PowerShell Script to Check TLS 1.2 and .NET Framework Version

This PowerShell script allows you to check if TLS 1.2 is enabled on both the client and server, and also verifies that strong cryptography is enabled for the .NET Framework. Additionally, the script checks for the latest installed .NET Framework version on the system.

Script Overview:

  • It retrieves the TLS 1.2 settings from the Windows Registry.
  • It checks and displays the values related to SystemDefaultTlsVersions and SchUseStrongCrypto for .NET Framework.
  • It verifies if TLS 1.2 is enabled for both the Server and Client under the SCHANNEL Protocols.
  • It identifies the latest installed .NET Framework version based on the system’s registry.

PowerShell Script:

# Define registry paths for .NET Framework 32-bit and 64-bit settings
$netRegKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)

# Define values to check for strong cryptography and TLS default versions
$netRegValues = @('SystemDefaultTlsVersions', 'SchUseStrongCrypto')

# Collect registry values for .NET Framework settings
$regSettings = @()
foreach ($regKey in $netRegKeys) {
    foreach ($regValue in $netRegValues) {
        try {
            $regItem = Get-ItemProperty -Path $regKey -Name $regValue -ErrorAction Stop
            $regSettings += [PSCustomObject]@{
                Path  = $regKey
                Name  = $regValue
                Value = $regItem.$regValue
            }
        } catch {
            # Key or value missing: record it instead of aborting the run
            $regSettings += [PSCustomObject]@{
                Path  = $regKey
                Name  = $regValue
                Value = "Not Found"
            }
        }
    }
}

# Define registry paths for TLS 1.2 settings (Server and Client)
$schannelRegKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
)

# Define values for TLS 1.2 protocol status
$schannelRegValues = @('Enabled', 'DisabledByDefault')

# Collect registry values for TLS 1.2 settings
foreach ($regKey in $schannelRegKeys) {
    foreach ($regValue in $schannelRegValues) {
        try {
            $regItem = Get-ItemProperty -Path $regKey -Name $regValue -ErrorAction Stop
            $regSettings += [PSCustomObject]@{
                Path  = $regKey
                Name  = $regValue
                Value = $regItem.$regValue
            }
        } catch {
            $regSettings += [PSCustomObject]@{
                Path  = $regKey
                Name  = $regValue
                Value = "Not Found"
            }
        }
    }
}

# Display the TLS and .NET cryptography settings
$regSettings | Format-Table -AutoSize

# Check the latest installed .NET Framework version
$regPath = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full"
try {
    $dotNetVersion = Get-ItemProperty -Path $regPath -Name Release -ErrorAction Stop
    $release = $dotNetVersion.Release

    # .NET Framework version mapping based on the Release value
    $versionMap = @{
        528040 = '4.8'
        461808 = '4.7.2'
        461308 = '4.7.1'
        460798 = '4.7'
        394802 = '4.6.2'
        394254 = '4.6.1'
        393295 = '4.6'
    }

    # Find the highest mapped Release that is not above the installed one.
    # Note: "-or" in PowerShell yields a boolean, so it cannot be used as a
    # null-coalescing fallback; an explicit if/else is needed here.
    $latestVersion = $versionMap.Keys | Sort-Object -Descending | Where-Object { $_ -le $release } | Select-Object -First 1
    if ($null -ne $latestVersion) {
        $dotNetFrameworkVersion = $versionMap[$latestVersion]
    } else {
        $dotNetFrameworkVersion = "Unknown Version (Release: $release)"
    }
} catch {
    $dotNetFrameworkVersion = "Not Found"
}

# Display the latest .NET Framework version
Write-Host "`nLatest Installed .NET Framework Version: $dotNetFrameworkVersion"

Explanation of the Script:

1. Retrieve .NET Framework Registry Settings:

  • The script reads the SystemDefaultTlsVersions and SchUseStrongCrypto registry values to verify whether .NET applications use strong cryptography and follow the operating system's default TLS versions.
  • It performs this check for both the 32-bit and the 64-bit .NET Framework registry hives by looking at:
    • HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 (32-bit applications on 64-bit Windows)
    • HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 (64-bit applications)

2. Check TLS 1.2 Settings for Client and Server:

  • The script checks if TLS 1.2 is enabled for both Server and Client using the following registry paths:
    • HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    • HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
  • It reads the Enabled and DisabledByDefault values; TLS 1.2 is enabled when Enabled = 1 and DisabledByDefault = 0. A value reported as Not Found means no explicit setting exists and the OS default applies, which on Windows 8.1 / Windows Server 2012 R2 and later leaves TLS 1.2 enabled.
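The script above lists the raw values; the following added example (not part of the original script) interprets them for steps 1 and 2, treating a missing SCHANNEL value as the OS default. It assumes Windows 8.1 / Server 2012 R2 or later; the function names Get-RegistryDword, Test-Tls12Protocol and Test-DotNetStrongCrypto are hypothetical.

```powershell
# Added example, not part of the original script: interpret the values instead of
# only listing them. Assumes Windows 8.1 / Server 2012 R2 or later, where a missing
# SCHANNEL value means the OS default (TLS 1.2 enabled) applies.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-Tls12Protocol {
    # Returns $true when TLS 1.2 is effectively on for the given side.
    param([ValidateSet('Client', 'Server')][string]$Side)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$Side"
    $enabled = Get-RegistryDword -Path $key -Name 'Enabled'
    $disabledByDefault = Get-RegistryDword -Path $key -Name 'DisabledByDefault'
    # Enabled = 0 is an explicit off switch; absent or non-zero leaves the protocol on.
    $isEnabled = ($null -eq $enabled) -or ($enabled -ne 0)
    # DisabledByDefault = 1 hides the protocol unless an application opts in explicitly.
    $isDefault = ($null -eq $disabledByDefault) -or ($disabledByDefault -eq 0)
    return ($isEnabled -and $isDefault)
}

function Test-DotNetStrongCrypto {
    # One object per .NET hive. Microsoft's hardening guidance sets both flags to 1
    # so that applications targeting .NET 4.5.x stop defaulting to TLS 1.0 and
    # follow the operating system's protocol settings instead.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($hive in $hives) {
        $strong = Get-RegistryDword -Path $hive -Name 'SchUseStrongCrypto'
        $sysDefault = Get-RegistryDword -Path $hive -Name 'SystemDefaultTlsVersions'
        [PSCustomObject]@{
            Hive                     = $hive
            SchUseStrongCrypto       = $strong
            SystemDefaultTlsVersions = $sysDefault
            Compliant                = ($strong -eq 1) -and ($sysDefault -eq 1)
        }
    }
}

[PSCustomObject]@{
    Tls12Client = Test-Tls12Protocol -Side 'Client'
    Tls12Server = Test-Tls12Protocol -Side 'Server'
} | Format-List
Test-DotNetStrongCrypto | Format-Table -AutoSize
```

A Compliant value of False for a hive with both flags absent does not by itself mean TLS 1.2 is unavailable; it means applications built against older .NET targets may still negotiate TLS 1.0 until the flags are set.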

3. Check the Latest Installed .NET Framework Version:

  • The script retrieves the Release value from the registry under the path:
    • HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
  • Based on the Release value, it maps it to a known .NET Framework version. For example, a release value of 528040 corresponds to .NET Framework 4.8.

How to Use the Script:

  1. Copy the entire script and paste it into a PowerShell window or save it as a .ps1 file.
  2. Run the script as an administrator to ensure it has permission to access the registry.
  3. The output will show the status of the TLS 1.2 and .NET Framework cryptography settings, and the latest installed .NET Framework version.

This script is helpful when verifying whether TLS 1.2 and strong cryptography are enabled in your system and ensuring that the latest .NET Framework version is installed.

Junaid Ahmed

Junaid Ahmed is a Cloud Infrastructure and Identity Management expert with 10+ years of experience specializing in Azure Entra ID, ADFS, Hybrid Identity, and Azure Infrastructure Management. He has a proven track record of leading secure identity solutions, deploying high-value security projects, and troubleshooting complex Azure issues for global clients. Junaid excels in enhancing system performance, facilitating seamless collaboration across organizations, and delivering expert guidance on cloud migrations and infrastructure optimization. He seeks to leverage his expertise in a challenging Cloud Solution Architect role to drive success through innovative cloud solutions.
