Table of Contents
  • Home
  • /
  • Blog
  • /
  • How to Enable TLS 1.3 on Windows Server 2022?
January 26, 2024
|
6m

How to Enable TLS 1.3 on Windows Server 2022?


How To Enable Tls 1 3 On Windows Server 2022

Transport Layer Security (TLS) is a cryptographic protocol that provides communication security over the internet. It encrypts the communication between a client and server to prevent eavesdropping and tampering of data.

TLS 1.3 is the latest version of the TLS protocol and was standardized in 2018. It includes improved encryption algorithms, faster handshake, and better security than previous versions.

Windows Server 2022 fully supports TLS 1.3, but it is not enabled by default. Enabling TLS 1.3 will allow applications running on Windows Server 2022 to benefit from the improved security and performance of the latest TLS version.

In this blog post, we will walk through the steps to enable TLS 1.3 on Windows Server 2022.

Prerequisites to Enable TLS 1.3 on Windows Server 2022 or 2019?

Microsoft clearly said that it supports TLS 1.3 only on Windows Server 2022 and above operating systems. No support will be provided for TLS 1.3 below Windows Server 2022. You can refer to the below table that shows the Microsoft Schannel Provider support of TLS protocol versions.

Note: Windows 2019 does not support TLS 1.3.  Windows Server 2019 is just rebranded version of 2016.

Windows OSTLS 1.0 ClientTLS 1.0 ServerTLS 1.1 ClientTLS 1.1 ServerTLS 1.2 ClientTLS 1.2 ServerTLS 1.3 ClientTLS 1.3 Server
Windows Server 2008EnabledEnabledNot supportedNot supportedNot supportedNot supportedNot supportedNot supported
Windows Server 2008 with Service Pack 2 (SP2)EnabledEnabledDisabledDisabledDisabledDisabledNot supportedNot supported
Windows Server 2008 R2EnabledEnabledDisabledDisabledDisabledDisabledNot supportedNot supported
Windows Server 2012EnabledEnabledEnabledEnabledEnabledEnabledNot supportedNot supported
Windows Server 2012 R2EnabledEnabledEnabledEnabledEnabledEnabledNot supportedNot supported
Windows Server 2016 StandardEnabledEnabledEnabledEnabledEnabledEnabledNot supportedNot supported
Windows Server 2019EnabledEnabledEnabledEnabledEnabledEnabledNot supportedNot supported
Windows Server 2022EnabledEnabledEnabledEnabledEnabledEnabledEnabledEnabled

How to Enable TLS 1.3 on Windows Server 2022?

Step 1 – Verify Current TLS Version

First, verify the current TLS version enabled on your Windows Server. There are several ways to check TLS version on Windows Server. However, using the IISCrypto tool to check the SSL/TLS protocols is the easiest way. Download and run IISCrypto and go to the Protocols tab.

If you don’t see TLS 1.3 in the enabled protocols list, you will need to enable it manually.

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012, 2016, 2019 and 2022.

Step 2 – Enable TLS 1.3 using Registry Editor

Well, IIS Crypto is the easiest way to enable TLS 1.3 on a Windows Server. IIS Crypto tool will also do the same registry settings backend. However, let’s see how to enable it using Registry key.

  1. Launch Registry Editor (regedit.exe).

  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3

    • If the TLS 1.3 key does not exist, right-click on the Protocols folder and select New > Key. Name it TLS 1.3.

  3. Under the TLS 1.3 key, create a new Key named Server.

  4. Under the Server key, create a new DWORD (32-bit) value named Enabled and set it to 1.

  5. Restart the Windows Server for changes to take effect.

Step 1: Launch Registry Editor (regedit.exe).

Step 2: Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3

  • If the TLS 1.3 key does not exist, right-click on the Protocols folder and select New > Key. Name it TLS 1.3.

Step 3: Under the TLS 1.3 key, create a new Key named Server.

Step 4: Under the Server key, create a new DWORD (32-bit) value named Enabled and set it to 1.

Step 5:Restart the Windows Server for changes to take effect.

That’s it. TLS 1.3 is enabled on Windows Server 2022. To verify TLS 1.3 is enabled, you can use Wireshark to capture network traffic between a client and the server. Filter to show only SSL/TLS packets and look for the Server Hello packet. If TLS 1.3 is enabled, the protocol version should be 0x0304.

Alternatively, you can use the IIS Crypto tool to enable TLS 1.3 on Windows Server 2022.

This will enable TLS 1.3 on Windows Server 2022 globally for all applications.

Step 3 – Verify TLS 1.3 is Enabled

To verify that TLS 1.3 is enabled after the registry changes, you can again use IISCrypto and check if TLS 1.3 appears in the enabled protocols.

Alternatively, You can also use a tool like Wireshark to capture network traffic between a client and server and inspect the TLS handshake. If TLS 1.3 is enabled, you will see it in the protocol version of the Server Hello message.

Enable TLS 1.3 for Specific Application

The above registry change will enable TLS 1.3 on Windows Server 2022 globally. If you want to enable it only for specific applications like IIS, RDP, PowerShell, etc, you can use the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client: for client applications

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server: for server applications like IIS, RDP

Set the Enabled value to 1 under the desired application keys.

Bottom Line

Upgrading your Windows Server to use TLS 1.3 improves the security and performance of network communications. Applications can leverage the faster handshake, improved encryption algorithms, and other benefits offered by the latest TLS 1.3 protocol.

Simply enabling TLS 1.3 on Windows Server 2022 via the registry editor is an easy change to make your infrastructure more secure. Verify that clients and applications can successfully negotiate TLS 1.3, and enjoy the benefits!

If this post interesting to you, visit our website, thesecmaster.com, and social media pages on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

How To

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe