How to fix Azure recomendation "Windows servers should be configured to use secure communication protocols"

Question

How to fix Azure recomendation "Windows servers should be configured to use secure communication protocols"

Mohammadmahdi Golmohammadi 25

Hi

I want to fix recomendation "Windows servers should be configured to use secure communication protocols" on Azure but the provided link in Defender for Cloud could not help me.

This the link -> https://free.blessedness.top/en-us/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry

Could you please help me to undersatnd the solution? what exactly should be changed and how it can be done? Where do I need to do this?

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Susmitha T (INFOSYS LIMITED) 910 Microsoft External Staff

Hope you are doing good! Thank you for reaching out. Please find the answer below.

1.Manual Registry Method update: You’ll need to modify the Windows Registry to:

Disable insecure protocols: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
Enable secure protocols: TLS 1.2 (and optionally TLS 1.3 if supported)

These changes are made under the Schannel settings in the Windows Registry. You can do this by following these steps:

Open the Registry Editor (regedit).
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\.
Check for keys related to your current protocols. You may need to create keys for TLS 1.2 if they don’t exist.
Here’s a reference for the necessary changes you would typically make:
- In the Protocols branch, create keys for TLS 1.2, and within that, create keys named Client and Server. Set the DWORD values for Enabled to 1 and DisabledByDefault to 0.

2. Reboot the server: After making these changes, restart your Windows server to apply the new settings.

3. Verify Settings: You can verify that the changes took effect by using tools like SSL Labs or performing a manual check with PowerShell commands to see which protocols are currently active.

SSL Labs: To check which protocols are supported.

PowerShell commands: To see currently active protocols.

4.Policy Compliance: After implementing these changes, re-evaluate your Azure policy compliance to see if it reflects positively on your security posture.

If issue still persist after following all the steps, we’ll be happy to assist further if needed." Kindly mark the answer as accepted if the issue resolved".

Mohammadmahdi Golmohammadi 25 Reputation points

2025-08-20T10:37:58.55+00:00

hi
thanks for your comment, it is really helpful.

Should I also do the same for .Net or it is not needed?
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

"SystemDefaultTlsVersions"=dword:00000001

"SchUseStrongCrypto"=dword:00000001
Susmitha T (INFOSYS LIMITED) 910 Reputation points Microsoft External Staff

2025-08-20T12:20:02.8066667+00:00

If your Windows Server is running applications built on the .NET Framework (especially versions prior to .NET 4.7), then you should configure those registry keys to ensure they use secure TLS protocols like TLS 1.2 by default.
Susmitha T (INFOSYS LIMITED) 910 Reputation points Microsoft External Staff

2025-08-25T05:42:21.7633333+00:00

Hope you're doing well; Please let us know if the issue persist or resolved, " Kindly mark the answer as accepted if the issue resolved".
Mohammadmahdi Golmohammadi 25 Reputation points

2025-08-25T10:28:51.9033333+00:00

Hi we are workink on that, I will update you here.
Susmitha T (INFOSYS LIMITED) 910 Reputation points Microsoft External Staff

2025-08-25T12:04:19.4466667+00:00

Ok noted with thanks!
Gade Harika (INFOSYS LIMITED) 1,260 Reputation points Microsoft External Staff

2025-08-29T10:12:18.9266667+00:00

Hope you're doing well; Please let us know if the issue persist or resolved, " Kindly mark the answer as accepted if the issue resolved".
Mohammadmahdi Golmohammadi 25 Reputation points

2025-08-29T11:08:12.0833333+00:00

Hi
my team is working on that, I will reply here.
Gade Harika (INFOSYS LIMITED) 1,260 Reputation points Microsoft External Staff

2025-08-29T12:06:14.13+00:00

Please update here when the issue got resolved. Thanks for your update.
Susmitha T (INFOSYS LIMITED) 910 Reputation points Microsoft External Staff

2025-09-05T09:45:02.4433333+00:00

Hope you're doing well; Please let us know if the issue persist or resolved, " Kindly mark the answer as accepted if the issue resolved".
Mohammadmahdi Golmohammadi 25 Reputation points

2025-09-05T12:28:17.1966667+00:00

Hi
once I have info, I will.
Susmitha T (INFOSYS LIMITED) 910 Reputation points Microsoft External Staff

2025-09-08T04:08:56.4933333+00:00

Please update here when the issue got resolved. Thanks for your update.
Susmitha T (INFOSYS LIMITED) 910 Reputation points Microsoft External Staff

2025-09-10T05:23:38.3166667+00:00

Since the thread has been open for a considerable time, we will proceed to close it for now. If the issue persists or reoccurs, please feel free to raise a new thread. We’ll be happy to assist you further.
Mohammadmahdi Golmohammadi 25 Reputation points

2025-09-10T07:36:36.9833333+00:00

Hi thanks a lot.
we have not implemented it yet, so I am not sure if it works or not, if the question will be open, I will update here.
Mohammadmahdi Golmohammadi 25 Reputation points

2025-10-24T12:22:10.64+00:00

hi MS team, wanted to confirm that I did these steps and solution worked. thanks
Susmitha T (INFOSYS LIMITED) 910 Reputation points Microsoft External Staff

2025-10-24T19:41:05.7466667+00:00

Good to hear!
Thank you for your valuable contribution!

Kindly mark the provided solution as "Accept Answer", so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
Susmitha T (INFOSYS LIMITED) 910 Reputation points Microsoft External Staff

2025-10-28T04:37:16.4666667+00:00

Kindly mark the provided solution as "Accept Answer", so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
Mohammadmahdi Golmohammadi 25 Reputation points

2025-10-28T08:26:48.81+00:00

in addition to the answer, I did the following as well:

Disable TLS 1.0, TLS 1.1 and Enable TLS1.2 only:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f

UseStrongCrypto for .NET applications:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v2.0.50727" /v SystemDefaultTlsVersions /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v4.0.30319" /v SystemDefaultTlsVersions /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v2.0.50727" /v SystemDefaultTlsVersions /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319" /v SystemDefaultTlsVersions /t REG_DWORD /d 1 /f

Use TLS 1.2 for WinHTTP:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000800 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000800 /f
Susmitha T (INFOSYS LIMITED) 910 Reputation points Microsoft External Staff

2025-10-28T08:59:16.87+00:00

Thanks for the update!

Share via

How to fix Azure recomendation "Windows servers should be configured to use secure communication protocols"

0 additional answers

Your answer