Why do we need to use the import CSV (comma-separated values) delimiter in PowerShell? By…
How to Enable TLS 1.2/TLS 1.3 on Windows Server
Learn how to enable TLS 1.2 and TLS 1.3 on Windows Server and disable the older TLS protocol versions. You want secure communications going through your Windows Server, and to do that, you have to enable TLS 1.2/TLS 1.3 and disable the older TLS versions. If you have SSL protocols active, you should disable these too. In this article, we will enable TLS 1.2 and TLS 1.3 on Windows Server.
Table of contents
What is Transport Layer Security?
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.
Windows Server TLS best practice
Note: Only TLS 1.3 and TLS 1.2 are approved. The protocol TLS 1.3 is only available to enable in Windows Server 2022 or newer.
Windows Server 2019 and lower
Only activate TLS 1.2 for the best security on Windows Server 2019 and lower versions. Disable all other protocols.
Protocol | Status | Enable | Disable |
---|---|---|---|
TLS 1.3 | Active | X | ✓ |
TLS 1.2 | Active | ✓ | ☓ |
TLS 1.1 | Deprecated | ☓ | ✓ |
TLS 1.0 | Deprecated | ☓ | ✓ |
SSL 3 | Deprecated | ☓ | ✓ |
SSL 2 | Deprecated | ☓ | ✓ |
Windows Server 2022 and higher
Only activate TLS 1.2 and TLS 1.3 for the best security on Windows Server 2022 and newer versions. Disable all other protocols.
Protocol | Status | Enable | Disable |
---|---|---|---|
TLS 1.3 | Active | ✓ | ☓ |
TLS 1.2 | Active | ✓ | ☓ |
TLS 1.1 | Deprecated | ☓ | ✓ |
TLS 1.0 | Deprecated | ☓ | ✓ |
SSL 3 | Deprecated | ☓ | ✓ |
SSL 2 | Deprecated | ☓ | ✓ |
Check TLS settings on Windows Server
Run the Get-TLS.ps1 PowerShell script, which will display the TLS configuration. Read more in the article Check TLS settings on Windows Server with PowerShell script.
After running the script on our Windows Server 2022, this is what the output looks like.
Path Name Value
---- ---- -----
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SystemDefaultTlsVersions Not Found
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SchUseStrongCrypto Not Found
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 SystemDefaultTlsVersions Not Found
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 SchUseStrongCrypto Not Found
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SystemDefaultTlsVersions Not Found
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SchUseStrongCrypto Not Found
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 SystemDefaultTlsVersions Not Found
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 SchUseStrongCrypto Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisabledByDefault Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisabledByDefault Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Enabled Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server DisabledByDefault Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client Enabled Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client DisabledByDefault Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisabledByDefault Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisabledByDefault Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server Enabled Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server DisabledByDefault Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client Enabled Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client DisabledByDefault Not Found
How to enable TLS 1.2 on Windows Server
The Enable-TLS1.2 PowerShell script will set the best practice TLS settings for Windows Server:
- Enable TLS 1.2
- Enable TLS 1.2 for .NET 4.x
- Enable TLS 1.2 for .NET 3.5
- Disable TLS 1.0
- Disable TLS 1.1
- Disable TLS 1.3
Download the Enable-TLS1.2 PowerShell script and save it in the C:\scripts folder. Run PowerShell as administrator and run the PowerShell script.
C:\scripts\.\Enable-TLS1.2.ps1
How to enable TLS 1.3 on Windows Server
The Enable-TLS1.3 PowerShell script will set the best practice TLS settings for Windows Server:
- Enable TLS 1.3
- Enable TLS 1.2
- Enable TLS 1.2 for .NET 4.x
- Enable TLS 1.2 for .NET 3.5
- Disable TLS 1.0
- Disable TLS 1.1
Download the Enable-TLS1.3 PowerShell script and save it in the C:\scripts folder. Run PowerShell as administrator and run the PowerShell script.
C:\scripts\.\Enable-TLS1.3.ps1
Verify that TLS 1.2 is enabled on Window Server
Run the Get-TLS.ps1 PowerShell script to verify that only TLS 1.2 is enabled on Windows Server.
Path Name Value
---- ---- -----
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SystemDefaultTlsVersions 1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SchUseStrongCrypto 1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 SystemDefaultTlsVersions 1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 SchUseStrongCrypto 1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SystemDefaultTlsVersions 1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SchUseStrongCrypto 1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 SystemDefaultTlsVersions 1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 SchUseStrongCrypto 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisabledByDefault 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisabledByDefault 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Enabled 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server DisabledByDefault 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client Enabled 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client DisabledByDefault 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisabledByDefault 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisabledByDefault 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server Enabled 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server DisabledByDefault 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client Enabled 0
Verify that TLS 1.3 is enabled on Windows Server
Run the Get-TLS.ps1 PowerShell script to verify that only TLS 1.3 and TLS 1.2 are enabled on Windows Server.
Path Name Value
---- ---- -----
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SystemDefaultTlsVersions 1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SchUseStrongCrypto 1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 SystemDefaultTlsVersions 1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 SchUseStrongCrypto 1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SystemDefaultTlsVersions 1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SchUseStrongCrypto 1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 SystemDefaultTlsVersions 1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 SchUseStrongCrypto 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisabledByDefault 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisabledByDefault 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Enabled 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server DisabledByDefault 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client Enabled 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client DisabledByDefault 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisabledByDefault 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisabledByDefault 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server Enabled 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server DisabledByDefault 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client Enabled 0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client DisabledByDefault 1
Everything looks great!
Keep reading: Unable to install NuGet provider for PowerShell »
Conclusion
You learned how to Enable TLS 1.2 and TLS 1.3 on Windows Server. You also learned how to disable the deprecated protocols. Check the TLS settings with the PowerShell script before and after you apply the changes. If only TLS 1.2 or TLS 1.3 is enabled, everything is OK.
Did you enjoy this article? You may also like SIGRed patch fails in Windows Server 2008 R2. Don’t forget to follow us and share this article.
This Post Has 0 Comments