How to enable FIPS mode on Windows Server

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government standard that defines security requirements for cryptographic modules. If your organization operates under compliance frameworks like CJIS, HIPAA, or FedRAMP, enabling FIPS mode on Windows Server might be a requirement.

This guide walks you through what FIPS mode does, why you might enable it, and how to turn it on in Windows Server.


What Is FIPS Mode?

FIPS mode tells Windows to use only FIPS-validated cryptographic algorithms for encryption, hashing, and signing.
When enabled:

  • Only approved algorithms (e.g., AES, SHA-256) are used.
  • Applications relying on Windows crypto APIs automatically follow FIPS rules.
  • Non-compliant algorithms like MD5 or RC4 are blocked by default.

Note: Enabling FIPS mode can cause compatibility issues with older software or services that use non-FIPS algorithms. Always test in a staging environment first.


How to Enable FIPS Mode via Group Policy

If you manage your servers in a domain or want to make the change through the UI:

  1. Open Group Policy Editor
    Press Windows Key + R, type gpedit.msc, and hit Enter.
  2. Navigate to the FIPS Policy
    Computer Configuration
    → Windows Settings
    → Security Settings
    → Local Policies
    → Security Options
  3. Enable the Setting
    • Find: “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”
    • Double-click it and set it to Enabled.
    • Click OK.
  4. Apply Changes
    Run:
    gpupdate /force
    Or restart the server.

How to Enable FIPS Mode via Registry

For automation, scripting, or applying via a configuration tool:

  1. Open Registry Editor
    Press Windows Key + R, type regedit, and hit Enter.
  2. Navigate to the Key
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
  3. Set the Enabled Value
    • Find the Enabled DWORD.
    • Change its value to 1.
    • If it doesn’t exist, create a new DWORD (32-bit) value named Enabled and set it to 1.
  4. Restart the Server
    Changes take effect after a reboot.

How to Check If FIPS Mode Is Enabled

You can confirm with PowerShell:

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" | Select-Object Enabled

If the value is 1, FIPS mode is active.
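
For scripted rollouts, the registry steps and the check above can be combined into one idempotent function. This is an added example, not part of the original article; the function names Get-FipsPolicyState and Enable-FipsPolicy are hypothetical, and it only touches the registry key and Enabled value described in this guide.

```powershell
# Added example: idempotent set-and-verify for the FIPS policy value.
# Function names are hypothetical; the key path and value name come from the article.
# Writing under HKLM requires an elevated PowerShell session.
$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicyState {
    # Returns the configured DWORD, or $null when the key or the value is absent.
    # A bare Get-ItemProperty | Select-Object Enabled does not make that case obvious.
    $item = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.Enabled
}

function Enable-FipsPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-FipsPolicyState

    # Only write when the value is missing or not already 1, and honor -WhatIf / -Confirm.
    if ($before -ne 1 -and $PSCmdlet.ShouldProcess($FipsKey, 'Set Enabled = 1')) {
        if (-not (Test-Path -Path $FipsKey)) {
            New-Item -Path $FipsKey -ErrorAction Stop | Out-Null
        }
        # -Force creates the DWORD or overwrites an existing value of the same name.
        New-ItemProperty -Path $FipsKey -Name Enabled -PropertyType DWord `
            -Value 1 -Force -ErrorAction Stop | Out-Null
    }

    # Read the value back instead of assuming the write succeeded.
    $after   = Get-FipsPolicyState
    $changed = ($after -eq 1 -and $before -ne 1)

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Previous     = $before      # empty when the value did not exist
        Current      = $after
        Changed      = $changed
        RebootNeeded = $changed     # per the article, the change applies after a reboot
    }
}

# Dry run: reports what would be written without changing the registry.
# Remove -WhatIf to apply the setting.
Enable-FipsPolicy -WhatIf
```

The returned object can be collected from several servers and filtered on RebootNeeded to schedule restarts.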


When Not to Enable FIPS Mode

  • If your applications require legacy cryptographic algorithms.
  • If you use third-party software that doesn’t support FIPS-compliant crypto.
  • If you’re enabling it solely for “extra security” without a compliance requirement—Microsoft recommends against enabling FIPS mode in this case because it can reduce compatibility without significantly improving modern security.

Final Thoughts

Enabling FIPS mode on Windows Server is straightforward but should be done with care. It’s essential for certain regulated environments but can cause issues in others.
Always test before deploying to production systems, and make sure all your applications are FIPS-compliant.

© 2025 Computer Everywhere