
Why does IIS Crypto set the Protocols Enabled value to 0xffffffff

Originally IIS Crypto set the Protocols Enabled values to 0 or 1. However, we got a lot of feedback that it broke some older software. Microsoft's own documentation states that 0xffffffff is the correct value:

https://support.microsoft.com/en-ca/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

However, Microsoft created a new document that contradicts the original one:

https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

Lately we have been getting feedback that 0xffffffff does not work with some other software. Specifically some versions of Active Directory, Exchange Server and Outlook Web Access expect Enabled set to 1. A new Override Enabled checkbox has been added to the Advanced tab. When checked and a Protocol is enabled, the value will be set to 1 instead of 0xffffffff.
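As an added example (not IIS Crypto's own code), the following PowerShell audits the Schannel Protocols registry keys described in the Microsoft documents linked above, classifying each Enabled value as 0, 1 or 0xffffffff, and includes a setter that mirrors the Override Enabled checkbox. It assumes the standard protocol key names and the fact that the registry provider reads a DWORD of 0xffffffff back as Int32 -1; the Set- function needs an elevated session.

```powershell
# Added example, not IIS Crypto's own code. Audits and writes the Schannel
# Enabled values that the Override Enabled checkbox controls.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function ConvertTo-DwordValue {
    param($Value)
    if ($null -eq $Value) { return $null }
    $v = [int64]$Value
    if ($v -lt 0) { $v += 4294967296 }   # 0xffffffff reads back as Int32 -1
    return $v
}

function Describe-EnabledValue {
    param($Value)
    $v = ConvertTo-DwordValue $Value
    if ($null -eq $v) { return 'not set (OS default applies)' }
    switch ($v) {
        0          { return 'disabled (0)' }
        1          { return 'enabled (1, Override Enabled style)' }
        4294967295 { return 'enabled (0xffffffff, IIS Crypto default)' }
        default    { return ('unexpected value 0x{0:x}' -f $v) }
    }
}

function Get-SchannelProtocolState {
    # One row per protocol and side; missing keys mean the OS default is in effect.
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path (Join-Path $SchannelBase $proto) $side
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = Describe-EnabledValue $props.Enabled
                DisabledByDefault = ConvertTo-DwordValue $props.DisabledByDefault
            }
        }
    }
}

function Set-SchannelProtocolEnabled {
    # Mirrors the checkbox: -Override writes Enabled=1 instead of 0xffffffff.
    param([Parameter(Mandatory)][string]$Protocol,
          [ValidateSet('Client', 'Server')][string]$Side = 'Server',
          [switch]$Override)
    $key = Join-Path (Join-Path $SchannelBase $Protocol) $Side
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $enabled = if ($Override) { 1 } else { 0xffffffff }
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value $enabled -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 0 -Force | Out-Null
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

Run the audit before and after applying a template to confirm which Enabled style each protocol ended up with, which is what the software mentioned above is sensitive to.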

New templates that use the override setting, for both the GUI and CLI versions, are here:

Best Practices

PCI 3.2

FIPS

Strict
