Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,159 questions
Disable TLS 1.0/1.1 on Windows via GPO causes eventlog warning with 0x80004002 error
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 93%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
windingo
1
Reputation point
Hi,
we are using GPO for some time to disable TLS 1.0 and 1.1 on all clients and servers. This was working until lately.
We use GPP registry settings to set those values:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\Enabled = 0 HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\DisabledByDefault = 1
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled = 0 HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\DisabledByDefault = 1
Since some weeks (March patch day?) all systems report warnings in eventlog, when this GPO applies. Event 4106 from Group Policy Registry.
This includes Windows Server 2019, 2022 or Windows 11 23H2, all on patch level April 2024.
The computer 'DisabledByDefault' preference item in the 'Security Config All Systems {xxx}' Group Policy Object did not apply because its targeting item failed with error code '0x80004002 No such interface supported' This error was suppressed.
The computer 'Enabled' preference item in the 'Security Config All Systems {xxx}' Group Policy Object did not apply because its targeting item failed with error code '0x80004002 No such interface supported' This error was suppressed.
Also we have another error code on some machines:
The computer 'Enabled' preference item in the 'Security Config All Systems {xxx}' Group Policy Object did not apply because its targeting item failed with error code '0x8007203a The server is not operational.' This error was suppressed.
When I check the registry, the registry entries exist, since they were set successfully before.
If I delete them, they are not recreated by the GPO. But I can recreate them manually.
This only happens with the entries for TLS 1.0 and TLS 1.1. This does not happen for entries like SSL 3.0 or older protocols.
Any ideas? Can someone reproduce this?
Best regards,
Ingo