How to Enable TLS 1.2 on Windows Server

Learn how to enable TLS 1.2 on Windows Server and disable the older TLS protocol versions. To secure the communications going through your Windows Server, enable TLS 1.2 and disable the older TLS versions. If you have SSL protocols active, disable these too. In this article, we will enable TLS 1.2 on Windows Server 2016.

What is Transport Layer Security?

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.

At the moment of writing, only TLS 1.3 and TLS 1.2 are approved. TLS 1.3 is not available to enable in Windows Server, so it will show as disabled when you generate a report. For the best security on Windows Server, enable only TLS 1.2 and disable all other protocols.

To make it easier to read, have a look at the table. We recommend the following protocols to be enabled/disabled:

Protocol   Status          Enable   Disable
TLS 1.3    Not available   -        -
TLS 1.2    Active          Yes      -
TLS 1.1    Deprecated      -        Yes
TLS 1.0    Deprecated      -        Yes
SSL 3      Deprecated      -        Yes
SSL 2      Deprecated      -        Yes

How do you know if TLS 1.2 is enabled on Windows Server?

Go to the Qualys SSL Labs website and enter the domain that you want to check, for example, the external URL of your Windows Server. In our example, the Exchange Server domain is added. Wait a couple of minutes for the report.

Scroll down to Configuration. You can see which TLS and SSL versions are enabled/disabled. The protocol TLS 1.2 is already enabled, which is great. The protocols TLS 1.1 and TLS 1.0 are enabled as well, which is not good. What you should see is that only TLS 1.2 is enabled.

How to enable TLS 1.2 on Windows Server?

Download IIS Crypto GUI from Nartac Software. It’s a portable version, and you don’t have to run the setup.

Start the application, and in the main window (Schannel), you can see which options are checked/unchecked.

Click on Templates. Here you can find the built-in templates. Click on the templates and read the description.

We recommend that you load the PCI 3.2 template. Select the Reboot checkbox and click the Apply button. Note that the Windows Server will reboot immediately!

Verify if TLS 1.2 is enabled on Windows Server

Go to Qualys SSL Labs and enter the domain to get the report. This time, it shows an overall rating of A.

Scroll down to Configuration and check the Protocols. Only the protocol TLS 1.2 is enabled.

Start IIS Crypto, and you can see that only the TLS 1.2 checkbox is selected in Server Protocols and Client Protocols.
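
The same check can be made without the GUI by reading the Schannel protocol keys in the registry. The script below is an added example, not part of the original article and not IIS Crypto's own code. It is read-only, and the policy table in it is an assumption that mirrors the article's recommendation (only TLS 1.2 enabled).

```powershell
# Read-only audit of the Schannel protocol settings on the local server.
# Policy (assumption): mirrors the article's recommendation, only TLS 1.2 enabled.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$wantEnabled = @{
    'SSL 2.0' = $false; 'SSL 3.0' = $false
    'TLS 1.0' = $false; 'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Get-SchannelState {
    param(
        [string]$Protocol,
        [ValidateSet('Server', 'Client')][string]$Role
    )
    $key   = Join-Path (Join-Path $base $Protocol) $Role
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A missing key or value means the default of this Windows version applies.
    if ($null -eq $props -or $null -eq $props.Enabled) { return 'NotConfigured' }
    # Enabled is a DWORD: 0 disables, any non-zero value enables.
    if ($props.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$report = foreach ($protocol in ($wantEnabled.Keys | Sort-Object)) {
    foreach ($role in 'Server', 'Client') {
        $state    = Get-SchannelState -Protocol $protocol -Role $role
        $expected = if ($wantEnabled[$protocol]) { 'Enabled' } else { 'Disabled' }
        [pscustomobject]@{
            Protocol  = $protocol
            Role      = $role
            State     = $state
            Expected  = $expected
            # NotConfigured is flagged too: the effective setting then depends on OS defaults.
            Compliant = ($state -eq $expected)
        }
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more Schannel protocol settings differ from the TLS 1.2-only policy.'
}
```

A row reported as NotConfigured has no explicit registry setting, so confirm the effective behavior with the SSL Labs report before treating the server as compliant.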

Everything is looking great! Did this article on enabling TLS 1.2 on Windows Server help you?

Conclusion

In this article, you learned how to enable TLS 1.2 on Windows Server 2016. You also learned how to disable the deprecated protocols. Check the domain in SSL Labs and have a look at the SSL report. If only TLS 1.2 is enabled, everything is OK. If it's not, follow the steps shown in the article to enable only TLS 1.2. Don't forget to rerun the SSL report at SSL Labs and verify that everything is looking great!

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 2 Comments

    1. IIS Crypto updates the registry using the same settings from this article by Microsoft. It also updates the cipher suite order in the same way that the Group Policy Editor (gpedit.msc) does. Additionally IIS Crypto lets you create custom templates that can be saved for use on multiple servers. The command line version contains the same built-in templates as the GUI version and can also be used with your own custom templates. IIS Crypto has been tested on Windows Server 2008, 2008 R2 and 2012, 2012 R2, 2016 and 2019.

      For more information, visit IIS Crypto.
