TLS 1.0 and 1.1 deprecation for Office 365

As of October 31, 2018, the Office 365 service has disabled the support for the Transport Layer Security (TLS) 1.0 and 1.1 protocols. The effect for users is expected to be minimal. This change was publicized for almost two years, with the first public announcement made in December 2017. This article is intended to cover only the Office 365 local client in relation to the Office 365 service. However, it can also apply to on-premises TLS issues in Office, Office Online Server/Office Web Apps, and SharePoint.

Note This article also applies to the following:

  • Office 365 ProPlus

  • Office 365 Business

  • Office 365 Personal

Office and TLS overview

The Office client relies on the Windows web service (WINHTTP) to send and receive traffic over TLS protocols. The Office client can use TLS 1.2 if the web service of the local computer can use TLS 1.2. All Office clients can use TLS protocols, as TLS and SSL protocols are part of the operating system and not specific to the Office client.

On Windows 8 and later versions

By default, the TLS 1.2 and 1.1 protocols are available if no network devices are configured to reject TLS 1.2 traffic.

On Windows 7

TLS 1.1 and 1.2 protocols are not available without the KB 3140245 update. The update addresses this issue and adds the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

Note Windows 7 users who do not have this update installed are affected as of October 31, 2018. KB 3140245 includes details about how to change WINHTTP settings to enable TLS protocols. 

More information

The value of the DefaultSecureProtocols registry key that the KB article describes determines which network protocols can be used:

DefaultSecureProtocols Value

Protocol enabled


Enable SSL 2.0 by default


Enable SSL 3.0 by default


Enable TLS 1.0 by default


Enable TLS 1.1 by default


Enable TLS 1.2 by default

The “DefaultSecureProtocols” registry key determines which network protocols the Windows platform is allowed to use. If you want to have both protocols enabled (TLS 1.1 and 1.2), you have to add their respective hex values together, and change the DefaultSecureProtocols value to that sum.

Office clients and TLS registry keys

You can refer to KB 4057306 Preparing for the mandatory use of TLS 1.2 in Office 365. This is a general article for IT administrators, and it is the official documentation about the TLS 1.2 change.

The following table shows the appropriate registry key values in Office 365 clients after October 31, 2018.  

Enabled protocols for Office 365 service after October 31, 2018

Hexadecimal value

TLS 1.0 + 1.1 + 1.2


TLS 1.1 + 1.2


TLS 1.0 + 1.2


TLS 1.2


Important We recommend that you do not use the SSL 2.0 and 3.0 protocols, which can also be set by using the DefaultSecureProtocols key. SSL 2.0 and 3.0 are considered deprecated protocols. The best practice is to end the use of SSL 2.0 and SSL 3.0, although the decision to do this ultimately depends on what best meets your product needs. For more information about SSL 3.0 vulnerabilities, see KB 3009008.

You can use the default Windows Calculator in Programmer mode to set up the same reference registry key values. For more information, see KB 3140245 Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows

Regardless of whether the Windows 7 update (KB 3140245) is installed, the DefaultSecureProtocols registry key isn't present and must be added manually or through a group policy object (GPO). That is, unless you have to customize which secure protocols are enabled or restricted, this key is not required. You need only the Windows 7 SP1 (KB 3140245) update. 

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.