How to Fix Copilot ‘TLS 1.0 Disabled’ Block on Legacy Endpoints
🔍 WiseChecker

When you try to connect Copilot to a legacy endpoint, such as an on-premises SharePoint server or an older API gateway, you may see a connection error that reads “TLS 1.0 Disabled” or a similar security protocol failure. This error occurs because modern Microsoft 365 services and Copilot require at least Transport Layer Security 1.2 for all network connections. The root cause is that the legacy endpoint is still configured to use TLS 1.0, which Microsoft 365 stopped accepting in October 2020 and which the IETF formally deprecated in 2021 (RFC 8996) because of long-known protocol weaknesses. This article explains why the block happens, how to enable TLS 1.2 on your server or proxy, and what to do if you cannot upgrade the endpoint.

Key Takeaways: TLS 1.2 Upgrade for Copilot Connectivity

  • Windows Registry tweak for TLS 1.2: Explicitly enables TLS 1.2 and disables TLS 1.0 and 1.1 system-wide in SCHANNEL on Windows Server 2012 R2 and 2016 installations.
  • IIS or proxy server configuration: IIS inherits the SCHANNEL settings, so the server accepts only TLS 1.2 handshakes and the Copilot block disappears; a TLS-terminating reverse proxy does the same job for endpoints you cannot change.
  • Application-level TLS override: Use the .NET Framework SchUseStrongCrypto and SystemDefaultTlsVersions settings so that plugin code written for older .NET versions negotiates TLS 1.2.


Why Copilot Blocks TLS 1.0 Connections

Microsoft 365 services, including Copilot, enforce a minimum TLS version of 1.2 at the transport layer. TLS 1.0 and TLS 1.1 are considered insecure: their handshake PRF and signatures are built on MD5 and SHA-1, they offer no AEAD cipher suites (only CBC-mode suites and RC4), and TLS 1.0's chained CBC initialization vectors are what made the BEAST attack possible. POODLE, often mentioned in the same breath, targets SSL 3.0 and the downgrade behaviour older clients used to reach it. These weaknesses are why RFC 8996 deprecated TLS 1.0 and 1.1. When the Microsoft 365 side opens a connection to a legacy endpoint that offers only TLS 1.0, the two sides share no acceptable protocol version: the client rejects the server's TLS 1.0 ServerHello and aborts the handshake, and that failure is surfaced to the user as a “TLS 1.0 Disabled” error.

The block is not a Copilot bug. It is a security policy enforced by the Microsoft 365 platform, so there is no tenant-level switch that re-enables TLS 1.0. The fix is to make the legacy endpoint speak TLS 1.2, either by upgrading the operating system or by enabling the protocol in the registry and the web server configuration; if the endpoint cannot change, a TLS-terminating proxy in front of it is the fallback.

Where the Block Occurs

The error can appear in three common scenarios:

  • Copilot in Microsoft 365 Chat queries an on-premises SharePoint farm that uses TLS 1.0
  • A custom Copilot plugin calls a legacy REST API hosted on a Windows Server 2012 machine
  • A proxy or load balancer between Copilot and the endpoint terminates TLS but is itself limited to TLS 1.0, so it cannot complete a TLS 1.2 handshake with Copilot

Steps to Enable TLS 1.2 on Legacy Windows Servers

The following steps apply to Windows Server 2012 R2, Windows Server 2016, and Windows 10 or 11 machines that host legacy endpoints. On these versions SCHANNEL already supports TLS 1.2 and normally has it enabled by default, so the usual problem is that TLS 1.0 is still enabled alongside it, or that an older application never asks for TLS 1.2 (see Method 3); the registry steps make the intended state explicit and remove the old protocols. Perform these steps on the server that runs the web server, API, or proxy that Copilot connects to.

Method 1: Enable TLS 1.2 via Registry

  1. Open Registry Editor
    Press Windows key + R, type regedit, and press Enter. Click Yes if User Account Control prompts you.
  2. Navigate to the TLS 1.2 subkey
    Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server. If the TLS 1.2 or Server keys do not exist, create them manually by right-clicking the Protocols key, selecting New > Key, and naming them exactly as shown (the space in “TLS 1.2” matters).
  3. Create the DWORDs that enable TLS 1.2
    Inside the Server key, right-click the empty area, select New > DWORD (32-bit) Value, name it Enabled, and set its value data to 1. Create a second DWORD named DisabledByDefault and set its value data to 0. Enabled governs whether SCHANNEL may use the protocol at all; DisabledByDefault governs whether it is offered when an application does not request a version explicitly, so both need to be set. Repeat both values under the sibling Client key if this machine also makes outbound TLS connections (a proxy, or an API that calls other services).
  4. Create the DWORDs that disable TLS 1.0 and TLS 1.1
    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server. Create a DWORD named Enabled with value data 0 and a DWORD named DisabledByDefault with value data 1. Do the same under the TLS 1.1\Server key: TLS 1.1 is deprecated alongside TLS 1.0 and Microsoft 365 rejects it too. This step ensures the server refuses TLS 1.0 and TLS 1.1 handshakes.
  5. Restart the server
    Reboot the machine for the registry changes to take effect. After the restart, any web server or API running on this machine will negotiate only the versions left enabled: TLS 1.2, plus TLS 1.3 on Windows Server 2022 and Windows 11, which support it by default.
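The same Method 1 changes as a script, added here as an example rather than taken from the original article. It writes both Enabled and DisabledByDefault for the Server and Client roles of TLS 1.0, 1.1 and 1.2, then reads the values back so you can confirm them before rebooting. The desired state in $Settings is an assumption (TLS 1.2 on, TLS 1.0 and 1.1 off); run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): applies the Method 1 SCHANNEL settings with
# PowerShell instead of regedit, for both the Server and Client roles, and reads
# them back. Run from an elevated prompt; the change takes effect after a reboot.
# Assumption: TLS 1.2 should be on and TLS 1.0 and 1.1 off. Edit $Settings if not.

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state per protocol. Enabled says whether SCHANNEL may use the protocol at all;
# DisabledByDefault says whether it is offered when an app does not ask for it explicitly.
# Microsoft's guidance is to set both values, so both are written.
$Settings = [ordered]@{
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

foreach ($proto in $Settings.Keys) {
    # Server governs inbound connections (IIS / HTTP.sys); Client governs outbound
    # connections this machine makes, which matters for a proxy or an API that calls others.
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $Base "$proto\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Settings[$proto].Keys) {
            New-ItemProperty -Path $key -Name $name -Value $Settings[$proto][$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Read back the effective values, one line per protocol and role.
foreach ($proto in $Settings.Keys) {
    foreach ($role in 'Server', 'Client') {
        $p = Get-ItemProperty -Path (Join-Path $Base "$proto\$role")
        '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $proto, $role, $p.Enabled, $p.DisabledByDefault
    }
}
```

Run it once, check that the read-back lines show the values you intended, and then reboot. The script is idempotent, so it can be re-run after a patch or a configuration-management pass to confirm nothing re-enabled TLS 1.0.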

Method 2: Enable TLS 1.2 in IIS

  1. Open IIS Manager
    Press Windows key, type Internet Information Services (IIS) Manager, and open it.
  2. Select your site
    In the Connections pane, expand the server node, expand Sites, and select the site that Copilot connects to.
  3. Open SSL Settings
    Double-click SSL Settings in the middle pane.
  4. Require SSL and set client certificate policy
    Check Require SSL so the site only answers over HTTPS. Leave Client certificates at Ignore unless your endpoint actually authenticates callers with client certificates; choosing Require makes IIS reject any caller that presents none with a 403, which would appear as a new error right after the TLS fix. Click Apply in the Actions pane.
  5. Disable TLS 1.0 at the IIS level
    IIS respects the Windows SCHANNEL registry settings. After you apply the registry changes from Method 1, IIS will automatically stop negotiating TLS 1.0. No separate IIS setting is needed.

Method 3: Enable TLS 1.2 in .NET Framework for Custom Copilot Plugins

If your Copilot plugin is written in C# or another .NET Framework language and connects to a legacy endpoint, the framework may still offer only SSL 3.0 and TLS 1.0: applications that target .NET Framework 4.5 or earlier default to those protocols even when a newer runtime is installed. Setting the SchUseStrongCrypto registry value changes that default to TLS 1.2 (and 1.1) without recompiling; on .NET Framework 4.7 and later, SystemDefaultTlsVersions makes the process follow the SCHANNEL settings from Method 1 instead of a fixed list. Neither value is needed for .NET Core or .NET 5 and later, which always follow the operating system.

  1. Open Registry Editor
    Press Windows key + R, type regedit, and press Enter.
  2. Navigate to the .NET Framework key
    Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
  3. Create the SchUseStrongCrypto and SystemDefaultTlsVersions DWORDs
    Right-click the v4.0.30319 key, select New > DWORD (32-bit) Value, name it SchUseStrongCrypto, and set its value data to 1. Create a second DWORD named SystemDefaultTlsVersions with value data 1 so that .NET Framework 4.7 and later defer to the operating system's SCHANNEL configuration.
  4. Repeat for 32-bit applications
    If your plugin runs as a 32-bit process, also set the same DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319.
  5. Restart the application
    Restart the application pool or the service hosting your Copilot plugin for the setting to take effect.
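Method 3 as a script, added here as an example and not part of the original article. It writes both .NET Framework values to the 64-bit and 32-bit hives, then uses the fact that Windows PowerShell 5.1 is itself a .NET Framework process to show the effective default and the per-process override a plugin can apply in code. Run it from an elevated prompt.

```powershell
# Added example (not from the article): sets the .NET Framework 4.x TLS defaults in
# both registry hives, then shows what a .NET Framework process on this machine offers.
$Hives = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',             # 64-bit processes
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'  # 32-bit processes
)

foreach ($hive in $Hives) {
    if (-not (Test-Path $hive)) { New-Item -Path $hive -Force | Out-Null }
    # SchUseStrongCrypto=1: apps targeting .NET 4.5 or earlier stop defaulting to SSL3/TLS1.0.
    New-ItemProperty -Path $hive -Name SchUseStrongCrypto -Value 1 `
        -PropertyType DWord -Force | Out-Null
    # SystemDefaultTlsVersions=1 (.NET 4.7+): follow the SCHANNEL settings from Method 1,
    # so the process tracks the OS as protocols are disabled or added later.
    New-ItemProperty -Path $hive -Name SystemDefaultTlsVersions -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Windows PowerShell 5.1 runs on .NET Framework, so its own default shows what an
# unmodified plugin process would offer. Before the fix this commonly prints "Ssl3, Tls";
# afterwards a new process prints "SystemDefault" or "Tls, Tls11, Tls12".
[System.Net.ServicePointManager]::SecurityProtocol

# Per-process override for code you control when the registry cannot be changed.
# The C# equivalent is: ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
[System.Net.ServicePointManager]::SecurityProtocol
```

The registry values are read when a .NET process starts, so the first read-out in the same session still shows the old default; the override at the end demonstrates the in-process fix that takes effect immediately. Prefer the registry values over hard-coding Tls12 in application code, because a hard-coded list has to be edited again when TLS 1.3 becomes the baseline.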


If the Legacy Endpoint Cannot Be Upgraded

Copilot Connector Still Shows TLS 1.0 Error

If you cannot modify the legacy endpoint because it is a third-party appliance or an unsupported system, put a TLS-terminating reverse proxy in front of it. The proxy accepts TLS 1.2 (or later) from Copilot on its frontend and opens a separate connection to the legacy endpoint on its backend, which may still be TLS 1.0. NGINX, HAProxy, or IIS with Application Request Routing can all perform this translation. Configure the frontend to require TLS 1.2 and the backend to allow TLS 1.0. Two caveats: the backend hop is still TLS 1.0, so keep it on an isolated network segment and treat the proxy as a compensating control until the endpoint is replaced; and recent OpenSSL-based builds of NGINX and HAProxy may refuse TLS 1.0 at their default security level, so you may have to lower the security level explicitly for that one upstream.

Copilot Plugin Still Fails After Enabling TLS 1.2

If TLS 1.2 is enabled but the connection still fails, or hangs until it times out because an intermediate device drops the handshake instead of returning an alert, the two sides may have no TLS 1.2 cipher suite in common. On the server this is logged in the System event log as Schannel event 36874 (“none of the cipher suites supported by the client application are supported by the server”). Modern clients expect ECDHE key exchange with AES-GCM, for example TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Two settings control this on Windows: the algorithm switches under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers, where the AES 128/128 and AES 256/256 keys must not have Enabled set to 0, and the cipher suite order, which is set through the SSL Cipher Suite Order Group Policy or, on Windows Server 2016 and later, the Enable-TlsCipherSuite cmdlet. Use Get-TlsCipherSuite to list what the server currently offers. An ECDHE_RSA suite also requires the server certificate to carry an RSA key.

Copilot Returns 403 Forbidden After TLS Upgrade

A 403 is an HTTP response, so by the time it arrives the TLS handshake has already succeeded: the endpoint is refusing the request at the application layer, not the transport layer. Check the things that commonly change alongside a TLS upgrade: an IIS site set to Require client certificates (Method 2, step 4) when the caller presents none, an authorization token or audience the endpoint does not accept, or an IP allowlist on a newly deployed reverse proxy that omits the caller's source addresses.

Certificate trust problems look different: they abort the handshake and surface as a certificate or handshake error, not as a 403. For those, make sure the endpoint's certificate chains to a CA that the connecting component trusts. A cloud-hosted caller trusts public CAs, not your enterprise CA, so use a certificate from a public CA such as DigiCert or Let's Encrypt; self-signed certificates are not trusted. A private or enterprise CA only works when the component that makes the connection runs on a machine that trusts that CA, for example an on-premises connector agent joined to the Active Directory forest that publishes the root.

Copilot TLS Requirements vs Legacy Endpoint Capabilities

Item                            | Copilot requirement                                                     | Legacy endpoint default
Minimum TLS version             | TLS 1.2                                                                 | TLS 1.0 or TLS 1.1
Supported cipher suites         | AES-GCM with ECDHE key exchange                                         | RC4, 3DES, or CBC-mode suites
Certificate trust               | Chains to a CA the connecting component trusts (public CA for a cloud-hosted caller) | Self-signed, or private CA the caller does not trust
SCHANNEL registry configuration | TLS 1.2 enabled; TLS 1.0 and 1.1 disabled                               | Default settings still allow TLS 1.0
.NET Framework version          | 4.7 or later with SystemDefaultTlsVersions=1 and SchUseStrongCrypto=1   | 4.5 or earlier without SchUseStrongCrypto

You can now identify why Copilot blocks the legacy endpoint and apply the correct registry or proxy fix to enable TLS 1.2. Start with the SCHANNEL registry changes on the endpoint server, then verify the result from outside with a client that offers only TLS 1.2 (and one that offers only TLS 1.0, which should now be refused) before retesting from Copilot. If the endpoint is unchangeable, deploy a reverse proxy as an intermediary. For ongoing maintenance, watch the server's System event log for Schannel events 36874 (no cipher suite in common) and 36887 (fatal alert received from the remote endpoint) to catch future TLS mismatches early.
