amit-g/EnableDisable-TLS.ps1

## EnableDisable-TLS.ps1
###Test
(New-Object System.Net.WebClient).DownloadString("https://www.google.com")

###View configured protocols
dir 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Recurse

###Disable TLS1.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null


###Disable TLS1.1
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null


###Enable TLS1.2
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

### View .NET defaults
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727' -name SystemDefaultTlsVersions
Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727' -name SystemDefaultTlsVersions
dir 'HKLM:\SOFTWARE\Microsoft\.NETFramework'
dir 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
[Net.ServicePointManager]::SecurityProtocol

### Update .NET defaults
$RegPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727"
New-ItemProperty -path $RegPath -name SystemDefaultTlsVersions -value 1 -PropertyType DWORD
New-ItemProperty -path $RegPath -name SchUseStrongCrypto -value 1 -PropertyType DWORD
$RegPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727"
New-ItemProperty -path $RegPath -name SystemDefaultTlsVersions -value 1 -PropertyType DWORD
New-ItemProperty -path $RegPath -name SchUseStrongCrypto -value 1 -PropertyType DWORD
$RegPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -path $RegPath -name SystemDefaultTlsVersions -value 1 -PropertyType DWORD
New-ItemProperty -path $RegPath -name SchUseStrongCrypto -value 1 -PropertyType DWORD
$RegPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -path $RegPath -name SystemDefaultTlsVersions -value 1 -PropertyType DWORD
New-ItemProperty -path $RegPath -name SchUseStrongCrypto -value 1 -PropertyType DWORD

### Update WinHttp
$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
New-Item -path $RegPath
New-ItemProperty -path $RegPath -name DefaultSecureProtocols -value 0xAA0 -PropertyType DWORD
# Set-ItemProperty -path $RegPath -name DefaultSecureProtocols -value 0x800
$RegPath = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
New-Item -path $RegPath
New-ItemProperty -path $RegPath -name DefaultSecureProtocols -value 0xAA0 -PropertyType DWORD
# Set-ItemProperty -path $RegPath -name DefaultSecureProtocols -value 0x800

###Reference
# https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client
	###Test
	(New-Object System.Net.WebClient).DownloadString("https://www.google.com")

	###View configured protocols
	dir 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Recurse

	###Disable TLS1.0
	New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force \| Out-Null
	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force \| Out-Null
	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force \| Out-Null
	New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force \| Out-Null
	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force \| Out-Null
	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force \| Out-Null


	###Disable TLS1.1
	New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force \| Out-Null
	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force \| Out-Null
	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force \| Out-Null
	New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force \| Out-Null
	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force \| Out-Null
	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force \| Out-Null


	###Enable TLS1.2
	New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force \| Out-Null
	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force \| Out-Null
	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force \| Out-Null
	New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force \| Out-Null
	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force \| Out-Null
	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force \| Out-Null

	### View .NET defaults
	Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727' -name SystemDefaultTlsVersions
	Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727' -name SystemDefaultTlsVersions
	dir 'HKLM:\SOFTWARE\Microsoft\.NETFramework'
	dir 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
	[Net.ServicePointManager]::SecurityProtocol

	### Update .NET defaults
	$RegPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727"
	New-ItemProperty -path $RegPath -name SystemDefaultTlsVersions -value 1 -PropertyType DWORD
	New-ItemProperty -path $RegPath -name SchUseStrongCrypto -value 1 -PropertyType DWORD
	$RegPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727"
	New-ItemProperty -path $RegPath -name SystemDefaultTlsVersions -value 1 -PropertyType DWORD
	New-ItemProperty -path $RegPath -name SchUseStrongCrypto -value 1 -PropertyType DWORD
	$RegPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
	New-ItemProperty -path $RegPath -name SystemDefaultTlsVersions -value 1 -PropertyType DWORD
	New-ItemProperty -path $RegPath -name SchUseStrongCrypto -value 1 -PropertyType DWORD
	$RegPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
	New-ItemProperty -path $RegPath -name SystemDefaultTlsVersions -value 1 -PropertyType DWORD
	New-ItemProperty -path $RegPath -name SchUseStrongCrypto -value 1 -PropertyType DWORD

	### Update WinHttp
	$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
	New-Item -path $RegPath
	New-ItemProperty -path $RegPath -name DefaultSecureProtocols -value 0xAA0 -PropertyType DWORD
	# Set-ItemProperty -path $RegPath -name DefaultSecureProtocols -value 0x800
	$RegPath = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
	New-Item -path $RegPath
	New-ItemProperty -path $RegPath -name DefaultSecureProtocols -value 0xAA0 -PropertyType DWORD
	# Set-ItemProperty -path $RegPath -name DefaultSecureProtocols -value 0x800

	###Reference
	# https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client