TLSCipherSuites Delete CSP Breaks Get-TlsCipherSuite Cmdlet
I am attempting to use the Cryptography/TLSCipherSuites CSP to configure the SSL cipher suite order. The Add CSP works and I am able to confirm the allowed cipher suites using the Get-TlsCipherSuite cmdlet in PowerShell. However, when I use the Delete command, the Get-TlsCipherSuite cmdlet appears to stop working and I can no longer communicate with the MDM server. I'm using VMware's Workspace ONE UEM Cloud to send the commands.
Here is my Add command:
<Add>
  <CmdID>8dea8bec-7164-46dc-9093-96c6de238f2c</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/Cryptography/TLSCipherSuites</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384;TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Data>
  </Item>
</Add>
And the Delete command:
<Delete>
  <CmdID>8dea8bec-7164-46dc-9093-96c6de238f2c</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/Cryptography/TLSCipherSuites</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data></Data>
  </Item>
</Delete>
And here is the error I get when using Get-TlsCipherSuite, only AFTER I send the Delete command and restart (the cmdlet works fine before and after the Add):
get-tlsciphersuite : Exception from HRESULT: 0xD000000D
At line:1 char:12
+ $ciphers = get-tlsciphersuite
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-TlsCipherSuite], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.WindowsAuthenticationProtocols.Commands.GetTlsCipherSuiteCommand
The only way I've found to recover from this state is to do a device reset. Is the Delete command not supported? It's not very clear on the CSP page for TLSCipherSuites (https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#cryptography-tlsciphersuites).