I have a script to check whether TLS 1.2 is enabled in the registry at the following locations.
• If HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault is present, the value should be 0.
• If HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled is present, the value should be 1.
https://support.site24x7.com/portal/en/kb/articles/how-to-check-if-tls-1-2-is-enabled
$path = @(Get-ItemProperty HKLM:\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled) -and @(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault) -ErrorAction SilentlyContinue
if ($null -eq $path) { # Always place $null on the LHS
    'not found'
}
How can I check whether TLS 1.2 is enabled in the browser (not in the registry) using a PowerShell script?
CodePudding user response:
To check the schannel keys in your question, this works:
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\'
if (Test-Path $key) {
    $TLS12 = Get-ItemProperty $key
    if ($TLS12.DisabledByDefault -ne 0 -or $TLS12.Enabled -eq 0) {
        Throw "TLS 1.2 Not Enabled"
    }
}
Note that most browsers also check the SecureProtocols value in Internet Settings, which can be set per-user or for the whole machine:
# User settings
Get-ItemProperty 'hkcu:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name SecureProtocols
# Machine settings
Get-ItemProperty 'hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' -Name SecureProtocols
The value is a little strange since it is a combination of the hex values for each supported protocol. For example, TLS 1.2 is 0x800 or 2048. Check out the Microsoft TLS 1.2 page for more details on all this information.
It is showing 280 with TLS 1.2 off and a80 with TLS 1.2 on in my laptop registry.
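Decoding the SecureProtocols bitmask described in the answer, as an added example that is not part of the original thread. The 0x800 flag for TLS 1.2 comes from the answer; the other flag values are assumed from Microsoft's documented WinHTTP/WinINet protocol flags, and the function names are hypothetical.

```powershell
# Added example (not from the thread): decode the Internet Settings
# SecureProtocols bitmask and report whether the TLS 1.2 bit is set.
# 0x800 (TLS 1.2) is from the answer; the other flags are assumed from
# Microsoft's documented WinHTTP/WinINet secure-protocol flag values.
$ProtocolFlags = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
    'TLS 1.3' = 0x2000
}

function ConvertFrom-SecureProtocols {
    param([Parameter(Mandatory)][int]$Value)
    # Emit the name of every protocol whose bit is set in the mask
    foreach ($name in $ProtocolFlags.Keys) {
        if ($Value -band $ProtocolFlags[$name]) { $name }
    }
}

function Test-Tls12InSecureProtocols {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-ItemProperty -Path $Path -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: report that instead of guessing a result
        return [pscustomobject]@{ Path = $Path; Value = $null; Tls12 = $null; Protocols = 'SecureProtocols not set' }
    }
    $v = [int]$item.SecureProtocols
    [pscustomobject]@{
        Path      = $Path
        Value     = '0x{0:X}' -f $v
        Tls12     = [bool]($v -band 0x800)
        Protocols = (ConvertFrom-SecureProtocols $v) -join ', '
    }
}

# Decode the two values reported in the comment above (280 and a80, hex)
foreach ($sample in 0x280, 0xA80) {
    '0x{0:X}: {1}' -f $sample, ((ConvertFrom-SecureProtocols $sample) -join ', ')
}

# Live check of the per-user and machine-wide settings from the answer
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' |
    ForEach-Object { Test-Tls12InSecureProtocols -Path $_ }
```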