Windows Server 2019 disable legacy TLS in IIS via certificate binding is unavailable

Copper Contributor



When we read about "TLS version enforcement capabilities now available per certificate binding on Windows Server 2019", it sounded perfect.  However we cannot get it to work?  We are on OS Build 17763.914 and when we go to the site binding the screenshot below is all we get.  According to we should also have a disable Legacy TLS checkbox. 



The version of windows server/iis we have is latest as per windows update and is after the version mentioned in the article.  We have also tried to do via "netsh http add sslcert ...", but when we add the argument disablelegacytls=enable it fails, even though it is listed in the help as an argument.

Does something need turning on or setting?  Tried a couple of things, but no luck.

Any hints or assistance much appreciated.







3 Replies

This actually looks like Microsoft never ended up implementing it, unless there's is some undocumented setting or requirement?  Does anybody know anything about this?  Thanks.



It is now March 2021, and the situation is still the same! Azure Security Center complains.

It's now October 2021, and Disable Legacy TLS is still not implemented in Windows Server 2019 IIS UI

(but it is implemented on Windows 10 IIS version 10.0.19041.1)