IIS Crypto requires Windows Server 2008 or later and .NET Framework 4.0 or greater. Both GUI and command line versions are available.

IIS Crypto GUI

Version 3.3 (357 KB)


IIS Crypto CLI

Version 3.3 (263 KB)


Version 3.3 Build 17 - Released October 31, 2022

  • Added TLS 1.3 and new cipher suites for Windows Server 2022
  • Updated all templates to support TLS 1.3
  • PCI 4.0 template added, which removes SHA1 and non-forward-secrecy cipher suites
  • Strict template removes CBC cipher suites on Windows 2016 and above
  • Removed a single instance check on startup

Version 3.2 Build 16 - Released April 11, 2020

  • Added override enabled feature to set Protocols Enabled to 1 instead of 0xffffffff
  • Only a single instance of IIS Crypto can be run

Version 3.1 Build 15 - Released December 19, 2019

  • Changed the target platform to AnyCPU
  • Updated code signing certificate
  • Crash on Windows Server 2008 R2 with older versions of .NET

Version 3.0 Build 14 - Released February 10, 2019

  • Advanced tab for additional registry settings
  • Backup current registry settings
  • Separate check list box for client side protocols
  • Simplified template file format
  • Strict template
  • List HTTPS sites from IIS for the Site Scanner
  • Reboot checkbox on the GUI
  • Windows Server 2019 support
  • TLS 1.1 and 1.2 in Windows Server 2008 first release
  • Best Practices and PCI 3.2 templates remove the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite
  • PCI template has been updated to PCI version 3.2
  • All templates disable the FIPS Algorithm Policy except for FIPS 140-2
  • Set DHE Minimum Server Length to 2048 for Best Practices, PCI 3.2 and Strict templates
  • Automatic upgrade of old template file format
  • Force TLS 1.2 connections when using Check for Updates
  • If the registry value type is incorrect, IIS Crypto changes it to the correct type
  • Invalid cast error when loading keys from the registry that are not the correct type
  • Saved templates do not include the version, nor is the header copied
  • If a template is newer than the version expected, it reverts back to server defaults instead of just leaving the current settings
  • Spelling mistakes

Version 2.0 Build 11 - Released July 15, 2016

  • Full version information to About tab
  • Crash when run from a network share

Version 2.0 Build 10 - Released July 8, 2016

  • Complete application and GUI redesign
  • Built-in and custom templates support
  • Windows 10 and Windows Server 2016 support
  • Schannel client side protocols
  • Automatic and manual check for updates
  • All cipher suites are loaded from the OS list of defaults
  • Add your own cipher suites if they are not in the OS list of defaults
  • PCI 3.1 template
  • Custom templates in the same folder as IIS Crypto are added to the template list automatically
  • Reboot switch for the console application
  • Dropped support for Windows 2003 and lower
  • Changed cipher suite order for Best Practices template and now includes DSA certificates
  • UI is now resizable
  • Warning messages for disabling TLS 1.0 in Windows Server 2008 and 2008 R2 for RDP support
  • Executables are now dual signed with SHA1 and SHA256
  • Console application now takes built-in templates and external files as parameters
  • Triple DES 168/168 was renamed to Triple DES 168 for Windows Server 2008 and newer
  • Unchecking all cipher suites when none are specified caused all to be checked instead of unchecked

Version 1.6 Build 7 - Released November 17, 2014

  • Additional cipher suites for all platforms due to MS14-066
  • Triple DES 168/168 was changed to Triple DES 168 in Vista/2008 and newer
  • PCI button now disables SSL 3.0 and RC4 128/128
  • Missing cipher suites TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Version 1.5 Build 6 - Released November 8, 2014

  • New cipher suites: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256 for Windows 2012 R2
  • New hashes: SHA 256, SHA 384 and SHA 512
  • New key exchange: ECDH
  • Check all and uncheck all buttons for the cipher suite order
  • Best Practices has updated the cipher suite order to exclude RC4 encryption and DSA certificates
  • Disabled SSL 3.0 for Best Practices because of the POODLE attack
  • Hide TLS 1.1 and 1.2 for Windows 2008 (not R2) and lower
  • IIS Crypto now looks for both 0xffffffff and 0x1 for Enabled values in the registry
  • Warning message if TLS 1.0 is unchecked and Remote Desktop is set to use it
  • Cipher suite order for TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521

Version 1.4 Build 5 - Released November 5, 2013

  • Best practices template and command line option
  • Help button with FAQ link
  • Qualys SSL server test
  • Cipher suites are no longer loaded from the registry as they are not all included
  • Cipher suites are listed in the best practices order if none have been selected
  • Cipher suites are only checked or unchecked when the checkbox is clicked
  • Reordered the template buttons
  • Removed the BEAST template button and command line option

Version 1.3 Build 4 - Released December 12, 2012

  • .NET 4.0 executables for Windows 2012
  • BEAST button and command line option to re-order the cipher suite to put RC4 at the top
  • Message for unsupported SSL Cipher Suite Order in Windows 2003
  • Minor GUI issues

Version 1.2 Build 3 - Released August 28, 2012

  • Invalid timestamp for executable signature
  • When running under a non-administrator account, IIS Crypto crashes with a System.Security.SecurityException

Version 1.1 Build 2 - Released February 26, 2012

  • A new command line version
  • License agreement dialog on first run
  • Warning dialog if the SSL Cipher Suite Order is changed
  • Default settings are now restored after the Apply button is clicked
  • DisabledByDefault is set for protocols; this will fix support for TLS 1.1 and TLS 1.2
  • SSL Cipher Suite Order not being displayed correctly

Version 1.0 Build 1 - Released May 6, 2011

  • Initial version