Configure the Rules to Require Encryption on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

If you are creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that do not use encryption.

Administrative credentials

To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

To modify an authentication request rule to also require encryption

  1. Open the Group Policy Management Console to Windows Firewall with Advanced Security.

  2. In the navigation pane, click Connection Security Rules.

  3. In the details pane, double-click the connection security rule you want to modify.

  4. On the Name page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click OK.

  5. In the navigation pane, right-click Windows Firewall with Advanced Security – LDAP://CN={guid}, and then click Properties.

  6. Click the IPsec Settings tab.

  7. Under IPsec defaults, click Customize.

  8. Under Data protection (Quick Mode), click Advanced, and then click Customize.

  9. Click Require encryption for all connection security rules that use these settings.

    This disables the data integrity rules section. Make sure the Data integrity and encryption list contains all of the combinations that your client computers will use to connect to members of the encryption zone. The client computers receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client computers in that zone will not be able to connect to computers in this zone.

  10. If you need to add an algorithm combination, click Add, and then select the combination of encryption and integrity algorithms. The options are described in Configure Data Protection (Quick Mode) Settings on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2.


Not all of the algorithms available in Windows 7 or Windows Server 2008 R2 can be selected in the Windows Firewall with Advanced Security user interface. To select them, you must use the Netsh command-line tool.
Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you must create or modify the rules by using the Netsh command-line tool.
For more information, see the Netsh Technical Reference (

  1. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating computers select the most secure combination that they can jointly support.

  2. Click OK three times to save your changes.