How to Enable TLS 1.3 on Windows Server 2022?

Transport Layer Security (TLS) is a cryptographic protocol that provides communication security over the internet. It encrypts the communication between a client and server to prevent eavesdropping and tampering of data.

TLS 1.3 is the latest version of the TLS protocol and was standardized in 2018. It includes improved encryption algorithms, faster handshake, and better security than previous versions.

Windows Server 2022 fully supports TLS 1.3, but it is not enabled by default. Enabling TLS 1.3 will allow applications running on Windows Server 2022 to benefit from the improved security and performance of the latest TLS version.

In this blog post, we will walk through the steps to enable TLS 1.3 on Windows Server 2022.

Prerequisites to Enable TLS 1.3 on Windows Server 2022 or 2019

Microsoft states that TLS 1.3 is supported only on Windows Server 2022 and later; no TLS 1.3 support is provided for earlier Windows Server releases. The table below shows which TLS protocol versions the Microsoft Schannel provider supports on each operating system.

Note: Windows Server 2019 does not support TLS 1.3. Windows Server 2019 is just a rebranded version of 2016.

| Windows OS | TLS 1.0 Client | TLS 1.0 Server | TLS 1.1 Client | TLS 1.1 Server | TLS 1.2 Client | TLS 1.2 Server | TLS 1.3 Client | TLS 1.3 Server |
|---|---|---|---|---|---|---|---|---|
| Windows Server 2008 | Enabled | Enabled | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported |
| Windows Server 2008 with Service Pack 2 (SP2) | Enabled | Enabled | Disabled | Disabled | Disabled | Disabled | Not supported | Not supported |
| Windows Server 2008 R2 | Enabled | Enabled | Disabled | Disabled | Disabled | Disabled | Not supported | Not supported |
| Windows Server 2012 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows Server 2012 R2 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows Server 2016 Standard | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows Server 2019 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows Server 2022 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |

How to Enable TLS 1.3 on Windows Server 2022?

Step 1 – Verify Current TLS Version

First, verify which TLS versions are currently enabled on your Windows Server. There are several ways to check this; using the IIS Crypto tool to inspect the SSL/TLS protocols is the easiest. Download and run IIS Crypto and go to the Protocols tab.


If you don’t see TLS 1.3 in the enabled protocols list, you will need to enable it manually.

Verify Current TLS Version on Windows server using IIS Crypto tool

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012, 2016, 2019 and 2022.

Step 2 – Enable TLS 1.3 using Registry Editor

IIS Crypto is the easiest way to enable TLS 1.3 on a Windows Server; behind the scenes it writes the same registry settings. Here is how to make the change directly with the Registry Editor.

  1. Launch Registry Editor (regedit.exe).
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3
    • If the TLS 1.3 key does not exist, right-click on the Protocols folder and select New > Key. Name it TLS 1.3.
  3. Under the TLS 1.3 key, create a new Key named Server.
  4. Under the Server key, create a new DWORD (32-bit) value named Enabled and set it to 1.
  5. Restart the Windows Server for changes to take effect.

Screenshots in the original post illustrate each of these steps: the new TLS 1.3 key created under Protocols, the Server key created under TLS 1.3, the Enabled DWORD created under Server and set to 1, and the Windows Server 2022 host restarting.

That’s it. TLS 1.3 is enabled on Windows Server 2022. To verify that TLS 1.3 is in use, you can use Wireshark to capture network traffic between a client and the server: filter for SSL/TLS packets and look at the Server Hello packet. If TLS 1.3 was negotiated, the protocol version shown for it should be 0x0304 (TLS 1.3).


Alternatively, you can use the IIS Crypto tool to enable TLS 1.3 on Windows Server 2022.

enable TLS 1.3 on Windows Server 2022 using IIS Crypto tool

This will enable TLS 1.3 on Windows Server 2022 globally for all applications.

Step 3 – Verify TLS 1.3 is Enabled

To verify that TLS 1.3 is enabled after the registry changes, open IIS Crypto again and check that TLS 1.3 appears in the list of enabled protocols.

Alternatively, you can use a tool like Wireshark to capture network traffic between a client and the server and inspect the TLS handshake. If TLS 1.3 is enabled, it will appear as the protocol version of the Server Hello message.
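A note for anyone reading the Wireshark capture: in a TLS 1.3 handshake the Server Hello's legacy version field still reads 0x0303 (TLS 1.2), and the 0x0304 value sits in the supported_versions extension, which is what Wireshark reports as the version. The check below sidesteps that by asking the .NET stack directly what it negotiated. It is an added example and not code from the original post; it assumes Windows PowerShell 5.1 on .NET Framework 4.8 or later (where SslProtocols.Tls13 exists) and a TLS 1.3-capable client, for instance the Windows Server 2022 host itself. The host name is a placeholder.

```powershell
# Added example (not code from the original post): negotiate a TLS session with .NET's
# SslStream, offering only TLS 1.3, and report what was actually agreed.
# Assumptions: Windows PowerShell 5.1 on .NET Framework 4.8 or later (SslProtocols.Tls13
# exists there), run from a TLS 1.3-capable client such as the Windows Server 2022 host.

function Test-Tls13Negotiation {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so a firewalled port fails fast instead of hanging.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${ComputerName}:${Port} timed out after ${TimeoutMs} ms"
        }
        $client.EndConnect($async)

        # leaveInnerStreamOpen = $false: disposing the SslStream closes the socket too.
        # Certificate validation stays at the .NET default; trust a lab certificate in
        # the machine store rather than disabling the check here.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            # Offer TLS 1.3 only. If Schannel on either end cannot speak it,
            # AuthenticateAsClient throws instead of silently falling back to TLS 1.2.
            $ssl.AuthenticateAsClient(
                $ComputerName,
                $null,
                [System.Security.Authentication.SslProtocols]::Tls13,
                $false)

            [pscustomobject]@{
                ComputerName    = $ComputerName
                Port            = $Port
                Negotiated      = $true
                Protocol        = $ssl.SslProtocol        # Tls13 when the handshake succeeded
                CipherAlgorithm = $ssl.CipherAlgorithm
                HashAlgorithm   = $ssl.HashAlgorithm
                Error           = $null
            }
        }
        catch {
            [pscustomobject]@{
                ComputerName    = $ComputerName
                Port            = $Port
                Negotiated      = $false
                Protocol        = $null
                CipherAlgorithm = $null
                HashAlgorithm   = $null
                Error           = $_.Exception.Message
            }
        }
        finally {
            $ssl.Dispose()
        }
    }
    finally {
        $client.Dispose()
    }
}

# Usage (placeholder host name): any listener that speaks TLS directly, such as an
# IIS HTTPS site, works here.
Test-Tls13Negotiation -ComputerName 'srv2022.example.internal' -Port 443 | Format-List
```

This works against services that start TLS immediately on connect (HTTPS and similar). It does not work against RDP on port 3389, because RDP performs its own X.224 connection negotiation before the TLS handshake begins; use the Wireshark capture for that case.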

Enable TLS 1.3 for Specific Application

The above registry change enables TLS 1.3 on Windows Server 2022 globally. If you want to enable it only for specific applications like IIS, RDP, PowerShell, etc., you can use the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client: for client applications
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server: for server applications like IIS, RDP

Set the Enabled value to 1 under the desired application keys.
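The registry steps above and the Server/Client distinction just described can be done in one script. The following is an added example, not code from the original post: it creates the TLS 1.3 key, the Server and Client subkeys, and the Enabled value, then reads the result back. It assumes an elevated PowerShell prompt on Windows Server 2022. One value it writes that the post does not mention is DisabledByDefault, the standard companion value Schannel reads next to Enabled; it is set to 0 so that TLS 1.3 is negotiated without each application having to request it explicitly.

```powershell
# Added example (not code from the original post): enable TLS 1.3 in Schannel for the
# Server and Client roles by creating the registry keys and values described above,
# then read the result back. Run from an elevated prompt; a restart is still required.
# DisabledByDefault is the standard Schannel companion value next to Enabled; the post
# does not mention it, and it is written as 0 here (protocol offered without opt-in).

$ProtocolsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Tls13Path     = Join-Path $ProtocolsPath 'TLS 1.3'

function New-RegistryKeyIfMissing {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) {
        $null = New-Item -Path $Path
    }
}

function Enable-Tls13Role {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Server', 'Client')]
        [string]$Role
    )
    $rolePath = Join-Path $Tls13Path $Role
    if ($PSCmdlet.ShouldProcess($rolePath, 'Set Enabled=1 and DisabledByDefault=0')) {
        New-RegistryKeyIfMissing -Path $Tls13Path   # Protocols\TLS 1.3
        New-RegistryKeyIfMissing -Path $rolePath    # Protocols\TLS 1.3\<Role>
        # -Force overwrites an existing value, so re-running the script is harmless.
        $null = New-ItemProperty -Path $rolePath -Name 'Enabled' -PropertyType DWord -Value 1 -Force
        $null = New-ItemProperty -Path $rolePath -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force
    }
}

function Get-Tls13RoleState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Server', 'Client')]
        [string]$Role
    )
    $rolePath = Join-Path $Tls13Path $Role
    if (-not (Test-Path -Path $rolePath)) {
        return [pscustomobject]@{ Role = $Role; KeyExists = $false; Enabled = $null; DisabledByDefault = $null }
    }
    $props = Get-ItemProperty -Path $rolePath
    [pscustomobject]@{
        Role              = $Role
        KeyExists         = $true
        Enabled           = $props.Enabled            # 1 = protocol enabled
        DisabledByDefault = $props.DisabledByDefault  # 0 = offered without opt-in
    }
}

# 'Server' governs services that accept TLS through Schannel (IIS, RDP);
# 'Client' governs outbound connections made from this host.
foreach ($role in 'Server', 'Client') {
    Enable-Tls13Role -Role $role
}
'Server', 'Client' | ForEach-Object { Get-Tls13RoleState -Role $_ } | Format-Table -AutoSize

Write-Output 'Registry updated. Restart the server (Restart-Computer) for Schannel to apply the change.'
```

Run it with `-WhatIf` on `Enable-Tls13Role` first to see which keys it would touch, and drop the 'Client' entry from the loop if you only want the server-side role enabled.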

Bottom Line

Upgrading your Windows Server to use TLS 1.3 improves the security and performance of network communications. Applications can leverage the faster handshake, improved encryption algorithms, and other benefits offered by the latest TLS 1.3 protocol.

Simply enabling TLS 1.3 on Windows Server 2022 via the registry editor is an easy change to make your infrastructure more secure. Verify that clients and applications can successfully negotiate TLS 1.3, and enjoy the benefits!
