This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. If you enable this policy setting, ECC curves are prioritized in the order specified.(Enter one Curve name per line) If you disable or do not configure this policy setting, the default ECC curve order is used. Default Curve Order ============ NistP256 NistP384 To See all the curves supported on the system, Use the following command: CertUtil.exe -DisplayEccCurve Countermeasure: Enable this policy setting and set the priority order of the ECC curves. Potential Impact: Enabling this policy setting means the default ECC curve order is not used or is supported by the device.

[curve25519 NistP256 NistP384]

(1) GPO: Computer Configuration\Administrative Templates\Network\SSL Configuration Settings\ECC Curve Order (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002!EccCurves