Policy CSP - Cryptography

AllowFipsAlgorithmPolicy

Scope: Device (✅), User (❌)
Editions: Pro, Enterprise, Education, Windows SE, IoT Enterprise / IoT Enterprise LTSC
Applicable OS: Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Cryptography/AllowFipsAlgorithmPolicy

Allows (1) or blocks (0) the Federal Information Processing Standard (FIPS) algorithm policy, the device-scope equivalent of the Group Policy setting mapped below. When the policy is in effect, Windows components that honor it (Schannel TLS and other system cryptography) restrict themselves to FIPS-validated algorithms and cipher suites. Applications that check the flag themselves are also affected: for example, .NET Framework versions before 4.8 refuse to instantiate their non-validated managed algorithm classes while FIPS mode is on, so test line-of-business software before enabling it broadly.

Description framework properties:

Format: int
Access Type: Add, Delete, Get, Replace
Default Value: 0

Allowed values:

1: Allow.
0 (Default): Block.

Group policy mapping:

Name: System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing
Path: Windows Settings > Security Settings > Local Policies > Security Options

ConfigureEllipticCurveCryptography

Scope: Device (✅), User (❌)
Editions: Pro, Enterprise, Education, Windows SE, IoT Enterprise / IoT Enterprise LTSC
Applicable OS: Windows 11, version 24H2 [10.0.26100] and later
./Device/Vendor/MSFT/Policy/Config/Cryptography/ConfigureEllipticCurveCryptography

This policy setting determines the priority order of the ECC curves that Schannel offers and accepts for ECDHE key exchange.

  • If you enable this policy setting, ECC curves are offered in the order specified. (The Group Policy editor takes one curve name per line; through this CSP the same list is a single ';'-delimited string, as the properties below state.)

  • If you disable or don't configure this policy setting, the default ECC curve order is used.

Default curve order (highest priority first): curve25519, NistP256, NistP384

To see all the curves supported on the system, run the following command:

CertUtil.exe -DisplayEccCurve

Description framework properties:

Format: chr (string)
Access Type: Add, Delete, Get, Replace
Allowed Values: List (Delimiter: ;)

Group policy mapping:

Name: SSLCurveOrder
Friendly Name: ECC Curve Order
Location: Computer Configuration
Path: Network > SSL Configuration Settings
Registry Key Name: SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
ADMX File Name: CipherSuiteOrder.admx

ConfigureSystemCryptographyForceStrongKeyProtection

Scope: Device (✅), User (❌)
Editions: Pro, Enterprise, Education, Windows SE, IoT Enterprise / IoT Enterprise LTSC
Applicable OS: Windows 11, version 24H2 [10.0.26100] and later
./Device/Vendor/MSFT/Policy/Config/Cryptography/ConfigureSystemCryptographyForceStrongKeyProtection

System cryptography: Force strong key protection for user keys stored on the computer. Last write wins.

Description framework properties:

Format: int
Access Type: Add, Delete, Get, Replace
Default Value: 2

Allowed values:

8: An app container has accessed a medium key that isn't strongly protected. For example, a key that's for user consent only, or is password or fingerprint protected.
2 (Default): Force high protection.
1: Display the strong key user interface as needed.

OverrideMinimumEnabledDTLSVersionClient

Scope: Device (✅), User (❌)
Editions: Pro, Enterprise, Education, Windows SE, IoT Enterprise / IoT Enterprise LTSC
Applicable OS: Windows 11, version 24H2 [10.0.26100] and later
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledDTLSVersionClient

Override the minimum enabled DTLS version for the client role. Last write wins.

Description framework properties:

Format: chr (string)
Access Type: Add, Delete, Get, Replace

OverrideMinimumEnabledDTLSVersionServer

Scope: Device (✅), User (❌)
Editions: Pro, Enterprise, Education, Windows SE, IoT Enterprise / IoT Enterprise LTSC
Applicable OS: Windows 11, version 24H2 [10.0.26100] and later
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledDTLSVersionServer

Override the minimum enabled DTLS version for the server role. Last write wins.

Description framework properties:

Format: chr (string)
Access Type: Add, Delete, Get, Replace

OverrideMinimumEnabledTLSVersionClient

Scope: Device (✅), User (❌)
Editions: Pro, Enterprise, Education, Windows SE, IoT Enterprise / IoT Enterprise LTSC
Applicable OS: Windows 11, version 24H2 [10.0.26100] and later
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledTLSVersionClient

Override the minimum enabled TLS version for the client role. Last write wins.

Description framework properties:

Format: chr (string)
Access Type: Add, Delete, Get, Replace

OverrideMinimumEnabledTLSVersionServer

Scope: Device (✅), User (❌)
Editions: Pro, Enterprise, Education, Windows SE, IoT Enterprise / IoT Enterprise LTSC
Applicable OS: Windows 11, version 24H2 [10.0.26100] and later
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledTLSVersionServer

Override the minimum enabled TLS version for the server role. Last write wins.

Description framework properties:

Format: chr (string)
Access Type: Add, Delete, Get, Replace

TLSCipherSuites

Scope: Device (✅), User (❌)
Editions: Pro, Enterprise, Education, Windows SE, IoT Enterprise / IoT Enterprise LTSC
Applicable OS: Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Cryptography/TLSCipherSuites

This policy setting determines the cipher suites used by the Secure Sockets Layer (SSL)/TLS provider, Schannel.

  • If you enable this policy setting, the listed cipher suites are the only ones enabled, and they are offered in the order specified. A suite that is omitted from the list is no longer negotiated, so a typo or an incomplete list can break TLS connectivity rather than merely weaken it.

  • If you disable or don't configure this policy setting, the default cipher suite order is used.

Link for all the cipher suites: https://go.microsoft.com/fwlink/?LinkId=517265

Description framework properties:

Format: chr (string)
Access Type: Add, Delete, Get, Replace
Allowed Values: List (Delimiter: ;)

Group policy mapping:

Name: SSLCipherSuiteOrder
Friendly Name: SSL Cipher Suite Order
Location: Computer Configuration
Path: Network > SSL Configuration Settings
Registry Key Name: SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
ADMX File Name: CipherSuiteOrder.admx
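Both TLSCipherSuites and ConfigureEllipticCurveCryptography take a single ';'-delimited string in priority order, and both silently drop whatever is not on the list, so the value is worth validating against the host before it is pushed. The following PowerShell is an added example and not part of the Policy CSP documentation: it builds the two values, checks every entry against what this machine's Schannel reports through the built-in Get-TlsCipherSuite and Get-TlsEccCurve cmdlets, and emits the SyncML Replace items an MDM server would send to the two OMA-URIs listed on this page. The chosen suite and curve lists are an example policy, not a Microsoft recommendation, and the SyncML envelope (SessionID, SyncHdr) is omitted.

```powershell
# Added example, not from the Policy CSP documentation.
# Build, validate and serialize the values for
#   ./Device/Vendor/MSFT/Policy/Config/Cryptography/TLSCipherSuites
#   ./Device/Vendor/MSFT/Policy/Config/Cryptography/ConfigureEllipticCurveCryptography

# Example policy (an assumption for this demo, not a Microsoft recommendation):
# TLS 1.3 suites first, then the ECDHE AEAD suites for TLS 1.2. Anything not
# listed here will no longer be negotiated once the policy applies.
$desiredSuites = @(
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)
# Curve order; the page's default is curve25519, NistP256, NistP384.
$desiredCurves = @('NistP384', 'NistP256', 'curve25519')

function New-OrderedPolicyValue {
    param(
        [Parameter(Mandatory)][string[]] $Desired,
        [Parameter(Mandatory)][string[]] $Supported,
        [Parameter(Mandatory)][string]   $Label
    )
    # Reject anything Schannel on this host does not know. A mistyped suite
    # is not "extra": it is removed from the negotiable set, and if the whole
    # list is wrong TLS stops working. -notin is case-insensitive, which matches
    # how Schannel treats the names (curve25519 vs Curve25519).
    $unknown = @($Desired | Where-Object { $_ -notin $Supported })
    if ($unknown.Count -gt 0) {
        throw "$Label not supported on this host: $($unknown -join ', ')"
    }
    $dupes = @($Desired | Group-Object | Where-Object Count -gt 1)
    if ($dupes.Count -gt 0) {
        throw "$Label listed more than once: $($dupes.Name -join ', ')"
    }
    # The CSP value is one string, ';' delimited, highest priority first.
    return ($Desired -join ';')
}

function New-SyncMLReplace {
    param(
        [Parameter(Mandatory)][int]    $CmdId,
        [Parameter(Mandatory)][string] $LocUri,
        [Parameter(Mandatory)][string] $Data
    )
    # Format 'chr' matches the Description framework properties above.
    $escaped = [System.Security.SecurityElement]::Escape($Data)
    return @"
<Replace>
  <CmdID>$CmdId</CmdID>
  <Item>
    <Target><LocURI>$LocUri</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
    <Data>$escaped</Data>
  </Item>
</Replace>
"@
}

# What this host actually supports (built-in TLS module cmdlets).
$supportedSuites = (Get-TlsCipherSuite).Name
$supportedCurves = @(Get-TlsEccCurve)

$suiteValue = New-OrderedPolicyValue -Desired $desiredSuites -Supported $supportedSuites -Label 'Cipher suites'
$curveValue = New-OrderedPolicyValue -Desired $desiredCurves -Supported $supportedCurves -Label 'ECC curves'

New-SyncMLReplace -CmdId 1 -LocUri './Device/Vendor/MSFT/Policy/Config/Cryptography/TLSCipherSuites' -Data $suiteValue
New-SyncMLReplace -CmdId 2 -LocUri './Device/Vendor/MSFT/Policy/Config/Cryptography/ConfigureEllipticCurveCryptography' -Data $curveValue
```

Run it on a reference build of the OS you are targeting: on a Windows 10 host the TLS 1.3 suites are absent from Get-TlsCipherSuite and the script throws, which is the point of the check. Keep the cipher suite string under the 1023-character limit that the underlying Group Policy value enforces, and after the policy applies re-run Get-TlsCipherSuite and Get-TlsEccCurve (or CertUtil.exe -DisplayEccCurve) to confirm the effective order matches what was sent.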
