
How to Enable TLS 1.2 on Windows Server

This article shows how to enable TLS 1.2 on Windows Server and disable the older protocol versions. For secure communications through your Windows Server you want only TLS 1.2 (and, where the operating system supports it, TLS 1.3) to be negotiable, so TLS 1.1, TLS 1.0 and any SSL versions that are still active must be disabled. In this article, we enable TLS 1.2 on Windows Server 2016/2019.

What is Transport Layer Security?

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.

Windows Server TLS best practice

Note: Only TLS 1.2 and TLS 1.3 are considered secure. TLS 1.3 can only be enabled on Windows Server 2022 or newer; on older versions it is not available at all.

Windows Server 2019 and lower

Only activate TLS 1.2 for the best security on Windows Server 2019 and lower versions. Disable all other protocols.

Protocol   Status       Action
TLS 1.3    Active       Not available on this version (X); cannot be enabled
TLS 1.2    Active       Enable
TLS 1.1    Deprecated   Disable
TLS 1.0    Deprecated   Disable
SSL 3      Deprecated   Disable
SSL 2      Deprecated   Disable

Windows Server 2022 and higher

Only activate TLS 1.2 and TLS 1.3 for the best security on Windows Server 2022 and newer versions. Disable all other protocols.

Protocol   Status       Action
TLS 1.3    Active       Enable
TLS 1.2    Active       Enable
TLS 1.1    Deprecated   Disable
TLS 1.0    Deprecated   Disable
SSL 3      Deprecated   Disable
SSL 2      Deprecated   Disable

How do you know if TLS 1.2 is enabled on Windows Server?

Go to the Qualys SSL Labs website and fill in the domain you want to check, for example the external URL of your Windows Server. In our example, the Exchange Server domain is added. Wait a couple of minutes for the report. Keep in mind that SSL Labs only tests the HTTPS endpoint that is reachable from the internet: it shows the server-side protocols of that one service and tells you nothing about internal servers, other ports, or the client-side (outbound) protocol settings of the box.

[Screenshot: SSL Labs report before the change]

Scroll down to Configuration. You can see which TLS and SSL versions are enabled/disabled. TLS 1.2 is already enabled, which is excellent, but TLS 1.1 and TLS 1.0 are also enabled, and that’s not good. What you should see is that only TLS 1.2 is enabled.

[Screenshot: SSL Labs protocol list before the change, with TLS 1.2, TLS 1.1 and TLS 1.0 enabled]

How to enable TLS 1.2 on Windows Server?

Download IIS Crypto GUI from Nartac Software. It’s a portable version, and you don’t have to run the setup. Run it as an administrator, because it writes to the Schannel keys under HKEY_LOCAL_MACHINE.

Start the application, and in the main window (Schannel), you can see which options are checked/unchecked.

[Screenshot: IIS Crypto main window (Schannel) before the change]

Click on Templates. Here you can find the built-in templates. Click on the templates and read the description.

[Screenshot: IIS Crypto built-in templates]

We recommend you load the template PCI 3.2. Check the checkbox Reboot, and click the Apply button.

Note: The Windows Server will reboot immediately. Before you click Apply, keep in mind that IIS Crypto changes the Schannel settings of the whole server, not only IIS: every service that uses the Windows TLS stack (Exchange, RDP, SMTP, SQL Server, and the server’s own outbound connections) is affected. Make sure all clients and partner systems can negotiate TLS 1.2, take a backup or snapshot first, and on an Exchange Server set the .NET Framework registry values SystemDefaultTlsVersions and SchUseStrongCrypto, as Microsoft’s Exchange TLS guidance requires, so that the .NET-based Exchange services negotiate TLS 1.2 once the older protocols are gone.

[Screenshot: IIS Crypto with the PCI 3.2 template loaded]
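The same change can be made without the IIS Crypto GUI, which is useful on a server without a desktop or when you have many servers to configure. The PowerShell script below is an added example written for this article; it is not IIS Crypto’s code and not the author’s. It writes the Schannel values that IIS Crypto edits (Enabled and DisabledByDefault under each protocol’s Server and Client key) so that only TLS 1.2 stays enabled, and sets the .NET Framework values mentioned above. It does not change the cipher suite order, which the PCI 3.2 template also does. It assumes Windows Server 2016/2019, an elevated session, and a reboot afterwards; the function names and the backup file location are this example’s own choices, not anything from the article.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or from IIS Crypto.
# Leaves only TLS 1.2 enabled in Schannel and makes .NET Framework applications
# follow the system TLS defaults. Cipher suites are not touched.
# Assumes: Windows Server 2016/2019, elevated session, reboot after running.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Export the whole SCHANNEL key first so the change can be rolled back with "reg.exe import".
function Backup-SchannelKey {
    param([string]$Path = "$env:SystemDrive\SCHANNEL-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg")
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed with exit code $LASTEXITCODE" }
    return $Path
}

# Enabled=1 / DisabledByDefault=0 turns a protocol on for one side;
# Enabled=0 / DisabledByDefault=1 turns it off. Both the Server (inbound) and
# the Client (outbound) side are written, as the IIS Crypto templates do.
function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $SchannelProtocols "$Protocol\$side"
        if ($PSCmdlet.ShouldProcess($key, "Enabled=$([int]$Enabled)")) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
        }
    }
}

# .NET Framework 4.x (v4.0.30319) and 3.5 (v2.0.50727) applications, 64-bit and
# 32-bit, only use the Schannel defaults when these two values are set.
function Enable-DotNetStrongCrypto {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $keys = foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        foreach ($ver in 'v4.0.30319', 'v2.0.50727') { "$root\Microsoft\.NETFramework\$ver" }
    }
    foreach ($key in $keys) {
        if ($PSCmdlet.ShouldProcess($key, 'SystemDefaultTlsVersions=1, SchUseStrongCrypto=1')) {
            New-Item -Path $key -Force | Out-Null
            foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
                New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            }
        }
    }
}

$backup = Backup-SchannelKey
Write-Host "Schannel registry exported to $backup"

Enable-DotNetStrongCrypto
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Protocol $p -Enabled $false
}
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

Write-Host 'Reboot the server for the new Schannel protocol settings to take effect.'
```

Both functions support -WhatIf, so you can run `Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false -WhatIf` to see which keys would be written before touching anything. The script writes Enabled=1; IIS Crypto writes 0xFFFFFFFF for the same purpose, and Schannel treats any non-zero value as enabled.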

Verify if TLS 1.2 is enabled on Windows Server

Go to Qualys SSL Labs and fill in the domain to get the report. This time it’s showing us an overall rating A.

[Screenshot: SSL Labs report after the change, overall rating A]

Scroll down to Configuration and check the Protocols. Only the protocol TLS 1.2 is enabled.

[Screenshot: SSL Labs protocol list after the change, only TLS 1.2 enabled]

Start IIS Crypto, and you can see that only the TLS 1.2 checkbox is selected under Server Protocols and Client Protocols.

An alternative method is to run the Get-TLS.ps1 PowerShell script, which will display the TLS configuration. Read more in the article Check TLS settings on Windows Server with PowerShell script.
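SSL Labs only sees the public endpoint, and the IIS Crypto window only shows checkboxes. The PowerShell below is an added example for both verification steps above (the SSL Labs check and this registry check); it is not the article’s Get-TLS.ps1 and not IIS Crypto’s code. It reads the Schannel protocol values back from the registry, reports the resulting state per protocol and side, checks that only TLS 1.2 is left, and then probes a listener with one explicit protocol version to see whether that version is actually negotiable. The host `localhost` and port 443 in the probe are placeholders chosen for this example; it assumes Windows PowerShell 5.1 on Windows Server 2016/2019.

```powershell
# Added example, not the article's Get-TLS.ps1 and not IIS Crypto's code.
# Reads the Schannel protocol settings back and probes a TLS listener.
# Assumes Windows PowerShell 5.1 on Windows Server 2016/2019.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$AllProtocols      = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    param([string[]]$Protocol = $AllProtocols)
    foreach ($p in $Protocol) {
        foreach ($side in 'Server', 'Client') {
            $item    = Get-ItemProperty -Path (Join-Path $SchannelProtocols "$p\$side") -ErrorAction SilentlyContinue
            $enabled = $item.Enabled            # $null when the value is absent
            $dbd     = $item.DisabledByDefault  # $null when the value is absent
            # Enabled=0 switches the protocol off; any non-zero value (1, or the
            # 0xFFFFFFFF that IIS Crypto writes, which reads back as -1) leaves it on.
            $state = if ($enabled -eq 0) { 'Disabled' }
                     elseif ($dbd -eq 1) { 'Available, not used by default' }
                     elseif ($null -eq $enabled -and $null -eq $dbd) { 'Not configured (OS default)' }
                     else { 'Enabled' }
            [pscustomobject]@{
                Protocol = $p; Side = $side
                Enabled = $enabled; DisabledByDefault = $dbd; State = $state
            }
        }
    }
}

# True only when TLS 1.2 is explicitly enabled on both sides and every other
# protocol is explicitly disabled, i.e. the state shown in the "after" screenshots.
function Test-OnlyTls12 {
    $bad = Get-SchannelProtocolState | Where-Object {
        ($_.Protocol -eq 'TLS 1.2' -and $_.State -ne 'Enabled') -or
        ($_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'Disabled')
    }
    return (@($bad).Count -eq 0)
}

# Probe one listener with one protocol version. The probe goes through the same
# Schannel client settings as everything else on this box, so a version that is
# disabled on the Client side fails here even if the remote server still offers it.
function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, $Port)
        # Accept any certificate: this tests protocol negotiation, not trust.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{ Target = "${ComputerName}:$Port"; Requested = $Protocol; Negotiated = $ssl.SslProtocol; Succeeded = $true }
    } catch {
        [pscustomobject]@{ Target = "${ComputerName}:$Port"; Requested = $Protocol; Negotiated = $null; Succeeded = $false }
    } finally {
        $tcp.Close()
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
"Only TLS 1.2 enabled: $(Test-OnlyTls12)"
# Placeholder target for this example; point it at the listener you want to test.
foreach ($v in 'Tls', 'Tls11', 'Tls12') { Test-TlsHandshake -ComputerName 'localhost' -Protocol $v }
```

After the reboot, the expected result is Test-OnlyTls12 returning True and the probe succeeding for Tls12 only. A "Not configured (OS default)" state means the key was never written; the effective default then depends on the Windows version, which is exactly why the templates write every protocol explicitly.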

Everything looks great! Did this article help you to enable TLS 1.2 on Windows Server?


Conclusion

You learned how to enable TLS 1.2 on Windows Server 2016/2019 and how to disable the deprecated protocols. Check the domain in SSL Labs and look at the SSL report. If only TLS 1.2 is enabled, everything is OK. If it’s not, follow the steps shown in the article to enable only TLS 1.2. Don’t forget to rerun the SSL report at SSL Labs and verify that everything looks great.


ALI TAJRAN


ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 4 Comments

  1. I can see a lot of the following error:

    A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

    Event ID: 36871

    Protocols:
    TLS 1.2: Yes
    TLS 1.1: Yes
    TLS 1.0: Yes
    SSL 3: No
    SSL 2: No

    The site has an A rating.

    1. IIS Crypto updates the registry using the same settings from this article by Microsoft. It also updates the cipher suite order in the same way that the Group Policy Editor (gpedit.msc) does.

      Additionally, IIS Crypto lets you create custom templates that can be saved for use on multiple servers. The command line version contains the same built-in templates as the GUI version and can also be used with your own custom templates. IIS Crypto has been tested on Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016 and 2019.

      For more information, visit IIS Crypto.
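The first comment above reports Schannel Event ID 36871 ("A fatal error occurred while creating an SSL client credential") after the change. That event is logged when Schannel cannot build a client-side credential, and it is commonly seen after protocol changes, because some local process is making outbound TLS connections with a version that is now disabled on the Client side (a .NET application without the strong-crypto values set is a typical case). The PowerShell below is an added example, not part of the article or of the comment thread: it pulls the recent 36871 events from the System log and tallies their internal error state, so you can see when they started and how often they recur. It assumes the events sit in the System log under the Schannel provider; the function name and the 24-hour window are this example’s own choices.

```powershell
# Added example, not part of the article or the comment thread.
# Lists recent Schannel client-credential failures (Event ID 36871) and groups
# them by the "internal error state" in the message.
# Assumes the events are in the System log under the provider name 'Schannel'.

function Get-SchannelClientCredentialError {
    param([int]$Hours = 24, [int]$MaxEvents = 200)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36871
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent reports "no events found" as an error.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $state = if ($_.Message -match 'internal error state is (\d+)') { [int]$Matches[1] } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; ErrorState = $state; Message = $_.Message }
        }
}

$events = @(Get-SchannelClientCredentialError)
"$($events.Count) Schannel 36871 events in the last 24 hours"
$events | Group-Object ErrorState |
    Select-Object @{ n = 'ErrorState'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
$events | Select-Object -First 5 Time, ErrorState | Format-Table -AutoSize
```

If the events started right after the protocol change, compare their timestamps with the outbound connections the server makes at that time (scheduled jobs, monitoring agents, mail flow to partners) and check that the .NET Framework values from the Exchange guidance are in place before re-enabling anything.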
