
Cipher suites for EAP-TLS on Windows 10/11

REJR77
Level 1

Hello,

 

I was reading this kb regarding ISE 3.3 and Ciphers https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-33/221570-configure-ciphers-in-ise-3-3-and-later.html

and I was wondering if some of you know where to restrict the ciphers and protocols used by the Windows 10/11 supplicant for EAP-TLS. I found some registry keys, but I'm not sure if this is exactly what I need, and which one exactly:

  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

Any idea or feedback based on your experience?

4 Replies

Following.

Arne Bier
VIP

Great question. Have you asked Microsoft or their Community forums too?

REJR77
Level 1

Hi,

I was able to get the following from Microsoft:

On Windows 10/11, TLS settings and Cipher Suites configuration are important for network authentication such as EAP-TLS. Below are detailed instructions on how to modify these settings and answers to confirm that these registry entries work with EAP-TLS.

Confirming the role of registry entries

Here are the roles of the registry entries you mentioned and whether they affect EAP-TLS:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Purpose: Used to enable or disable specific TLS protocol versions (e.g. TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3).

Relevance to EAP-TLS: Yes, EAP-TLS relies on the SCHANNEL stack, so the settings in this registry entry affect the protocol version used by EAP-TLS.

How to configure:

The subsections Client and Server define the enabled state of the protocol.

Add the DWORD values Enabled and DisabledByDefault:

Enabled = 1 enables the protocol.

DisabledByDefault = 1 to disable the protocol.

For example, to disable TLS 1.0:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

DWORD: DisabledByDefault = 1

DWORD: Enabled = 0

 

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites

Function: Defines the list of cipher suites supported by SCHANNEL.

Is relevant for EAP-TLS: Yes, this controls the cipher suites used by EAP-TLS.

How to configure:

Windows does not include this registry entry by default. If you need to restrict ciphersuites, you can add it via Group Policy or manually.

The format is the name of the cipher suite (e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).

For example, to disable some cipher suites, you can manually add unneeded suites to this item and set the value to zero.

 

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

Function: Used to enable or disable specific encryption algorithms (e.g. AES, DES, RC4).

Relevance to EAP-TLS: Yes, this item affects the choice of encryption algorithms for EAP-TLS.

How to configure:

Add a child (e.g. AES 256/128) and set the DWORD value Enabled = 0 or 1.

For example, to disable RC4 encryption:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128

DWORD: Enabled = 0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

Purpose: Defines the cipher suite prioritization for TLS.

Relevance to EAP-TLS: Yes, this item is used to control cipher suite prioritization and affects EAP-TLS negotiation.

How to configure:

This is managed by Group Policy and may be overridden by manual editing.

The Functions value contains the cipher suite's priority order, separated by semicolons.

Example:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA25

 

Disclaimer: Modifying the registry or workgroups is usually geared towards advanced users, administrators, and IT professionals, and it can help fix some problems; however, improper registry modifications can cause serious problems. Therefore, please make sure to strictly follow the steps below. For further protection, make a backup of the registry before modifying it. For more information on how to back up and restore the registry, refer to:

How to back up and restore the registry in Windows - Microsoft Support
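An added PowerShell example (not from Microsoft's answer or this thread) that audits the keys the reply describes and, with -Apply, writes the TLS 1.0 client values shown above. It assumes Windows 10/11 PowerShell 5.1 or later with the built-in TLS module (Get-TlsCipherSuite) and an elevated shell for -Apply; run it with -Apply -WhatIf first to see what would change.

```powershell
# Added example (not from the thread or Microsoft's reply): audits the SCHANNEL keys listed above
# and, with -Apply, writes the TLS 1.0 client values shown there. -Apply honours -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-ProtocolState {
    # One row per TLS version and side; a missing key or value means the OS default applies.
    foreach ($ver in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $schannel "Protocols\$ver\$side"
            $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $ver
                Side              = $side
                Enabled           = if ($null -ne $p.Enabled) { $p.Enabled } else { 'default' }
                DisabledByDefault = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'default' }
            }
        }
    }
}

function Get-CipherSuiteOrder {
    # Policy order is the Functions value (semicolon-separated REG_SZ, or REG_MULTI_SZ from some tools).
    if (Test-Path $policy) {
        $f = (Get-ItemProperty -Path $policy).Functions
        if ($f) { return (($f -join ';') -split ';' | Where-Object { $_ }) }
    }
    # No policy set: report what SCHANNEL currently offers instead (built-in TLS module).
    return (Get-TlsCipherSuite | ForEach-Object Name)
}

Get-ProtocolState | Format-Table -AutoSize
$order = @(Get-CipherSuiteOrder)
"Cipher suite order ($($order.Count) suites):"
foreach ($s in $order) {
    # Flag legacy suites a hardened EAP-TLS supplicant should not offer (also check ISE's list).
    if ($s -match 'RC4|3DES|NULL|MD5|_DES_') { "  [legacy] $s" } else { "  $s" }
}

if ($Apply) {
    # The reply's example: disable TLS 1.0 on the client (supplicant) side.
    $key = Join-Path $schannel 'Protocols\TLS 1.0\Client'
    if ($PSCmdlet.ShouldProcess($key, 'Set DisabledByDefault=1, Enabled=0')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
    }
}
```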

thomas
Cisco Employee

Thank you for posting the answer to this! I referenced this post in https://cs.co/ise-berg#windows