case somebody else needs this.

Change the value to A80 if you need to enable TLS 1.0, 1.1 and 1.2.

You can work out the value using the default calculator included with Windows 10.

  1. Change the mode from Standard to Programmer
  2. Click on HEX
  3. 80 + 200 + 800 = A80

Check the first image on the original question to see the values you can add up if you need to enable other protocols.

SkeletorMonkey

Posted 2016-05-24T13:36:45.183

Reputation: 21
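Both answers above work out the bitmask by hand (0xA00 for TLS 1.1 + TLS 1.2, 0xA80 with TLS 1.0 added) and the first one writes it with reg.exe to the native key only. As an added example, not part of the question or either answer, the PowerShell below builds the same DWORD from protocol names with a bitwise OR (so a protocol listed twice is not double-counted), writes it to both WinHttp keys named in the KB article (the Wow6432Node key only on 64-bit Windows, as the KB requires), and reads it back in hex and decimal so the 2560 / 0xA00 confusion from the question is visible. The bit values for SSL 2.0 and SSL 3.0 are taken from the KB3140245 table that the question's first image refers to; the page itself quotes only the three TLS values. The function and variable names are my own. Run it from an elevated prompt; `-WhatIf` shows what would be written without touching the registry.

```powershell
# Added example for KB3140245's DefaultSecureProtocols value; not code from the
# original question or answers. Requires an elevated PowerShell prompt.
# Bit values per the KB3140245 table (the page quotes only the TLS rows).
$ProtocolBits = @{
    'SSL2.0' = 0x00000008
    'SSL3.0' = 0x00000020
    'TLS1.0' = 0x00000080
    'TLS1.1' = 0x00000200
    'TLS1.2' = 0x00000800
}

# Both paths from the KB; the Wow6432Node one exists only on x64 Windows.
$WinHttpKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
if ([Environment]::Is64BitOperatingSystem) {
    $WinHttpKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
}

function Get-DefaultSecureProtocolsMask {
    # Combine the per-protocol bits into the single DWORD the key expects.
    param([Parameter(Mandatory)][string[]]$Protocols)
    $mask = 0
    foreach ($p in $Protocols) {
        if (-not $ProtocolBits.ContainsKey($p)) {
            throw "Unknown protocol '$p'. Known: $($ProtocolBits.Keys -join ', ')"
        }
        $mask = $mask -bor $ProtocolBits[$p]   # OR, not +, so duplicates are harmless
    }
    return $mask
}

function Set-DefaultSecureProtocols {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Protocols)

    $mask = Get-DefaultSecureProtocolsMask -Protocols $Protocols
    foreach ($key in $WinHttpKeys) {
        $action = 'Set DefaultSecureProtocols = 0x{0:X8} ({0})' -f $mask
        if ($PSCmdlet.ShouldProcess($key, $action)) {
            # The WinHttp key may not exist yet; -Force creates it.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'DefaultSecureProtocols' `
                -PropertyType DWord -Value $mask -Force | Out-Null
        }
    }
}

function Show-DefaultSecureProtocols {
    # Read the value back from every key and print it in both hex and decimal,
    # which is the check the question was missing (regedit shows hex, reg.exe takes decimal).
    foreach ($key in $WinHttpKeys) {
        $item = Get-ItemProperty -Path $key -Name 'DefaultSecureProtocols' -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            '{0}: DefaultSecureProtocols not set' -f $key
        } else {
            $v = $item.DefaultSecureProtocols
            '{0}: 0x{1:X8} ({1})' -f $key, $v
        }
    }
}

# TLS 1.1 + TLS 1.2 only -> 0x00000A00 (2560), matching the first answer.
Set-DefaultSecureProtocols -Protocols 'TLS1.1', 'TLS1.2'
# To also allow TLS 1.0 (second answer's 0xA80 / 2688), use instead:
# Set-DefaultSecureProtocols -Protocols 'TLS1.0', 'TLS1.1', 'TLS1.2'
Show-DefaultSecureProtocols
```

Note that this value only changes WinHTTP's default when a caller does not set WINHTTP_OPTION_SECURE_PROTOCOLS itself; it does not change which protocols SChannel has enabled, and the update must already be installed for the key to be honoured.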