TLS Elliptic Curves in Windows 10 version 1607 and later

For Windows 10, versions 1607 and later, the Microsoft Schannel Provider enables the following elliptic curves by default, in this priority order:

Elliptic curve string | Available in FIPS mode
curve25519 | No
NistP256 | Yes
NistP384 | Yes

The following elliptic curves are supported by the Microsoft Schannel Provider, but not enabled by default:

Elliptic curve string | Available in FIPS mode
brainpoolP256r1 | No
brainpoolP384r1 | No
brainpoolP512r1 | No
nistP192 | No
nistP224 | No
nistP521 | Yes
secP160k1 | No
secP160r1 | No
secP160r2 | No
secP192k1 | No
secP192r1 | No
secP224k1 | No
secP224r1 | No
secP256k1 | No
secP256r1 | No
secP384r1 | No
secP521r1 | No

Enabling Elliptic Curves

To add elliptic curves, either deploy a group policy or use the TLS cmdlets:

  • To use group policy, configure ECC Curve Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings with the priority list for all elliptic curves you want enabled.

  • To use PowerShell, see TLS cmdlets for a complete list of TLS cmdlet syntax and descriptions.
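
The PowerShell route, as an added example that is not part of the original page: it converges the local curve list to a chosen priority order with the Get-TlsEccCurve, Enable-TlsEccCurve and Disable-TlsEccCurve cmdlets, then verifies the result. The order in $desired (the three defaults plus nistP521) is an assumption chosen for illustration; run it from an elevated session.

```powershell
# Added example: converge the local Schannel ECC curve list to a desired order.
# $desired is an illustrative assumption: the three default curves, then nistP521.
# Note: the tables above list curve25519 as not available in FIPS mode.
$desired = @('curve25519', 'NistP256', 'NistP384', 'nistP521')

$before = @(Get-TlsEccCurve)
Write-Output "Before: $($before -join ', ')"

# Disable curves that are currently enabled but not wanted.
# -notcontains compares strings case-insensitively.
foreach ($curve in $before) {
    if ($desired -notcontains $curve) {
        Disable-TlsEccCurve -Name $curve
    }
}

# Place each wanted curve at its position (0 = highest priority).
# A curve that is already enabled is removed first so that it is
# re-inserted at the intended position rather than left where it was.
for ($i = 0; $i -lt $desired.Count; $i++) {
    $name = $desired[$i]
    if (@(Get-TlsEccCurve) -contains $name) {
        Disable-TlsEccCurve -Name $name
    }
    Enable-TlsEccCurve -Name $name -Position $i
}

# Verify that the effective list now matches the intended order.
$after = @(Get-TlsEccCurve)
Write-Output "After:  $($after -join ', ')"

if (($after -join ',') -ne ($desired -join ',')) {
    Write-Warning ('Curve order does not match the desired list. ' +
        'Check whether the ECC Curve Order group policy is also configured on this machine.')
}
```

Recording the "Before" line in change logs gives a known-good list to restore if a client or server stops negotiating after the change.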

Note

Prior to Windows 10, cipher suite strings were appended with the elliptic curve to determine the curve priority. Windows 10 supports an elliptic curve priority order setting, so the elliptic curve suffix is not required; when the new elliptic curve priority order is provided, it overrides the suffix. This allows organizations to use group policy to configure different versions of Windows with the same cipher suites.

See Also

Configuring TLS ECC Curve Order

Managing TLS ECC order

Managing Windows ECC curves using Group Policy

TLS cmdlets