We'll be disabling TLSv1.0 and TLSv1.1 on our domain controllers for security reasons. But before we do that, I want to check a list of computers and see which TLS versions they have enabled, to make sure they'll keep authenticating with the domain controllers after the legacy TLS versions are disabled.
I wrote a PowerShell script that loops through the list of computers and runs "Get-TlsCipherSuite", but most of the remote computers don't recognize the command, and I don't want to install it just for this query.
I also ran a query on the registry key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" as per this Microsoft article, but the Protocols registry key does not contain any TLS entries.
So basically I'm looking for the correct command or query which, ideally, I can loop over all the computers with using PowerShell, to get which TLS versions are supported.
CodePudding user response:
Perhaps something like this can help
$cred = Get-Credential -Message "Please enter your admin credentials"
$machines = 'DC01','DC02','DC03' # the list of computernames to check
$result = Invoke-Command -ComputerName $machines -Credential $cred -ScriptBlock {
    # SecurityProtocol is a [Flags] enum; 0 means SystemDefault
    $supported = [Net.ServicePointManager]::SecurityProtocol
    # values from https://learn.microsoft.com/en-us/dotnet/api/system.net.securityprotocoltype
    [PsCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        SystemDefault = [bool]($supported -eq 0)
        Ssl3          = [bool]($supported -band 48)
        Tls           = [bool]($supported -band 192)
        Tls11         = [bool]($supported -band 768)
        Tls12         = [bool]($supported -band 3072)
        Tls13         = [bool]($supported -band 12288)
    }
}
# remove the extra properties PowerShell remoting adds
$result = $result | Select-Object * -ExcludeProperty PS*, RunspaceId
# save to file if you want
$result | Export-Csv -Path 'X:\Somewhere\SecurityProtocols.csv' -NoTypeInformation
# filter out machines supporting Tls1.0 and/or Tls1.1
$result | Where-Object {$_.Tls -eq $true -or $_.Tls11 -eq $true}
#etc.
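As an added example (not part of the question or the answer above), the following function reads the SCHANNEL Protocols registry keys the question mentions on each remote computer and reports, per protocol and per Client/Server side, whether it is explicitly enabled, explicitly disabled, or absent, which is the case the asker hit and means the OS build's own default applies. The function name, the `OSDefault`/`KeyPresentNoValues` labels and the computer names `PC01`/`PC02` are assumptions chosen for the example.

```powershell
# Added example: reads HKLM\...\SCHANNEL\Protocols\<proto>\<side> on remote hosts.
# A missing key is reported as 'OSDefault' (the built-in default for that build),
# which is exactly what an empty Protocols key in the question means.
function Get-SchannelProtocolState {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [pscredential]$Credential
    )
    $block = {
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
        foreach ($proto in 'SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2','TLS 1.3') {
            foreach ($side in 'Client','Server') {
                $key   = Join-Path (Join-Path $base $proto) $side
                $state = 'OSDefault'   # assumption: label for "no key present"
                if (Test-Path $key) {
                    $props    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
                    $enabled  = $props.Enabled            # $null when the value is absent
                    $disabled = $props.DisabledByDefault  # $null when the value is absent
                    if ($enabled -eq 0)         { $state = 'Disabled' }
                    elseif ($disabled -eq 1)    { $state = 'DisabledByDefault' }
                    elseif ($null -ne $enabled) { $state = 'Enabled' }
                    else                        { $state = 'KeyPresentNoValues' }
                }
                [PSCustomObject]@{
                    ComputerName = $env:COMPUTERNAME
                    Protocol     = $proto
                    Side         = $side
                    State        = $state
                }
            }
        }
    }
    $params = @{ ComputerName = $ComputerName; ScriptBlock = $block }
    if ($Credential) { $params.Credential = $Credential }
    Invoke-Command @params | Select-Object ComputerName, Protocol, Side, State
}

# Usage: list hosts whose client side still has TLS 1.0/1.1 anywhere other than
# explicitly disabled, i.e. the ones to review before the DCs drop legacy TLS.
Get-SchannelProtocolState -ComputerName 'PC01','PC02' -Credential (Get-Credential) |
    Where-Object { $_.Protocol -in 'TLS 1.0','TLS 1.1' -and
                   $_.Side -eq 'Client' -and $_.State -ne 'Disabled' }
```

An `OSDefault` result only tells you that nothing overrides the build's default, so map it against Microsoft's per-OS TLS protocol support table for that Windows version before deciding a host is safe.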