Enable SCHANNEL Protocols in Windows Registry (Win7 & 2012R2) DisabledByDefault or Enabled?


I have enabled TLS 1.0/1.1/1.2 protocols on my local Win7 machine and 2012R2 server as well as disabled SSL 2.0/3.0 using the registry DWord value DisabledByDefault = 0 based on the following Microsoft support article: https://support.microsoft.com/en-us/kb/245030 (see SCHANNEL\Protocols subkey...)

But I noticed another TechNet article which seems to contradict this KB article by saying you should set the Enabled DWORD value = 0xffffffff for each Protocols subkey (Client or Server). https://technet.microsoft.com/en-us/library/dn786418.aspx

Which value should be used to properly enable the protocols and/or any of the other SCHANNEL settings like CipherSuites and Key Exchanges? Does one have more precedence over the other?

asked on Super User Oct 16, 2015 by xfitr2

1 Answer


To disable, use a value of 0.

To enable, use a value of 0xffffffff.

You can confirm which ciphers/protocols are enabled by using SSL Scan.

answered on Super User Oct 16, 2015 by k1DBLITZ • edited Oct 16, 2015 by k1DBLITZ
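
To see what is actually set on a machine, the following read-only audit lists both the Enabled and DisabledByDefault values under each Protocols subkey. It is an added example, not part of the question or the answer; the function name and output columns are made up for the illustration, and the default path is the standard SCHANNEL\Protocols location under HKLM.

```powershell
# Added example: read-only audit of the SCHANNEL\Protocols subkeys.
# Function name and output columns are assumptions made for this example.
function Get-SchannelProtocolSetting {
    param(
        # Standard location of the SCHANNEL\Protocols key discussed in the question.
        [string]$BasePath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    )

    # Render a DWORD as hex whether the provider returns it signed or unsigned,
    # so 0xffffffff is shown as written in the registry rather than as -1.
    function Format-Dword($Value) {
        if ($null -eq $Value) { return '(not set)' }
        return '0x{0:x8}' -f $Value
    }

    if (-not (Test-Path -LiteralPath $BasePath)) {
        Write-Warning "No Protocols key at $BasePath"
        return
    }

    foreach ($protocol in Get-ChildItem -LiteralPath $BasePath) {
        foreach ($role in 'Client', 'Server') {
            $rolePath = Join-Path $BasePath (Join-Path $protocol.PSChildName $role)
            $props = $null
            if (Test-Path -LiteralPath $rolePath) {
                $props = Get-ItemProperty -LiteralPath $rolePath -ErrorAction SilentlyContinue
            }
            # A missing subkey or value is reported as "(not set)", not as 0.
            [pscustomobject]@{
                Protocol          = $protocol.PSChildName
                Role              = $role
                Enabled           = Format-Dword $props.Enabled
                DisabledByDefault = Format-Dword $props.DisabledByDefault
            }
        }
    }
}

# One row per protocol and role, e.g. "TLS 1.2 / Server".
Get-SchannelProtocolSetting | Format-Table -AutoSize
```

The script changes nothing; run it before and after editing the registry to confirm which of the two values each subkey actually carries.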

User contributions licensed under CC BY-SA 3.0