If you see a “TLS Handshake Failed” error when trying to use Copilot in Microsoft 365 apps on an older Windows client, your connection is being blocked before Copilot can respond. This error means the secure communication channel between your device and Microsoft servers could not be established. The root cause is almost always an outdated TLS protocol version or a missing cipher suite on the client machine. This article explains why the error occurs and provides the exact steps to fix it on Windows 10 and Windows 11.
Key Takeaways: Fixing TLS Handshake Failed for Copilot
- Windows Registry > TLS 1.2 enabled: Ensures the client can negotiate the minimum TLS version required by Microsoft 365.
- Windows Update > KB update for TLS: Installs missing cipher suites and SCHANNEL fixes that Copilot needs.
- Group Policy > TLS cipher suite order: Prevents the client from offering weak or deprecated ciphers that cause the handshake to fail.
Why Copilot Shows TLS Handshake Failed on Older Clients
The TLS handshake is a cryptographic negotiation between your client and the Microsoft 365 service. Copilot requires TLS 1.2 or higher. Older Windows clients, especially Windows 10 versions before 1809 or Windows 11 builds before 22H2, may have TLS 1.2 disabled by default or may lack the necessary cipher suites such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. When the client offers only TLS 1.0 or 1.1, or when it presents a cipher suite that Microsoft servers no longer accept, the server terminates the handshake and returns the TLS Handshake Failed error.
SCHANNEL Registry Keys
The SCHANNEL component in Windows controls TLS protocol versions. If the registry keys for TLS 1.2 are missing or set to 0, the client cannot use TLS 1.2. Copilot then fails because the one protocol version the client and server would have in common is not available.
Cipher Suite Mismatch
Even if TLS 1.2 is enabled, the client may not have the specific cipher suites that Microsoft 365 requires. Windows 10 version 1607 and older, for example, lack TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Without this cipher, the handshake fails.
Steps to Enable TLS 1.2 and Fix the Copilot Handshake Error
Follow these steps in order. Each step addresses a specific cause of the handshake failure. Do not skip any step unless you have already verified that TLS 1.2 is enabled.
- Verify current TLS version in use
  Open a Command Prompt as administrator. Run `certutil -urlcache https://www.microsoft.com test.txt`. If the command returns a TLS error, your client is not using TLS 1.2. Check the SCHANNEL event log for event ID 36871 or 36874 to see the offered protocols.
- Enable TLS 1.2 via Registry
  Open Registry Editor. Navigate to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client`. If the path does not exist, create the key manually. Set the DWORD value `DisabledByDefault` to 0 and `Enabled` to 1. Repeat for the Server subkey under TLS 1.2. Restart the computer.
- Install the latest Windows Update
  Go to Settings > Update & Security > Windows Update and install all pending updates. For Windows 10 versions 1809 and earlier, you may need to install the update KB4054519 or a later monthly rollup that adds the missing cipher suites. For Windows 11 version 21H2, install the 2023-11 cumulative update or newer. Restart after installation.
- Add missing cipher suites via Group Policy
  Press Win + R, type `gpedit.msc`, and press Enter. Navigate to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings. Double-click SSL Cipher Suite Order. Set it to Enabled. In the SSL Cipher Suites box, paste the following cipher suite string at the beginning: `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`. Click OK. Restart the computer.
- Test the connection
  Open a web browser and navigate to `https://ssltools.microsoft.com`. The site will show your TLS version and cipher suite. If it reports TLS 1.2 or higher and a cipher suite from the list above, the fix is successful. Open Copilot in Word or Teams and verify the error no longer appears.
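The registry step above can be audited and applied from PowerShell instead of Registry Editor. The following is an added example, not part of the original article or any Microsoft tooling; the function names `Get-Tls12State` and `Set-Tls12Enabled` are hypothetical, and it assumes an elevated PowerShell session.

```powershell
# Added example: audit and optionally set the SCHANNEL TLS 1.2 values from the registry step.
# Run from an elevated PowerShell session. Function names are hypothetical.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$Want = [ordered]@{ DisabledByDefault = 0; Enabled = 1 }

function Get-Tls12State {
    foreach ($role in 'Client', 'Server') {
        $path  = Join-Path $Base $role
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $Want.Keys) {
            # $null means the key or the value is not present in the registry
            $actual = if ($props) { $props.$name } else { $null }
            [pscustomobject]@{
                Role     = $role
                Value    = $name
                Actual   = $actual
                Expected = $Want[$name]
                Ok       = ($null -ne $actual -and $actual -eq $Want[$name])
            }
        }
    }
}

function Set-Tls12Enabled {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($role in 'Client', 'Server') {
        $path = Join-Path $Base $role
        if ($PSCmdlet.ShouldProcess($path, 'Set DisabledByDefault=0, Enabled=1')) {
            # Create the key (and any missing parent keys) before writing values
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            foreach ($name in $Want.Keys) {
                New-ItemProperty -Path $path -Name $name -Value $Want[$name] `
                    -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

Get-Tls12State | Format-Table -AutoSize
# Set-Tls12Enabled -WhatIf   # preview only; drop -WhatIf to apply, then restart the computer
```

Run `Get-Tls12State` again after the restart; every row should show `Ok` as `True`.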
If Copilot Still Shows TLS Handshake Failed After the Fix
If the error persists, check these additional causes and their fixes.
Copilot Fails on Windows 10 Version 1507 or 1511
These versions do not support TLS 1.2 at all. Microsoft ended support for these builds. Upgrade to Windows 10 version 1809 or later, or to Windows 11. After the upgrade, enable TLS 1.2 using the registry steps above.
Copilot Fails Only in Microsoft 365 Apps but Works in Edge
This indicates that the Microsoft 365 apps are using a different SCHANNEL context or a proxy that strips TLS 1.2. Check your proxy or firewall settings. Ensure that the proxy does not force TLS 1.0 on the connection. In Microsoft 365 apps, go to File > Options > Trust Center > Trust Center Settings > Privacy Options and enable Allow the use of TLS 1.2 if the option exists.
Copilot Fails After a Recent Windows Update
Some updates reset SCHANNEL registry keys. Re-apply the registry changes from Step 2. Also check the event log for SCHANNEL errors. If the update removed cipher suites, re-apply the Group Policy cipher suite order from Step 4.
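To check for this kind of drift after an update, the added example below (not from the original article) reports which of the three cipher suites from the Group Policy step are no longer enabled, what cipher order the policy currently sets, and how many Schannel 36871/36874 events were logged recently. The function name `Get-TlsDrift` and its `-Since` parameter are hypothetical; it assumes the `Get-TlsCipherSuite` cmdlet is available on the client, that Schannel events are written to the System log, and that the policy is stored under the `Policies\Microsoft\Cryptography` registry path shown in the code, which is not given on this page.

```powershell
# Added example: post-update drift check. Function name and parameter are hypothetical.
$Required = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
)

function Get-TlsDrift {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    # Cipher suites currently enabled for Schannel (TLS module cmdlet)
    $enabled = (Get-TlsCipherSuite).Name
    $missing = $Required | Where-Object { $_ -notin $enabled }

    # Order set by the "SSL Cipher Suite Order" policy, if configured (assumed path)
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $policy  = (Get-ItemProperty -Path $polPath -Name Functions `
                    -ErrorAction SilentlyContinue).Functions

    # Schannel handshake errors logged since $Since (newest first)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Schannel'
        Id = 36871, 36874; StartTime = $Since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MissingSuites = @($missing)
        PolicyOrder   = if ($policy) { $policy -split ',' } else { @() }
        EventCount    = @($events).Count
        LatestEvent   = if ($events) { @($events)[0].TimeCreated } else { $null }
    }
}

Get-TlsDrift | Format-List
```

An empty `MissingSuites` together with an `EventCount` of 0 since the update indicates the cipher configuration survived; otherwise re-apply the affected step.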
TLS 1.2 vs TLS 1.3 for Copilot: Key Differences
| Item | TLS 1.2 | TLS 1.3 |
|---|---|---|
| Description | Minimum protocol version required by Microsoft 365 for Copilot | Optional protocol version supported on Windows 11 22H2 and newer |
| Windows support | Windows 7 with KB, Windows 8.1, Windows 10, Windows 11 | Windows 11 22H2 and later, Windows 10 20H2 with KB5014699 |
| Copilot compatibility | Fully supported | Supported but not required |
| Cipher suites needed | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or similar | TLS_AES_256_GCM_SHA384 only |
| Configuration method | Registry or Group Policy | Enabled by default on supported builds |
After completing the steps above, Copilot should connect successfully on your older client. If you manage multiple devices, apply the registry and Group Policy changes via a script or domain policy to prevent the error from recurring. Test the connection with the Microsoft SSL tools site before deploying to production.