Update to enable TLS 1.1 and TLS 1.2 as secure protocols in WinHTTP on Windows Embedded POSReady 2009 and Windows Embedded Standard 2009

Applies to: Windows Embedded POSReady 2009Windows Embedded Standard 2009


Applications and services that are written by using WinHTTP for Secure Sockets Layer (SSL) connections that use the WINHTTP_OPTION_SECURE_PROTOCOLS flag can't use TLS 1.1 or TLS 1.2 protocols.

This update enables the system administrator to specify TLS 1.1 or TLS 1.2 when the WINHTTP_OPTION_SECURE_PROTOCOLS flag is used on Windows Embedded POSReady 2009 and Windows Embedded Standard 2009.

How to obtain the update

Method 1: Windows Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.


There are no prerequisites to install this update on Windows Embedded POSReady 2009 or Windows Embedded Standard 2009.

Registry information

After you apply this update, see the "More information" section about the changes you have to make to the registry.

Restart requirement

You may have to restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.

File Information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Windows XP

More information

When an application specifies WINHTTP_OPTION_SECURE_PROTOCOLS, the system checks for the DefaultSecureProtocols registry entry. If the entry exists, the system overrides the default protocols that are specified by WINHTTP_OPTION_SECURE_PROTOCOLS by using the protocols that are specified in the registry entry. If the registry entry doesn't exist, WinHTTP uses the existing operating system defaults for WINHTTP_OPTION_SECURE_PROTOCOLS HTTP.

The DefaultSecureProtocols registry entry can be added in the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

The registry value is a DWORD bitmap. To determine the value to use, add the values that corresponds to the desired protocols. The following values are currently supported in this update.

DefaultSecureProtocols Value Protocol enabled
0x00000200 Enable TLS 1.1 by default
0x00000800 Enable TLS 1.2 by default

For example, to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS to specify TLS 1.1 and TLS 1.2, add the value for TLS 1.1 (0x00000200) and the value for TLS 1.2 (0x00000800). The resulting registry value would be 0x00000A00.