• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

IE9: Last "Supported" Browser for Vista?

Vistaar

Vista Guru
Posts
526
#1
Browser support for Windows Vista is almost nonexistent now - or is it? If they wish to continue thumbing their noses at Microsoft, power users can turn IE9 into a veritable Stegosaurus: well-protected, but still a lumbering dinosaur. Three months after Microsoft ended support for Vista, they issued an Update to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2, the server version of Vista which is still under extended support until January 2020. Before long, an MSFN member with screen name VistaLover posted instructions on Enabling TLS 1.1/1.2 support in Vista's Internet Explorer 9. Of course every browser nowadays supports at least TLS 1.1 and 1.2, if not 1.3 - but versions old enough to work on Vista are no longer receiving security updates, whereas Microsoft is still issuing cumulative updates for IE9 for the benefit of Server 2008 users. Note: VistaLover suggests installing all updates intended for Server 2008 since support for Vista ended before you begin - an idea that I don't necessarily endorse - but probably all that is really necessary for this purpose is to install the latest Server 2008 cumulative update for IE9 from Microsoft Update Catalog.

For the second time in less than a year, MSFN was recently down for about a week. During that time, the thought occurred to me that if MSFN was indeed gone forever, VistaLover's instructions might also be lost - particularly the necessary registry edits. So with full credit to VistaLover, I will quote the instructions here:

1. Install then KB4019276

2. Reboot the Vista machine

3. After restart, launch the Registry Editor (regedit), preferably as Administrator.

4. Navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1

5. Delete the "OSVersion"="3.6.1.0.0" subkey; BTW, I don't know which WinOS that string refers to (Win6.1=Win7)

6. Navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2

7. Again, delete the "OSVersion"="3.6.1.0.0" subkey. Exit Registry Editor.
After that, you just need to change settings in Internet Options > Advanced tab under Security.

If the link to VistaLover's post at MSFN given above ever fails, the page is archived at Enabling TLS 1.1/1.2 support in Vista's Internet Explorer 9. I recommend that you familiarize yourself with it before attempting these instructions. Keep in mind that IE9 will still be a 7-year-old browser that is no longer supported by many websites. Good luck!
 
Last edited:

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics Card(s)
    NVIDIA GeForce 8500 GT

Vistaar

Vista Guru
Posts
526
#2
I do not endorse any of the unnecessary registry changes discussed below - only those recommended by VistaLover above.
 
Last edited:

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics Card(s)
    NVIDIA GeForce 8500 GT

wither 3

Vista Guru
Gold Member
Posts
2,241
#3
This wasn't as straight forward as it seems.

I did the installation of the 2008 file and the registry changes. I then rebooted. When I went to the IE settings, the TSL 1.1 and TSL 1.2 options weren't there. I only had the SSL options and TSL 1.0.

So, I went to the Microsoft help via the link provided. Since I didn't want TSL 1.1, I'll quote the help for TSL 1.2-

"TLS 1.2

This subkey controls the use of TLS 1.2.

Note For TLS 1.2 to be enabled and negotiated, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0.

By default, this entry does not exist in the registry.

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2

To disable the TLS 1.2 protocol, you must create the Enabled DWORD entry in the appropriate subkey, and then change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 1.

By default, this entry does not exist in the registry."

Kind of convoluted because it says that to enable or disable TSL 1.2, you must set the value to "0."

So I went to that entry and the only thing there was the SSL with a subkey of Client.

So I created a new entry for TSL 1.2 with the Client subkey and made the above changes (I used a value of "1.") When I then went to the IE settings, there was no TSL 1.2. I rebooted and it didn't change anything.

Since it says (Client, Server) above, I went back to the registry and edited the new TSL 1.2 entry to add the Server subkey to the Client subkey and put in the same values which were previously in Client. Same result in IE settings, even after rebooting.

I wondered why the TSL 1.0 was in the IE settings so I searched the registry for it and found this key-

HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

It said to Use TSL 1.0. so, I changed it to TSL 1.2. That deleted the TSL 1.0 setting from the IE settings and replaced it with TSL 1.2.

I don't know if I have to make any other changes. The thing that bothers me is that the Default Value in this key-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2

is set to (0).

The question I have is- Will Windows Update pick up new changes to the Server 2008 security settings?
 
Last edited:

My Computer

Vistaar

Vista Guru
Posts
526
#4
I did the installation of the 2008 file and the registry changes. I then rebooted. When I went to the IE settings, the TSL 1.1 and TSL 1.2 options weren't there. I only had the SSL options and TSL 1.0....

The question I have is- Will Windows Update pick up new changes to the Server 2008 security settings?
Hello wither 3, I'm glad somebody gave this a try. Before installing KB4019276 and editing the registry, did you update IE9 with the latest cumulative update intended for Server 2008 as I suggested in post #1?

Windows Update will never give Vista any updates intended for Server 2008, if that is your question.
 

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics Card(s)
    NVIDIA GeForce 8500 GT

wither 3

Vista Guru
Gold Member
Posts
2,241
#5
I didn't install anything before the KB4019276. I went looking at the first reference in your first post and, if you don't read carefully, you'll miss that it sends you to another site for installing other parts of 2008. It is super confusing. In all, it's stated that the 4019276 is the most important update (like the others don't really matter). I should note that my IE 9 version is 9.0.90 which is higher than the final update provided by Microsoft before ending support.

Now you got me thinking. I don't think I installed the the 11/10/2017 version of the above KB. Not sure if it matters. The last update I installed was the KB4230450.

Well, I had 2 questions. The first is about the default for the TSL 2 in the Crypto key.

You answered my second question. You're saying that I have to go to the Microsoft Catalog periodically and look for updates.

Update: I just tried to download the 11/10/2017 version of the KB and Vista insists on downloading it as a .ms file, rather than a .msu. Didn't have that problem with the others.
 
Last edited:

My Computer

wither 3

Vista Guru
Gold Member
Posts
2,241
#6
Still haven't figured this out. I have TLS1.2 enabled per the instructions. However, if I go to something like Pandora, it says my browser is out of date. I don't know if it uses TLS1.2.

I haven't been able to get TLS1.1 back in use (Only TLS1.0 was previously listed but, now it's gone, because I enable TLS1.2). I changed my registry settings similar to those in Win 7 for TLS1.1. What I can't do in the registry is make the change to "use TLS1.1." I tried to do it similar to what's in Win 7 but was unsuccessful.
 

My Computer

townsbg

~~тσωηsвg~~
Vista Guru
Gold Member
US of A

Posts
2,287
#7
Websites can be programed to recognize the browser version number and not just the TLS version.
 

My Computers

System One System Two

  • Operating System
    Windows 7 Pro x64
    Manufacturer/Model
    Mid 2010 iMac
    CPU
    Quad core 3.2 Ghz Intel I3
    Memory
    8 gb
    Graphics Card(s)
    ATI Radeon HD 5670 512 mb ram
    Screen Resolution
    1920x1080 and 1440x900
    Hard Drives
    1 TB
  • Operating System
    Windows 2008 R2 Enterprise
    Manufacturer/Model
    Compaq Presario SR5350F
    CPU
    Pentium 2.0 gHZ Dual core E2160
    Memory
    2 gb
    Screen Resolution
    1440 x 900
    Hard Drives
    300 GB

wither 3

Vista Guru
Gold Member
Posts
2,241
#8
Thanks, I always appreciate your input. However, how does that help? Seems that the MSFN website is always down so I can't create an account so that I can ask VistaLover about this whole thing. I've been very careful about not doing anything in the registry to mess this up. The Vista and Win 7 registries are almost identical, in regards to this. Only minor numbering differences in the C:\System32 folder. In the mean time, I've been using Opera except when I need to get to dropbox. I can get there now with IE 9 and Firefox. I can get to Pandora with Firefox but not IE 9. I can work with Accuradio in Opera and Firefox but, even though it loads, it won't function in IE 9.
 

My Computer