TLS Elliptic Curves in Windows 10 version 1607 and later
For Windows 10, versions 1607 and later, the following elliptic curves are enabled and in this priority order by default using the Microsoft Schannel Provider:
| Elliptic curve string | Available in FIPS mode |
|---|---|
| curve25519 | No |
| NistP256 | Yes |
| NistP384 | Yes |
The following elliptic curves are supported by the Microsoft Schannel Provider, but not enabled by default:
| Elliptic curve string | Available in FIPS mode |
|---|---|
| brainpoolP256r1 | No |
| brainpoolP384r1 | No |
| brainpoolP512r1 | No |
| nistP192 | No |
| nistP224 | No |
| nistP521 | Yes |
| secP160k1 | No |
| secP160r1 | No |
| secP160r2 | No |
| secP192k1 | No |
| secP192r1 | No |
| secP224k1 | No |
| secP224r1 | No |
| secP256k1 | No |
| secP256r1 | No |
| secP384r1 | No |
| secP521r1 | No |
Enabling Elliptic Curves
To add elliptic curves, either deploy a group policy or use the TLS cmdlets:
- To use group policy, configure ECC Curve Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings with the priority list for all elliptic curves you want enabled.
- To use PowerShell, see TLS cmdlets for a complete list of TLS cmdlet syntax and descriptions.
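The PowerShell route in practice, as an added example that is not part of the original page: it reports the current Schannel curve order, flags curves the tables above mark as unavailable in FIPS mode, and rewrites the order. It assumes the TLS module cmdlets Get-TlsEccCurve, Enable-TlsEccCurve (with -Name and a zero-based -Position) and Disable-TlsEccCurve, an elevated session for the changes, and that a domain ECC Curve Order policy takes precedence over local settings.

```powershell
# Audit and set the Schannel ECC curve order with the TLS cmdlets.
# Assumptions (not stated on the page): Get-TlsEccCurve, Enable-TlsEccCurve
# -Name -Position and Disable-TlsEccCurve -Name exist on Windows 10 1607+ /
# Server 2016+, Enable/Disable need an elevated session, -Position is
# zero-based (as with Enable-TlsCipherSuite), and a domain "ECC Curve Order"
# policy overrides whatever these cmdlets set locally.

# Curves the tables above mark "Available in FIPS mode: Yes".
$FipsModeCurves = @('NistP256', 'NistP384', 'nistP521')

function Get-EccCurveReport {
    # Get-TlsEccCurve returns the enabled curve names in priority order.
    $position = 0
    foreach ($curve in @(Get-TlsEccCurve)) {
        [pscustomobject]@{
            Position        = $position++
            Curve           = $curve
            AvailableInFips = ($FipsModeCurves -contains $curve)  # case-insensitive
        }
    }
}

function Set-EccCurveOrder {
    <# Make the enabled curve list equal $Desired, in that order.
       Example: Set-EccCurveOrder -Desired 'NistP384','NistP256','nistP521' #>
    param([Parameter(Mandatory)][string[]]$Desired)

    # Disable every currently enabled curve first so that re-enabling at
    # explicit positions yields exactly $Desired. The list is briefly empty
    # during the change, so run this in a maintenance window.
    foreach ($curve in @(Get-TlsEccCurve)) {
        Disable-TlsEccCurve -Name $curve
    }
    for ($i = 0; $i -lt $Desired.Count; $i++) {
        Enable-TlsEccCurve -Name $Desired[$i] -Position $i
    }
    Get-EccCurveReport
}

# Report the current order and warn about curves that the page lists as not
# available once the machine runs in FIPS mode.
Get-EccCurveReport | Format-Table -AutoSize
Get-EccCurveReport | Where-Object { -not $_.AvailableInFips } |
    ForEach-Object { Write-Warning "$($_.Curve) is not available in FIPS mode" }
```

Run Get-EccCurveReport on a reference machine first and compare it with the default order in the first table before applying Set-EccCurveOrder fleet-wide.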
Note
Prior to Windows 10, the elliptic curve was appended to the cipher suite string to determine curve priority. Windows 10 supports an elliptic curve priority order setting, so the elliptic curve suffix is no longer required; when a curve priority order is provided, it overrides any suffix. This allows organizations to use group policy to configure different versions of Windows with the same cipher suites.
See Also
Configuring TLS ECC Curve Order