While Windows Server 2019 includes Schannel support for TLS 1.3, it's not enabled by default. The documentation omission in Microsoft's official matrix is likely because full TLS 1.3 support was backported after the initial release.
To enable TLS 1.3, you'll need to modify the Windows Registry. Here's the PowerShell script to configure it:
```powershell
# Enable TLS 1.3 client and server protocols.
# The "TLS 1.3" keys do not exist by default, so create them first: New-ItemProperty
# fails with "Cannot find path" when run against a missing key.
$base = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3"
foreach ($side in "Client", "Server") {
    New-Item -Path "$base\$side" -Force | Out-Null
    New-ItemProperty -Path "$base\$side" -Name "Enabled" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$base\$side" -Name "DisabledByDefault" -Value 0 -PropertyType DWORD -Force | Out-Null
}
```
After making these changes, verify the configuration with a test HTTPS server. Here's a basic C# example using .NET Core 3.1+:
```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

class Program {
    static void Main() {
        // Server certificate; path and password are placeholders
        var certificate = new X509Certificate2("server.pfx", "<pfx-password>");

        // HttpListener hands TLS to http.sys and does not let the caller choose a protocol
        // version, so accept a raw TCP connection and wrap it in an SslStream instead.
        var listener = new TcpListener(IPAddress.Loopback, 5001);
        listener.Start();
        using var client = listener.AcceptTcpClient();
        using var sslStream = new SslStream(client.GetStream(), leaveInnerStreamOpen: false);

        // Restricting the server to TLS 1.3 makes the handshake fail if Schannel does not offer it
        sslStream.AuthenticateAsServer(certificate,
                                       clientCertificateRequired: false,
                                       enabledSslProtocols: SslProtocols.Tls13,
                                       checkCertificateRevocation: false);
        Console.WriteLine($"Negotiated protocol: {sslStream.SslProtocol}");
        // Response handling here
    }
}
```
Windows Server 2019 supports these TLS 1.3 cipher suites by default:
- TLS_AES_256_GCM_SHA384
- TLS_AES_128_GCM_SHA256
- TLS_CHACHA20_POLY1305_SHA256
If TLS 1.3 isn't working after configuration:
- Ensure all Windows updates are installed (KB5005039 or later is required)
- Verify no group policies are overriding your registry settings
- Check that both client and server applications support TLS 1.3
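The registry edits and the handshake check above, as an added example that is not from the original answer: it reads the Schannel keys back and reports their effective state, then attempts a TLS 1.3-only client handshake and reports what was negotiated or why it failed. It assumes PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.8 (the first Framework release with the `Tls13` enum value), and `yourserver.com` is a placeholder host name.

```powershell
# Added example: audit Schannel TLS 1.3 registry state, then probe a live handshake.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)
    $key = "$base\$Protocol\$Side"
    if (-not (Test-Path $key)) { return 'not configured (OS default applies)' }
    $p = Get-ItemProperty -Path $key
    # Schannel semantics: Enabled=0 disables the protocol outright;
    # DisabledByDefault=1 keeps it off unless an application explicitly opts in.
    if ($p.Enabled -eq 0) { return 'disabled' }
    if ($p.DisabledByDefault -eq 1) { return 'disabled by default' }
    return 'enabled'
}

foreach ($side in 'Client', 'Server') {
    "TLS 1.3 $side : $(Get-SchannelProtocolState -Protocol 'TLS 1.3' -Side $side)"
}

function Test-Tls13Handshake {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # The callback accepts any certificate: this checks protocol negotiation only, not trust.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        # Offering only TLS 1.3 turns "server lacks TLS 1.3" into a visible handshake failure
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls13, $false)
        "Negotiated $($ssl.SslProtocol) with cipher $($ssl.CipherAlgorithm)"
    } catch {
        "TLS 1.3 handshake failed: $($_.Exception.Message)"
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

Test-Tls13Handshake -HostName 'yourserver.com'
```

Run the probe from a second machine as well as locally, since the local result reflects the client-side keys and the remote one the server-side keys.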
Microsoft's documentation is surprisingly silent about TLS 1.3 support in Windows Server 2019. While the official protocol matrix lists support for Windows 10 and Windows Server 2022, Server 2019 is conspicuously absent. Through testing and community reports, we've confirmed that TLS 1.3 is not natively supported in the initial release of Windows Server 2019.
While not officially documented, there are methods to enable partial TLS 1.3 functionality:
```powershell
# PowerShell command to list cipher suites and the protocol versions each one supports.
# Protocols is a list of numeric version ids; 772 (0x0304) is TLS 1.3.
Get-TlsCipherSuite | Format-Table Name, Protocols
```
For a full implementation, you'll need to:
- Install the latest cumulative update (KB5005039 or later)
- Manually enable through registry edits (not recommended for production)
When testing TLS 1.3 between Server 2019 and modern clients:
```bash
# Nmap command to verify TLS 1.3 support
nmap --script ssl-enum-ciphers -p 443 yourserver.com
```
For production environments requiring full TLS 1.3 support, consider:
- Upgrading to Windows Server 2022
- Implementing a reverse proxy with TLS termination
- Using third-party TLS libraries like OpenSSL
Early benchmarks show TLS 1.3 can improve connection establishment by 30-50% compared to TLS 1.2, making the upgrade worthwhile for high-traffic servers.