Windows - Security - Disable TLS 1.1

What the TLS 1.1 Disabler does

This Automox Worklet™ disables TLS 1.1 on Windows endpoints by configuring the SCHANNEL registry settings that control cryptographic protocol behavior. The Worklet targets both Client and Server components within the Windows Secure Channel subsystem, verifying that TLS 1.1 cannot be negotiated for any network communication.

The Worklet sets four registry DWORD values under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1: the Enabled value to 0 for both Server and Client, and DisabledByDefault to 1 for both components. This dual approach verifies that TLS 1.1 is both explicitly disabled and marked as non-default.

The Worklet handles registry key creation automatically if the paths do not exist, making it suitable for endpoints with non-standard initial configurations.

Why disable TLS 1.1 on your network

TLS 1.1 has known vulnerabilities and is considered deprecated by security organizations including NIST, PCI Council, and DISA. Most modern systems and services no longer support TLS 1.1, making its continued availability an unnecessary security risk. Endpoints that retain TLS 1.1 capability may be compromised if attackers downgrade the protocol negotiation or exploit protocol-specific weaknesses.

Disabling TLS 1.1 aligns with compliance frameworks including CIS Benchmarks, NIST SP 800-53 Section SC-7(8), PCI-DSS requirements, and DISA STIG guidelines. IT operations teams benefit from reduced vulnerability surface, simplified protocol management, and improved compatibility with modern security appliances and cloud services.

Automating this configuration through Worklets maintains consistent enforcement across your endpoint fleet without manual registry editing or administrative overhead.

How TLS 1.1 disablement works

1. Evaluation phase: The Worklet queries the SCHANNEL registry paths to verify that both Server and Client TLS 1.1 entries have Enabled set to 0 and DisabledByDefault set to 1. If any registry value is missing or does not match the desired state, the endpoint is flagged for remediation.

2. Remediation phase: The Worklet creates the necessary registry key paths if they do not exist, then sets the four DWORD values to enforce TLS 1.1 disabled state. After remediation, a system reboot or service restart may be required for all applications and services to fully honor the new SCHANNEL configuration.

TLS 1.1 disablement requirements

• Windows 10, Windows 11, Windows Server 2016, or later versions

• Local Administrator privileges on the target endpoint

• Both Server and Client workstation types supported

• FixNow compatible for immediate deployment without scheduling

Expected TLS 1.1 disabled state

After the Worklet completes remediation, TLS 1.1 is fully disabled on the endpoint. Web browsers, mail clients, VPN applications, and other network services will no longer negotiate TLS 1.1 connections. Verify the configuration by checking the SCHANNEL registry keys using PowerShell or the Registry Editor, confirming that Enabled equals 0 and DisabledByDefault equals 1 for both Server and Client TLS 1.1 entries.

If your environment uses legacy applications that require TLS 1.1, coordinate with application owners before deploying this Worklet. Most modern applications use TLS 1.2 or TLS 1.3 exclusively and will not be affected by this change.

How to validate disable tls 1.1 changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for disable tls 1.1.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Test-Registry, Write-Verbose, Write-Output.

4. Validate remediation effects from script operations such as Test-Registry, Write-Verbose, Write-Error, then rerun evaluation for compliance.