Link to home
Create AccountLog in
Avatar of Lev Kaytsner
Lev Kaytsner

asked on

RDP to Windows Server 2012 R2 after disabling TLS 1.0

I had to disable TLS 1.0 on Windows Server 2012 R2 due to  PCI Compliance requirements.
Now I can't connect to either server via RDP.
I have tried editing security to "negotiate" in Group Policy Editor.
Has anyone found a solution to this?

Thanks,
Lev
Avatar of J S
J S
Flag of United States of America image

Did you verify TLS 1.1 and 1.2 are enabled on the server? Check the following registry

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
Avatar of Lev Kaytsner
Lev Kaytsner

ASKER

Yes, both TLS 1.1 and 1.2 are enabled.
This is what I have now with TLS1.0 enabled since I have no other way to get into it:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
ASKER CERTIFIED SOLUTION
Avatar of Don
Don
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Have you tried using each of the Security Layers Terminal Service Config?   I would try SSL TLS 1.0 or RDP Security Layer and see if that works.  Another option might be enabling FIP Compliant cipher and setting the TSconfig to use them which really isnt recommended.
I am using Windows 7 and 10 to connect. I installed RDP 8.0 and it didn't help.
Updating RDP to 8.1 enabled access to Windows Server 2012 R2
Thank you all!