Skip to content

TechDirectArchive

Hands-on IT, Cloud, Security, Veeam & DevOps

  • Home
  • About
  • Advertise With US
  • Reviews
  • Contact
  • Toggle search form

How to enable FIPS mode on Windows Server

Posted on 01/07/202524/06/2026 IT Expert By IT Expert No Comments on How to enable FIPS mode on Windows Server
  1. Home
  2. Oracle/MSSQL/MySQL
  3. How to enable FIPS mode on Windows Server
Enale FIPS compliance mode on Windows

In this article, I will show you how to enable FIPS mode on Windows Server when required. For example, here is a KB2733626 showing instructions for using SQL Server 2012 in the FIPS 140-2-compliant mode. Federal Information Processing Standard (FIPS) is a standard developed by the “The National Institute of Standards and Technology (NIST) in the United States”, and “The Communications Security Establishment (CSE) in Canada”. Please, see How to Prevent Standard Users from Changing BitLocker Password, and How to Prevent Standard Users from Changing BitLocker Password.

Note: Windows includes a hidden setting that forces your system to use only FIPS-compliant (Federal Information Processing Standards) encryption. While this might appears to strengthen your Server security, it actually doesn’t improve protection for most users and can even cause problems. This is why, Microsoft recommends you not to enable this setting unless you are required to meet strict government security standards or need to test how software performs in federally regulated environments.

Therefore, FIPS standards are either recommended or mandated for use in federal-government-operated IT systems in the United States and Canada.

For everyday use, enabling FIPS mode can limit your system’s capabilities. This can break certain apps, and reduce compatibility without offering meaningful security benefits. An example of this is “When the FIPS mode in Windows enabled, in all areas where the user has a choice of whether to use encryption, SQL Server will either enable only FIPS 140-2 compliant encryption or will not enable any encryption at all”.

Also, see how to Get MBAM BitLocker Recovery Keys from Microsoft SQL Server, how to fix Unable to find my BitLocker Recovery Key in AD, and Fast Boot Options: Fix specific Drive issue with BitLocker [MBAM].

FIPS mode is not supported available in Log

When troubleshooting the following issue “MSIEXEC returned 1602 (installation cancelled): Setup cannot use this account”. You might find the below in the installation log message. This does not mean you have to enable FIPS unless when mandated to do so. Again, this is not the fix for this issue.

Perty(C): FIPSNotSupportedError = FIPS mode is not supported on this operating system. Windows 2008 is required to install ePolicy Orchestrator in FIPS mode.
Property(C): NewerFoundError = A newer version of this application is already installed on this computer. If you want to install this version, you must first uninstall the newer version. Click on "OK" to close the wizard.
FIPS Mode

Even on modern systems like Windows Server 2022 and Windows Server 2025. This log entry may still appear during the Trellix ePolicy Orchestrator (ePO) installation. However, it can be safely ignored unless you are specifically required to operate in FIPS 140-2 compliance mode. In such cases, follow the documented prerequisites to ensure proper support for FIPS.

If you must install the Trellix ePO in FIPS mode, kindly take a look at this guide. Trellix ePolicy Orchestrator On-prem can operate in FIPS mode or Mixed mode. Note that the mode that a ePO On-prem server runs in is determined during installation or upgrade and can’t be changed.

Please, see “Why does MBAM not automatically re-encrypt MBAM or Bitlocker-protected devices“. Also, see how to shrink and create new partition on Windows Server.

Activate FIPS

Note: If you are using the Microsoft SQL Server database, you must enable FIPS mode before starting SQL Server, because SQL Server reads the FIPS setting at startup. Please, see the Microsoft guide embedded in the first paragraph.

By default, the FIPS mode is disabled on Windows System and must only be enabled when mandated for use in federal-government-operated IT systems in the United States and Canada.

To enable FIPS mode, launch the Local Security Policy by typing secpol.msc in the run dialog or windows search. This will open the Local Security Policy window as shown below. You may wan to lean about the differences between “Local Security Policy vs Local Group Policy“. Also, see All about Group Policies: Group Policy GPUpdate Commands.

Navigate to Local Policies and then Security Options. On the right side of the window, locate and double click on the policy: “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”.

FIPS mode disabled
FIPS defines certain specific encryption methods that can be used, as well as methods for generating encryption keys

Select Enabled, then click Apply and OK.

enable fips mode

Next to the Local security Settings is the Explain tab that discusses what this settings does in details. Below is the output of it.

A FIPS mode security policy must be enabled on the Windows client computers and the Windows servers to properly protect communications. The FIPS policy setting restricts the Windows components so that they can only use approved ciphers. Microsoft recertifies FIPS binaries for each version. These components are based on the validated module "Rsaenh.dll". If you are using the Microsoft SQL Server database, you must enable FIPS mode before starting SQL Server, because SQL Server reads the FIPS setting at startup.
System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms
For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this setting is enabled, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.
For Encrypting File System Service (EFS), it supports the Triple Data Encryption Standard (DES) and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. By default, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003 and Windows Vista family and DESX algorithm in Windows XP for encrypting file data. For information about EFS, see Encrypting File System.
For Remote Desktop Services, it supports only the Triple DES encryption algorithm for encrypting Remote Desktop Services network communication.
Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
For BitLocker, this policy needs to be enabled before any encryption key is generated. Recovery passwords created when this policy is enabled are incompatible with BitLocker on Windows 8, Windows Server 2012, and earlier operating systems. If this policy is applied to computers running operating systems prior to Windows 8.1 and Windows Server 2012 R2, BitLocker will prevent the creation or use of recovery passwords; recovery keys should be used for those computers instead.
Default: Disabled.
Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptographic software. FIPS 140 validated software is required by the U.S. Government and requested by other prominent institutions.

As you can see below, we have successfully enabled the FIPS mode on this server. Do not forget to restart your server to ensure all services adopt the FIPS-compliant restrictions.

Enabled FIPS on Windows Server

Here is how to configure Windows Deployment Services on Windows Server 2019, and how to Fix long path names to files on SQL Server installation media error.

Enable via Windows Registry

By the way, you can also enable FIPS mode via Command Prompt or PowerShell with the command below and do not forget to restart your server.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" /v Enabled /t REG_DWORD /d 1 /f

When FIPS mode is enabled in Windows, it forces applications and system components to use only FIPS 140-validated cryptographic algorithms and implementations (e.g., AES, SHA-1, SHA-256, etc.), as approved by the U.S. government. It will therefore block newer algorithms not yet validated.

This will in turn reduce Compatibility and Performance. You can also read more on the behavior when FIPS mode is enabled for Paloalto system.

Confirm system-level FIPS is not enforced

You can do this by running the following command in PowerShell as an Administrator. If Enabled, the value will be 1 which means FIPS is on system-wide. But as you can see below, the value is 0 which shows it is not enabled.

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
Is FIPS enabled system wide

If the value is 1, you can use the command below to have FIPS disabled.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" -Name Enabled -Value 0

I hope you found this article very useful on How to enable FIPS mode on Windows Server. Please feel free to leave a comment below.

5/5 - (1 vote)

Thank you for reading this post. Kindly share it with others.

  • Share on X (Opens in new window) X
  • Share on Reddit (Opens in new window) Reddit
  • Share on LinkedIn (Opens in new window) LinkedIn
  • Share on Facebook (Opens in new window) Facebook
  • Share on Pinterest (Opens in new window) Pinterest
  • Share on Tumblr (Opens in new window) Tumblr
  • Share on Telegram (Opens in new window) Telegram
  • Share on WhatsApp (Opens in new window) WhatsApp
  • Share on Mastodon (Opens in new window) Mastodon
  • Share on Bluesky (Opens in new window) Bluesky
  • Share on Threads (Opens in new window) Threads
  • Share on Nextdoor (Opens in new window) Nextdoor
Oracle/MSSQL/MySQL, Windows Server Tags:disable FIPS mode Windows Server, enable FIPS group policy Windows, FIPS 140-2 Windows Server, FIPS compliant configuration Windows Server, FIPS mode compatibility issues, FIPS mode drawbacks Windows, FIPS mode performance impact, FIPS mode registry setting Windows, Microsoft Windows, risks of enabling FIPS mode, should I enable FIPS on Windows, turn on FIPS mode Windows, what is FIPS mode in Windows Server, Windows 2019, Windows FIPS mode explained, Windows Security, Windows Server 2016, Windows Server 2022, Windows Server 2025, Windows Server security hardening FIPS

Post navigation

Previous Post: How to shrink and create new partition on Windows Server
Next Post: Fix MSIEXEC returned 1602: Trellix Setup cannot use this account

Related Posts

  • wac
    Fix Windows Admin Center cannot be reached Windows
  • Screenshot 2021 02 01 at 12.25.27
    MySQL Workbench could not connect to MySQL server Oracle/MSSQL/MySQL
  • MDT Workbench Crashes when opening WinPE tab Properties
    Fix MDT Workbench Crashes when opening WinPE tab Properties Windows
  • WAMP errors
    Apache errors associated with WAMP installation for TeamPass Web Server
  • allthings.how how to download and install winget windows package manager windows 10 winget cli
    How to install Winget CLI on Windows Windows Server
  • fix this PC cannot run on Windows
    How to Fix “This PC Can’t Run Windows 11” on Hyper Windows

More Related Articles

wac Fix Windows Admin Center cannot be reached Windows
Screenshot 2021 02 01 at 12.25.27 MySQL Workbench could not connect to MySQL server Oracle/MSSQL/MySQL
MDT Workbench Crashes when opening WinPE tab Properties Fix MDT Workbench Crashes when opening WinPE tab Properties Windows
WAMP errors Apache errors associated with WAMP installation for TeamPass Web Server
allthings.how how to download and install winget windows package manager windows 10 winget cli How to install Winget CLI on Windows Windows Server
fix this PC cannot run on Windows How to Fix “This PC Can’t Run Windows 11” on Hyper Windows

Leave a Reply Cancel reply

You must be logged in to post a comment.

Microsoft MVP

VEEAMLEGEND

vexpert-badge-stars-5

Virtual Background

GoogleNews

Categories

veeaam100

Veeam Vanguard

  • mountedimagenotaccessible
    Unable to access the image: Make sure that the image path exist Windows
  • office365 1200x675 1
    How to prevent emails from going into a junk folder in Office365 Network | Monitoring
  • remove Windows PC from you iCloud Account completely
    How to remove Windows PC from your iCloud Account completely Mac
  • How to Disable TLS 1.0, TLS 1.1 and TLS 1   banner
    How to Disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows Using GPO Security | Vulnerability Scans and Assessment
  • mac456789oijh
    Turn off calls from iPhone: How to unlink FaceTime from Mac Mac
  • HiveNightmare
    Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11 Security | Vulnerability Scans and Assessment
  • Enable or Disable Siri
    How to enable Siri on Mac devices Mac
  • screenshot 2020 03 14 at 22.47.56
    How to block apps from running in Windows Windows

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,787 other subscribers
  • RSS - Posts
  • RSS - Comments
  • About
  • Authors
  • Write for us
  • Advertise with us
  • General Terms and Conditions
  • Privacy policy
  • Feedly
  • Telegram
  • Youtube
  • Facebook
  • Instagram
  • LinkedIn
  • Tumblr
  • Pinterest
  • Twitter
  • mastodon

Tags

Active Directory Azure Bitlocker Microsoft Windows PowerShell WDS Windows 10 Windows 11 Windows Deployment Services Windows Server 2016

Copyright © 2025 TechDirectArchive

Loading Comments...

You must be logged in to post a comment.