How to enable FIPS mode on Windows Server

Posted on 01/07/2025 (updated 10/07/2025) by Christian
[Image: Enable FIPS compliance mode on Windows]

In this article, I will show you how to enable FIPS mode on Windows Server when it is required. For example, KB2733626 gives instructions for using SQL Server 2012 in FIPS 140-2-compliant mode. The Federal Information Processing Standard (FIPS) is a standard developed by the National Institute of Standards and Technology (NIST) in the United States and the Communications Security Establishment (CSE) in Canada. Please see How to Prevent Standard Users from Changing BitLocker Password.

Note: Windows includes a hidden setting that forces your system to use only FIPS-compliant (Federal Information Processing Standards) encryption. While this might appear to strengthen your server's security, it does not actually improve protection for most users and can even cause problems. This is why Microsoft recommends not enabling this setting unless you are required to meet strict government security standards or need to test how software performs in federally regulated environments.

FIPS standards are either recommended or mandated for use in federal-government-operated IT systems in the United States and Canada.

For everyday use, enabling FIPS mode can limit your system’s capabilities: it can break certain apps and reduce compatibility without offering meaningful security benefits. An example of this is “When FIPS mode in Windows is enabled, in all areas where the user has a choice of whether to use encryption, SQL Server will either enable only FIPS 140-2 compliant encryption or will not enable any encryption at all”.

Also, see how to Get MBAM BitLocker Recovery Keys from Microsoft SQL Server, how to fix Unable to find my BitLocker Recovery Key in AD, and Fast Boot Options: Fix specific Drive issue with BitLocker [MBAM].

“FIPS mode is not supported” entry in the installation log

When troubleshooting the issue “MSIEXEC returned 1602 (installation cancelled): Setup cannot use this account”, you might find the message below in the installation log. This does not mean you have to enable FIPS unless you are mandated to do so; it is not the fix for that issue.

Property(C): FIPSNotSupportedError = FIPS mode is not supported on this operating system.  Windows 2008 is required to install ePolicy Orchestrator in FIPS mode.
Property(C): NewerFoundError = A newer version of this application is already installed on this computer. If you want to install this version, you must first uninstall the newer version. Click on "OK" to close the wizard.
[Image: FIPS Mode]

Even on modern systems like Windows Server 2022 and Windows Server 2025, this log entry may still appear during the Trellix ePolicy Orchestrator (ePO) installation. It can be safely ignored unless you are specifically required to operate in FIPS 140-2 compliance mode. In that case, follow the documented prerequisites to ensure proper support for FIPS.

If you must install Trellix ePO in FIPS mode, take a look at this guide. Trellix ePolicy Orchestrator On-prem can operate in FIPS mode or Mixed mode. Note that the mode an ePO On-prem server runs in is determined during installation or upgrade and can’t be changed afterwards.

Please see “Why does MBAM not automatically re-encrypt MBAM or BitLocker-protected devices”. Also, see how to shrink and create a new partition on Windows Server.

Activate FIPS

Note: If you are using the Microsoft SQL Server database, you must enable FIPS mode before starting SQL Server, because SQL Server reads the FIPS setting at startup. Please, see the Microsoft guide embedded in the first paragraph.

By default, FIPS mode is disabled on Windows systems and should only be enabled when mandated for use in federal-government-operated IT systems in the United States and Canada.

To enable FIPS mode, launch the Local Security Policy console by typing secpol.msc in the Run dialog or Windows Search. This opens the Local Security Policy window shown below. You may want to learn about the differences between “Local Security Policy vs Local Group Policy”. Also, see All about Group Policies: Group Policy GPUpdate Commands.

Navigate to Local Policies and then Security Options. On the right side of the window, locate and double click on the policy: “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”.

[Image: FIPS mode disabled]
FIPS defines the specific encryption methods that can be used, as well as the methods for generating encryption keys.

Select Enabled, then click Apply and OK.

[Image: Enable FIPS mode]

Next to the Local Security Setting tab is the Explain tab, which describes in detail what this setting does. Its text is reproduced below.

A FIPS mode security policy must be enabled on the Windows client computers and the Windows servers to properly protect communications. The FIPS policy setting restricts the Windows components so that they can only use approved ciphers. Microsoft recertifies FIPS binaries for each version. These components are based on the validated module "Rsaenh.dll". If you are using the Microsoft SQL Server database, you must enable FIPS mode before starting SQL Server, because SQL Server reads the FIPS setting at startup.

System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this setting is enabled, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.

For Encrypting File System Service (EFS), it supports the Triple Data Encryption Standard (DES) and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. By default, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003 and Windows Vista family and DESX algorithm in Windows XP for encrypting file data. For information about EFS, see Encrypting File System.

For Remote Desktop Services, it supports only the Triple DES encryption algorithm for encrypting Remote Desktop Services network communication.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

For BitLocker, this policy needs to be enabled before any encryption key is generated. Recovery passwords created when this policy is enabled are incompatible with BitLocker on Windows 8, Windows Server 2012, and earlier operating systems. If this policy is applied to computers running operating systems prior to Windows 8.1 and Windows Server 2012 R2, BitLocker will prevent the creation or use of recovery passwords; recovery keys should be used for those computers instead.

Default: Disabled.

Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptographic software. FIPS 140 validated software is required by the U.S. Government and requested by other prominent institutions.

As you can see below, we have successfully enabled FIPS mode on this server. Do not forget to restart the server so that all services pick up the FIPS-compliant restrictions.

[Image: FIPS enabled on Windows Server]

Here is how to configure Windows Deployment Services on Windows Server 2019, and how to Fix long path names to files on SQL Server installation media error.

Enable via Windows Registry

You can also enable FIPS mode from the Command Prompt or PowerShell with the command below. Again, restart the server afterwards.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" /v Enabled /t REG_DWORD /d 1 /f

When FIPS mode is enabled in Windows, it forces applications and system components to use only FIPS 140-validated cryptographic algorithms and implementations (for example AES, SHA-1 and SHA-256), as approved by the U.S. government. It therefore blocks newer algorithms that have not yet been validated.

This in turn reduces compatibility and performance. You can also read more on the behaviour when FIPS mode is enabled on Palo Alto systems.

Confirm system-level FIPS is not enforced

You can do this by running the following command in PowerShell as an Administrator. If the Enabled value is 1, FIPS is on system-wide. As you can see below, the value is 0, which shows it is not enabled.

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
[Image: Is FIPS enabled system-wide]

If the value is 1, you can use the command below to disable FIPS mode (followed by a restart).

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" -Name Enabled -Value 0
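As an added example that is not part of the original article, the following Windows PowerShell 5.1 script reads the same FipsAlgorithmPolicy value as the check above and then shows the compatibility effect described earlier ("it can break certain apps") by instantiating .NET Framework hash classes: the CNG-backed class keeps working, while the purely managed SHA-256 implementation and MD5 are refused once the policy is on. The function names are my own, and the script assumes Windows PowerShell 5.1 on .NET Framework (PowerShell 7 on .NET Core ignores the policy for these managed classes).

```powershell
# Added example (not from the original article): audit the system-wide FIPS policy
# the article sets, and show why it "can break certain apps".
# Assumption: Windows PowerShell 5.1 (.NET Framework honours the policy; .NET Core does not
# for the managed classes tested below).

$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicyState {
    # $true when Enabled = 1 under FipsAlgorithmPolicy, i.e. FIPS mode is on system-wide.
    $value = (Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    return ($value -eq 1)
}

function Test-CryptoClass {
    param([Parameter(Mandatory)][string]$TypeName)
    # Instantiate a .NET hash class. With the policy enabled, the constructors of
    # non-validated implementations throw InvalidOperationException, which is what
    # surfaces as "the application broke after we turned on FIPS".
    try {
        $hash = New-Object -TypeName $TypeName
        $hash.Dispose()
        return 'available'
    } catch {
        return 'blocked: ' + $_.Exception.GetBaseException().Message
    }
}

# 1. Registry view (same key the article's reg add / Get-ItemProperty commands use)
$state = if (Get-FipsPolicyState) { 'ENABLED (1)' } else { 'disabled (0 or absent)' }
Write-Host "FipsAlgorithmPolicy\Enabled          : $state"

# 2. What .NET Framework derived from that policy; it is read once per process, so a
#    change only takes effect for processes (SQL Server included) started afterwards.
$allowOnlyFips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
Write-Host "CryptoConfig.AllowOnlyFipsAlgorithms : $allowOnlyFips"

# 3. Effect on common classes: the CNG-backed one keeps working; the purely managed
#    SHA-256 and the non-approved MD5 are refused only while the policy is enabled.
$classes = @(
    'System.Security.Cryptography.SHA256Cng',               # validated CNG module
    'System.Security.Cryptography.SHA256Managed',           # managed code, not validated
    'System.Security.Cryptography.MD5CryptoServiceProvider' # MD5 is not FIPS approved
)
foreach ($c in $classes) {
    '{0,-56} {1}' -f $c, (Test-CryptoClass -TypeName $c)
}
```

Run it once before and once after toggling the policy (and restarting) to see which of your own workloads depend on classes that the policy refuses.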

I hope you found this article very useful on How to enable FIPS mode on Windows Server. Please feel free to leave a comment below.
