Update to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2, Windows Embedded POSReady 2009, and Windows Embedded Standard 2009

Applies to: Windows Server 2008 Service Pack 2, Windows Embedded POSReady 2009, Windows Embedded Standard 2009

Summary


An update is available to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 Service Pack 2 (SP2), Windows Embedded POSReady 2009, and Windows Embedded Standard 2009.

How to get this update


Method 1: Windows Update

This update for Windows Server 2008 SP2, Windows Embedded POSReady 2009, and Windows Embedded Standard 2009 is available through Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.

Method 2: Microsoft Update Catalog

To get the stand-alone package for Windows Server 2008 SP2, Windows Embedded POSReady 2009, and Windows Embedded Standard 2009, go to the Microsoft Update Catalog website.

Prerequisites

To install this update on Windows Server 2008, you must have Windows Server 2008 SP2 installed.
 
There are no prerequisites to install this update on Windows Embedded POSReady 2009 or Windows Embedded Standard 2009.
 

Registry information

To apply this update, you don’t have to make any changes to the registry. To benefit from the TLS 1.1 and TLS 1.2 support, you must set one or more of the registry subkeys as described in the "More Information" section.
 
 

Restart requirement

You must restart the computer after you apply this update.
 
 

Update replacement information

This update does not replace a previously released update.
 

More Information


How to enable TLS 1.1 and TLS 1.2

You can use the TLS 1.1 and TLS 1.2 subkeys to administer and troubleshoot the TLS protocol.

TLS 1.1

This subkey controls the use of TLS 1.1.

Note: For TLS 1.1 to be enabled and negotiated, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0.

By default, this entry does not exist in the registry.

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1

To disable the TLS 1.1 protocol, you must create the Enabled DWORD entry in the appropriate subkey, and then change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 1.

By default, this entry does not exist in the registry.


TLS 1.1 subkey table

| Subkey | Description | Default |
|---|---|---|
| Client | Controls the use of TLS 1.1 on the client | Enabled |
| Server | Controls the use of TLS 1.1 on the server | Enabled |
| DisabledByDefault | Flag to disable TLS 1.1 by default | Enabled |


 

TLS 1.2

This subkey controls the use of TLS 1.2.

Note: For TLS 1.2 to be enabled and negotiated, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0.

By default, this entry does not exist in the registry.

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2

To disable the TLS 1.2 protocol, you must create the Enabled DWORD entry in the appropriate subkey, and then change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 1.

By default, this entry does not exist in the registry.


TLS 1.2 subkey table

| Subkey | Description | Default |
|---|---|---|
| Client | Controls the use of TLS 1.2 on the client | Enabled |
| Server | Controls the use of TLS 1.2 on the server | Enabled |
| DisabledByDefault | Flag to disable TLS 1.2 by default | Enabled |
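The following PowerShell script is an added example, not part of the original article or Microsoft's code. It audits the DisabledByDefault and Enabled entries under the Client and Server subkeys for TLS 1.1 and TLS 1.2, and can create the DisabledByDefault entry described above. The function names Get-TlsProtocolState and Enable-TlsProtocol are hypothetical, and the script assumes PowerShell 2.0 or later in an elevated session.

```powershell
# Added example (not Microsoft's code). Function names are hypothetical.
# Assumes PowerShell 2.0 or later; writing under HKLM needs an elevated session.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Read-only audit: report both DWORD entries for each protocol and role.
function Get-TlsProtocolState {
    foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key = "$Base\$proto\$role"
            $dbd = $null
            $en  = $null
            if (Test-Path $key) {
                $values = Get-ItemProperty -Path $key
                if ($values) {
                    $dbd = $values.DisabledByDefault   # $null when the entry is absent
                    $en  = $values.Enabled
                }
            }
            # Rule taken from the article: the protocol is negotiated only when
            # DisabledByDefault is 0, and it is switched off when Enabled is 0.
            $ok = ($dbd -eq 0) -and ($en -ne 0)
            New-Object PSObject -Property @{
                Protocol = $proto; Role = $role
                DisabledByDefault = $dbd; Enabled = $en; Negotiable = $ok
            } | Select-Object Protocol, Role, DisabledByDefault, Enabled, Negotiable
        }
    }
}

# Create DisabledByDefault = 0 for one protocol; leaves an existing Enabled entry alone.
function Enable-TlsProtocol {
    param(
        [string]$Protocol,                        # 'TLS 1.1' or 'TLS 1.2'
        [string[]]$Role = @('Client', 'Server')
    )
    foreach ($r in $Role) {
        $key = "$Base\$Protocol\$r"
        # Create the subkey (and missing parents) only when it does not exist yet.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Enable-TlsProtocol -Protocol 'TLS 1.2'        # uncomment to apply the change
Get-TlsProtocolState | Format-Table -AutoSize
```

A row with Enabled set to 0 stays non-negotiable even after DisabledByDefault is created, so review that entry separately before changing it to 1.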


For more information, go to the following article in the Microsoft Knowledge Base:

245030 How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll

File Information


The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.


Windows Embedded POSReady 2009 and Windows Embedded Standard 2009


Windows Server 2008

References


Learn about the terminology that Microsoft uses to describe software updates.