Microsoft Takes a Bold Step Towards Enhanced Security: TLS 1.0 and 1.1 Retirement in Windows



In a groundbreaking move, Microsoft is set to bid farewell to outdated TLS versions, 1.0 and 1.1, in its Windows operating system. This significant transition, aimed at bolstering security, comes with a caveat for enterprise administrators who may encounter challenges as these protocols are phased out.


Transport Layer Security (TLS) is a critical protocol that encrypts communications between clients and servers, ensuring data privacy and security. However, TLS 1.0 and 1.1, which have been in use for decades, are now considered antiquated. Their replacements, TLS 1.2 and the more recent TLS 1.3, offer substantial improvements in security and performance.


For home users of Windows, this change is unlikely to cause noticeable disruptions. However, enterprise administrators should prepare for potential hiccups. Microsoft has compiled a list of applications that are "expected to be broken" by this transition. Notably, SQL Server 2014 and 2016 editions, both still under support, might require updates. SQL Server 2012, currently receiving Extended Security Updates, is also on the list.


It's worth noting that SQL Server 2008 R2 recently exited Extended Security Updates, but Microsoft has provided guidance on adding TLS 1.2 support for it.


Surprisingly, Microsoft's list of potentially affected applications includes version 5.1.7 of Apple's Safari browser for Windows, along with some security applications, adding a touch of irony to the situation.


Microsoft's desire to retire outdated TLS versions has been well-documented. However, the need to maintain backward compatibility has delayed this move until now. Microsoft has been monitoring TLS protocol usage for years and has determined that the adoption of TLS 1.0 and 1.1 has dwindled to a point where action is warranted.


In the coming weeks and months, Windows Insiders will be the first to see TLS 1.0 and 1.1 disabled by default, starting in September, with subsequent Windows releases to follow. Importantly, Microsoft is keeping the option to re-enable these protocols, albeit with a caveat – administrators may need to configure a registry setting to override the system default.


Microsoft emphasizes that re-enabling TLS 1.0 or 1.1 should be a last resort and a temporary solution. The company advises doing so only until incompatible applications can be updated or replaced. In the future, Microsoft may entirely remove support for these legacy TLS versions.
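Because any re-enablement is meant to be temporary, administrators will want a way to find machines where the legacy protocols have been switched back on. The script below is an added example, not code from the article or from Microsoft; it assumes Microsoft's documented Schannel registry layout (a key per protocol and role holding `Enabled` and `DisabledByDefault` DWORD values) and reports how each TLS 1.0/1.1 key deviates from the OS default.

```powershell
# Added audit example (not from the article). Reports whether TLS 1.0 / TLS 1.1 have been
# explicitly re-enabled through Schannel registry overrides on this Windows host.
# Assumption: the documented Schannel layout ...\Protocols\<protocol>\<role> with
# DWORD values "Enabled" and "DisabledByDefault".
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-LegacyTlsOverride {
    param(
        [string[]]$Protocols = @('TLS 1.0', 'TLS 1.1'),
        [string[]]$Roles     = @('Client', 'Server')
    )
    foreach ($proto in $Protocols) {
        foreach ($role in $Roles) {
            $key = Join-Path $SchannelBase "$proto\$role"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled                     # $null when the value is absent
                $disabledByDefault = $props.DisabledByDefault # $null when the value is absent
            }
            # Classify: no values at all means the operating system default applies.
            $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) {
                'OS default'
            } elseif ($enabled -eq 0) {
                'Explicitly disabled'
            } elseif ($disabledByDefault -eq 0) {
                'Explicitly re-enabled (should be temporary; track for removal)'
            } else {
                'Enabled but not offered by default'
            }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Print a per-host summary; pipe to Export-Csv when collecting across a fleet.
Get-LegacyTlsOverride | Format-Table -AutoSize
```

Run it as an administrator on each host (or through your management tooling) and treat any "Explicitly re-enabled" row as an open item to close once the dependent application has been updated or replaced.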


The move to retire outdated TLS versions aligns with industry-wide goals. In 2021, the US National Security Agency (NSA) published guidance on phasing out these protocols. As far back as 2018, tech giants like Apple, Microsoft, Google, and Mozilla announced their intentions to move beyond these outdated security standards.


Microsoft's journey to eliminate TLS 1.0 and 1.1 has seen delays, with initial plans to disable them in Edge and Internet Explorer 11 pushed back from 2020 to 2021. Subsequently, Microsoft set September 20, 2022, as the date for Internet Explorer and EdgeHTML. These protocols were finally disabled by default in Chromium Edge from version 84.


Now, a year later, Microsoft is gearing up to disable these protocols by default in its flagship operating system, a significant stride towards a more secure digital landscape.
