How to disable TLS 1.0 and TLS 1.1 using Powershell on Windows 11

Transport Layer Security (TLS): the TLS protocol provides privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols, but because the SSL protocols do not provide a sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 was released in 2008 and TLS 1.3 was released in 2018.

Most companies and internet browsers are now moving to TLS 1.2, which has better security algorithms than TLS 1.0 and TLS 1.1. TLS is more secure than SSL. Mozilla Firefox, Google Chrome, Apple and Microsoft are all ending support for TLS 1.0/1.1 in 2020, so it's better to plan ahead, test all applications and create policies to disable TLS 1.0 and TLS 1.1 on Windows machines.

If you are interested in learning more about these protocols, the differences between them and their security improvements, you can check the protocol RFCs (Requests for Comments): TLS 1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC.


Disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 using Powershell

We can easily disable TLS 1.0 and TLS 1.1 using PowerShell. However, it's recommended to disable SSL 2.0 and SSL 3.0 as well. We will use the PowerShell code below to create the registry keys and registry entries. Once the registry keys are created, a reboot of the device is required to complete the change.

Please note that the PowerShell code below needs to be run as an administrator because it makes changes to the Windows registry.

To run the PowerShell code on a Windows 11 computer, use the steps below:

  • Log in to a Windows 11 PC as administrator.
  • Open a PowerShell console as an administrator.
  • Run the PowerShell code below to enable / disable the SSL / TLS protocols.

Powershell code to disable SSL 2.0

# Create the SSL 2.0 Client and Server keys, then mark the protocol disabled for both roles.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'


Powershell code to disable SSL 3.0

# Create the SSL 3.0 Client and Server keys, then mark the protocol disabled for both roles.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'


Powershell code to disable TLS 1.0

# Create the TLS 1.0 Client and Server keys, then mark the protocol disabled for both roles.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'


Powershell code to disable TLS 1.1

# Create the TLS 1.1 Client and Server keys, then mark the protocol disabled for both roles.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'


Powershell code to Enable TLS 1.2

# Create the TLS 1.2 Client and Server keys, then mark the protocol enabled for both roles.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled'           -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled'           -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -Type 'DWORD'


Powershell code to Enable TLS 1.3

# Create the TLS 1.3 Client and Server keys, then mark the protocol enabled for both roles.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Name 'Enabled'           -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Name 'DisabledByDefault' -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Name 'Enabled'           -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Name 'DisabledByDefault' -Value '0' -Type 'DWORD'


How to verify if TLS 1.0 and TLS 1.1 have been disabled on Windows 11

Follow the steps below to verify whether the SSL / TLS protocols are disabled or enabled.

  1. Login on Windows 11 PC as an administrator.
  2. Click on Windows Icon / Start Menu -> Search for Registry Editor.
  3. Launch Registry Editor.
  4. Browse to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols

You should find below registry keys / registry entries:


Registry Keys to check if SSL 2.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001


Registry Keys to check if SSL 3.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001


Registry Keys to check if TLS 1.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000001


Registry Keys to check if TLS 1.1 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000001


Registry Keys to check if TLS 1.2 is Enabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000


Registry Keys to check if TLS 1.3 is Enabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "DisabledByDefault"=dword:00000000
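
The same check can be scripted instead of browsing Registry Editor. The following is an added example, not code from the original post: it reads the Enabled and DisabledByDefault entries for every protocol and role and compares them with the values the scripts above write. The function names and the $Baseline table are illustrative.

```powershell
# Added example (not from the original post): audit the SCHANNEL protocol keys
# against the baseline the post applies. Function names are illustrative.
$Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Baseline from the post: $false = protocol disabled, $true = protocol enabled.
$Baseline = [ordered]@{
    'SSL 2.0' = $false; 'SSL 3.0' = $false
    'TLS 1.0' = $false; 'TLS 1.1' = $false
    'TLS 1.2' = $true;  'TLS 1.3' = $true
}

# Return a registry value, or $null when the key or the value does not exist.
function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role
    )
    $key     = "$Root\$Protocol\$Role"
    $enabled = Get-DwordOrNull -Path $key -Name 'Enabled'
    $dbd     = Get-DwordOrNull -Path $key -Name 'DisabledByDefault'

    # Missing entries are reported separately: the scripts above always write both.
    if ($null -eq $enabled -and $null -eq $dbd) {
        $state = 'NotConfigured'
    } elseif ($null -eq $enabled -or $null -eq $dbd) {
        $state = 'Partial'
    } elseif ($enabled -eq 0) {
        $state = 'Disabled'
    } elseif ($dbd -ne 0) {
        $state = 'DisabledByDefault'
    } else {
        $state = 'Enabled'
    }

    # Compliant means both entries match what the post sets for this protocol.
    $wantEnabled = $Baseline[$Protocol]
    $compliant = if ($wantEnabled) { $state -eq 'Enabled' } else { $state -eq 'Disabled' -and $dbd -ne 0 }

    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $dbd
        State             = $state
        Compliant         = $compliant
    }
}

# Build the report for every protocol and role, then flag any drift.
$report = foreach ($protocol in $Baseline.Keys) {
    foreach ($role in 'Client', 'Server') {
        Get-SchannelProtocolState -Protocol $protocol -Role $role
    }
}
$report | Format-Table -AutoSize

$drift = @($report | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) protocol/role entries differ from the baseline."
}
```

The report reflects what is stored in the registry; as noted above, values written since the last reboot are not in effect until the device restarts.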


Conclusion

In this blog post, we have covered the PowerShell code to disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1, and the PowerShell code to enable TLS 1.2 and TLS 1.3. It's highly recommended to disable old unsupported protocols to reduce the security risk on your computer.

Source :
https://techpress.net/how-to-disable-tls-1-0-and-tls-1-1-using-powershell-on-windows-11/

How to disable TLS 1.0 and TLS 1.1 using Powershell on Windows 10

Transport Layer Security (TLS): the TLS protocol provides privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols, but because the SSL protocols do not provide a sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 was released in 2008 and TLS 1.3 was released in 2018.

Most companies and internet browsers are now moving to TLS 1.2, which has better security algorithms than TLS 1.0 and TLS 1.1. TLS is more secure than SSL. Mozilla Firefox, Google Chrome, Apple and Microsoft are all ending support for TLS 1.0/1.1 in 2020, so it's better to plan ahead, test all applications and create policies to disable TLS 1.0 and TLS 1.1 on Windows machines.

If you are interested in learning more about these protocols, the differences between them and their security improvements, you can check the protocol RFCs (Requests for Comments): TLS 1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC.


Disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 using Powershell

We can easily disable TLS 1.0 and TLS 1.1 using PowerShell. However, it's recommended to disable SSL 2.0 and SSL 3.0 as well. We will use the PowerShell code below to create the registry keys and registry entries. Once the registry keys are created, a reboot of the device is required to complete the change.

Please note that the PowerShell code below needs to be run as an administrator because it makes changes to the Windows registry.

To run the PowerShell code on a Windows 10 computer, use the steps below:

  • Log in to a Windows 10 PC as administrator.
  • Open a PowerShell console as an administrator.
  • Run the PowerShell code below to enable / disable the SSL / TLS protocols.

Powershell code to disable SSL 2.0

# Create the SSL 2.0 Client and Server keys, then mark the protocol disabled for both roles.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'


Powershell code to disable SSL 3.0

# Create the SSL 3.0 Client and Server keys, then mark the protocol disabled for both roles.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'


Powershell code to disable TLS 1.0

# Create the TLS 1.0 Client and Server keys, then mark the protocol disabled for both roles.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'


Powershell code to disable TLS 1.1

# Create the TLS 1.1 Client and Server keys, then mark the protocol disabled for both roles.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled'           -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault' -Value '1' -Type 'DWORD'


Powershell code to Enable TLS 1.2

# Create the TLS 1.2 Client and Server keys, then mark the protocol enabled for both roles.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled'           -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled'           -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -Type 'DWORD'


Powershell code to Enable TLS 1.3

# Create the TLS 1.3 Client and Server keys, then mark the protocol enabled for both roles.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Name 'Enabled'           -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Name 'DisabledByDefault' -Value '0' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Name 'Enabled'           -Value '1' -Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Name 'DisabledByDefault' -Value '0' -Type 'DWORD'


How to verify if TLS 1.0 and TLS 1.1 have been disabled on Windows 10

Follow the steps below to verify whether the SSL / TLS protocols are disabled or enabled.

  1. Login on Windows 10 PC as an administrator.
  2. Click on Windows Icon / Start Menu -> Search for Registry Editor.
  3. Launch Registry Editor.
  4. Browse to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols

You should find below registry keys / registry entries:


Registry Keys to check if SSL 2.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001


Registry Keys to check if SSL 3.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001


Registry Keys to check if TLS 1.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000001


Registry Keys to check if TLS 1.1 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000001


Registry Keys to check if TLS 1.2 is Enabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000


Registry Keys to check if TLS 1.3 is Enabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "DisabledByDefault"=dword:00000000


Conclusion

In this blog post, we have covered the PowerShell code to disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1, and the PowerShell code to enable TLS 1.2 and TLS 1.3. It's highly recommended to disable old unsupported protocols to reduce the security risk on your computer.

Source :
https://techpress.net/how-to-disable-tls-1-0-and-tls-1-1-using-powershell-on-windows-10/

Disable Modern Standby in Windows 10

There are two power models in Windows 10: S3 and S0 Low Power Idle (Modern Standby). Modern Standby in Windows 10 provides an instant on/off experience like smartphones.

Modern Standby enables the S0 low power idle power plan, which keeps your laptop or desktop in the lowest power mode and also allows apps to receive the latest content such as incoming email, VoIP calls, Windows updates etc.

The system enters Modern Standby when the user takes any of the actions below:

  • Presses the system power button.
  • Closes the lid of the laptop / desktop / tablet.
  • Selects Sleep from the power button from the Windows Start menu.
  • Waits for the system to idle and enter sleep automatically, according to the Power and sleep settings.

The amount of battery saving in Modern Standby is calculated by knowing how much time the system was in DRIPS (Deepest run-time idle platform state). DRIPS occurs when the system is consuming the lowest amount of power possible. If any background task (such as receiving email, Windows Update etc.) consumes power, the system is not considered to be in DRIPS.

Total Modern Standby session time = DRIPS time + non-DRIPS time

How to disable Modern Standby in Windows 10

There could be a scenario where you do not want Modern Standby enabled on Windows 10 and want to use another available and supported power plan, for example S3. In that case, you can disable Modern Standby by following the steps below. These steps change the system registry, which requires administrator rights.

  1. Log in to the Windows 10 device.
  2. Click on Start and search for Registry Editor.
  3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power
  4. Right-click in the right-hand pane and click New -> DWORD (32-bit) Value.
  5. Name the registry entry PlatformAoAcOverride and set its value to 0.
  6. As this registry change is in HKEY_LOCAL_MACHINE, a restart of the PC is required.

Disable Modern Standby on Windows 10 using Command line

In the previous section we saw how to disable Modern Standby using the GUI of Registry Editor. If you prefer not to use the GUI and want a command to disable Modern Standby, follow the steps below:

  1. Login on Windows 10 device.
  2. Go to Start and search for Command prompt.
  3. Right-click on Command prompt and click Run as administrator.
  4. Type below command and press enter.
  5. After this command is executed successfully, Restart your device.

reg add HKLM\System\CurrentControlSet\Control\Power /v PlatformAoAcOverride /t REG_DWORD /d 0


How to check If Modern Standby is supported in Windows 10

Not all devices support Modern Standby, but the number of systems that support it is increasing. I have been using a Microsoft Surface Pro 4 laptop, which supports Modern Standby. Here's how you can check if your device supports Modern Standby.

  1. Login on Windows 10 device.
  2. Click on Start and search for Command Prompt.
  3. Launch Command Prompt.
  4. Type command powercfg -a to check if Modern standby is supported.

Powercfg -a lists the sleep states available on your computer.

In the screenshot below, you can see that this Windows 10 device is in the Standby (S0 Low Power Idle) Network Connected state, which means that Modern Standby is supported and enabled on this device.

If you run the powercfg -a command on your system and it shows that S0 Low Power Idle is not supported, this could be a limitation of the system's hardware. There is nothing you can do to enable it. The alternative is to keep using Standby S3 or any other supported power plan.

powercfg -a to check if modern standby is supported

Modern Standby (S0 Low power idle) can be in Network Connected mode or Network Disconnected mode.

  • Standby (S0 Low Power Idle) Network Connected: Modern Standby with network connectivity in sleep mode.
  • Standby (S0 Low Power Idle) Network Disconnected: Modern Standby without network connectivity while in sleep mode; the system spends most of the time in DRIPS.
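
The check above can be scripted together with the PlatformAoAcOverride entry from the earlier section. This is an added example, not code from the original post: the function names are illustrative, the sample text is constructed, and the parser assumes English-language powercfg output.

```powershell
# Added example (not from the original post). Assumes English-language powercfg output.
# Constructed sample of `powercfg -a` output so the parser can be tried offline.
$Sample = @'
The following sleep states are available on this system:
    Standby (S0 Low Power Idle) Network Connected
    Hibernate

The following sleep states are not available on this system:
    Standby (S3)
        This standby state is disabled when S0 low power idle is supported.
'@

# Read PlatformAoAcOverride; returns $null when the entry does not exist.
function Get-PlatformAoAcOverride {
    $item = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties['PlatformAoAcOverride']
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

function Get-ModernStandbyStatus {
    param([string[]]$PowercfgOutput, $Override)

    # Track which section a line belongs to: "S0 low power idle" can also appear
    # in the explanation text under the "not available" heading.
    $section = ''
    $s0Line  = $null
    foreach ($line in $PowercfgOutput) {
        if ($line -match 'sleep states are available') {
            $section = 'Available'
        } elseif ($line -match 'sleep states are not available') {
            $section = 'Unavailable'
        } elseif ($section -eq 'Available' -and $line -match 'S0 Low Power Idle') {
            $s0Line = $line.Trim()
        }
    }

    $mode = if ($s0Line -match 'Network (Connected|Disconnected)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        ModernStandbyActive = ($null -ne $s0Line)
        NetworkMode         = $mode
        OverrideValue       = $Override
        # Override written as 0 but S0 still listed: the restart has not happened yet.
        RestartPending      = ($null -ne $Override -and $Override -eq 0 -and $null -ne $s0Line)
    }
}

# Parse the constructed sample (no override entry present).
Get-ModernStandbyStatus -PowercfgOutput ($Sample -split "\r?\n") -Override $null

# On a live system:
# Get-ModernStandbyStatus -PowercfgOutput (powercfg -a) -Override (Get-PlatformAoAcOverride)
```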

FAQs on Modern Standby

Below are some of the frequently asked questions on Modern Standby:

1. Which versions of Windows support Modern Standby?

Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 11 Operating system.

2. How to re-enable Modern Standby after creating the PlatformAoAcOverride reg entry?

If your device supports Modern Standby and you have created the PlatformAoAcOverride reg entry under the HKLM\System\CurrentControlSet\Control\Power reg key, simply delete this registry entry and restart your device to enable Modern Standby again.

You can delete the PlatformAoAcOverride registry entry manually using Registry Editor, or launch a PowerShell console as an administrator and run the command below to delete it.

Remove-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Power' -Name PlatformAoAcOverride

3. Does my computer support Modern Standby?

You can easily check this by running the command powercfg -a in the command prompt. If it says Standby (S0 Low Power Idle) Network Connected or Standby (S0 Low Power Idle) Network Disconnected, then Modern Standby is supported and enabled.

4. How to identify and diagnose issues during a Modern Standby session?

You can identify and diagnose any issues related to Modern Standby by running the powercfg /sleepstudy command in an elevated command prompt. You can then analyse the report, which is generated and saved at C:\WINDOWS\system32\sleepstudy-report.html.

Please make sure to open the command prompt as an administrator and then run powercfg /sleepstudy

powercfg /sleepstudy

5. How to find all the switches of the powercfg command?

To check the switches of the powercfg command, you can run powercfg /? in the command prompt. This lists all available options with detailed information. I have run this command on my device; it lists all the switches that can be used with the powercfg command:

powercfg /?

C:\WINDOWS\system32>powercfg /?

POWERCFG /COMMAND [ARGUMENTS]

Description:
  Enables users to control power settings on a local system.

  For detailed command and option information, run "POWERCFG /? <COMMAND>"

Command List:
  /LIST, /L          Lists all power schemes.

  /QUERY, /Q         Displays the contents of a power scheme.

  /CHANGE, /X        Modifies a setting value in the current power scheme.

  /CHANGENAME        Modifies the name and description of a power scheme.

  /DUPLICATESCHEME   Duplicates a power scheme.

  /DELETE, /D        Deletes a power scheme.

  /DELETESETTING     Deletes a power setting.

  /SETACTIVE, /S     Makes a power scheme active on the system.

  /GETACTIVESCHEME   Retrieves the currently active power scheme.

  /SETACVALUEINDEX   Sets the value associated with a power setting
                     while the system is powered by AC power.

  /SETDCVALUEINDEX   Sets the value associated with a power setting
                     while the system is powered by DC power.

  /IMPORT            Imports all power settings from a file.

  /EXPORT            Exports a power scheme to a file.

  /ALIASES           Displays all aliases and their corresponding GUIDs.

  /GETSECURITYDESCRIPTOR
                     Gets a security descriptor associated with a specified
                     power setting, power scheme, or action.

  /SETSECURITYDESCRIPTOR
                     Sets a security descriptor associated with a
                     power setting, power scheme, or action.

  /HIBERNATE, /H     Enables and disables the hibernate feature.

  /AVAILABLESLEEPSTATES, /A
                     Reports the sleep states available on the system.

  /DEVICEQUERY       Returns a list of devices that meet specified criteria.

  /DEVICEENABLEWAKE  Enables a device to wake the system from a sleep state.

  /DEVICEDISABLEWAKE Disables a device from waking the system from a sleep
                     state.

  /LASTWAKE          Reports information about what woke the system from the
                     last sleep transition.

  /WAKETIMERS        Enumerates active wake timers.

  /REQUESTS          Enumerates application and driver Power Requests.

  /REQUESTSOVERRIDE  Sets a Power Request override for a particular Process,
                     Service, or Driver.

  /ENERGY            Analyzes the system for common energy-efficiency and
                     battery life problems.

  /BATTERYREPORT     Generates a report of battery usage.

  /SLEEPSTUDY        Generates a diagnostic system power transition report.

  /SRUMUTIL          Dumps Energy Estimation data from System Resource Usage
                     Monitor (SRUM).

  /SYSTEMSLEEPDIAGNOSTICS
                     The system sleep diagnostics report has been deprecated and
                     replaced with the system power report. Please use the command
                     "powercfg /systempowerreport" instead.

  /SYSTEMPOWERREPORT Generates a diagnostic system power transition report.

  /POWERTHROTTLING   Control power throttling for an application.

  /PROVISIONINGXML, /PXML    Generate an XML file containing power setting overrides.

Conclusion

Modern Standby saves your laptop's or desktop's battery and keeps your device active for longer. If you use your device intermittently or are away from it a lot, this can save a lot of energy. However, there could be a scenario where you do not want Modern Standby enabled. In that case, you can use the steps given in this blog post to create a registry entry and disable Modern Standby.

Source :
https://techpress.net/disable-modern-standby-in-windows-10/

How to troubleshoot Volume shadow Copies on Windows

Vssadmin command

Vssadmin is a useful built-in command to use as a starting point when troubleshooting shadow copies. Let's run this command with different parameters and check the results.

Vssadmin supports several commands. To list them, open PowerShell or Command Prompt as an administrator and type vssadmin.

Command                        Description                                                      Availability
Vssadmin add shadowstorage     Adds a volume shadow copy storage association.                   Server only
Vssadmin create shadow         Creates a new volume shadow copy.                                Server only
Vssadmin delete shadows        Deletes volume shadow copies.                                    Client and Server
Vssadmin delete shadowstorage  Deletes volume shadow copy storage associations.                 Server only
Vssadmin list providers        Lists registered volume shadow copy providers.                   Client and Server
Vssadmin list shadows          Lists existing volume shadow copies.                             Client and Server
Vssadmin list shadowstorage    Lists all shadow copy storage associations on the system.        Client and Server
Vssadmin list volumes          Lists volumes that are eligible for shadow copies.               Client and Server
Vssadmin list writers          Lists all subscribed volume shadow copy writers on the system.   Client and Server
Vssadmin resize shadowstorage  Resizes the maximum size for a shadow copy storage association.  Client and Server

Source: Microsoft

Vssadmin commands

Ensure that the VSS writers are in Stable State

Run the command vssadmin list writers and make sure that all the VSS writers are in the [1] Stable state. You may see different VSS writers depending on the application server where you run the command; for example, on a Microsoft Exchange Server you will see [Writer name: 'Microsoft Exchange Writer'] in addition to the other VSS writers. If the Microsoft Exchange Writer state is not stable, restart the Microsoft Exchange Information Store service or restart the Exchange Server, and check the writer state again before restarting the backup job.

Vssadmin list writers
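The writer check above can be scripted. The following is an added example, not code from the original post: it parses vssadmin list writers output into objects and returns only the writers that are not stable or that report an error. The function name ConvertFrom-VssWriterText is hypothetical, the sample text is constructed, and English-language vssadmin output is assumed.

```powershell
# Added example (not from the original post). ConvertFrom-VssWriterText is a
# hypothetical helper name; English-language vssadmin output is assumed.
function ConvertFrom-VssWriterText {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            "^\s*Writer name:\s*'(.+)'" {
                # A new writer block starts: emit the previous one, if any.
                if ($null -ne $current) { [pscustomobject]$current }
                $current = [ordered]@{ Name = $Matches[1]; State = ''; LastError = '' }
            }
            '^\s*State:\s*(.+?)\s*$' {
                if ($null -ne $current) { $current.State = $Matches[1] }
            }
            '^\s*Last error:\s*(.+?)\s*$' {
                if ($null -ne $current) { $current.LastError = $Matches[1] }
            }
        }
    }
    # Emit the last writer block.
    if ($null -ne $current) { [pscustomobject]$current }
}

# Constructed sample (not captured from a real system). On a live machine,
# from an elevated console, use instead:  $text = vssadmin list writers
$text = @'
Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   State: [1] Stable
   Last error: No error

Writer name: 'Microsoft Exchange Writer'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   State: [7] Failed
   Last error: Timed out
'@ -split '\r?\n'

# Keep only writers that are not stable or that report an error.
ConvertFrom-VssWriterText -Lines $text |
    Where-Object { $_.State -notmatch 'Stable' -or $_.LastError -ne 'No error' } |
    Format-Table -AutoSize
```

An empty result means every writer is stable; any row returned names a writer to fix before restarting the backup job.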

Ensure that you can see Registered Shadow Copy Providers

To list the currently registered shadow copy providers, run the command vssadmin list providers.

vssadmin list providers

If you do not see any providers listed after running the above command, it could be an OS-related issue, or the Volume Shadow Copy Service is not running.

List existing Volume Shadow Copies

To list existing shadow copies, use the command vssadmin list shadows.

vssadmin list shadows

List all shadow copy storage associations on the system

Run the command below to see all storage associations for the existing shadow copies. By default, the storage allocates 10% of the volume to the shadow copies.

vssadmin list shadowstorage

You can also check the shadow copy storage association on the volume in the GUI: right-click the volume -> Properties -> click the Shadow Copies tab.

Shadow Copies

Run the command vssadmin list shadowstorage /? to see the additional parameters you can use with this command. For example, you can use the /for parameter to list all associations for a specified volume.

vssadmin list shadowstorage /?

Delete Shadow Copies using command line

There are a few commands you can use to delete shadow copies. Shadow copy data is stored in a folder called System Volume Information, which is a hidden system folder. If you see that the System Volume Information folder is quite big and consuming a lot of space, you can check whether it holds any stale shadow copies that you may want to delete to free up the space. If you decide to remove shadow copies from the volume, use the command line options below to complete the task.
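Before deleting anything, it helps to see how old each shadow copy is and how much space the shadow storage actually uses. The following is an added example, not code from the original post: it reads the Win32_ShadowCopy, Win32_ShadowStorage and Win32_Volume CIM classes from an elevated PowerShell console. The $MaxAgeDays threshold is a hypothetical value chosen for illustration.

```powershell
# Added example (not from the original post): inventory shadow copies and
# shadow storage before deleting. Run from an elevated PowerShell console.
# $MaxAgeDays is a hypothetical threshold; match it to your retention needs.
$MaxAgeDays = 30

# Map volume GUID paths (\\?\Volume{...}\) to drive letters or mount points.
$volumeNames = @{}
Get-CimInstance -ClassName Win32_Volume |
    ForEach-Object { $volumeNames[$_.DeviceID] = $_.Name }

# One row per shadow copy. Id is the value vssadmin list shadows reports
# as "Shadow Copy ID".
$now = Get-Date
$copies = Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
    $age = [math]::Floor(($now - $_.InstallDate).TotalDays)
    [pscustomobject]@{
        Id      = $_.ID
        Volume  = $volumeNames[$_.VolumeName]
        Created = $_.InstallDate
        AgeDays = $age
        Stale   = $age -gt $MaxAgeDays
    }
}
$copies | Sort-Object Created | Format-Table -AutoSize

# Space consumed by each shadow storage association, in GB.
Get-CimInstance -ClassName Win32_ShadowStorage | ForEach-Object {
    # A MaxSpace of UInt64.MaxValue means no size limit is configured.
    $max = 'unbounded'
    if ($_.MaxSpace -ne [uint64]::MaxValue) {
        $max = [math]::Round($_.MaxSpace / 1GB, 2)
    }
    [pscustomobject]@{
        Volume      = $volumeNames[$_.Volume.DeviceID]
        StoredOn    = $volumeNames[$_.DiffVolume.DeviceID]
        UsedGB      = [math]::Round($_.UsedSpace / 1GB, 2)
        AllocatedGB = [math]::Round($_.AllocatedSpace / 1GB, 2)
        MaxGB       = $max
    }
} | Format-Table -AutoSize
```

Rows with Stale set to True are the candidates for deletion; the script itself only reads and deletes nothing.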

wmic command

Use the wmic command to delete the shadow copies. When you run this command, you will be at the wmic:\root\cli> prompt. Type shadowcopy delete to delete the shadow copies one by one. Type Y to delete the shadow copy or N to skip to the next shadow copy.

Note: To find the shadow copy ID, use the command vssadmin list shadows. If, after using the wmic command, you find that the shadow copies are not deleted or you get an error message as shown in the screenshot below, you can use either the Vssadmin delete shadows command or the Diskshadow command, as shown in the next sections.

wmic
wmic command example

Vssadmin delete shadows

The vssadmin delete shadows command can be used to delete all shadow copies or specific shadow copies from the volume. Add /? at the end of the command to list the parameters you can use with it. To delete all shadow copies, use the command below.

Vssadmin delete shadows /all

diskshadow Command

You can also use the diskshadow command to delete all the shadow copies from the system. Open Command Prompt as administrator -> type diskshadow -> then at the DISKSHADOW> prompt, type delete shadows all to remove all shadow copies from the server.

Diskshadow command reference

diskshadow
diskshadow command

Best Practices

The best practice when configuring shadow copies is to store them on a disk that is not itself shadow copied and that has enough free space to hold the shadow copies as configured. Windows shows the message below during setup, which suggests the same.

Enable Shadow Copies

More Information

Volume Shadow Copy Service | Microsoft Docs

Conclusion

In this blog post, we have seen how you can troubleshoot issues related to shadow copies. The vssadmin command is very handy when you are working on Windows devices. You can also find examples of the commands with screenshots.

Source :
https://techpress.net/how-to-troubleshoot-volume-shadow-copies-on-windows/