Using App-V for Legacy TLS

This post is titled 'Using App-V for Legacy TLS', but the technique applies to various other Internet Explorer settings. I picked TLS because I was speaking with a former colleague who had been approached by his management about needing to disable legacy versions of TLS right away. He was concerned that various web apps still required those versions and that there was no workaround to keep them working.

One of the brightest App-V MVPs, Dan Gough, posted about the ability to override Group Policy with App-V 5.1. Many aren't aware that you can do this! In fact, you can even do it with some versions of 4.x. I'm not going to lift from Dan's post, but you will want to follow it to allow settings in your App-V package to take precedence over what is set via Group Policy.

As this is a setting on the App-V client, it takes effect globally: once enabled, the virtual registry of any package on that client can override Group Policy, not just this one. Keep that in mind when you sequence future apps.

Updated: As pointed out by Tim, I am referring to Group Policy Preferences here. I was too vague at the top when I said 'various different IE settings'.

In this example, let's say we have a web app that requires TLS 1.1. My security baseline Group Policy, which contains my IE preferences, only enables TLS 1.2. I could silo the app off to a separate RDSH farm and enable TLS 1.1 via GPO for that OU, but that is a bloated, expensive solution, and one which is still very insecure, since every session on that farm ends up with TLS 1.1 enabled.

Instead, I'm just going to spin up my App-V Sequencer VM, which is not domain joined, runs Windows 7 and has Internet Explorer 11 on it. Before sequencing, I launch Internet Explorer 11 and ensure that TLS 1.1 is NOT ENABLED, so that enabling it during monitoring is captured as a change in the package's virtual registry rather than already being present on the sequencer.

Now, during sequencing, all I need to do is install whatever other components are required (maybe a legacy version of Java is needed). If nothing else is required, I launch IE and just enable the TLS 1.1 setting. In the package I create a shortcut that launches Internet Explorer with my URL as an argument\parameter.

Once deployed, I have a shortcut that, when launched, opens IE to the site which requires TLS 1.1 with the TLS 1.1 setting enabled. If I open the local IE 11 on my server or desktop, I'll see my security baseline is still in effect and TLS 1.1 is not enabled there. Note that the setting applies to that whole virtual IE instance, not only to the URL in the shortcut, so anything else browsed from that window also has TLS 1.1 available.
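The steps above are click-through steps in the IE Advanced options dialog and a visual check afterwards. The PowerShell below is an added example (not code from the original post) that does the same two things from the registry value IE actually reads: it flips the TLS 1.1 bit on the sequencer during monitoring, and after deployment it compares the native view of that value with the view inside the package's bubble. It assumes the IE11 SecureProtocols bitmask under HKCU, the App-V 5.1 client cmdlets, and placeholder names for the package (LegacyWebApp) and the site (https://legacy.example.internal).

```powershell
# Added example, not part of the original post. Assumes Windows with IE11 and,
# for the verification step, the App-V 5.1 client with the package already
# published to the user. 'LegacyWebApp' and the URL below are placeholders.

$IESettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Bit values of the SecureProtocols DWORD that backs the
# Internet Options > Advanced > Security protocol checkboxes.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

# Assumption: when the value is absent, IE11 behaves as if TLS 1.0/1.1/1.2 were
# ticked (0x0A80). Treat absence that way so the decode is still meaningful.
function Get-IESecureProtocolsRaw {
    $raw = (Get-ItemProperty -Path $IESettings -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $raw) { return 0x0A80 }
    return [int]$raw
}

function Get-IESecureProtocols {
    # Decode the bitmask into protocol name -> enabled/disabled for the current user.
    $raw = Get-IESecureProtocolsRaw
    $result = [ordered]@{}
    foreach ($name in $ProtocolBits.Keys) {
        $result[$name] = (($raw -band $ProtocolBits[$name]) -ne 0)
    }
    return $result
}

function Set-IESecureProtocol {
    # Set or clear one protocol bit without disturbing the others; returns the new mask.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string]$Protocol,
        [Parameter(Mandatory)]
        [bool]$Enabled
    )
    $current = Get-IESecureProtocolsRaw
    $bit = $ProtocolBits[$Protocol]
    $new = if ($Enabled) { $current -bor $bit } else { $current -band (-bnot $bit) }
    Set-ItemProperty -Path $IESettings -Name SecureProtocols -Value $new -Type DWord
    return $new
}

# --- On the sequencer, while the sequencer is monitoring: enable TLS 1.1 so the
#     change lands in the package's virtual registry (equivalent to ticking the box).
Set-IESecureProtocol -Protocol 'TLS 1.1' -Enabled $true

# --- On a deployed client: the native view should still match the baseline
#     (TLS 1.2 only), while the same key read inside the bubble shows TLS 1.1 too.
'Native IE settings:'
Get-IESecureProtocols

$pkg = Get-AppvClientPackage -Name 'LegacyWebApp'
'SecureProtocols as seen inside the package bubble:'
Start-AppvVirtualProcess -AppvClientObject $pkg -FilePath 'powershell.exe' -Wait -NoNewWindow `
    -ArgumentList '-NoProfile -Command "(Get-ItemProperty ''HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'').SecureProtocols"'

# This is what the packaged shortcut does: IE launched inside the bubble with the URL.
Start-AppvVirtualProcess -AppvClientObject $pkg -FilePath "$env:ProgramFiles\Internet Explorer\iexplore.exe" `
    -ArgumentList 'https://legacy.example.internal'
```

If the value printed from inside the bubble does not have bit 0x200 set, the package's virtual registry is not winning; that is the point at which to revisit the client-side override from Dan's post rather than re-sequencing.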

I, of course, suggest you use this sparingly and only as a workaround while getting your vendors to update their crapplication to support the latest, more secure version.



Rory Monaghan

Microsoft MVP in App-V.  Citrix CTA.  VMware vExpert.  Unidesk Certified Engineer.