Disable TLS 1.0 and TLS 1.1 for IE/EdgeHTML using Intune

TLS is used to provide privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols, but because the SSL protocols do not provide a sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 in 2006, TLS 1.2 in 2008 and TLS 1.3 in 2018.

If you are interested in learning more about these protocols, the differences between them and their security improvements, you can check the protocol RFCs (Request for Comments) at these links: TLS 1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC.

This blog post is for the legacy versions of Internet Explorer and Microsoft Edge that were based on MSEdgeHTML. It is recommended to use the latest Microsoft Edge browser, which is based on Chromium like Google Chrome. The first Chromium-based Microsoft Edge browser was released on January 15, 2020.

If you are using Microsoft Edge browser version 84 or later, the TLS 1.0 and TLS 1.1 protocols are already disabled by default.

Turn Off TLS 1.0 and TLS1.1 for Microsoft Edge version 84 or later (Default setting)

Steps to disable TLS 1.0 and TLS 1.1 using Intune admin center

Follow the steps below to disable TLS 1.0 and TLS 1.1 using the Intune admin center for legacy web browsers like Internet Explorer and Microsoft Edge (EdgeHTML).

  • Log in to the Microsoft Intune Admin Center
  • Go to Devices > Configuration profiles
  • Click on + Create Profile
  • Select Platform as Windows 10 and later
  • Select Profile Type as Settings catalog

Basics

Provide a Name and Description for the Device configuration profile.

  • Name: Disable TLS1.0 and TLS1.1 for IE/Microsoft Edge
  • Description: This policy is to disable TLS1.0 and TLS1.1 for Legacy Web browsers

Configuration Settings

Click on the + Add settings link and search for "turn off encryption support".

  • You will find the Turn off encryption support setting under the category Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
  • Select Turn off encryption support
Turn off encryption support setting on Intune admin center
  • Toggle the switch to Enabled for Turn off encryption support and, from the Secure Protocol combinations drop-down, select Only use TLS 1.2. Click on Next to proceed.
Only use TLS 1.2 setting in Settings Catalog on Intune admin center

Assignments

Create an Azure AD security group which contains the users or devices where this device configuration profile needs to be deployed. If you prefer a more controlled deployment to specific devices only, make sure to target only devices via the Azure AD group. Once your testing is successful and you want to deploy this profile to all organization devices, you can click on + Add all devices.

Disable TLS 1.0 and TLS 1.1 disable profile assignment on Intune

Review + Create

Review the Device configuration profile and then click on the Create button to create this policy.

Intune Policy Refresh Cycle

The device will sync / check in to start the deployment process. It may take some time for the process to start. Therefore, if you are testing on a test device, you can force-initiate the Intune refresh cycle on the device, which will speed up the configuration process. You can also use PowerShell to force-initiate the Intune refresh cycle.

You can also restart the device first, which also starts the device check-in process. A manual sync is not mandatory on users' devices, as the device check-in process happens automatically. But if you are testing this setting on a test device, this can speed up your testing and save some time.

End User Experience

Let's check what happens on the end user machine after this policy is applied. We want to make sure TLS 1.0 and TLS 1.1 are disabled as per the device configuration profile. To check and confirm that the TLS 1.0 and TLS 1.1 protocols are disabled for legacy browsers, follow the steps below:

  • Press Windows + R to open Run dialog box
  • Type inetcpl.cpl and press Enter
Internet Properties shortcut Inetcpl.cpl
  • Click on Internet Options and go to the Advanced tab.
  • Scroll down in the Settings list to find the TLS options.
  • As you can see from the screenshot below, the only option enabled is "Use TLS 1.2".
Disable TLS 1.0 and TLS 1.1 verification legacy browser
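A scripted version of the same verification, as an added example that is not from the original post: it reads the SecureProtocols value that the Turn off encryption support policy writes and decodes the bitmask, so the check can run on many devices instead of opening inetcpl.cpl on each one. It assumes the Intune setting lands in the Internet Explorer policy key under HKLM (device scope) or HKCU (user scope) and uses the WinINet SecureProtocols bit values.

```powershell
# Added example (not the original post's code). Assumption: the Intune
# "Turn off encryption support" setting writes the SecureProtocols DWORD to
# the IE policy key below (HKLM for device scope, HKCU for user scope).
# Bit values are the WinINet SecureProtocols flags:
#   "Only use TLS 1.2"                 = 0x800  (2048)
#   "Use TLS 1.0, TLS 1.1 and TLS 1.2" = 0xA80  (2688)
$flags = [ordered]@{
    'SSL 2.0' = 0x08
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}
$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-SecureProtocols {
    # Return the first policy value found, with the key it came from.
    foreach ($path in $policyPaths) {
        $item = Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Path = $path; Value = [int]$item.SecureProtocols }
        }
    }
    return $null
}

$result = Get-SecureProtocols
if ($null -eq $result) {
    Write-Warning 'No SecureProtocols policy value found: the profile has not applied yet, or this device is not targeted.'
    exit 1
}

Write-Host ("SecureProtocols = 0x{0:X} at {1}" -f $result.Value, $result.Path)
$enabled = $flags.GetEnumerator() |
    Where-Object { ($result.Value -band $_.Value) -ne 0 } |
    ForEach-Object { $_.Key }
Write-Host ('Enabled protocols: ' + ($enabled -join ', '))

# Compliant only when every legacy bit is clear and the TLS 1.2 bit is set.
$legacyMask = $flags['SSL 2.0'] -bor $flags['SSL 3.0'] -bor $flags['TLS 1.0'] -bor $flags['TLS 1.1']
if (($result.Value -band $legacyMask) -eq 0 -and ($result.Value -band $flags['TLS 1.2']) -ne 0) {
    Write-Host 'Compliant: only TLS 1.2 is enabled for IE/EdgeHTML.'
    exit 0
}
Write-Warning 'Not compliant: a legacy protocol is still enabled.'
exit 1
```

The exit code makes the script usable as the detection half of an Intune remediation or as a quick check over a fleet with your management tooling.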

How to Enable TLS 1.0 and TLS 1.1 using Intune admin center

If you are facing any issues after disabling TLS 1.0 and TLS 1.1, you can easily roll back the change by unassigning the Disable TLS 1.0 and TLS 1.1 device configuration profile from the device.

You can also modify the Device configuration profile created earlier and change the setting Turn off encryption support > Secure Protocol combinations to Use TLS 1.0, TLS 1.1 and TLS 1.2.

Enable TLS 1.0 and TLS 1.1 using Intune admin center

Conclusion

In this blog post we have seen how to disable TLS 1.0 and TLS 1.1 for legacy web browsers like Internet Explorer and Microsoft Edge based on MSEdgeHTML. TLS 1.0 and TLS 1.1 are weak protocols which should be disabled not only at the browser level but at the operating system level as well.
