PowerShell Script to Enable TLS 1.2 for Server and Client in the Registry

What the Script Does:

1. Enable TLS 1.2 for the Server Side

  • The script first defines the registry path for TLS 1.2 on the server side (HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server).
  • It checks if this registry key exists using Test-Path. If the key doesn’t exist, it creates the key using New-Item.
  • Two registry values are set:
    • Enabled: Set to 1, meaning that TLS 1.2 is enabled for the server.
    • DisabledByDefault: Set to 0, meaning that TLS 1.2 is not disabled by default.

2. Enable TLS 1.2 for the Client Side

  • The script follows the same steps for enabling TLS 1.2 on the client side by working with the registry key located at HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client.
  • Just like the server settings, it ensures that TLS 1.2 is enabled for the client by setting:
    • Enabled: Set to 1, which enables TLS 1.2.
    • DisabledByDefault: Set to 0, which prevents it from being disabled by default.

3. Enable Strong Cryptography for .NET Framework

  • The next part of the script enables strong cryptography for the .NET Framework. This is important because many applications that use .NET need this setting to ensure that TLS 1.2 is used by default.
  • The script updates two separate registry paths:
    1. For 64-bit systems: The key is located at HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
    2. For 32-bit applications running on 64-bit Windows: The key is located in the WOW6432Node view at HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319.
  • Two values are set in each registry path:
    • SchUseStrongCrypto: Set to 1, enabling strong cryptography in .NET Framework (ensuring that TLS 1.2 and strong ciphers are used).
    • SystemDefaultTlsVersions: Set to 1, so that .NET applications defer protocol selection to the operating system (SCHANNEL) settings, which now include TLS 1.2.

4. Output Confirmation

  • Finally, the script outputs a message to the console, confirming that TLS 1.2 and strong cryptography settings have been enabled.

Explanation of Registry Values:

  • Enabled: A value of 1 means that the protocol (TLS 1.2) is enabled.
  • DisabledByDefault: A value of 0 means that the protocol is not disabled by default, so it will be active.
  • SchUseStrongCrypto: A value of 1 ensures that .NET uses strong cryptography, including TLS 1.2 and stronger ciphers.
  • SystemDefaultTlsVersions: A value of 1 ensures that the .NET Framework uses the system’s default TLS version (which will now include TLS 1.2 if enabled).

The Script:

# Enable TLS 1.2 for Server and Client in the registry
# All keys live under HKLM, so this must run from an elevated (Administrator) PowerShell session.
#Requires -RunAsAdministrator

# Stop on the first registry error instead of continuing with a half-applied configuration
$ErrorActionPreference = 'Stop'

# Define the registry path for TLS 1.2 Server settings
$TLS12ServerKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"

# Create the Server key if it doesn't exist (Out-Null suppresses the key object New-Item returns)
If (-Not (Test-Path $TLS12ServerKey)) {
    New-Item -Path $TLS12ServerKey -Force | Out-Null
}

# Set 'Enabled' to 1 (which means TLS 1.2 is enabled)
Set-ItemProperty -Path $TLS12ServerKey -Name "Enabled" -Value 1 -Type DWord

# Set 'DisabledByDefault' to 0 (which means TLS 1.2 is not disabled by default)
Set-ItemProperty -Path $TLS12ServerKey -Name "DisabledByDefault" -Value 0 -Type DWord


# Define the registry path for TLS 1.2 Client settings
$TLS12ClientKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Create the Client key if it doesn't exist
If (-Not (Test-Path $TLS12ClientKey)) {
    New-Item -Path $TLS12ClientKey -Force | Out-Null
}

# Set 'Enabled' to 1 (enable TLS 1.2 for Client)
Set-ItemProperty -Path $TLS12ClientKey -Name "Enabled" -Value 1 -Type DWord

# Set 'DisabledByDefault' to 0 (don't disable TLS 1.2 for Client by default)
Set-ItemProperty -Path $TLS12ClientKey -Name "DisabledByDefault" -Value 0 -Type DWord


# Enable strong cryptography for .NET Framework

# Define the registry path for .NET Framework 4.x (native view)
$netFrameworkKey64 = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"

# The key is created by the .NET Framework installer; create it only if it is missing
If (-Not (Test-Path $netFrameworkKey64)) {
    New-Item -Path $netFrameworkKey64 -Force | Out-Null
}

# Set strong cryptography in .NET Framework by setting 'SchUseStrongCrypto' to 1
Set-ItemProperty -Path $netFrameworkKey64 -Name "SchUseStrongCrypto" -Value 1 -Type DWord

# Ensure .NET Framework uses the system's default TLS version by setting 'SystemDefaultTlsVersions' to 1
Set-ItemProperty -Path $netFrameworkKey64 -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord


# Define the registry path for 32-bit .NET applications on 64-bit Windows (WOW6432Node view)
$netFrameworkKey32 = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"

# WOW6432Node only exists on 64-bit Windows; skip this section on a 32-bit OS instead of failing
If (Test-Path "HKLM:\SOFTWARE\WOW6432Node") {
    If (-Not (Test-Path $netFrameworkKey32)) {
        New-Item -Path $netFrameworkKey32 -Force | Out-Null
    }

    # Set strong cryptography in .NET Framework by setting 'SchUseStrongCrypto' to 1
    Set-ItemProperty -Path $netFrameworkKey32 -Name "SchUseStrongCrypto" -Value 1 -Type DWord

    # Ensure .NET Framework uses the system's default TLS version by setting 'SystemDefaultTlsVersions' to 1
    Set-ItemProperty -Path $netFrameworkKey32 -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
}


# Output confirmation message to the console (SCHANNEL reads these values at boot, so a restart is required)
Write-Host "TLS 1.2 and strong cryptography for .NET Framework have been enabled. Restart the system for the SCHANNEL changes to take effect."

Conclusion:

This script ensures that TLS 1.2 is enabled for both the client and server roles in Windows and configures the .NET Framework to use strong cryptography and the system’s default TLS versions. After running the script and restarting the system (SCHANNEL reads these values at boot), TLS 1.2 should be fully enabled and available for use by applications and services on the system. Note that enabling TLS 1.2 does not by itself disable older protocols such as SSL 3.0, TLS 1.0 and TLS 1.1; those are controlled by their own keys under the same Protocols path and must be disabled separately if that is the goal.
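To confirm the result before and after the restart, the following verification script (added here as an example; it is not part of the author's script) reads back the same registry values the script writes and reports, per value, whether it matches the expected state. It makes no changes; the function name Test-Tls12Registry and the output format are this example's own choices.

```powershell
# Added verification example: reads the values the enabling script writes and
# reports OK / Mismatch / Missing for each one. Read-only; run as Administrator.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$dotnet32 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'

# Expected name/value pairs, exactly as the enabling script sets them
$expected = @(
    @{ Path = "$schannel\Server"; Name = 'Enabled';                  Value = 1 }
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault';        Value = 0 }
    @{ Path = "$schannel\Client"; Name = 'Enabled';                  Value = 1 }
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault';        Value = 0 }
    @{ Path = $dotnet;            Name = 'SchUseStrongCrypto';       Value = 1 }
    @{ Path = $dotnet;            Name = 'SystemDefaultTlsVersions'; Value = 1 }
    @{ Path = $dotnet32;          Name = 'SchUseStrongCrypto';       Value = 1 }   # 64-bit Windows only
    @{ Path = $dotnet32;          Name = 'SystemDefaultTlsVersions'; Value = 1 }   # 64-bit Windows only
)

function Test-Tls12Registry {
    foreach ($e in $expected) {
        $actual = $null
        if (Test-Path $e.Path) {
            # A missing value is returned as $null. For SCHANNEL that means the
            # operating system default applies, which is not the same as "disabled".
            $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        $state = if ($null -eq $actual)      { 'Missing (OS default applies)' }
                 elseif ($actual -eq $e.Value) { 'OK' }
                 else                          { 'Mismatch' }
        [PSCustomObject]@{
            Key      = $e.Path.Replace('HKLM:\', '')
            Name     = $e.Name
            Expected = $e.Value
            Actual   = $actual
            State    = $state
        }
    }
}

$results = Test-Tls12Registry
$results | Format-Table -AutoSize

# Any value that is not explicitly pinned is flagged so the drift is visible, e.g. after an image rebuild
if ($results.State -ne 'OK') {
    Write-Warning 'Not every TLS 1.2 / .NET value is set as the enabling script expects; review the table above.'
}
```

A row reporting Missing (OS default applies) is not necessarily insecure, since newer Windows versions enable TLS 1.2 without these values, but it does mean the setting is not pinned and may differ between hosts.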

Junaid Ahmed

Junaid Ahmed is a Cloud Infrastructure and Identity Management expert with 10+ years of experience specializing in Azure Entra ID, ADFS, Hybrid Identity, and Azure Infrastructure Management. He has a proven track record of leading secure identity solutions, deploying high-value security projects, and troubleshooting complex Azure issues for global clients. Junaid excels in enhancing system performance, facilitating seamless collaboration across organizations, and delivering expert guidance on cloud migrations and infrastructure optimization. He seeks to leverage his expertise in a challenging Cloud Solution Architect role to drive success through innovative cloud solutions.
