Enable strong RSA key requirement (breaks Hyper-V VMs)

Apply Now

Works with Windows 10 and 11Works with Windows Vista, XP, 7, 8, 10, 11, and Windows Server 2008 or newer.

• Windows onlyThis script improves your privacy on Windows
• Single actionThis page belongs to a script, containing basic changes to achieve a task.
• Impact: Medium

  System Functionality / Data Loss Risk: Moderate

  This action improves privacy with minimal impact when you run the recommended script.

  This action improves privacy with some impact when you run the recommended script.
• Batch (batchfile)These changes use Windows system commands to update your settings.
• Administrator rights requiredThis script requires privilege access to do the system changes
• Fully reversible

  You can fully restore this action (revert back to the original behavior) using this website.

  The restore/revert methods provided here can help you fix issues.

Overview

This script improves your security by enforcing a minimum of 2048 bits for RSA encryption keys (PKCS ^{1 2}). RSA encryption keys play a crucial role in securing communications over the internet. The Public-Key Cryptography Standards (PKCS) define how to use RSA keys for secure communication encryption. Using keys that are too weak can expose your data to unauthorized access.

This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection.

From Windows 10, version 1507, and Windows Server 2016 onwards, the default RSA key size is 1024 bits ². However, this script raises the client-side minimum to 2048 bits, aligning with modern security standards. Server-side RSA key strength relies on the server certificate ².

Since 2013, internet standards and regulatory bodies have banned 1024-bit RSA keys due to security vulnerabilities ³. These entities, including the Federal Office for Information Security (BSI) in Germany ² and the National Institute of Standards and Technology (NIST) in the USA ^{4 5}, now recommend the use of keys that are 2048 bits or longer. RSA key exchanges of 2048 bits or are widely accepted.

In 2012, Microsoft deprecated 1024-bit RSA keys for their applications ^{5 6} and will end support for them in Windows by March 2024 ³.

While 2048-bit keys balances security with efficiency ⁷, a shift towards stronger 4096-bit RSA keys is emerging. Projects like Debian ⁸, Fedora ⁹, and CaCert.org ¹⁰ use larger keys for long-term tasks.

However, this script disrupts connections to Hyper-V virtual machines, which still require 1024-bit keys ¹¹. It does not affect other virtual environments such as Docker, WSL, or Windows Sandbox ¹¹.

Caution

• The script prevents access to Hyper-V VMs.
• Using bigger keys increases security but may not work with some old or less secure apps.
• This can make your device slower and drain the battery faster.

Use with Caution

This script is only recommended if you understand its implications.

Some non-critical or features may no longer function correctly after running this script.

This script can be fully reversed to restore changes if something goes wrong.

Sources

PrivacyLearn.com maintains strict sourcing standards for accuracy, integrity and up-to-date content. Our content relies on authoritative sources including vendor documentation, industry standards, and verified research. Learn more about our verification process and quality standards in our editorial standards page.

• Transport Layer Security (TLS) registry settings. Microsoft Learn. learn.microsoft.com. (2024).
  Original: https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
  Archived: https://web.archive.org/web/20240403064025/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=rsa
• Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10. Bundesamt für Sicherheit in der Informationstechnik. bsi.bund.de. (2024).
  Original: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf
  Archived: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2
• Deprecated features in the Windows client - What's new in Windows. Microsoft Learn. learn.microsoft.com. (2024).
  Original: https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features
  Archived: https://web.archive.org/web/20240403064138/https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features
• NIST Special Publication 800-131A Revision 2. Transitioning the Use of Cryptographic Algorithms and Key Lengths. nvlpubs.nist.gov. (2024).
  Original: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
  Archived: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
• request by bricedobson. undergroundwires/privacy.sexy. GitHub.com. (2024).
  Original: https://github.com/undergroundwires/privacy.sexy/pull/165
  Archived: https://web.archive.org/web/20240403064107/https://github.com/undergroundwires/privacy.sexy/pull/165
• RSA keys under 1024 bits are blocked - Microsoft Community Hub. techcommunity.microsoft.com. (2024).
  Original: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/rsa-keys-under-1024-bits-are-blocked/ba-p/1128997
  Archived: https://web.archive.org/web/20240403064204/https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/rsa-keys-under-1024-bits-are-blocked/ba-p/1128997
• RSA Key Sizes: 2048 or 4096 bits?. danielpocock.com. (2024).
  Original: https://danielpocock.com/rsa-key-sizes-2048-or-4096-bits
  Archived: https://web.archive.org/web/20240402113046/https://danielpocock.com/rsa-key-sizes-2048-or-4096-bits/
• Keysigning - Debian Wiki. wiki.debian.org. (2024).
  Original: https://wiki.debian.org/Keysigning
  Archived: https://web.archive.org/web/20240402105239/https://wiki.debian.org/Keysigning#Step_1:_Create_a_RSA_keypair
• Fedora keeps you safe. The Fedora Project. fedoraproject.org. (2024).
  Original: https://fedoraproject.org/security
  Archived: https://web.archive.org/web/20240402105244/https://fedoraproject.org/security/
• Certification Practice Statement (CPS). cacert.org. (2024).
  Original: http://www.cacert.org/policy/CertificationPracticeStatement.html
  Archived: https://web.archive.org/web/20240402112840/http://www.cacert.org/policy/CertificationPracticeStatement.html#p6.1.5
• github.com. (2024).
  Original: https://github.com/undergroundwires/privacy.sexy/issues/363
  Archived: https://web.archive.org/web/20240519131322/https://github.com/undergroundwires/privacy.sexy/issues/363

Apply Now

Choose one of three ways to apply:

Download script

Download and run the script directly

• No app needed
• Offline usage
• Easy-to-apply
• Free
• Open-source

Apply protection

Undo protection

Help

How to apply or restore "Enable strong RSA key requirement (breaks Hyper-V VMs)" using script

• ≈ 2 min to complete
• Tools: Web Browser
• Difficulty: Simple
• ≈ 5 instructions

1. 1

   Download

   Download the script file by clicking on the   Apply protection  button above.
   Use   Undo protection button above to restore changes.
2. 2

   Keep the file

   If warned by your browser, keep the file.
3. 3

   Open

   Open the downloaded file.
4. 4

   Exit

   Once it's done, press any key to exit the window.
5. 5

   Restart

   Restart your computer for all changes to take effect.

Apply with privacy.sexy

Guided, automated application with safety checks

• Recommended for most users
• Includes safety checks
• Free
• Open-source
• Popular
• Offline/Online usage

Open privacy.sexy

Help

How to apply or restore "Enable strong RSA key requirement (breaks Hyper-V VMs)" using privacy.sexy

• ≈ 3 min to complete
• Tools: privacy.sexy
• Difficulty: Simple
• ≈ 4 instructions

privacy.sexy is free and open-source application that lets securely apply this action easily with more advanced options.

1. 1

   Open or download

   Open or download the desktop application
2. 2

   Choose script

   1. Search for the script name: Enable strong RSA key requirement (breaks Hyper-V VMs)
   2. Check the script by clicking on the checkbox.
3. 3

   Run

   Click on ▶️ Run button at the bottom of the page.

   This button only appears on desktop version (recommended). On browser, use 💾 Save button.

Run commands

Copy and run commands manually Requires technical knowledge

Apply

Apply changes

:: Require "PKCS" key exchange algorithm to have at "2048" least bits keys for TLS/SSL connections
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS!ServerMinKeyBitLength"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS'; $data = '2048'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' /v 'ServerMinKeyBitLength' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS!ClientMinKeyBitLength"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS'; $data = '2048'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' /v 'ClientMinKeyBitLength' /t 'REG_DWORD' /d "^""$data"^"" /f"

Revert

Restore changes

Ijo6IFJlc3RvcmUga2V5IHNpemUgcmVxdWlyZW1lbnQgZm9yIFwiUEtDU1wiIGZvciBUTFMvU1NMIGNvbm5lY3Rpb25zXG46OiBEZWxldGUgdGhlIHJlZ2lzdHJ5IHZhbHVlIFwiSEtMTVxcU1lTVEVNXFxDdXJyZW50Q29udHJvbFNldFxcQ29udHJvbFxcU2VjdXJpdHlQcm92aWRlcnNcXFNDSEFOTkVMXFxLZXlFeGNoYW5nZUFsZ29yaXRobXNcXFBLQ1MhU2VydmVyTWluS2V5Qml0TGVuZ3RoXCJcblBvd2VyU2hlbGwgLUV4ZWN1dGlvblBvbGljeSBVbnJlc3RyaWN0ZWQgLUNvbW1hbmQgXCJyZWcgZGVsZXRlICdIS0xNXFxTWVNURU1cXEN1cnJlbnRDb250cm9sU2V0XFxDb250cm9sXFxTZWN1cml0eVByb3ZpZGVyc1xcU0NIQU5ORUxcXEtleUV4Y2hhbmdlQWxnb3JpdGhtc1xcUEtDUycgL3YgJ1NlcnZlck1pbktleUJpdExlbmd0aCcgL2YgMj4kbnVsbFwiXG46OiBEZWxldGUgdGhlIHJlZ2lzdHJ5IHZhbHVlIFwiSEtMTVxcU1lTVEVNXFxDdXJyZW50Q29udHJvbFNldFxcQ29udHJvbFxcU2VjdXJpdHlQcm92aWRlcnNcXFNDSEFOTkVMXFxLZXlFeGNoYW5nZUFsZ29yaXRobXNcXFBLQ1MhQ2xpZW50TWluS2V5Qml0TGVuZ3RoXCJcblBvd2VyU2hlbGwgLUV4ZWN1dGlvblBvbGljeSBVbnJlc3RyaWN0ZWQgLUNvbW1hbmQgXCJyZWcgZGVsZXRlICdIS0xNXFxTWVNURU1cXEN1cnJlbnRDb250cm9sU2V0XFxDb250cm9sXFxTZWN1cml0eVByb3ZpZGVyc1xcU0NIQU5ORUxcXEtleUV4Y2hhbmdlQWxnb3JpdGhtc1xcUEtDUycgL3YgJ0NsaWVudE1pbktleUJpdExlbmd0aCcgL2YgMj4kbnVsbFwiIg==

Help

How to apply or restore "Enable strong RSA key requirement (breaks Hyper-V VMs)" using commands

• ≈ 2 min to complete
• Tools: Command Prompt
• Difficulty: Medium
• ≈ 3 instructions

View step-by-step guide with screenshots

---

1. 1

   Open Command Prompt

   Open Command Prompt as Administrator.
2. 2

   Copy code

   Copy the code:

   Copy Apply Code Copy Revert Code
3. 3

   Paste & run

   Paste the commands into Command Prompt and press Enter to run.

   Some changes require a system restart to take effect

Similar Guides

Wider Goal

Guides below includes this guide to achieve a wider goal.

See other more general settings that includes this one as one of its actions.

These plans combine multiple privacy settings, including this one, for stronger protection.

Enable strong secret key requirements

This category contains scripts that enhance system security by implementing stronger encryption key lengths. Stronger keys help prevent unauthorized data access an...

Visit category page

Improve network security

This category is dedicated to improving network security. It aims to minimize vulnerabilities by offering various settings that improve the integrity and confident...

Visit category page

Security improvements

This category encompasses a range of scripts designed to improve the security of your system by enforcing security best practices. These scripts help protect your ...

Visit category page

Same Goal

Another guide in Enable strong secret key requirements 

See settings that are in the same category as this guide.

Using other actions in the same category may help you achieve your goal better.

Enable strong Diffie-Hellman key requirement

---

About the Creators

These people have authored this documentation and written its scripts:

• 

  undergroundwires

  • Certified security professional
  • 7+ years experience securing banks
  • Open-source developer since 2005
  • EU advisor, Public Speaker, Moderator
• Open-Source Contributors

  • Hundreds across the globe
  • Testers, reviewers, developers
  • Companies, military agencies
  • Community since 2017

About Us

Reviewed By

This guide has undergone comprehensive auditing and peer review:

• Expert review by undergroundwires

  • Verified technical accuracy and editorial standards
  • Assessed system impact and user privacy risks

• Public review by large community

  • Privacy enthusiasts and professionals peer-reviewed
  • Millions of end-users tested across different environments

History

We continually monitor our guides, their impact and all other privacy options. We update our guides when new information becomes available. On every update, we publicly store who made the change, what has been changed, why the change was made and when the change was made.

Review Change History Our Change Process