The TLS protocol provides privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols, but because the SSL protocols do not provide a sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 in 2006, TLS 1.2 in 2008 and TLS 1.3 in 2018.
If you are interested in learning more about these protocols, the differences between them and their security improvements, you can check the protocols' RFCs (Request for Comments) at these links: TLS 1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC.
This blog post is for the legacy versions of Internet Explorer and Microsoft Edge that were based on MSEdgeHTML. It is recommended to use the latest Microsoft Edge browser, which is based on Chromium like Google Chrome. The first Chromium-based Microsoft Edge browser was released on January 15, 2020.
If you are using Microsoft Edge browser version 84 or later, the TLS 1.0 and TLS 1.1 protocols are already disabled by default.
Steps to disable TLS 1.0 and TLS 1.1 using Intune admin center
Follow the steps below to disable TLS 1.0 and TLS 1.1 using the Intune admin center for legacy web browsers like Internet Explorer and Microsoft Edge (EdgeHTML).
- Log in to the Microsoft Intune admin center
- Go to Devices > Configuration profiles
- Click on + Create Profile
- Select Platform as Windows 10 and later
- Select Profile Type as Settings catalog
Basics
Provide a name and description for the device configuration profile.
- Name: Disable TLS1.0 and TLS1.1 for IE/Microsoft Edge
- Description: This policy is to disable TLS1.0 and TLS1.1 for Legacy Web browsers
Configuration Settings
Click the + Add settings link and search for turn off encryption support.
- You will find the Turn off encryption support setting under the category Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
- Select Turn off encryption support
- Toggle the switch to Enabled for Turn off encryption support and, from the Secure Protocol combinations drop-down, select Only use TLS 1.2. Click Next to proceed.
Assignments
Create an Azure AD security group containing the users or devices to which this device configuration profile needs to be deployed. If you prefer a more controlled deployment to specific devices only, make sure to target only devices via the Azure AD group. Once your testing is successful and you want to deploy this profile to all organization devices, you can click + Add all devices.
Review + Create
Review the device configuration profile and then click the Create button to create this policy.
Intune Policy Refresh Cycle
The device will sync (check in) to start the deployment process. It may take some time for the process to start, so if you are testing on a test device you can force an Intune refresh cycle on the device, which speeds up the configuration process. You can also use PowerShell to force an Intune refresh cycle.
Alternatively, you can restart the device, which also starts the device check-in process. A manual sync is not mandatory on users' devices, since the check-in process happens automatically, but if you are testing this setting on a test device it can speed up your testing and save some time.
End User Experience
Let's check what happens on the end user machine after this policy is applied. We want to make sure TLS 1.0 and TLS 1.1 are disabled as per the device configuration profile. To check and confirm that the TLS 1.0 and TLS 1.1 protocols are disabled for legacy browsers, follow these steps:
- Press Windows + R to open the Run dialog box
- Type inetcpl.cpl and press Enter
- In Internet Options, go to the Advanced tab.
- Scroll down in the Settings list to find the TLS options.
- As you can see in the screenshot below, the only option enabled is "Use TLS 1.2".
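If you would rather confirm the result from a script than from the dialog, the following PowerShell example is added here and is not from the original post. It assumes that, like its Group Policy equivalent, the Turn off encryption support setting lands in the SecureProtocols value under the Internet Settings policy keys; the bit values decoded are the documented WinINet protocol flags, and "Only use TLS 1.2" corresponds to 0x800.

```powershell
# Decode the SecureProtocols bitmask so the enabled protocols can be confirmed
# without opening Internet Options. Bit values are the WinINet protocol flags.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x08
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
    'TLS 1.3' = 0x2000
}

function Get-SecureProtocolNames {
    param([int]$Mask)
    $ProtocolBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Policy hives take precedence over the per-user preference; assumed paths,
# listed in the order Internet Explorer honours them.
$Paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
)

$Findings = foreach ($Path in $Paths) {
    $Value = (Get-ItemProperty -Path $Path -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -ne $Value) {
        [pscustomobject]@{
            Path      = $Path
            Mask      = ('0x{0:X}' -f $Value)
            Enabled   = (Get-SecureProtocolNames -Mask $Value) -join ', '
            # The profile in this post should leave only the TLS 1.2 bit set.
            Compliant = ($Value -eq 0x800)
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    Write-Output 'SecureProtocols is not set in any checked hive; the profile has not applied yet.'
}
```

A row for the HKLM policy path showing Enabled = TLS 1.2 and Compliant = True confirms the device configuration profile has taken effect; any row still listing TLS 1.0 or TLS 1.1 means the policy has not been applied or has been overridden.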
How to Enable TLS 1.0 and TLS 1.1 using Intune admin center
If you are facing any issues after disabling TLS 1.0 and TLS 1.1, you can easily roll back the change by unassigning the Disable TLS 1.0 and TLS 1.1 device configuration profile from the device.
You can also modify the device configuration profile created earlier and change the setting Turn off encryption support > Secure Protocol combinations to Use TLS 1.0, TLS 1.1 and TLS 1.2.
Conclusion
In this blog post we have seen how to disable TLS 1.0 and TLS 1.1 for legacy web browsers like Internet Explorer and Microsoft Edge based on MSEdgeHTML. TLS 1.0 and TLS 1.1 are weak protocols that should be disabled not only at the browser level but at the operating system level as well.