Manage Transport Layer Security (TLS) in Windows (2024)


Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Configuring TLS Cipher Suite Order

Different Windows versions support different TLS cipher suites and priority order. See Cipher Suites in TLS/SSL (Schannel SSP) for the default order supported by the Microsoft Schannel Provider in different Windows versions.

Note

You can also modify the list of cipher suites by using CNG functions, see Prioritizing Schannel Cipher Suites for details.

Changes to the TLS cipher suite order will take effect on the next boot. Until restart or shutdown, the existing order will be in effect.

Warning

Updating the registry settings for the default priority ordering is not supported and may be reset with servicing updates.

Configuring TLS Cipher Suite Order by using Group Policy

You can use the SSL Cipher Suite Order Group Policy settings to configure the default TLS cipher suite order.

  1. From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.

  2. Double-click SSL Cipher Suite Order, and then click the Enabled option.

  3. Right-click SSL Cipher Suites box and select Select all from the pop-up menu.


  4. Right-click the selected text, and select copy from the pop-up menu.

  5. Paste the text into a text editor such as notepad.exe and update with the new cipher suite order list.

    Note

    The TLS cipher suite order list must be in strict comma-delimited format; each cipher suite string is terminated by a comma (,) immediately to its right.

    Additionally, the list of cipher suites is limited to 1,023 characters.

  6. Replace the list in the SSL Cipher Suites with the updated ordered list.

  7. Click OK or Apply.

Configuring TLS Cipher Suite Order by using MDM

The Windows 10 Policy CSP supports configuration of the TLS Cipher Suites. See Cryptography/TLSCipherSuites for more information.

Configuring TLS Cipher Suite Order by using TLS PowerShell Cmdlets

The TLS PowerShell module supports getting the ordered list of TLS cipher suites, disabling a cipher suite, and enabling a cipher suite. See TLS Module for more information.
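As an added example (not code from the Microsoft article), the following PowerShell uses the TLS module's Get-TlsCipherSuite cmdlet from this section to read Schannel's current order, drops entries matching an assumed organisational deny-list, and produces the strict comma-delimited string of at most 1,023 characters that the SSL Cipher Suite Order policy box described earlier expects. The deny-list pattern and the New-CipherSuiteOrderString function name are assumptions, not part of the article.

```powershell
# Added example, not from the article: build and validate a cipher suite order
# string in the strict comma-delimited form the SSL Cipher Suite Order policy
# expects, starting from what Schannel currently reports via the TLS module.
# Assumes the TLS module (Get-TlsCipherSuite) is present: Windows 10 / Server 2016+.

function New-CipherSuiteOrderString {
    param(
        [Parameter(Mandatory)] [string[]] $CipherSuites,
        [int] $MaxLength = 1023          # limit documented for the policy text box
    )
    $clean = $CipherSuites |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' } |
        Select-Object -Unique

    # Every entry must be a bare suite name: no embedded commas or whitespace,
    # otherwise the strict comma-delimited parse of the policy value breaks.
    foreach ($suite in $clean) {
        if ($suite -match '[,\s]') {
            throw "Invalid cipher suite entry: '$suite'"
        }
    }
    $order = $clean -join ','
    if ($order.Length -gt $MaxLength) {
        throw "Cipher suite list is $($order.Length) characters; the policy allows at most $MaxLength"
    }
    return $order
}

# Assumed organisational deny-list (constructed for this example, not from the
# article): remove suites whose names carry algorithms the organisation no longer
# offers, keeping the remaining suites in Schannel's current priority order.
$disallowed = 'RC4|3DES|NULL|_MD5|PSK'
$current = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
$keep = $current | Where-Object { $_ -notmatch $disallowed }

$policyValue = New-CipherSuiteOrderString -CipherSuites $keep
Write-Output "Entries kept: $($keep.Count) of $($current.Count)"
Write-Output "Policy string length: $($policyValue.Length)"
Write-Output $policyValue
```

The printed string is what you paste into the SSL Cipher Suites box in step 6 of the Group Policy procedure; it takes effect after the next reboot, as noted above.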

Configuring TLS ECC Curve Order

Beginning with Windows 10 and Windows Server 2016, ECC curve order can be configured independently of the cipher suite order. If the TLS cipher suite order list has elliptic curve suffixes, they will be overridden by the new elliptic curve priority order when it is enabled. This allows organizations to use a Group Policy object to configure different versions of Windows with the same cipher suite order.

Note

Prior to Windows 10, cipher suite strings were appended with the elliptic curve to determine the curve priority.

Managing Windows ECC curves using CertUtil

Beginning with Windows 10 and Windows Server 2016, Windows provides elliptic curve parameter management through the command line utility certutil.exe. Elliptic curve parameters are stored in bcryptprimitives.dll. Using certutil.exe, administrators can add curve parameters to Windows and remove them from it. Certutil.exe stores the curve parameters securely in the registry. Windows can then use the curve parameters by the name associated with the curve.

Displaying Registered Curves

Use the following certutil.exe command to display a list of curves registered for the current computer.

certutil.exe -displayEccCurve


Figure 1 Certutil.exe output to display the list of registered curves.

Adding a New Curve

Organizations can create and use curve parameters researched by other trusted entities. Administrators wanting to use these new curves in Windows must add the curve. Use the following certutil.exe command to add a curve to the current computer:

certutil.exe -addEccCurve curveName curveParameters [curveOID] [curveType]

  • The curveName argument represents the name of the curve under which the curve parameters were added.
  • The curveParameters argument represents the filename of a certificate that contains the parameters of the curves you want to add.
  • The curveOID argument represents the filename of a certificate that contains the OID of the curve parameters you want to add (optional).
  • The curveType argument represents a decimal value of the named curve from the EC Named Curve Registry (optional).


Figure 2 Adding a curve using certutil.exe.

Removing a Previously Added Curve

Administrators can remove a previously added curve using the following certutil.exe command:

certutil.exe -deleteEccCurve curveName

Windows cannot use a named curve after an administrator removes the curve from the computer.

Managing Windows ECC curves using Group Policy

Organizations can distribute curve parameters to enterprise, domain-joined computers using Group Policy and the Group Policy Preferences Registry extension. The process for distributing a curve is:

  1. On Windows 10 and Windows Server 2016, use certutil.exe to add a new registered named curve to Windows.

  2. From that same computer, open the Group Policy Management Console (GPMC), create a new Group Policy object, and edit it.

  3. Navigate to Computer Configuration|Preferences|Windows Settings|Registry. Right-click Registry. Hover over New and select Collection Item. Rename the collection item to match the name of the curve. You'll create one Registry Collection item for each registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\ECCParameters.

  4. Configure the newly created Group Policy Preference Registry Collection by adding a new Registry Item for each registry value listed under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\ECCParameters\[curveName].

  5. Deploy the Group Policy object containing Group Policy Registry Collection item to Windows 10 and Windows Server 2016 computers that should receive the new named curves.


    Figure 3 Using Group Policy Preferences to distribute curves
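As an added example (not code from the article), this PowerShell inventories the ECCParameters registry keys named in steps 3 and 4 so that each value can be mapped to a Group Policy Preference Registry Item, and checks on a target computer that a deployed curve is both present in the registry and reported by Get-TlsEccCurve, a cmdlet of the same TLS module as the cipher suite cmdlets above. The function names and the curve name 'ExampleCurveName' are placeholders.

```powershell
# Added example, not code from the article: inventory the ECCParameters registry
# keys that certutil.exe -addEccCurve created (one per curve, as in steps 3 and 4)
# and verify a deployed curve on a target computer. Assumes Windows 10 /
# Windows Server 2016 or later with the TLS module (Get-TlsEccCurve) available.

$eccRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\ECCParameters'

function Get-RegisteredEccCurveParameters {
    # Emits one object per registry value under ECCParameters\<curveName>; this
    # is exactly the set of Registry Items the GPP Registry Collection must carry.
    if (-not (Test-Path -Path $eccRoot)) { return @() }
    foreach ($key in Get-ChildItem -Path $eccRoot) {
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{
                Curve     = $key.PSChildName
                KeyPath   = "$eccRoot\$($key.PSChildName)"
                ValueName = $valueName
                Kind      = $key.GetValueKind($valueName)
                Data      = $key.GetValue($valueName)
            }
        }
    }
}

function Test-EccCurveDeployed {
    param([Parameter(Mandatory)] [string] $CurveName)
    # The GPP collection item delivers the registry key; Schannel lists the curve
    # only after the reboot that follows receiving the policy.
    $inRegistry = Test-Path -Path (Join-Path -Path $eccRoot -ChildPath $CurveName)
    $inTlsList  = @(Get-TlsEccCurve) -contains $CurveName
    [pscustomobject]@{
        Curve       = $CurveName
        InRegistry  = $inRegistry
        InTlsCurves = $inTlsList
    }
}

# Source computer: what the Group Policy Preference collection must contain.
Get-RegisteredEccCurveParameters | Format-Table Curve, ValueName, Kind -AutoSize

# Target computer: 'ExampleCurveName' is a placeholder, not a curve the article defines.
Test-EccCurveDeployed -CurveName 'ExampleCurveName' | Format-List
```

Run the first call on the computer where the curve was added with certutil.exe and the second on a computer that received the policy; InTlsCurves stays false until that computer has rebooted.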

Managing TLS ECC order

Beginning with Windows 10 and Windows Server 2016, the ECC Curve Order Group Policy setting can be used to configure the default TLS ECC curve order. Using Generic ECC and this setting, organizations can add their own trusted named curves (that are approved for use with TLS) to the operating system and then add those named curves to the curve priority Group Policy setting to ensure they are used in future TLS handshakes. New curve priority lists become active on the next reboot after receiving the policy settings.


Figure 4 Managing TLS curve priority using Group Policy

I'm an expert in Windows Server configurations and security, with extensive knowledge in TLS/SSL protocols and cryptographic implementations. My expertise is backed by hands-on experience and a deep understanding of the underlying technologies involved. Now, let's delve into the concepts discussed in the provided article.

1. TLS Cipher Suite Order Configuration:

  • Group Policy:

    • The article mentions using Group Policy to configure TLS cipher suite order.
    • Navigate to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings in the Group Policy Management Console.
    • Enable SSL Cipher Suite Order.
    • Modify the list of cipher suites in a strict comma-delimited format with a limit of 1,023 characters.
  • MDM (Mobile Device Management):

    • Windows 10 Policy CSP supports TLS Cipher Suites configuration.
    • Refer to Cryptography/TLSCipherSuites for more information.
  • PowerShell Cmdlets:

    • TLS PowerShell module allows getting, disabling, and enabling TLS cipher suites.
    • Detailed information is available in the TLS Module.

2. TLS ECC Curve Order Configuration:

  • Group Policy:

    • Starting with Windows 10 & Windows Server 2016, ECC curve order can be configured independently.
    • If TLS cipher suite order has elliptic curve suffixes, they will be overridden by the new elliptic curve priority order when enabled.
    • This allows using Group Policy to configure different versions of Windows with the same cipher suite order.
  • CertUtil for ECC Curve Management:

    • CertUtil.exe allows administrators to add and remove elliptic curve parameters in Windows.
    • Commands include displaying registered curves, adding a new curve, and removing a previously added curve.
  • Group Policy for ECC Curve Distribution:

    • Organizations can distribute curve parameters through Group Policy and Group Policy Preferences Registry extension.
    • The process involves using CertUtil.exe to add a new registered named curve to Windows and then configuring Group Policy Preferences Registry Collection.
  • TLS ECC Curve Order Group Policy Settings:

    • Starting with Windows 10 and Windows Server 2016, ECC Curve Order group policy settings can configure the default TLS ECC Curve Order.
    • Generic ECC allows organizations to add trusted named curves for TLS use and set curve priority via Group Policy.

This comprehensive approach ensures a secure and customized configuration of TLS cipher suites and ECC curves in Windows Server environments, utilizing various methods such as Group Policy, PowerShell, and CertUtil for effective management and security compliance.

Article information

Author: Manual Maggio