RDP failed after disabling TLS1.0

I am working on a project to integrate PayPal Express Checkout and I’m using C# to implement the API calls, but after invoking the initial SetExpressCheckout call I got the below error.


The error seems pretty obvious, so I started digging into the SSL/TLS settings on the server and doing some googling, and it became apparent that PayPal has updated its services to require TLS 1.2 for all HTTPS connections. So I enabled TLS 1.2 and disabled TLS 1.0 in the registry (again, I used PowerShell 🙂 ) and rebooted the server.


# Create Keys if not exist
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client"

# Disable TLS 1.0 for client and server SCHANNEL communications
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -name "Enabled" -value 0 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -name "DisabledByDefault" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -name "Enabled" -value 0 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -name "DisabledByDefault" -value 1 -PropertyType "DWord"

# Create Keys if not exist
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Enable TLS 1.2 for client and server SCHANNEL communications
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"


Registry (complete change including disabling SSLv2, SSLv3, TLS1.0 and other Ciphers)


After making all these changes I rebooted the server (typical Windows step), went for a tea and after 15 mins I tried RDP to the server but kept getting this message!!!




After about 10 retries I realised there is definitely something wrong as I couldn’t Remote Desktop to the server at all.

After some googling I found out that if the RDP security layer is set to TLS 1.0 and you disable TLS 1.0, RDP services won’t work. You can check this in Remote Desktop Host Configuration settings:

Luckily it’s a virtual server, and thanks to my colleague Justin Marx, who managed to get into the server through the VMware portal and made the changes.



Right-click on the connection name RDP-Tcp and click Properties.


Microsoft released a hotfix to provide support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows 7 Service Pack 1 (SP1) or Windows Server 2008 R2 SP1 for Remote Desktop Services (RDS). You can download it from https://support.microsoft.com/en-us/kb/3080079.
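A pre-flight check that would have caught this before the reboot, as an added example that is not part of the original post. It assumes the RDP-Tcp listener keeps its security layer in the `SecurityLayer` registry value (0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS 1.0) and that Windows 7 SP1 / Server 2008 R2 SP1 report OS version 6.1; the function and variable names are illustrative.

```powershell
# Added example: report whether disabling TLS 1.0 would lock out RDP on this host.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tls10  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent (the OS default then applies)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

$layer        = Get-RegValue $rdpKey 'SecurityLayer'
$tls10Enabled = Get-RegValue $tls10  'Enabled'

# Only Windows 7 SP1 / Server 2008 R2 SP1 (6.1) need the hotfix for TLS 1.1/1.2 over RDP
$os          = [Environment]::OSVersion.Version
$needsHotfix = ($os.Major -eq 6 -and $os.Minor -eq 1)
$hotfix      = Get-HotFix -Id 'KB3080079' -ErrorAction SilentlyContinue

# The failure described above: listener pinned to TLS 1.0 and no newer TLS available to RDP
$lockoutRisk = ($layer -eq 2) -and $needsHotfix -and (-not $hotfix)

if ($layer -eq $null)        { $layerText = 'not set (OS default)' }
else                         { $layerText = $layerNames[[int]$layer] }
if ($tls10Enabled -eq $null) { $tlsText = 'not set (OS default)' }
elseif ($tls10Enabled -eq 0) { $tlsText = 'disabled' }
else                         { $tlsText = 'enabled' }

New-Object PSObject -Property @{
    RdpSecurityLayer  = $layerText
    Tls10Server       = $tlsText
    HotfixRequired    = $needsHotfix
    HotfixInstalled   = [bool]$hotfix
    LockoutIfTls10Off = $lockoutRisk
} | Format-List

if ($lockoutRisk) {
    Write-Warning 'RDP-Tcp uses the TLS 1.0 security layer and KB3080079 is missing. Install the hotfix or change the security layer before disabling TLS 1.0.'
}
```

Run it from an elevated console before applying the SCHANNEL registry changes, and keep console access (for example through the hypervisor) available until an RDP session succeeds after the reboot.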

Panic OVER! 🙂


(I will post some more articles about the PayPal Express Checkout API soon).