TLS protocol is used to provide privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols but because SSL protocols does not provide sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 was released in 2008 and TLS 1.3 was released in 2018.
If you are interested in learning more about these protocols, differences between these protocols and security improvements – you can check Protocols RFC’s (Request for Comments) at these links TLS1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC.
This blog post is for legacy version of Internet Explorer and Microsoft Edge which was based on MSEdgeHTML. It’s recommended to use the latest Microsoft Edge browser which is based on Chromium like Google Chrome.
If you are using Microsoft Edge browser version 84 or later, TLS 1.0 and TLS 1.1 protocols are already disabled by default.
Table of Contents
Create a Device Configuration Profile
To disable TLS 1.0 and TLS 1.1 using the Intune admin center for legacy web browsers such as Internet Explorer and Microsoft Edge (EdgeHTML), please follow these steps:
- Login on Microsoft Intune Admin Center
- Go to Devices > Configuration profiles
- Click on + Create Profile
- Select Platform as Windows 10 and later
- Select Profile Type as Settings catalog
Provide a Name and description of the Device configuration profile. For Example:
- Name: Disable TLS1.0 and TLS1.1 for IE/Microsoft Edge
- Description: This policy is to disable TLS1.0 and TLS1.1 for Legacy Web browsers
Click on the + Add settings link and search for turn off encryption support.
- You will find the Turn off encryption support setting under the Category: Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
- Select Turn off encryption support
- Toggle the switch to Enabled to Turn off encryption support and from the drop down of Secure Protocol combinations, Select Only use TLS 1.2. Click on Next to proceed.
Click on Add group to add an Azure AD group containing users or devices. You can also click on Add all users or Add all devices.
Review + Create
Review the deployment and click on Create to start the deployment process.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync either from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
To verify that TLS 1.0 and TLS 1.1 protocols have been successfully disabled for legacy browsers on the end user’s machine as per the device configuration profile, please follow these steps:
- Press Win + R keys to open the Run dialog box
- Type inetcpl.cpl and press Enter.
- Click on Internet Options and go to the Advanced tab.
- Scroll down in the settings to locate the TLS options.
- As shown in the screenshot below, the only enabled option is “Use TLS 1.2“.
Re-enable TLS 1.0 and TLS 1.1
There are two options to rollback the Device Configuration profile for disabling TLS 1.0 and TLS 1.1.
- If you face any problems after disabling TLS 1.0 and TLS 1.1, you can easily revert the change by unassigning the “Disable TLS 1.0 and TLS 1.1” Device Configuration profile from the device.
- Another option is to modify the Device Configuration profile created earlier and change the setting for “Turn off encryption support” > “Secure Protocol combinations” to “Use TLS 1.0, TLS 1.1, and TLS 1.2“.
In this blog post, we’ve learned how to disable TLS 1.0 and TLS 1.1 for legacy web browsers such as Internet Explorer and Microsoft Edge based on MSEdgeHTML. It’s important to disable TLS 1.0 and TLS 1.1, as these are considered weak protocols that should be deactivated not only at the browser level but also at the operating system level.