How to Enable TLS 1.2 on Windows Server 2022

In today's digital landscape, securing communications between servers, applications, and clients is more important than ever. Transport Layer Security (TLS) plays a critical role in protecting data in transit by encrypting communications. While Windows Server 2022 ships with modern security defaults, there may be situations where you need to ensure TLS 1.2 is enabled, especially if you are supporting legacy applications that rely on specific TLS versions or you want to confirm hardened security settings.

In this guide, we'll walk you through why TLS 1.2 matters, how to check if it's enabled, and how to manually enable or enforce TLS 1.2 on Windows Server 2022.

Why TLS 1.2 Matters

Transport Layer Security 1.2 has been the gold standard for secure communications for many years. While TLS 1.3 offers even better security and performance, TLS 1.2 remains widely used, especially in enterprise environments where some applications might not yet support TLS 1.3.

Key reasons to ensure TLS 1.2 is enabled:

  • Compliance: Many regulatory standards (like PCI DSS and HIPAA) require disabling older protocols (SSL 2.0/3.0, TLS 1.0, and TLS 1.1) and mandate the use of TLS 1.2 or higher.
  • Security: TLS 1.0 and 1.1 have known weaknesses that can be exploited in man-in-the-middle (MITM) attacks.
  • Compatibility: Some legacy systems and applications might still only negotiate up to TLS 1.2.

Although Windows Server 2022 supports TLS 1.3 by default, it also maintains backward compatibility with TLS 1.2, depending on configuration.

How to Enable TLS 1.2 on Windows Server 2022? A Step-by-Step Guide

Step 1: Check Current TLS Settings

Before making any changes, it’s a good idea to check which protocols are currently enabled.

Using PowerShell
You can use PowerShell to check registry keys that control TLS protocols:

# Get-ChildItem (not Get-Item) is needed to list the protocol subkeys
Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

This command lists all the protocol subkeys. If you see keys like TLS 1.0, TLS 1.1, and TLS 1.2, it means the server has explicit entries for those protocols. If the Protocols key has no subkeys at all, no overrides have been set and the operating system defaults apply.

Step 2: Enable TLS 1.2 via Registry Editor

Enabling or enforcing TLS 1.2 on Windows Server typically involves editing the Windows Registry.

Important Warning:

  • Always back up your registry before making changes.
  • Incorrect modifications can cause system instability.

Here’s how you can manually set it:

1. Open Registry Editor
Press Win + R, type regedit, and press Enter.

2. Navigate to the SCHANNEL Protocols

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

If the TLS 1.2 key doesn't exist, you'll need to create it manually.

3. Create TLS 1.2 Keys and Values
Under “Protocols”:

  • Right-click Protocols, choose New → Key, and name it TLS 1.2 (the key name must be exactly "TLS 1.2").
  • Inside TLS 1.2, create two new keys:
    • Client
    • Server

Inside each (Client and Server):

  • Create two new DWORD (32-bit) Values:
    • Enabled → Set Value to 1
    • DisabledByDefault → Set Value to 0

Here’s a breakdown:

  Key                                                                                                    | Value Name        | Value Type | Value Data
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client | Enabled           | DWORD      | 1
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client | DisabledByDefault | DWORD      | 0
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server | Enabled           | DWORD      | 1
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server | DisabledByDefault | DWORD      | 0

4. Restart the Server

After editing the registry, you will need to restart the server for the changes to take effect.

Step 3: Optional – Disable Older TLS Versions

If you want to force your server to use only TLS 1.2 (and TLS 1.3), you should disable older protocols.

Inside the same registry path, create keys for TLS 1.0 and TLS 1.1 (if they don’t exist), and set:

  • Enabled → 0
  • DisabledByDefault → 1

Example:

  Key                                                                                                    | Value Name | Value Data
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client | Enabled    | 0
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server | Enabled    | 0
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client | Enabled    | 0
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server | Enabled    | 0

This ensures your server won’t negotiate insecure TLS versions.
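The registry work in Step 2 and Step 3 can be audited and applied from an elevated PowerShell session instead of regedit. This is an added example, not code from the original article; the function names and the $Desired table are my own and should be adjusted to your policy.

```powershell
# Added example: audit and set SCHANNEL protocol values (Step 2 and Step 3).
# Run elevated; reboot afterwards for SCHANNEL to pick up the change.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state per protocol; edit this table to match your policy.
$Desired = [ordered]@{
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
    'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
}

function Get-SchannelProtocolState {
    # One row per protocol/side. $null means the value is absent, so the
    # operating-system default for that protocol applies.
    foreach ($proto in $Desired.Keys) {
        foreach ($side in 'Client', 'Server') {
            $key  = Join-Path $SchannelRoot "$proto\$side"
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $item.Enabled
                DisabledByDefault = $item.DisabledByDefault
            }
        }
    }
}

function Set-SchannelProtocolState {
    # Exports the SCHANNEL key first (the backup the article asks for),
    # then creates any missing keys and writes both DWORD values.
    $backup = Join-Path $env:TEMP ('schannel-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backup /y | Out-Null
    foreach ($proto in $Desired.Keys) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $SchannelRoot "$proto\$side"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            foreach ($name in 'Enabled', 'DisabledByDefault') {
                New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                    -Value $Desired[$proto][$name] -Force | Out-Null
            }
        }
    }
    "Registry backup written to $backup; reboot to apply."
}

Get-SchannelProtocolState | Format-Table -AutoSize   # audit the current state
# Set-SchannelProtocolState                           # uncomment to apply $Desired
```

Run the audit first, compare it with the table above, and only then uncomment the apply line.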

Step 4: Verify TLS 1.2 is Working

After the reboot, it’s crucial to verify that the server is accepting and using TLS 1.2 connections.

1. Using IIS Crypto Tool

A free tool called IIS Crypto can help you view and manage TLS settings in a simple graphical interface. It also shows which protocols and ciphers are currently enabled.

You can download it from Nartac Software.

2. Using OpenSSL or PowerShell

You can run a test against your server:

openssl s_client -connect yourserver.com:443 -tls1_2

If the connection succeeds, TLS 1.2 is working.

Alternatively, PowerShell can be used for web request tests (the -SslProtocol parameter exists in PowerShell 7; Windows PowerShell 5.1 does not have it):

Invoke-WebRequest -Uri "https://yourserver.com" -SslProtocol Tls12
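A single request only proves that TLS 1.2 works; to confirm that Step 3 took effect you also want to see TLS 1.0 and 1.1 refused. The probe below is an added example, not code from the original article: it asks the server for one protocol version at a time through .NET's SslStream and runs in both Windows PowerShell 5.1 and PowerShell 7. $Target is a placeholder host name and Test-TlsProtocol is my own function name.

```powershell
# Added example: probe which TLS versions a server will negotiate.
$Target = 'yourserver.example'   # placeholder; replace with your server
$Port   = 443

function Test-TlsProtocol {
    param(
        [string]$ComputerName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate validation is bypassed only because this probe tests
        # protocol negotiation, not trust; do not reuse this callback elsewhere.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{
            Requested  = $Protocol
            Negotiated = $true
            Detail     = "$($ssl.SslProtocol) / $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        }
        $ssl.Dispose()
    } catch {
        # A refused version surfaces as an AuthenticationException here.
        [pscustomobject]@{
            Requested  = $Protocol
            Negotiated = $false
            Detail     = $_.Exception.Message
        }
    } finally {
        $client.Dispose()
    }
}

# After Step 3, expect Tls and Tls11 to fail and Tls12 to succeed.
foreach ($p in 'Tls', 'Tls11', 'Tls12', 'Tls13') {
    Test-TlsProtocol -ComputerName $Target -Port $Port -Protocol $p
}
```

A failure for Tls or Tls11 can also come from the probing machine's own SCHANNEL Client settings, so run the probe from a host that still allows those versions client-side if you need to distinguish the two cases.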

Step 5: Configure .NET Applications (If Needed)

If you’re running any .NET applications, you may also need to make sure that the applications are explicitly using TLS 1.2.

In your application’s startup code (like in Global.asax for ASP.NET apps), add:

// Requires: using System.Net;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Or if using PowerShell scripts, force TLS 1.2:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

This ensures outgoing requests from your applications use TLS 1.2 by default. Note that pinning the protocol this way also stops the application from negotiating TLS 1.3 where the remote side supports it, so only set it where an older runtime actually requires it.

Conclusion

While Windows Server 2022 already has TLS 1.2 enabled by default in most cases, it's always smart to explicitly check and enforce it, especially when hardening a server for production environments.

Quick Recap:

  • Check your current protocol settings.
  • Modify registry settings to enable TLS 1.2.
  • Disable legacy protocols like TLS 1.0 and 1.1 if not needed.
  • Reboot the server.
  • Verify using tools or command-line tests.

By ensuring TLS 1.2 on Windows Server 2022 is enabled and properly configured, you protect your server communications against a wide range of attacks and meet compliance requirements.
