TLS Supported Groups in Windows 11 versions 24H2 and later
Note
With the addition of post-quantum key exchange algorithms, the TLS parameter previously referred to as "Elliptic Curves" has been renamed "Supported Groups" to be inclusive of non-EC algorithms. Reference: IANA TLS parameters.
Note
NEW post-quantum ML-KEM groups are now available in the latest Windows Insider Preview builds for Windows 11 client and Windows Server 2025. These groups are disabled by default, and must be enabled using one of the configuration methods linked at the end of this article. The minimum supported builds are 26100.8514 for Windows 11 24H2 and 25H2, 28000.2173 for Windows 11 26H2, and 29550 for Windows Server 2025.
For Windows 11, versions 24H2 and later, the Microsoft Schannel Provider enables the following groups by default, in this priority order:
| Supported Group String | Supported Protocol Versions | Available in FIPS mode (legacy) |
|---|---|---|
| curve25519 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| nistP256 | TLS 1.0, 1.1, 1.2, 1.3 | Yes |
| nistP384 | TLS 1.0, 1.1, 1.2, 1.3 | Yes |
The following groups are supported by the Microsoft Schannel Provider, but are not enabled by default:
| Supported Group String | Supported Protocol Versions | Available in FIPS mode (legacy) |
|---|---|---|
| x25519_mlkem768 | TLS 1.3 | No |
| secp256r1_mlkem768 | TLS 1.3 | No |
| secp384r1_mlkem1024 | TLS 1.3 | No |
| brainpoolP256r1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| brainpoolP384r1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| brainpoolP512r1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| nistP192 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| nistP224 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| nistP521 | TLS 1.0, 1.1, 1.2, 1.3 | Yes |
| secP160k1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| secP160r1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| secP160r2 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| secP192k1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| secP192r1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| secP224k1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| secP224r1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| secP256k1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| secP256r1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| secP384r1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
| secP521r1 | TLS 1.0, 1.1, 1.2, 1.3 | No |
Note
The legacy FIPS mode setting is neither recommended nor required to operate with FIPS approval. Using FIPS-approved algorithms is the only configuration needed.
Enabling Supported Groups
To add supported groups or change the default priority order, either deploy a group policy or use the TLS cmdlets:
To use group policy, configure ECC Curve Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings with the priority list for all supported groups you want enabled.
To use PowerShell, see TLS cmdlets for a complete list of TLS cmdlet syntax and descriptions.
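As an added example (not from this article and not Microsoft's own script), the following PowerShell uses the TLS cmdlets to audit the Schannel Supported Groups list against the tables above, disable the short legacy curves if any are enabled, and place the hybrid post-quantum group ahead of the defaults. It assumes an elevated session, that Enable-TlsEccCurve accepts the ML-KEM supported-group strings and moves an already-enabled group when given a -Position, and, for the ML-KEM group, a build at or above the minimums listed in the note above.

```powershell
param([switch]$Apply)   # without -Apply the script only reports

# Groups a defender should not offer: the 160/192/224-bit curves and secP256k1
# from the "not enabled by default" table (constructed list, not from the page).
$weakGroups = @('secP160k1','secP160r1','secP160r2','nistP192','secP192k1',
                'secP192r1','nistP224','secP224k1','secP224r1','secP256k1')

# Desired priority order: hybrid PQ group first, then the 24H2 defaults.
$desiredOrder = @('x25519_mlkem768','curve25519','nistP256','nistP384')

function Get-TlsGroupReport {
    $current = @(Get-TlsEccCurve)          # names in current priority order
    [pscustomobject]@{
        Current     = $current
        WeakEnabled = @($current | Where-Object { $weakGroups -contains $_ })
        PqFirst     = ($current.Count -gt 0 -and $current[0] -like '*mlkem*')
    }
}

$before = Get-TlsGroupReport
"Current order : $($before.Current -join ', ')"
"Weak enabled  : $($before.WeakEnabled -join ', ')"
"PQ group first: $($before.PqFirst)"

if (-not $Apply) { return }

# 1. Remove any weak group that is currently enabled.
foreach ($g in $before.WeakEnabled) {
    Write-Warning "Disabling weak group $g"
    Disable-TlsEccCurve -Name $g
}

# 2. Apply the desired order; Position 0 is the highest priority
#    (assumption: an already-enabled group is moved rather than duplicated).
for ($i = 0; $i -lt $desiredOrder.Count; $i++) {
    Enable-TlsEccCurve -Name $desiredOrder[$i] -Position $i
}

# 3. Verify the result instead of trusting the cmdlets silently.
$after = Get-TlsGroupReport
$head  = @($after.Current | Select-Object -First $desiredOrder.Count)
$ok    = ($after.WeakEnabled.Count -eq 0) -and
         (($head -join ',') -eq ($desiredOrder -join ','))
"New order     : $($after.Current -join ', ')"
if ($ok) { "Result        : PASS" } else { Write-Error "Result        : FAIL" }
```

Group policy, when deployed, takes precedence over the cmdlet-managed list, so re-run the report after policy refresh to confirm the effective order.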
See Also
Configuring TLS ECC Curve Order