This update provides support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1.
About this update
Applications and services that are written by using WinHTTP for Secure Sockets Layer (SSL) connections that use the WINHTTP_OPTION_SECURE_PROTOCOLS flag can't use TLS 1.1 or TLS 1.2 protocols. This is because the definition of this flag doesn't include these applications and services.
This update adds support for DefaultSecureProtocols registry entry that allows the system administrator to specify which SSL protocols should be used when the WINHTTP_OPTION_SECURE_PROTOCOLS flag is used.
This can allow certain applications that were built to use the WinHTTP default flag to be able to leverage the newer TLS 1.2 or TLS 1.1 protocols natively without any need for updates to the application.
This is the case for some Microsoft Office applications when they open documents from a SharePoint library or a Web Folder, IP-HTTPS tunnels for DirectAccess connectivity, and other applications by using technologies such as WebClient by using WebDav, WinRM, and others.
This update requires that the Secure Channel (Schannel) component in Windows 7 be configured to support TLS 1.1 and 1.2. As these protocol versions are not enabled by default in Windows 7, you must configure the registry settings to ensure Office applications can successfully use TLS 1.1 and 1.2.
This update will not change the behavior of applications that are manually setting the secure protocols instead of passing the default flag.
How to get this update
Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.
Method 1: Windows Update
This update is provided as a Recommended update on Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.
Method 2: Microsoft Update Catalog
To get the stand-alone package for this update, go to the Microsoft Update Catalog website.
Update detail information
Prerequisites
To apply this update, you must install Service Pack 1 for Windows 7 or Windows Server 2008 R2.
There's no prerequisite to apply this update in Windows Server 2012.
Registry information
To apply this update, the DefaultSecureProtocols registry subkey must be added.
Note To do this, you can add the registry subkey manually or install the "Easy fix" to populate the registry subkey.
Restart requirement
You may have to restart the computer after you apply this update.
Update replacement information
This update doesn't replace a previously released update.
More Information
Payment Card Industry (PCI) requires TLS 1.1 or TLS 1.2 for compliance.
For more information about the WINHTTP_OPTION_SECURE_PROTOCOLS flag, see Option Flags.
How the DefaultSecureProtocols registry entry works
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.
When an application specifies WINHTTP_OPTION_SECURE_PROTOCOLS, the system will check for the DefaultSecureProtocols registry entry and if present override the default protocols specified by WINHTTP_OPTION_SECURE_PROTOCOLS with the protocols specified in the registry entry. If the registry entry is not present, WinHTTP will use the existing operating system defaults for Win WINHTTP_OPTION_SECURE_PROTOCOLS HTTP. These WinHTTP defaults follow the existing precedence rules and are overruled by SCHANNEL disabled protocols and protocols set per application by WinHttpSetOption.
Note The hotfix installer doesn't add the DefaultSecureProtocols value. The administrator must manually add the entry after determining the override protocols. Or, you can install the "Easy fix" to add the entry automatically.
The DefaultSecureProtocols registry entry can be added in the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
The registry value is a DWORD bitmap. The value to use is determined by adding the values corresponding to the protocols desired.
| DefaultSecureProtocols Value | Protocol enabled |
|---|---|
| 0x00000008 | Enable SSL 2.0 by default |
| 0x00000020 | Enable SSL 3.0 by default |
| 0x00000080 | Enable TLS 1.0 by default |
| 0x00000200 | Enable TLS 1.1 by default |
| 0x00000800 | Enable TLS 1.2 by default |
For example:
The administrator wants to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS to specify TLS 1.1 and TLS 1.2.
Take the value for TLS 1.1 (0x00000200) and the value for TLS 1.2 (0x00000800), then add them together in calculator (in programmer mode), and the resulting registry value would be 0x00000A00.
Easy fix
To add the DefaultSecureProtocols registry subkey automatically, click here. In the File Download dialog box, click Run or Open, and then follow the steps in the easy fix wizard.
Notes
-
This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
-
If you are not on the computer that has the problem, save the easy fix solution to a flash drive or a CD and then run it on the computer that has the problem.
Note In addition to the DefaultSecureProtocols registry subkey, the Easy fix also adds the SecureProtocols at the following location to help enable TLS 1.1 and 1.2 for Internet Explorer.
The SecureProtocols registry entry that has value 0xA80 for enabling TLS 1.1 and 1.2 will be added in the following paths:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Enable TLS 1.1 and 1.2 on Windows 7 at the SChannel component level
Per the TLS-SSL Settings article, for TLS 1.1 and 1.2 to be enabled and negotiated on Windows 7, you MUST create the "DisabledByDefault" entry in the appropriate subkey (Client) and set it to "0". These subkeys will not be created in the registry since these protocols are disabled by default.
Create the necessary subkeys for TLS 1.1 and 1.2; create the DisabledByDefault DWORD values and set it to 0 in the following locations:
For TLS 1.1
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
DWORD name: DisabledByDefault
DWORD value: 0
For TLS 1.2
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
DWORD name: DisabledByDefault
DWORD value: 0
File Information
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.
Notes
-
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
Version
Product
Milestone
Service branch
6.1.760 1.23 xxx
Windows 7 or Windows Server 2008 R2
SP1
LDR
-
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
-
The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed in the "Additional file information" section. MUM, MANIFEST, and the associated security catalog (.cat) files, are very important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
x86 Windows 7
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Webio.dll | 6.1.7601.23375 | 316,416 | 09-Mar-2016 | 18:40 | x86 |
| Winhttp.dll | 6.1.7601.23375 | 351,744 | 09-Mar-2016 | 18:40 | x86 |
ia64 Windows Server 2008 R2
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Webio.dll | 6.1.7601.23375 | 695,808 | 09-Mar-2016 | 17:57 | IA-64 |
| Winhttp.dll | 6.1.7601.23375 | 811,520 | 09-Mar-2016 | 17:57 | IA-64 |
| Webio.dll | 6.1.7601.23375 | 316,416 | 09-Mar-2016 | 18:40 | x86 |
| Winhttp.dll | 6.1.7601.23375 | 351,744 | 09-Mar-2016 | 18:40 | x86 |
x64 Windows 7 and Windows Server 2008 R2
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Webio.dll | 6.1.7601.23375 | 396,800 | 09-Mar-2016 | 19:00 | x64 |
| Winhttp.dll | 6.1.7601.23375 | 444,416 | 09-Mar-2016 | 19:00 | x64 |
| Webio.dll | 6.1.7601.23375 | 316,416 | 09-Mar-2016 | 18:40 | x86 |
| Winhttp.dll | 6.1.7601.23375 | 351,744 | 09-Mar-2016 | 18:40 | x86 |
Notes
-
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
Version
Product
Milestone
Service branch
6.2.920 0.21 xxx
Windows Server 2012
RTM
LDR
-
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
-
The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed in the "Additional file information" section. MUM, MANIFEST, and the associated security catalog (.cat) files, are very important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
x64 Windows Server 2012
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Webio.dll | 6.2.9200.21797 | 587,776 | 08-Mar-2016 | 15:40 | x64 |
| Winhttp.dll | 6.2.9200.21797 | 711,680 | 08-Mar-2016 | 15:40 | x64 |
| Webio.dll | 6.2.9200.21797 | 416,768 | 08-Mar-2016 | 16:04 | x86 |
| Winhttp.dll | 6.2.9200.21797 | 516,096 | 08-Mar-2016 | 16:04 | x86 |
x86 Windows 7
| File property | Value |
|---|---|
| File name | Update.mum |
| File version | Not applicable |
| File size | 2,138 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 21:58 |
| Platform | Not applicable |
| File name | X86_431cdab002fb5e83e17b846b04fcaf65_31bf3856ad364e35_6.1.7601.23375_none_43266eeed47e442d.manifest |
| File version | Not applicable |
| File size | 693 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 21:58 |
| Platform | Not applicable |
| File name | X86_74b492584f59e56bd20ffc14c5e5ba0f_31bf3856ad364e35_5.1.7601.23375_none_3e7a009385a3da4d.manifest |
| File version | Not applicable |
| File size | 695 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 21:58 |
| Platform | Not applicable |
| File name | X86_microsoft-windows-webio_31bf3856ad364e35_6.1.7601.23375_none_5f3b2e545642f01b.manifest |
| File version | Not applicable |
| File size | 2,484 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 19:23 |
| Platform | Not applicable |
| File name | X86_microsoft.windows.winhttp_31bf3856ad364e35_5.1.7601.23375_none_5ef020609ae7c078.manifest |
| File version | Not applicable |
| File size | 50,395 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 19:21 |
| Platform | Not applicable |
ia64 Windows Server 2008 R2
| File property | Value |
|---|---|
| File name | Ia64_4d2eee3faf61ec5f12517a4957f4537f_31bf3856ad364e35_6.1.7601.23375_none_2a392926b32c8fac.manifest |
| File version | Not applicable |
| File size | 1,034 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 21:57 |
| Platform | Not applicable |
| File name | Ia64_a7157a3864eb3625c6f2570464d8d82e_31bf3856ad364e35_5.1.7601.23375_none_cc5980c8656c3813.manifest |
| File version | Not applicable |
| File size | 1,038 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 21:57 |
| Platform | Not applicable |
| File name | Ia64_microsoft-windows-webio_31bf3856ad364e35_6.1.7601.23375_none_5f3cd24a5640f917.manifest |
| File version | Not applicable |
| File size | 2,486 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 18:59 |
| Platform | Not applicable |
| File name | Ia64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.7601.23375_none_5ef1c4569ae5c974.manifest |
| File version | Not applicable |
| File size | 50,400 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 19:00 |
| Platform | Not applicable |
| File name | Update.mum |
| File version | Not applicable |
| File size | 1,447 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 21:57 |
| Platform | Not applicable |
| File name | Wow64_microsoft-windows-webio_31bf3856ad364e35_6.1.7601.23375_none_c5ae742a4301234c.manifest |
| File version | Not applicable |
| File size | 2,486 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 18:56 |
| Platform | Not applicable |
| File name | Wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.7601.23375_none_c563663687a5f3a9.manifest |
| File version | Not applicable |
| File size | 48,208 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 18:57 |
| Platform | Not applicable |
x64 Windows Server 2012
| File property | Value |
|---|---|
| File name | Amd64_9958f97250c31c67f643ef2fb115082b_31bf3856ad364e35_5.1.9200.21797_none_f923d4febdcecc46.manifest |
| File version | Not applicable |
| File size | 699 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 17:46 |
| Platform | Not applicable |
| File name | Amd64_d36ca06f7655111911d5d7858096c818_31bf3856ad364e35_5.1.9200.21797_none_a2ac544257eab672.manifest |
| File version | Not applicable |
| File size | 699 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 17:46 |
| Platform | Not applicable |
| File name | Amd64_f087a62cc82b760ae1e9fd7c56543a7b_31bf3856ad364e35_6.2.9200.21797_none_41ca502c248372a3.manifest |
| File version | Not applicable |
| File size | 697 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 17:46 |
| Platform | Not applicable |
| File name | Amd64_f42986041442c9e99c4c4c4ae61a8e52_31bf3856ad364e35_6.2.9200.21797_none_d0b7a18b852fef62.manifest |
| File version | Not applicable |
| File size | 697 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 17:46 |
| Platform | Not applicable |
| File name | Amd64_microsoft-windows-webio_31bf3856ad364e35_6.2.9200.21797_none_b6359e29819a8949.manifest |
| File version | Not applicable |
| File size | 2,527 |
| Date (UTC) | 08-Mar-2016 |
| Time (UTC) | 17:49 |
| Platform | Not applicable |
| File name | Amd64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.9200.21797_none_edbbc2f127740085.manifest |
| File version | Not applicable |
| File size | 51,759 |
| Date (UTC) | 08-Mar-2016 |
| Time (UTC) | 17:49 |
| Platform | Not applicable |
| File name | Update.mum |
| File version | Not applicable |
| File size | 1,795 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 17:46 |
| Platform | Not applicable |
| File name | Wow64_microsoft-windows-webio_31bf3856ad364e35_6.2.9200.21797_none_c08a487bb5fb4b44.manifest |
| File version | Not applicable |
| File size | 2,525 |
| Date (UTC) | 08-Mar-2016 |
| Time (UTC) | 16:28 |
| Platform | Not applicable |
| File name | Wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.9200.21797_none_f8106d435bd4c280.manifest |
| File version | Not applicable |
| File size | 49,547 |
| Date (UTC) | 08-Mar-2016 |
| Time (UTC) | 16:28 |
| Platform | Not applicable |
x64 Windows 7 and Windows Server 2008 R2
| File property | Value |
|---|---|
| File name | Amd64_6f902e1f26c1d885023f2728be29b310_31bf3856ad364e35_6.1.7601.23375_none_4011a397f4e0c754.manifest |
| File version | Not applicable |
| File size | 697 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 21:58 |
| Platform | Not applicable |
| File name | Amd64_80b3c903f951066b9a3317caef015722_31bf3856ad364e35_5.1.7601.23375_none_f4346c5570187f00.manifest |
| File version | Not applicable |
| File size | 1,040 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 21:58 |
| Platform | Not applicable |
| File name | Amd64_c2062bbf6a689a3048e6f61793b61cdd_31bf3856ad364e35_6.1.7601.23375_none_5e1a5c9308b3bb64.manifest |
| File version | Not applicable |
| File size | 1,036 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 21:58 |
| Platform | Not applicable |
| File name | Amd64_d19a822d9b98f35a9157bafd2ad0441b_31bf3856ad364e35_5.1.7601.23375_none_6f3e7f9a649df87a.manifest |
| File version | Not applicable |
| File size | 699 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 21:58 |
| Platform | Not applicable |
| File name | Amd64_ef2ea44ccf005d132e8a752d1e218e84_31bf3856ad364e35_6.1.7601.23375_none_23e107a24a3a80ce.manifest |
| File version | Not applicable |
| File size | 697 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 21:58 |
| Platform | Not applicable |
| File name | Amd64_microsoft-windows-webio_31bf3856ad364e35_6.1.7601.23375_none_bb59c9d80ea06151.manifest |
| File version | Not applicable |
| File size | 2,488 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 20:04 |
| Platform | Not applicable |
| File name | Amd64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.7601.23375_none_bb0ebbe4534531ae.manifest |
| File version | Not applicable |
| File size | 50,407 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 20:03 |
| Platform | Not applicable |
| File name | Update.mum |
| File version | Not applicable |
| File size | 2,774 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 21:58 |
| Platform | Not applicable |
| File name | Wow64_microsoft-windows-webio_31bf3856ad364e35_6.1.7601.23375_none_c5ae742a4301234c.manifest |
| File version | Not applicable |
| File size | 2,486 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 18:56 |
| Platform | Not applicable |
| File name | Wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.7601.23375_none_c563663687a5f3a9.manifest |
| File version | Not applicable |
| File size | 48,208 |
| Date (UTC) | 09-Mar-2016 |
| Time (UTC) | 18:57 |
| Platform | Not applicable |
References
Learn about the terminology that Microsoft uses to describe software updates.
