Disable TLS 1.0 and TLS 1.1 for IE/EdgeHTML using Intune

The TLS protocol provides privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols, but because SSL protocols do not provide a sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 was released in 2008, and TLS 1.3 was released in 2018.

If you are interested in learning more about these protocols, their differences, and security improvements, you can check Protocols RFCs (Request for Comments) at these links: TLS1.0 RFCTLS 1.1 RFCTLS 1.2 RFC, and TLS 1.3 RFC. 

This blog post is for legacy version of Internet Explorer and Microsoft Edge which was based on MSEdgeHTML. It’s recommended to use the latest Microsoft Edge browser which is based on Chromium like Google Chrome.

If you are using Microsoft Edge browser version 84 or later, TLS 1.0 and TLS 1.1 protocols are already disabled by default.

Turn Off TLS 1.0 and TLS1.1 for Microsoft Edge version 84 or later (Default setting)
Turn Off TLS 1.0 and TLS1.1 for Microsoft Edge version 84 or later (Default setting)

Create a Device Configuration Profile

To disable TLS 1.0 and TLS 1.1 using the Intune admin center for legacy web browsers such as Internet Explorer and Microsoft Edge (EdgeHTML), please follow these steps:

  • Sign in to the Intune Admin Center.
  • Go to Devices Configuration > Create > New Policy.
  • Select Platform as Windows 10 and later.
  • Select Profile Type as Settings catalog.

Basics

Provide a Name and description of the Device configuration profile. For Example:

  • Name: Disable TLS1.0 and TLS1.1 for IE/Microsoft Edge.
  • Description: This policy disables TLS1.0 and TLS1.1 for Legacy Web browsers.

Configuration Settings

Click on the + Add settings link and search for turn off encryption support.

  • You can find the Turn off encryption support setting under the Category: Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
  • Select Turn off encryption support.
Turn off encryption support
Turn off encryption support
  • Toggle the switch to Enabled to Turn off encryption support. From the drop-down menu of Secure Protocol combinations, Select Only use TLS 1.2. Click on Next to proceed.
Only use TLS 1.2
Only use TLS 1.2

Assignments

Click on Add group to add an Entra security group containing users or devices. You can also click on Add all users or Add all devices.

Disable TLS 1.0 and TLS 1.1 disable profile assignment
Disable TLS 1.0 and TLS 1.1 disable profile assignment

Review + Create

Review the deployment and click on Create to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

End-user Experience

To verify that TLS 1.0 and TLS 1.1 protocols have been successfully disabled for legacy browsers on the end user’s machine as per the device configuration profile, please follow these steps:

  • Press the Win + R keys to open the Run dialog box
  • Type inetcpl.cpl and press Enter.
Internet Properties shortcut Inetcpl.cpl
Verify that TLS 1.0 and TLS 1.1 protocols
  • Click on Internet Options and go to the Advanced tab.
  • Scroll down in the settings to locate the TLS options.
  • The screenshot below shows that Use TLS 1.2 is the only enabled option.
Disable TLS 1.0 and TLS 1.1 verification legacy browser
Verify that TLS 1.0 and TLS 1.1 protocols

Re-enable TLS 1.0 and TLS 1.1

There are two options to rollback the Device Configuration profile for disabling TLS 1.0 and TLS 1.1.

  1. If you encounter problems after disabling TLS 1.0 and TLS 1.1, you can quickly reverse the change by unassigning the Disable TLS 1.0 and TLS 1.1 Device Configuration profile from the device.
  1. Another option is to modify the Device Configuration profile created earlier and change the setting for Turn off encryption support > Secure Protocol combinations to Use TLS 1.0, TLS 1.1, and TLS 1.2.
Enable TLS 1.0 and TLS 1.1 back If there are any Issues
Enable TLS 1.0 and TLS 1.1 back If there are any Issues

Conclusion

In this blog post, we’ve learned how to disable TLS 1.0 and TLS 1.1 for legacy web browsers such as Internet Explorer and Microsoft Edge based on MSEdgeHTML. It’s essential to disable TLS 1.0 and TLS 1.1, as these are considered weak protocols that should be deactivated at the browser and operating systems levels.

Leave a Comment