What is the difference between the DisabledByDefault and Enabled SSL/TLS registry keys on Microsoft Windows?

Timothy Schoonover · Jul 18, 2018 · Viewed 17.1k times

Microsoft provides best practices guidance for Transport Layer Security (TLS). This document describes registry keys that can enable or disable a specific protocol.

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry

For example, to enable TLS 1.2, you can add the following registry keys.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:FFFFFFFF

What is the difference between DisabledByDefault and Enabled? They seem redundant.

Answer

Trevor65 · Aug 22, 2018

DisabledByDefault and Enabled are not redundant.

When the DisabledByDefault flag is set to 1, SSL / TLS version X is not used by default. If an SSPI app requests to use this version of SSL / TLS, it will be negotiated. In a nutshell, SSL is not disabled when you use the DisabledByDefault flag.

When the Enabled flag is set to 0, SSL / TLS version X is disabled and cannot be negotiated by any SSPI app (even if the DisabledByDefault flag is set to 0).

For more information, the Microsoft documentation describes which SSL versions are maintained or not, and how to disable them.
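As an added example (not part of the question or the answer above), the following PowerShell script reads the Schannel protocol keys on the local machine and reports each protocol and side according to the semantics just described: Enabled=0 wins outright, DisabledByDefault=1 only means "not offered unless an app asks". The protocol list, the function name and the output wording are my own choices, and an absent key is reported as "OS default" because Schannel then falls back to its built-in setting for that version.

```powershell
# Added example: audit Schannel protocol configuration from the registry.
# Reading these keys needs no elevation; only changing them does.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# Constructed list of protocol subkey names; TLS 1.3 only exists on newer Windows builds.
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # $Side is 'Client' or 'Server'
    $key = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $key)) {
        # No key at all: Schannel uses the operating system default for this version.
        return 'OS default (key absent)'
    }
    $props   = Get-ItemProperty -Path $key
    $enabled = $props.Enabled             # $null when the value is not present
    $dbd     = $props.DisabledByDefault   # $null when the value is not present

    # Note: a REG_DWORD of 0xFFFFFFFF is returned as the Int32 -1, so test for 0,
    # not for a specific non-zero value.
    if ($null -ne $enabled -and $enabled -eq 0) {
        # Enabled=0 takes precedence: no SSPI app can negotiate this version.
        return 'Disabled (Enabled=0)'
    }
    if ($null -ne $dbd -and $dbd -ne 0) {
        # Not offered by default, but negotiated if an SSPI app explicitly requests it.
        return 'Not used by default (DisabledByDefault=1), negotiable on request'
    }
    return 'Enabled'
}

foreach ($p in $protocols) {
    foreach ($s in 'Client', 'Server') {
        '{0,-8} {1,-6} {2}' -f $p, $s, (Get-SchannelProtocolState -Protocol $p -Side $s)
    }
}
```

A row reading "Not used by default" is the case the answer warns about: the protocol is still negotiable, so hardening baselines that require a version to be unavailable must set Enabled to 0 rather than rely on DisabledByDefault alone.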