Karthik

Reputation: 349

Enable FIPS 140-2 on Win2012r2 and verify compliance using powershell

I'm trying to enable FIPS 140-2 on one of the test Windows 2012 R2 servers and was wondering if there are any other settings that I need to modify within group policy, other than the one listed below, to enable FIPS 140-2, and also how I can verify the compliance from PowerShell.

  1. Click Start, click Run, type gpedit.msc, and then press ENTER.
  2. In the Local Group Policy Editor, under the Computer Configuration node, double-click Windows Settings, and then double-click Security Settings.
  3. Under the Security Settings node, double-click Local Policies, and then click Security Options.
  4. In the details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
  5. In the System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing dialog box, click Enabled, and then click OK to close the dialog box.
  6. Close the Local Group Policy Editor.

or

In order to do it manually, simply change the registry key HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled to 1

Upvotes: 1

Views: 4388

Answers (1)

jblaine

Reputation: 530

No, there are no other settings required to enable Windows Server's FIPS-validated cryptography.

You can test in PowerShell with, e.g.:

# CryptoConfig.AllowOnlyFipsAlgorithms reflects the FIPS policy the .NET runtime saw when this process started
if ([System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms) {
  Write-Host "Use FIPS-compliant algorithms for encryption, hashing, and signing ... IS ON"
}

Upvotes: 0
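As an added example (not code from the question or the answer above), the following PowerShell function checks all three layers the thread touches: the registry value the policy writes, the .NET flag the answer reads, and the observable effect of the policy on a non-FIPS-validated managed algorithm. It assumes Windows PowerShell on the .NET Framework (as on 2012 R2) and a session started after the policy change, because the runtime reads the registry value once per process and caches it.

```powershell
# Added example: verify the FIPS policy end to end (registry, .NET flag, behaviour).
# Assumes Windows PowerShell (.NET Framework); run in a fresh session after enabling the policy.
function Test-FipsPolicy {
    [CmdletBinding()]
    param()

    # Value written by "System cryptography: Use FIPS-compliant algorithms ..." (same path as the question).
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $regValue = (Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $regValue) { $regValue = 0 }   # missing value means the policy is not configured

    # The runtime caches this per process, so an old session reports the pre-change state.
    $dotNetFlag = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # Behavioural check: SHA256Managed is not FIPS-validated and is rejected with
    # InvalidOperationException when the policy is enforced; the CAPI-backed
    # SHA256CryptoServiceProvider keeps working either way.
    $managedBlocked = $false
    try {
        $null = New-Object System.Security.Cryptography.SHA256Managed
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # New-Object wraps the real exception
        $managedBlocked = $ex -is [System.InvalidOperationException]
    }
    $cspWorks = $true
    try   { $null = New-Object System.Security.Cryptography.SHA256CryptoServiceProvider }
    catch { $cspWorks = $false }

    [pscustomobject]@{
        RegistryEnabled    = [bool]$regValue
        DotNetFipsOnly     = $dotNetFlag
        ManagedAlgoBlocked = $managedBlocked
        CspAlgoWorks       = $cspWorks
        # All three views agree only when the policy is enabled and this session sees it.
        Consistent         = ([bool]$regValue -eq $dotNetFlag) -and ($dotNetFlag -eq $managedBlocked)
    }
}

Test-FipsPolicy | Format-List
```

If RegistryEnabled is true but DotNetFipsOnly is false, the session predates the change; if both are true but ManagedAlgoBlocked is false, the script is not running on the .NET Framework runtime the policy governs.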
