Enable a TLS 1.3 security feature for local trust anchors.

This policy controls a security feature in TLS 1.3 which protects connections against downgrade attacks. It is backwards-compatible and will not affect connections to compliant TLS 1.2 servers or proxies. However, older versions of some TLS-intercepting proxies have an implementation flaw which causes them to be incompatible.

If this policy is set to True or not set, Google Chrome will enable these security protections for all connections.

If this policy is set to False, Google Chrome will disable these security protections for connections authenticated with locally-installed CA certificates. These protections are always enabled for connections authenticated with publicly-trusted CA certificates.

The default value for this policy was changed in Google Chrome 81 from false to true. Affected proxies are expected to fail connections with an error code of ERR_TLS13_DOWNGRADE_DETECTED. Administrators who need more time to upgrade affected proxies may use this policy to temporarily disable this security feature. This policy will be removed after version 85.

Supported on: At least Microsoft Windows 7 or Windows Server 2008 family

Registry PathSoftware\Policies\Google\Chrome
Value NameTLS13HardeningForLocalAnchorsEnabled
Enabled Value1
Disabled Value0


Administrative Templates (Computers)

Administrative Templates (Users)