Systems Management Question


Is there a way to turn off TLS 1.0 on all devices via SMA?

08/03/2020 116 views

Is there a way to turn off TLS 1.0 on all devices via SMA?

Comments

  • You can use a PowerShell script to disable TLS 1.0. Perhaps the script on this page works for you after you modify it.

    https://stackoverflow.com/questions/55914397/enable-tls-and-disable-ssl-via-powershell-script
    • This should work, or the OP can use the SMA directly by creating a new Script that's for Windows machines. Then go in and create tasks to modify the registry as the post you provided gives. One benefit of this is getting results/feedback on success or failure for each iteration. Of course, could also split to multiple batch scripts and accomplish the same thing, so half a dozen either way.

All Answers

0

In the SMA, go to Scripting -> Scripts -> Choose Action -> New

Fill in the fields and be sure to select Windows for the Operating System.  Also limit the devices to the scope you'd like to target.

Click "New Task" and under Verify, click "Add" and select Verify a registry value is not...

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Name: DisabledByDefault
Not Equal To: 1

Once you do that, click Add again under Verify (repeat this until you've created "Verify a registry value is not..." for all the below):

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Name: Enabled
Not Equal To: 0

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
Name: DisabledByDefault
Not Equal To: 1

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
Name: Enabled
Not Equal To: 0

So the above makes sure that this wasn't already done to save the effort from trying to modify the registry twice.

Next, you will want to go under Remediation and click Add.  Select "Set a registry value..."

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Name: DisabledByDefault
Type: REG_DWORD
Data: 1

As with the Verify, you need to repeat this process for all the below:

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Name: Enabled
Type: REG_DWORD
Data: 0

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
Name: DisabledByDefault
Type: REG_DWORD
Data: 1

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
Name: Enabled
Type: REG_DWORD
Data: 0

You can save the task or elect to "Run Now."

Answered 08/07/2020 by: RyanTech
Senior Yellow Belt
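
The check-then-set procedure from the answer above, written as one PowerShell script that reports a result per registry value. This is an added example, not part of the original answer or Quest's own code; the `-AuditOnly` switch and the status labels are assumptions made for illustration, and the script must run elevated.

```powershell
# Added example: audit and remediate the four SCHANNEL TLS 1.0 values listed in the answer.
# -AuditOnly is a hypothetical switch name: report state without writing to the registry.
[CmdletBinding()]
param([switch]$AuditOnly)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0'

# Desired state, taken from the Remediation steps in the answer.
$desired = foreach ($role in 'Server', 'Client') {
    [pscustomobject]@{ Path = "$base\$role"; Name = 'DisabledByDefault'; Data = 1 }
    [pscustomobject]@{ Path = "$base\$role"; Name = 'Enabled';           Data = 0 }
}

$results = foreach ($item in $desired) {
    # A missing key or value reads as $null, which counts as non-compliant.
    $current = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
    $status  = if ($current -eq $item.Data) { 'Compliant' } else { 'NonCompliant' }

    if ($status -eq 'NonCompliant' -and -not $AuditOnly) {
        try {
            # The Protocols\TLS 1.0\<role> key often does not exist yet; create it first.
            if (-not (Test-Path -Path $item.Path)) {
                New-Item -Path $item.Path -Force -ErrorAction Stop | Out-Null
            }
            New-ItemProperty -Path $item.Path -Name $item.Name -PropertyType DWord `
                -Value $item.Data -Force -ErrorAction Stop | Out-Null
            $status = 'Remediated'
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ Key = $item.Path; Name = $item.Name; Was = $current; Want = $item.Data; Status = $status }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any value is still not in the desired state.
if ($results | Where-Object { $_.Status -like 'Failed*' -or $_.Status -eq 'NonCompliant' }) { exit 1 }
exit 0
```

Schannel protocol settings take effect after a restart, so schedule a reboot before testing that TLS 1.0 connections are refused.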
