Disabling TLS 1.0 using Powershell in Intune

Question

Disabling TLS 1.0 using Powershell in Intune

hyugai 31

Hi All,

I want to disable TLS 1.0 and other depreciated encryption.
So i create this powershell script and put it under Scripts in All Service - Devices blade.

Below is my scripts.

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Name 'RC4 128/128' -value '0' -Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Name 'RC4 40/128'  -Value '0' -Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Name 'RC4 56/128'  -Value '0' -Type 'DWORD'  
  
<#Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.2\Client' -name 'Enabled'           -value '0' –Type 'DWORD'  
  Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.2\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'  
  Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.2\Server' -name 'Enabled'           -value '0' –Type 'DWORD'  
  Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.2\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'#>  
  
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force  
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force      
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'Enabled'           -Value '0' -Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'DisabledByDefault' -value '1' -Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled'           -value '0' –Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'  
  
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force  
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force    
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled'           -value '0' –Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled'           -value '0' –Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'  
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force  
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force                                                                                                                                                              
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled'           -value '0' –Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled'           -value '0' –Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'  
                                                                                                                                                                                   
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force  
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force                                                                                                                                                                                   
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled'           -value '0' –Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled'           -value '0' –Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'  
                                                                                                                                                         
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force                                           
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled'           -value '1' –Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value '0' –Type 'DWORD'  
  
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'Enabled'           -value '1' –Type 'DWORD'  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'DisabledByDefault' -value '0' –Type 'DWORD'

Everything is working when i test it with my testing group.
However, i realize when user (who has local admin) delete the registry key (for example like HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client),
it doesnt re-create the key (so it seems the script only run one time? - even after i tried to sync account).
How do i make it so that even if the user delete the registry key, the script will periodically run and re-create the registry key again?

3 answers

Your answer

Answer 1

Lu Dai-MSFT 28,496

@hyugai Thanks for posting in our Q&A. From your description, did you mean that you want to forcus the PS script to run again? If there is anything misunderstanding, please correct me.

Please understand that the intune management extension agent checks after every reboot for any new scripts or changes. After you assign the policy to the Azure AD groups, the PowerShell script runs, and the run results are reported. Once the script executes, it doesn't execute again unless there's a change in the script or policy.

If you want to enforc the PS script to run again, it is suggested to change the registry key and restart the Microsoft Intune Management Extension Service. Then the script will rerun again on the target device. For more details, please refer to the following link:
https://oliverkieselbach.com/2018/02/12/part-2-deep-dive-microsoft-intune-management-extension-powershell-scripts/
Note: Non-Microsoft link, just for the reference.

Or it is suggested to try to re-add this script file into the script policy and check if this script will run again.

Hope it will help.

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

hyugai 31 Reputation points

2022-04-27T03:13:38.987+00:00

thank you for your reply.
I just basically want so that if my end user (who has local admin) change the value of the registry key, intune will re-sync after couple hours and force back to change the value of the registry to the value i set in my powershell script.

From your reply, i assume with Intune Powershell script - it will only run once for the end user computer.
Lu Dai-MSFT 28,496 Reputation points

2022-04-27T05:59:30.423+00:00

@hyugai After changing the value of the registry key manually, Intune can't force back to change the value of the registry to the value you set in the powershell script. This powershell script deployed by intune only runs once.
hyugai 31 Reputation points

2022-04-27T07:36:24.203+00:00

In that case what would be the best way to force this registry value?

I tried to use configuration profiles (Settings catalog) but i dont see any option in there where i can deep dive to change the value of this exact registry key
Lu Dai-MSFT 28,496 Reputation points

2022-04-27T08:27:46.207+00:00

@hyugai Based on my research, I find that a setting "Turn off encryption support" in Administrative Templates. For more details, please read the following article:
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disableencryptionsupport

Hope it is what you want.

Answer 2

Limitless Technology 39,921

Hello Hyugai,

The main idea would be to educate the users to not delete those registry keys, or to not interact with the registry unless there is a clear purpose and requirement. By default, Windows is not expected to recreate registry keys, as this could interfere with actual wanted changes in the systems done by administrators.

However, in the next article, there is an Easy Fix that will recreate this configurations, and in case needed, could be mapped as a "Run Once" or "Run at Login" to ensure that the settings are permanent:

https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392

--If the reply is helpful, please Upvote and Accept as answer--

hyugai 31 Reputation points

2022-04-28T17:31:31.237+00:00

Thank you for your reply LimitlessTechnology-2700.
The article you provide is for Windows 7 and Windows Server 2012. WIll Microsoft have any plan to roll out similar updates for Windows 10?

Answer 3

Navdeep Khaira 1

Hi Thanks for the script. The only issue I ran into is with the following. I coppied the line below from your code. The hyphen in front of the "value" works but the endash infront of Type doesn't. Not sure if you had it for purpose but thought I raise it with you.

-value '0' –Type 'DWORD'

Regards
Nav

Share via

Disabling TLS 1.0 using Powershell in Intune

3 answers

Your answer