Forced TLS 1.3
After I installed Avira Free Security I couldn't connect to the eduroam Wi-Fi at my university. I investigated and found (when I compared a dump of the registry database with an earlier dump) that after installing the product, some new registry keys belonging to the TLS settings had been created here in the registry DB:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
(With Windows 10 out of the box, only this registry key, "Protocols", is here, and there are no other keys under it.)
By default, on a cleanly installed Windows 10, it is empty; only the "Protocols" key exists. After Avira Free Security was installed, there were keys such as these here:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Backup TLS 1.0]
(...)
(...)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
etc. etc.
I deleted these lines (I left only the "Protocols" key; this is the only key that exists here on an out-of-the-box Windows 10, and there are no keys under it), and I was able to connect to the eduroam Wi-Fi again (it's a WLAN with RADIUS authentication, with the same SSID internationally in the EU).
After Avira was updated, or after some time (some restart), the registry keys above were recreated. I finally uninstalled the product on Friday (23 October 2022) and explained and sent this reason in 180 characters (in the message box of the uninstaller's front-end GUI)...
These settings were also tampered with:
(These are on the "Special" tab of inetcpl.cpl, also called "Internet settings", in the classic Control Panel, and mainly belong to the operation of Internet Explorer.)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:00000a80 (this is the default: 2688 in decimal)
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PrefetchPrerender]
"Enabled"=dword:00000001 (this changes to 00000000, which disables "Load sites and content in the background to optimize performance"; this setting is found as a checkbox on the Special tab of Internet Settings, also called inetcpl.cpl)
These settings don't affect the eduroam or other Wi-Fi connections which use e.g. TLS 1.2. The [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols] key is the most important one in the case of a "Cannot connect this network." message with a username and password that are certainly typed correctly, for eduroam or another WLAN network which uses authentication similar to eduroam (WPA2 Enterprise + certificate, or other Active Directory/LDAP/FreeRADIUS authenticated WLAN networks etc. with TLS 1.2 security).
The biggest problem was that when I uninstalled the product, it didn't change the settings back to the defaults, so I had to investigate the concrete reason and the registry differences on a cleanly installed computer (before installing Avira and after installing Avira), and after that I found what can be read above.
There aren't any GUI settings for TLS versions in Avira, and there is no warning that Avira Free Security tampers with this.
The eduroam FreeRADIUS often still uses TLS version 1.2, because some old devices, e.g. Android etc., cannot connect with TLS 1.3.
What is important in this case is that Avira doesn't disable TLS 1.2, but the operating system does not handle the change between 1.2 & 1.3 normally. If versions 1.0/1.1/1.2 are enabled, as by default in Windows 10, there is no problem with the connection. It is certain that this FreeRADIUS uses TLS version 1.2 at this university; I inquired about this. If I enable TLS 1.3 but don't disable 1.2, the connection fails.
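
An added example, not part of the original post: the before/after registry comparison described above, run over two constructed .reg exports, together with a decoder for the SecureProtocols bit mask. The sample exports, the TLS 1.3 entry in them and all function names are assumptions made for illustration.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
# Constructed sample exports (not taken from the poster's machine).
BEFORE = f"[{BASE}]\n"
AFTER = f"""[{BASE}]
[{BASE}\\TLS 1.0\\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[{BASE}\\TLS 1.3\\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
"""
# Bit flags of the Internet Settings "SecureProtocols" value.
SECURE_PROTOCOLS = {0x8: "SSL 2.0", 0x20: "SSL 3.0", 0x80: "TLS 1.0",
                    0x200: "TLS 1.1", 0x800: "TLS 1.2", 0x2000: "TLS 1.3"}

def parse_reg(text):
    # Map each [key] in a .reg export to its dword values; other lines are ignored.
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)):
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def schannel_overrides(before, after):
    # Report protocol subkeys that are new or changed in the later export.
    old, new = parse_reg(before), parse_reg(after)
    prefix = BASE.upper() + "\\"
    findings = []
    for key, values in sorted(new.items()):
        if not key.upper().startswith(prefix) or not values or old.get(key) == values:
            continue
        enabled, dbd = values.get("Enabled"), values.get("DisabledByDefault")
        state = ("disabled" if enabled == 0 else
                 "only if the application asks for it" if dbd == 1 else
                 "enabled" if enabled else "no explicit state")
        findings.append((key[len(prefix):], state))
    return findings

def decode_secure_protocols(value):
    # Return the protocol names whose bits are set in SecureProtocols.
    return [name for bit, name in SECURE_PROTOCOLS.items() if value & bit]

if __name__ == "__main__":
    print(schannel_overrides(BEFORE, AFTER))
    print(decode_secure_protocols(0x00000A80))
```

Files exported by regedit are normally UTF-16, so read them with `encoding="utf-16"` before passing the text to `schannel_overrides`.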