
@amit-g
Last active September 21, 2022 00:18
Enable Disable TLS
### Test
# Fetches a page over HTTPS through .NET's WebClient. An exception here usually means the
# client side could not agree on a protocol version with the remote host.
# This only exercises outbound (client) connections from the current PowerShell process.
$webClient = New-Object -TypeName System.Net.WebClient
$webClient.DownloadString("https://www.google.com")
### View configured protocols
# Lists every SCHANNEL protocol key, including its Client/Server subkeys, with the values set on it.
# The sections below only write TLS 1.0, TLS 1.1 and TLS 1.2, so check this listing for
# SSL 2.0 / SSL 3.0 keys as well.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Recurse
### Disable TLS 1.0
# Writes Enabled = 0 and DisabledByDefault = 1 under both the Server and the Client subkey,
# so TLS 1.0 is turned off for inbound and outbound SCHANNEL connections alike.
# Peers that only speak TLS 1.0 will no longer connect; SCHANNEL changes generally need a restart.
$tls10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0'
foreach ($role in 'Server', 'Client') {
    $roleKey = "$tls10Key\$role"
    New-Item $roleKey -Force | Out-Null
    New-ItemProperty -Path $roleKey -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -Path $roleKey -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
}
### Disable TLS 1.1
# Same pattern as for TLS 1.0: Enabled = 0 and DisabledByDefault = 1 on the Server and Client subkeys.
$tls11Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1'
foreach ($role in 'Server', 'Client') {
    $roleKey = "$tls11Key\$role"
    New-Item $roleKey -Force | Out-Null
    New-ItemProperty -Path $roleKey -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -Path $roleKey -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
}
### Enable TLS 1.2
# Sets Enabled = 1 and DisabledByDefault = 0 on the Server and Client subkeys, so TLS 1.2 is
# explicitly on for both directions rather than left to the operating system's default.
$tls12Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($role in 'Server', 'Client') {
    $roleKey = "$tls12Key\$role"
    New-Item $roleKey -Force | Out-Null
    New-ItemProperty -Path $roleKey -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -Path $roleKey -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
}
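### View .NET defaults
# Shows SystemDefaultTlsVersions and SchUseStrongCrypto for every key the update section writes
# (v2.0.50727 and v4.0.30319, native and Wow6432Node), so the result can be checked in full.
# A blank value, or no output for a key, means the setting is not present there.
$netFrameworkKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($netKey in $netFrameworkKeys) {
    # Read the whole key rather than a single named value, so a missing value shows as blank
    # instead of raising an error.
    Get-ItemProperty -Path $netKey | Format-List PSPath, SystemDefaultTlsVersions, SchUseStrongCrypto
}
Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework'
Get-ChildItem -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
# Protocols the current PowerShell process will offer; this reflects this process only.
[Net.ServicePointManager]::SecurityProtocol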
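### Update .NET defaults
# SystemDefaultTlsVersions = 1 makes .NET Framework use the operating system's (SCHANNEL) protocol
# defaults; SchUseStrongCrypto = 1 makes it prefer the stronger protocol versions.
# Both values are written for v2.0.50727 and v4.0.30319, in the native and the Wow6432Node (32-bit) view.
# -Force overwrites a value that already exists; without it a re-run fails and a stale value stays in place.
# Processes that are already running presumably keep their old setting until restarted.
$netFrameworkKeys = @(
    "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727",
    "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
)
foreach ($RegPath in $netFrameworkKeys) {
    if (-not (Test-Path -Path $RegPath)) {
        # A framework version that is not installed, or a 32-bit OS without Wow6432Node.
        Write-Warning "Skipping $RegPath (key not found)"
        continue
    }
    New-ItemProperty -Path $RegPath -Name SystemDefaultTlsVersions -Value 1 -PropertyType DWORD -Force
    New-ItemProperty -Path $RegPath -Name SchUseStrongCrypto -Value 1 -PropertyType DWORD -Force
}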
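### Update WinHttp
# DefaultSecureProtocols is a bitmask of the protocols WinHTTP offers by default:
#   0x020 = SSL 3.0, 0x080 = TLS 1.0, 0x200 = TLS 1.1, 0x800 = TLS 1.2
# 0x800 offers TLS 1.2 only, which matches the SCHANNEL sections above that disable TLS 1.0 and 1.1.
# The previously used 0xAA0 also offers SSL 3.0, TLS 1.0 and TLS 1.1; use it only if a legacy
# endpoint still requires those protocols.
$winHttpKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
)
foreach ($RegPath in $winHttpKeys) {
    # Create the key only when it is missing, so values already stored under an existing key are kept.
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    # -Force overwrites an existing DefaultSecureProtocols value, so the script can be re-run.
    New-ItemProperty -Path $RegPath -Name DefaultSecureProtocols -Value 0x800 -PropertyType DWORD -Force
}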
###Reference
# https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client