Disable TLS 1.0 and TLS 1.1 for IE/EdgeHTML using Intune

The TLS protocol provides privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols, but because the SSL protocols do not provide a sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 in 2006, TLS 1.2 in 2008 and TLS 1.3 in 2018.

If you are interested in learning more about these protocols, the differences between them and their security improvements, you can check the protocol RFCs (Requests for Comments) at these links: TLS 1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC.

This blog post is for the legacy versions of Internet Explorer and Microsoft Edge that were based on EdgeHTML. It’s recommended to use the latest Microsoft Edge browser, which, like Google Chrome, is based on Chromium.

If you are using Microsoft Edge browser version 84 or later, TLS 1.0 and TLS 1.1 protocols are already disabled by default.

Turn Off TLS 1.0 and TLS1.1 for Microsoft Edge version 84 or later (Default setting)

Create a Device Configuration Profile

To disable TLS 1.0 and TLS 1.1 using the Intune admin center for legacy web browsers such as Internet Explorer and Microsoft Edge (EdgeHTML), please follow these steps:

  • Log in to the Microsoft Intune admin center
  • Go to Devices > Configuration profiles
  • Click on + Create profile
  • Select Platform: Windows 10 and later
  • Select Profile type: Settings catalog

Basics

Provide a name and description for the device configuration profile. For example:

  • Name: Disable TLS1.0 and TLS1.1 for IE/Microsoft Edge
  • Description: This policy is to disable TLS1.0 and TLS1.1 for Legacy Web browsers

Configuration Settings

Click on the + Add settings link and search for “turn off encryption support”.

  • You will find the Turn off encryption support setting under the category Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
  • Select Turn off encryption support.
Turn off encryption support
  • Toggle the switch to Enabled for Turn off encryption support and, from the Secure Protocol combinations drop-down, select Only use TLS 1.2. Click on Next to proceed.
Only use TLS 1.2

Assignments

Click on Add group to add an Azure AD group containing users or devices. You can also click on Add all users or Add all devices.

Disable TLS 1.0 and TLS 1.1 disable profile assignment

Review + Create

Review the deployment and click on Create to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

End-user Experience

To verify that the TLS 1.0 and TLS 1.1 protocols have been successfully disabled for legacy browsers on the end user’s machine, as defined in the device configuration profile, follow these steps:

  • Press Win + R to open the Run dialog box.
  • Type inetcpl.cpl and press Enter.
Internet Properties shortcut Inetcpl.cpl
  • Click on Internet Options and go to the Advanced tab.
  • Scroll down through the settings to locate the TLS options.
  • As shown in the screenshot below, the only enabled option is “Use TLS 1.2”.
Disable TLS 1.0 and TLS 1.1 verification legacy browser
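The GUI check above can also be done from an elevated PowerShell prompt. This is an added example, not code from the original post: it assumes that the Turn off encryption support policy writes a SecureProtocols DWORD under the HKLM Internet Settings policy key (per the inetres ADMX) and that the protocol bit values below are the WinINet SecureProtocols flags; both the key path and the bit values are assumptions, not taken from the post.

```powershell
# Added example (not from the original post): decode the SecureProtocols bitmask that the
# "Turn off encryption support" policy sets, and report whether only TLS 1.2 remains enabled.
# Assumed WinINet SecureProtocols flag values (one bit per protocol).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 8
    'SSL 3.0' = 32
    'TLS 1.0' = 128
    'TLS 1.1' = 512
    'TLS 1.2' = 2048
    'TLS 1.3' = 8192
}

function Get-SecureProtocolsValue {
    # The machine policy key (assumed to be what the Intune setting writes) takes precedence;
    # fall back to the per-user preference that the Internet Options dialog itself saves.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name SecureProtocols -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            return [pscustomobject]@{ Path = $p; Value = [int]$v.SecureProtocols }
        }
    }
    return $null
}

function ConvertFrom-SecureProtocols([int]$Value) {
    # Names of the protocols whose bit is set in the mask.
    $ProtocolBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-TlsPolicyReport {
    $r = Get-SecureProtocolsValue
    if ($null -eq $r) { return $null }
    [pscustomobject]@{
        Path      = $r.Path
        Value     = $r.Value
        Enabled   = @(ConvertFrom-SecureProtocols $r.Value)
        # 2048 is exactly "Only use TLS 1.2"; 2688 (128+512+2048) is the rollback value
        # "Use TLS 1.0, TLS 1.1, and TLS 1.2".
        OnlyTls12 = ($r.Value -eq $ProtocolBits['TLS 1.2'])
    }
}

$report = Get-TlsPolicyReport
if ($null -eq $report) { Write-Warning 'SecureProtocols is not set; browser defaults apply.' }
else { $report | Format-List }
```

If the report shows the HKCU path rather than the HKLM policy path, the Intune policy has not been applied yet and you are only seeing the user's own Internet Options selection.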

Re-enable TLS 1.0 and TLS 1.1

There are two options to roll back the device configuration profile that disables TLS 1.0 and TLS 1.1.

  1. If you face any problems after disabling TLS 1.0 and TLS 1.1, you can easily revert the change by unassigning the “Disable TLS 1.0 and TLS 1.1” device configuration profile from the device.
  2. Another option is to modify the device configuration profile created earlier and change the setting for “Turn off encryption support” > “Secure Protocol combinations” to “Use TLS 1.0, TLS 1.1, and TLS 1.2”.
Enable TLS 1.0 and TLS 1.1 back If there are any Issues

Conclusion

In this blog post, we’ve learned how to disable TLS 1.0 and TLS 1.1 for legacy web browsers such as Internet Explorer and Microsoft Edge based on EdgeHTML. It’s important to disable TLS 1.0 and TLS 1.1, as they are considered weak protocols that should be deactivated not only at the browser level but also at the operating system level.
