How to Enable TLS 1.3 on Windows Server 2022?

Transport Layer Security (TLS) is a cryptographic protocol that provides communication security over the internet. It encrypts the communication between a client and server to prevent eavesdropping and tampering of data.

TLS 1.3 is the latest version of the TLS protocol and was standardized in 2018. It includes improved encryption algorithms, faster handshake, and better security than previous versions.

Windows Server 2022 fully supports TLS 1.3, but it is not enabled by default. Enabling TLS 1.3 will allow applications running on Windows Server 2022 to benefit from the improved security and performance of the latest TLS version.

In this blog post, we will walk through the steps to enable TLS 1.3 on Windows Server 2022.

Prerequisites to Enable TLS 1.3 on Windows Server 2022 or 2019?

Microsoft clearly said that it supports TLS 1.3 only on Windows Server 2022 and above operating systems. No support will be provided for TLS 1.3 below Windows Server 2022. You can refer to the below table that shows the Microsoft Schannel Provider support of TLS protocol versions.

Note: Windows 2019 does not support TLS 1.3.  Windows Server 2019 is just rebranded version of 2016.

Windows OS TLS 1.0 Client TLS 1.0 Server TLS 1.1 Client TLS 1.1 Server TLS 1.2 Client TLS 1.2 Server TLS 1.3 Client TLS 1.3 Server
Windows Server 2008 Enabled Enabled Not supported Not supported Not supported Not supported Not supported Not supported
Windows Server 2008 with Service Pack 2 (SP2) Enabled Enabled Disabled Disabled Disabled Disabled Not supported Not supported
Windows Server 2008 R2 Enabled Enabled Disabled Disabled Disabled Disabled Not supported Not supported
Windows Server 2012 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows Server 2012 R2 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows Server 2016 Standard Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows Server 2019 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows Server 2022 Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled

How to Enable TLS 1.3 on Windows Server 2022?

Step 1 – Verify Current TLS Version

First, verify the current TLS version enabled on your Windows Server. There are several ways to check TLS version on Windows Server. However, using the IISCrypto tool to check the SSL/TLS protocols is the easiest way. Download and run IISCrypto and go to the Protocols tab.

See also  Top Strategies for Effective Vendor Risk Management Programs

If you don’t see TLS 1.3 in the enabled protocols list, you will need to enable it manually.

Verify Current TLS Version on Windows server using IIS Crypto tool

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012, 2016, 2019 and 2022.

Step 2 – Enable TLS 1.3 using Registry Editor

Well, IIS Crypto is the easiest way to enable TLS 1.3 on a Windows Server. IIS Crypto tool will also do the same registry settings backend. However, let’s see how to enable it using Registry key.

  1. Launch Registry Editor (regedit.exe).
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3
    • If the TLS 1.3 key does not exist, right-click on the Protocols folder and select New > Key. Name it TLS 1.3.
  3. Under the TLS 1.3 key, create a new Key named Server.
  4. Under the Server key, create a new DWORD (32-bit) value named Enabled and set it to 1.
  5. Restart the Windows Server for changes to take effect.

Step 2: Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3

  • If the TLS 1.3 key does not exist, right-click on the Protocols folder and select New > Key. Name it TLS 1.3.
Create new registry key
Created TLS 1.3 Key underneath Protocols in Windows Server 2022

Step 3: Under the TLS 1.3 key, create a new Key named Server.

Create new registry key under TLS 1.3
Create new registry key server under TLS 1.3

Step 4: Under the Server key, create a new DWORD (32-bit) value named Enabled and set it to 1.

Create new registry key DWORD under Server
Create a key Enabled under Server and set to 1

Step 5:Restart the Windows Server for changes to take effect.

Windows server 2022 is getting restarted

That’s it. TLS 1.3 is enabled on Windows Server 2022. To verify TLS 1.3 is enabled, you can use Wireshark to capture network traffic between a client and the server. Filter to show only SSL/TLS packets and look for the Server Hello packet. If TLS 1.3 is enabled, the protocol version should be 0x0304.

See also  How to Fix CVE-2023-20101- Static Credentials Vulnerability in Cisco Emergency Responder?

Alternatively, you can use the IIS Crypto tool to enable TLS 1.3 on Windows Server 2022.

enable TLS 1.3 on Windows Server 2022 using IIS Crypto tool

This will enable TLS 1.3 on Windows Server 2022 globally for all applications.

Step 3 – Verify TLS 1.3 is Enabled

To verify that TLS 1.3 is enabled after the registry changes, you can again use IISCrypto and check if TLS 1.3 appears in the enabled protocols.

Alternatively, You can also use a tool like Wireshark to capture network traffic between a client and server and inspect the TLS handshake. If TLS 1.3 is enabled, you will see it in the protocol version of the Server Hello message.

Enable TLS 1.3 for Specific Application

The above registry change will enable TLS 1.3 on Windows Server 2022 globally. If you want to enable it only for specific applications like IIS, RDP, PowerShell, etc, you can use the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client: for client applications
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server: for server applications like IIS, RDP

Set the Enabled value to 1 under the desired application keys.

Bottom Line

Upgrading your Windows Server to use TLS 1.3 improves the security and performance of network communications. Applications can leverage the faster handshake, improved encryption algorithms, and other benefits offered by the latest TLS 1.3 protocol.

Simply enabling TLS 1.3 on Windows Server 2022 via the registry editor is an easy change to make your infrastructure more secure. Verify that clients and applications can successfully negotiate TLS 1.3, and enjoy the benefits!

Leave a Reply

Your email address will not be published. Required fields are marked *