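Function Set-SchannelProtocol
{
<#
.SYNOPSIS
Disables a schannel protocol by default. Enable a protocol by using the -EnableProtocol switch.
.DESCRIPTION
Microsoft IIS uses schannel for implementing HTTPS. This function will enable/disable protocols for both the client and server
by writing the 'Enabled' and 'DisabledByDefault' DWORD values under
HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<Protocol>\Client and \Server,
creating the keys first when they do not exist.
WARNING! These settings are system wide meaning they impact all process/services running on the system.
BOTH Client and Server are configured. Client refers to outgoing connections such as browsers
whereas Server refers to hosted process/services such as IIS.
Disabling every client protocol (or the only protocol a remote peer supports) breaks outbound TLS for
the whole host (Windows Update, WinRM, PowerShell Gallery, ...), so always leave a current protocol enabled.
NOTE: applications that pin their own TLS version rather than following the OS default are not affected
by these values; verify each application separately.
This function must be launched from an elevated admin prompt. It throws immediately when not elevated,
and every registry write uses -ErrorAction Stop, so a failed write cannot leave a half-applied
(Client written, Server not) configuration behind while still printing the "Reboot" message.
A reboot is required before schannel picks up the new values.
.PARAMETER Protocol
Name of the schannel protocol key to configure; must be one of the values in the ValidateSet.
.PARAMETER EnableProtocol
When present, the protocol is enabled (Enabled=1, DisabledByDefault=0). Otherwise it is disabled
(Enabled=0, DisabledByDefault=1).
.OUTPUTS
System.String. One line per registry value written, for both Client and Server.
.EXAMPLE
Set-SchannelProtocol -Protocol 'SSL 2.0'
.EXAMPLE
$DisableProtocols = 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','DTLS 1.0','DTLS 1.2'
$DisableProtocols | %{ Set-SchannelProtocol -Protocol $_ }
.EXAMPLE
Set-SchannelProtocol -Protocol 'TLS 1.2' -EnableProtocol
.NOTES
Tested on Windows Server 2019 and PowerShell 5.1
.LINK
https://docs.microsoft.com/en-us/windows/win32/secauthn/secure-channel
.LINK
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-ssl-schannel-ssp-overview
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [ValidateSet('SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2','DTLS 1.0','DTLS 1.2')]
    [ValidateNotNullOrEmpty()]
    [System.String]
    # Protocol
    $Protocol
    ,
    [Switch]
    # Enable Protocol
    $EnableProtocol
)
    # HKLM writes need elevation. Fail fast instead of discovering it on the first Set-ItemProperty.
    $CurrentIdentity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $CurrentPrincipal = New-Object System.Security.Principal.WindowsPrincipal($CurrentIdentity)
    if(-not $CurrentPrincipal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        throw 'Set-SchannelProtocol must be run from an elevated (Administrator) PowerShell prompt.'
    }

    $RegBase = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    # Disabled is the default; -EnableProtocol flips both values.
    $RegEnabledValue           = 0
    $RegDisabledByDefaultValue = 1
    if($EnableProtocol)
    {
        $RegEnabledValue           = 1
        $RegDisabledByDefaultValue = 0
    }

    # Create <Protocol>, <Protocol>\Client and <Protocol>\Server if they do not exist yet.
    $ProtocolBase = Join-Path $RegBase -ChildPath $Protocol
    if(-not (Test-Path $ProtocolBase))
    {
        New-Item -Path $RegBase -Name $Protocol -ErrorAction Stop | Out-Null
    }
    foreach($Side in 'Client','Server')
    {
        $SideKey = Join-Path $ProtocolBase -ChildPath $Side
        if(-not (Test-Path $SideKey))
        {
            New-Item -Path $ProtocolBase -Name $Side -ErrorAction Stop | Out-Null
        }
    }

    # Client first, then Server; both sides receive the same values.
    # -ErrorAction Stop: Set-ItemProperty errors are non-terminating by default, which would
    # otherwise let the function continue to the "Reboot" message after a failed write.
    foreach($Side in 'Client','Server')
    {
        $SideKey = Join-Path $ProtocolBase -ChildPath $Side
        Set-ItemProperty -Path $SideKey -Type DWord -Name 'Enabled' -Value $RegEnabledValue -ErrorAction Stop
        Write-Output $('{0} : Enabled={1}' -f $SideKey,$RegEnabledValue)
        Set-ItemProperty -Path $SideKey -Type DWord -Name 'DisabledByDefault' -Value $RegDisabledByDefaultValue -ErrorAction Stop
        Write-Output $('{0} : DisabledByDefault={1}' -f $SideKey,$RegDisabledByDefaultValue)
    }

    Write-Host 'Reboot to make changes active.'
} # End function Set-SchannelProtocol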