Microsoft calls time on ancient TLS in Windows, breaking own stuff in the process

Microsoft has reminded users that TLS 1.0 and 1.1 will soon be disabled by default in Windows.

While home users of Windows are unlikely to notice many issues, Microsoft warned that choppy waters could lie ahead for enterprise administrators. It published a non-exhaustive list of applications that it said were "expected to be broken."

Top of the list is SQL Server. The 2014 and 2016 editions, both of which remain in support, could require updates. SQL Server 2012, which is currently in Extended Security Updates, is also on the list.

SQL Server 2008 R2 finally dropped out of Extended Security Updates in July, although Microsoft has published instructions for adding TLS 1.2 support.

The list of applications Microsoft expects to be broken also includes version 5.1.7 of Apple's Safari browser for Windows and, without a hint of irony, several security applications.

As Reg readers know, Transport Layer Security (TLS) is a protocol for encrypting communications between a client and server and dates back to the last century. The current standard, which has been used since 2018, is TLS 1.3. TLS 1.2 was published in 2008, and both represent significant improvements over their predecessors.

Microsoft's desire to dispense with deprecated versions of TLS has been well documented. However, the requirement to maintain backwards compatibility has prevented the company from pulling the plug on the technology until now.

The Redmond software giant said: "We have been tracking TLS protocol usage for several years and believe TLS 1.0 and TLS 1.1 usage data are low enough to act."

Although the company may be acting in the coming weeks and months – Windows Insiders will be the first to have TLS 1.0 and 1.1 disabled by default from September, followed by future Windows releases – the option to re-enable the protocols will remain.

However, it won't be a straightforward job for administrators using that one old app that simply must use the deprecated standards. Microsoft warned that a registry setting would be needed to override the system default.

The company thundered: "Re-enabling TLS 1.0 or TLS 1.1 on machines should only be done as a last resort and as a temporary solution until incompatible applications can be updated or replaced. Support for these legacy TLS versions may be removed completely in the future."

• Microsoft admits slim staff and broken automation contributed to Azure outage
• Farewell WordPad, we hardly knew ye
• Official: Microsoft unbundles Teams in Europe
• After injecting pop-up ads for Bing into Windows, Microsoft now bends to Europe on links

Stamping out deprecated versions of TLS has been a goal of the industry for several years; the US National Security Agency (NSA) published guidance on eliminating the tech in 2021 and three years earlier, Apple, Microsoft, Google, and Mozilla announced plans to move on from the outdated protocols.

Microsoft's progress has moved in fits and starts since then. It had initially planned to disable TLS 1.0 and 1.1 by default in Edge and Internet Explorer 11 in the first half of 2020 but moved this back to 2021. It then set September 20, 2022 as the date for Internet Explorer and EdgeHTML. The protocols were disabled by default in Chromium Edge from version 84.

A year on, and the company is gearing up to disable by default the protocols in its flagship operating system. ®