Disabling TLS 1.0 on Windows Server 2016 Essentials without breaking client-to-server operations

  1. Enabling TLS 1.2 both for server and client on Windows Server 2016 Essentials itself (if not already enabled). You can also take this opportunity to audit and disable any older TLS versions.
  2. Setting two important registry keys for the .NET framework on the server and any client that’s connecting to Windows Server 2016 Essentials.
  3. Rebooting your Windows Server and any connected client for these changes to take effect.
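
A read-only PowerShell audit for steps 1 and 2, added here as an example and not taken from the original article. The SCHANNEL protocol paths and the .NET value names `SchUseStrongCrypto` and `SystemDefaultTlsVersions` are the Microsoft-documented settings, assumed to be the ones the steps refer to; the target state (TLS 1.2 on, TLS 1.0 off for both SCHANNEL roles) is likewise an assumption.

```powershell
# Added example: read-only audit, no registry changes are made.
# Paths and value names are Microsoft-documented; assumed to match the article's steps.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnet   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'   # 32-bit apps on 64-bit Windows
)

# Assumed target state: TLS 1.2 on, TLS 1.0 off, .NET deferring to the OS configuration.
$want = @()
foreach ($role in 'Server', 'Client') {
    $want += [pscustomobject]@{ Path = "$schannel\TLS 1.2\$role"; Name = 'Enabled';           Value = 1 }
    $want += [pscustomobject]@{ Path = "$schannel\TLS 1.2\$role"; Name = 'DisabledByDefault'; Value = 0 }
    $want += [pscustomobject]@{ Path = "$schannel\TLS 1.0\$role"; Name = 'Enabled';           Value = 0 }
    $want += [pscustomobject]@{ Path = "$schannel\TLS 1.0\$role"; Name = 'DisabledByDefault'; Value = 1 }
}
foreach ($p in $dotnet) {
    $want += [pscustomobject]@{ Path = $p; Name = 'SchUseStrongCrypto';       Value = 1 }
    $want += [pscustomobject]@{ Path = $p; Name = 'SystemDefaultTlsVersions'; Value = 1 }
}

$report = foreach ($w in $want) {
    # A missing key or value means the OS or .NET default applies, so report it as not set.
    $actual = $null
    if (Test-Path $w.Path) {
        $actual = (Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
    }
    [pscustomobject]@{
        Path     = $w.Path
        Name     = $w.Name
        Expected = $w.Value
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Ok       = ($actual -eq $w.Value)   # strict compare: other nonzero 'Enabled' values show as a mismatch
    }
}

$report | Format-Table -AutoSize -Wrap
if ($report.Ok -contains $false) {
    Write-Warning 'One or more values differ from the target state; changes need a reboot to take effect.'
}
```

Run it from an elevated PowerShell prompt on the server; on a connecting client only the two .NET rows are relevant to step 2.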

Enabling TLS 1.2 and disabling older TLS versions on the server

Allowing the .NET Framework to use strong cryptography and the TLS configuration of the operating system

Summary

Additional notes

  • There is no TLS 1.3 support in Windows Server 2016 with SCHANNEL. Windows Server 2022 does support TLS 1.3 with SCHANNEL.
  • TLS 1.0 should not be outright disabled on older Windows Server versions as this will impact more than just client-to-server functionality.
  • Disabling TLS 1.0 on Windows Server 2016 Essentials can have some side effects on the Windows Server Essentials connector software being able to automatically discover the server; this may require manually providing the server hostname when adding a new client.
  • If you use a personalised Microsoft domain for anywhere/remote access, you may have to temporarily enable TLS 1.0 to allow communication to Microsoft for assigning the domain to your Microsoft account. If you use your own custom domain/SSL certificate, you should not have to do this.

James White

I'm a web developer, but also like writing about technical networking and security related topics, because I'm a massive nerd!