How to Enable TLS 1.2/TLS 1.3 on Windows Server

Learn how to enable TLS 1.2 and TLS 1.3 on Windows Server and disable the older TLS protocol versions. You want secure communications going through your Windows Server, and to do that, you have to enable TLS 1.2/TLS 1.3 and disable the older TLS versions. If you have SSL protocols active, you should disable these too. In this article, we will enable TLS 1.2 and TLS 1.3 on Windows Server.

Table of contents

What is Transport Layer Security?

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.

Windows Server TLS best practice

Note: Only TLS 1.3 and TLS 1.2 are approved. The protocol TLS 1.3 is only available to enable in Windows Server 2022 or newer.

Windows Server 2019 and lower

Only activate TLS 1.2 for the best security on Windows Server 2019 and lower versions. Disable all other protocols.

ProtocolStatusEnableDisable
TLS 1.3ActiveX
TLS 1.2Active
TLS 1.1Deprecated
TLS 1.0Deprecated
SSL 3Deprecated
SSL 2Deprecated

Windows Server 2022 and higher

Only activate TLS 1.2 and TLS 1.3 for the best security on Windows Server 2022 and newer versions. Disable all other protocols.

ProtocolStatusEnableDisable
TLS 1.3Active
TLS 1.2Active
TLS 1.1Deprecated
TLS 1.0Deprecated
SSL 3Deprecated
SSL 2Deprecated

Check TLS settings on Windows Server

Run the Get-TLS.ps1 PowerShell script, which will display the TLS configuration. Read more in the article Check TLS settings on Windows Server with PowerShell script.

After running the script on our Windows Server 2022, this is what the output looks like.

Path                                                                                       Name                     Value    
----                                                                                       ----                     -----    
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                          SystemDefaultTlsVersions Not Found
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                          SchUseStrongCrypto       Not Found
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319                              SystemDefaultTlsVersions Not Found
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319                              SchUseStrongCrypto       Not Found
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                          SystemDefaultTlsVersions Not Found
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                          SchUseStrongCrypto       Not Found
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727                              SystemDefaultTlsVersions Not Found
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727                              SchUseStrongCrypto       Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client DisabledByDefault        Not Found

How to enable TLS 1.2 on Windows Server

The Enable-TLS1.2 PowerShell script will set the best practice TLS settings for Windows Server:

  1. Enable TLS 1.2
  2. Enable TLS 1.2 for .NET 4.x
  3. Enable TLS 1.2 for .NET 3.5
  4. Disable TLS 1.0
  5. Disable TLS 1.1
  6. Disable TLS 1.3

Download the Enable-TLS1.2 PowerShell script and save it in the C:\scripts folder. Run PowerShell as administrator and run the PowerShell script.

C:\scripts\.\Enable-TLS1.2.ps1

How to enable TLS 1.3 on Windows Server

The Enable-TLS1.3 PowerShell script will set the best practice TLS settings for Windows Server:

  1. Enable TLS 1.3
  2. Enable TLS 1.2
  3. Enable TLS 1.2 for .NET 4.x
  4. Enable TLS 1.2 for .NET 3.5
  5. Disable TLS 1.0
  6. Disable TLS 1.1

Download the Enable-TLS1.3 PowerShell script and save it in the C:\scripts folder. Run PowerShell as administrator and run the PowerShell script.

C:\scripts\.\Enable-TLS1.3.ps1

Verify that TLS 1.2 is enabled on Window Server

Run the Get-TLS.ps1 PowerShell script to verify that only TLS 1.2 is enabled on Windows Server.

Path                                                                                       Name                     Value
----                                                                                       ----                     -----
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                          SystemDefaultTlsVersions     1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                          SchUseStrongCrypto           1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319                              SystemDefaultTlsVersions     1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319                              SchUseStrongCrypto           1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                          SystemDefaultTlsVersions     1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                          SchUseStrongCrypto           1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727                              SystemDefaultTlsVersions     1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727                              SchUseStrongCrypto           1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled                      0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisabledByDefault            1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled                      0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisabledByDefault            1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Enabled                      1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server DisabledByDefault            0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client Enabled                      1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client DisabledByDefault            0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled                      0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisabledByDefault            1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled                      0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisabledByDefault            1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server Enabled                      0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server DisabledByDefault            1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client Enabled                      0

Verify that TLS 1.3 is enabled on Windows Server

Run the Get-TLS.ps1 PowerShell script to verify that only TLS 1.3 and TLS 1.2 are enabled on Windows Server.

Path                                                                                       Name                     Value
----                                                                                       ----                     -----
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                          SystemDefaultTlsVersions     1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                          SchUseStrongCrypto           1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319                              SystemDefaultTlsVersions     1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319                              SchUseStrongCrypto           1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                          SystemDefaultTlsVersions     1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                          SchUseStrongCrypto           1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727                              SystemDefaultTlsVersions     1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727                              SchUseStrongCrypto           1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled                      1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisabledByDefault            0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled                      1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisabledByDefault            0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Enabled                      1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server DisabledByDefault            0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client Enabled                      1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client DisabledByDefault            0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled                      0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisabledByDefault            1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled                      0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisabledByDefault            1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server Enabled                      0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server DisabledByDefault            1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client Enabled                      0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client DisabledByDefault            1

Everything looks great!

Keep reading: Unable to install NuGet provider for PowerShell »

Conclusion

You learned how to Enable TLS 1.2 and TLS 1.3 on Windows Server. You also learned how to disable the deprecated protocols. Check the TLS settings with the PowerShell script before and after you apply the changes. If only TLS 1.2 or TLS 1.3 is enabled, everything is OK.

Did you enjoy this article? You may also like SIGRed patch fails in Windows Server 2008 R2. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

X TwitterLinkedIn

What Others Are Reading

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *