Jul 30, 2018 - Select. Create a DWORD value called DisabledByDefault. Repeat Steps 4 - 5 for the client key under TLS 1.2. Restart the machine and launch Outlook, which should now connect to a server running only TLS 1.1 or 1.2. Outlook is unable to use TLS 1.1/1.2 despite the fact that the protocol is supported in Schannel under Windows 7 and that it can be used for other applications such as IE11 and RDP. Disabling TLS 1.0 on the server will break any Outlook client using Windows 7.
Version 1.0 of the TLS protocol is not secure. As such it needs to be disabled on servers which want to have a PCI compliance. Our GoGeek servers are PCI compliant by default, which is why we have disabled TLS 1.0 on them.
On Windows 7 and Windows 8.0 computers, the applications built on WinHTTP (Windows HTTP Services) such as Outlook, Word, etc. only support TLS 1.0. As a result of this, if you try to establish a secure connection from your Outlook client to a GoGeek server, Outlook will throw an error message 'your server does not support the connection encryption type you have specified'.
![Outlook 2010 and tls 1.0 Outlook 2010 and tls 1.0](/uploads/1/2/5/3/125301292/380535700.png)
In order to resolve this and allow your Outlook to communicate securely to the GoGeek server using TLS 1.1 and TLS 1.2, you have to do the following:
- Install the Windows update KB3140245, either through Windows Update where it is available as an Optional Update, or download it from the Microsoft Update Catalog (http://www.catalog.update.microsoft.com/search.aspx?q=kb3140245).
- Download the file MicrosoftEasyFix51044.msi from the following page and install it on your computer:
The file is available for download in the section labeled Easy fix on the above mentioned page. If the easy fix option is not suitable for you and you prefer to edit the registry of your computer manually, the article also provides that information in section 'How the DefaultSecureProtocols registry entry works'.
You find this article useful? Click here to learn more about SiteGround web hosting experts and what else we can do for you!
-->As of October 31, 2018, the Transport Layer Security (TLS) 1.0 and 1.1 protocols are deprecated for the Office 365 service. The effect for end-users is expected to be minimal. This change was publicized for almost two years, with the first public announcement made in December 2017. This article is only intended to cover the Office 365 local client in relation to the Office 365 service but can also apply to on-premises TLS issues with Office, Office Online Server/Office Web Apps, and SharePoint.
Note This article also applies to the following:
- Office 365 ProPlus
- Office 365 Business
- Office 365 Personal
Office and TLS overview
The Office client relies on the Windows web service (WINHTTP) to send and receive traffic over TLS protocols. The Office client can use TLS 1.2 if the web service of the local computer can use TLS 1.2. All Office clients can use TLS protocols, as TLS and SSL protocols are part of the operating system and not specific to the Office client.
![2016 2016](/uploads/1/2/5/3/125301292/121046262.png)
On Windows 8 and later versions
By default, the TLS 1.2 and 1.1 protocols are available if no network devices are configured to reject TLS 1.2 traffic.
On Windows 7
TLS 1.1 and 1.2 protocols are not available without the KB 3140245 update. The update addresses this issue and adds the following registry sub key:
Note Windows 7 users who do not have this update are affected as of October 31, 2018. KB 3140245 has details about how to change WINHTTP settings to enable TLS protocols.
More information
The value of the DefaultSecureProtocols registry key that the KB article describes determines which network protocols can be used:
DefaultSecureProtocols Value | Protocol enabled |
---|---|
0x00000008 | Enable SSL 2.0 by default |
0x00000020 | Enable SSL 3.0 by default |
0x00000080 | Enable TLS 1.0 by default |
0x00000200 | Enable TLS 1.1 by default |
0x00000800 | Enable TLS 1.2 by default |
Office clients and TLS registry keys
You can refer to KB 4057306 Preparing for the mandatory use of TLS 1.2 in Office 365. This is a general article for IT administrators, and it's official documentation about the TLS 1.2 change.
The following table shows the appropriate registry key values in Office 365 clients after October 31, 2018.
Enabled protocols for Office 365 service after October 31, 2018 | Hexadecimal value |
---|---|
TLS 1.0 + 1.1 + 1.2 | 0x00000A80 |
TLS 1.1 + 1.2 | 0x00000A00 |
TLS 1.0 + 1.2 | 0x00000880 |
TLS 1.2 | 0x00000800 |
Important We don't recommend that you use the SSL 2.0 and 3.0 protocols, which can also be set by using the DefaultSecureProtocols key. SSL 2.0 and 3.0 are considered deprecated protocols. The best practice is to end the use of SSL 2.0 and SSL 3.0, although the decision to do this ultimately depends on what best meets your product needs. For more information about SSL 3.0 vulnerabilities, refer to KB 3009008.
You can use the default Windows Calculator in Programmer mode to set up the same reference registry key values. For more information, see KB 3140245 Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows.
Regardless if the Windows 7 update (KB 3140245) is installed or not, the DefaultSecureProtocols registry sub key isn't present and must be added manually or through a group policy object (GPO). That is, unless you have to customize what secure protocols are enabled or restricted, this key is not required. You only need the Windows 7 SP1 (KB 3140245) update.