VMware vRops Azure error

Posted by robd on February 23, 2022
vmware / No Comments

So we’ve been getting a very annoying error when trying to monitor Azure with vrops:

“Unable to establish a valid connection to the target system. javax.net.ssl.SSLHandshakeException: General SSLEngine problem”


vrops error

I found this article that states how to fix it, which gave me a clue but didnt actually fix the problem:


Basically the certs for Azure had expired so it couldn’t check the status.

The fix for me was to download all the new Azure Certs:


azure certs

Convert them to pem files:


Now upload the pem files to vrops:



Now ssh to vrops and get the keystore password:

cd /storage/vcops/user/conf/ssl/

keytool -list -keystore tcserver.truststore

and finally import your pem files:

cd /storage/vcops/user/conf/ssl/
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/Microsoft_RSA_Root_Certificate_Authority_2017.pem -alias azure1 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/Microsoft_ECC_Root_Certificate_Authority_2017.pem -alias azure2 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/D-TRUST_Root_Class_3_CA_2_2009.pem -alias azure3 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/BaltimoreCyberTrustRoot.pem -alias azure4 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/DigiCertGlobalRootCA.pem -alias azure5 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/DigiCertGlobalRootG2.pem -alias azure6 -keystore tcserver.truststore




Tags: , ,

ISATAP – Direct Access Manage Out

Posted by robd on January 14, 2022
Direct Access / No Comments

I was working with Direct Access recently and the manage out function. The idea is servers on premises can communicate with direct access clients on the internet who are using a IPv6 over IPv4 protocol.

For example, it’s great when you want to manage SCCM clients who are not in the office.

To do this you need an ISATAP server that sits in-between the Direct Access servers and the internal servers, I like to think of ISATAP as like a DHCP/DNS server that gives out IPv6 addresses to internal servers which then in turn allows them to query IPv6 clients.

I’m going to presume you’ve setup Direct Access and ISATAP and at some point it was all working (if anyone wants a guide on setup of ISATAP, just shout), now for what ever reason you can not resolve IPv6 clients!!

  • Logon to your Direct Access (DA) Server, pick a client and check you can ping it, it should return a IPv6 address.
  • ping
  • Logon to your ISATAP server and ping the same client, if it does then great the issue is not between DA and ISATAP, if not then it’s time to check your connectivity (firewall and routes) between the two servers.
  • Logon to a server that that using the ISATAP server and ping the same client, in my case this did not work.
  • So first check the interface on the server, ipconfig /all

This is bad.  If its fe80 it means windows has assigned a IP itself and not had a address assigned from ISATAP, bit like APIPA address.

  • You can disable and enable ISATAP on the server to check if it changes to fe70
netsh int ipv6 isatap set state disable

netsh int ipv6 isatap set state enable
  • Moving back to the ISATAP server, there basically two things to check, the interface and the routes
  • First check the interface and its idx number:
netsh Int ipv6 show int
  • In my case I know the interface I configured when I set up the server was IDX 6 where as below it shows IDX 9, this means that something has changed, potentially a VMWare hardware update.

  • As the interface has changed that means the interface settings have been lost and the static routes, so lets add them again:
    • First on the NIC, add forwarding:
netsh Int ipv6 set int 12 forwarding = enabled

    • Then on the ISATAP Interface
netsh Int ipv6 set int 9 advertise = enabled
netsh Int ipv6 set int 9 forwarding = enabled

  • Next check the routes for the interface, the magic route is mising
netsh int ipv6 show route

  • Add it back
netsh interface ipv6 add route fd07:4444:4444:1::/64 9 publish=yes

  • Finally check the server again

  • YAY!!!

Tags: , , ,

Firmware Update Cisco SG350

Posted by robd on January 12, 2022
Cisco / 1 Comment

I had to update a Cisco SG350 recently, which should have been really easy but ended up being a bit of a pain.

Here’s how I’d do it again:

  • Download the firmware:


  • Ignore the GUI, pretend it never existed, as best I can work out it just doesn’t work well.
  • Download a tftp software, I suggest tftpd64 as it brilliant:


  • Run the tftp software and point it at the firmware, make a note of the IP.
  • SSH to the switch with putty and run the following to check the version:
show ver
  • Then run this command on the switch (The IP if the IP of the tftp software):
boot system tftp://

  • Now reboot:
  • Once it’s rebooted, check the version, and you are done!
show ver

Tags: , ,

vMotion Slow

Posted by robd on January 11, 2022
vmware / No Comments

We recently replaced our estate of trusty PowerEdge R620 Dell servers, with shiny new Cisco UCS C220 M5SX Servers.

On each server, VMware ESXi was installed. We used LAG with 4 10 GB NIC’s, each server had 10 7200rpm drives setup in a RAID 6 (no SSDs, don’t ask why).

All looked great, but when moving the VM’s to the Cisco servers with vMotion, the process was super slow.

After a lot of digging, we discovered the issue was with the way the Wite Policy was setup on the RAID, we’d used Write Through, and we should have used Write Back Bad BBU:


– Write Through— Data is written through the cache and to the physical drives. Performance is improved, because subsequent reads of that data can be satisfied from the cache.

– Write Back— Data is stored in the cache, and is only written to the physical drives when space in the cache is needed. Virtual drives requesting this policy fall back to Write Through caching when the BBU cannot guarantee the safety of the cache in the event of a power failure.

– Write Back Bad BBU—With this policy, write caching remains Write Back even if the battery backup unit is defective or discharged.

Once we changed it, everything worked superfast.


Tags: , , ,


Posted by robd on January 06, 2022
powershell, SQL / No Comments


Been a while since I posted but here I am!

I recently needed to copy SQL users from one DB to another without changing SIDs etc, while googling how best to do this a colleague just told me to use dbatools.

Well I’m glad I did, they are amazing! If you’re not sure what dbatools is, its PowerShell for SQL!!

Here’s what I did:

Install the tools on my device:

Install-Module dbatools -Scope CurrentUser

Then I simply ran:

Copy-DbaLogin -Source SourceDB -Destination DestDB -force

and thats it.



Tags: , ,

Windows 10 and Fast Roaming Standards

Posted by robd on April 09, 2021
Windows 10, Wireless / No Comments

Did you know that Windows 10 supports fast roaming standards such as 802.11r/k/v?

Well it does but there’s a few caveats.

If you’re unsure what these standards are and how they operate then keep reading:

Remember, the CLIENT decides when to roam, not the Access Point!!!!

802.11k (Neighbor Reports)

Access points that have it will send out special reports of their Neighbours to the windows 10 device.  Neighbour Reports contain information about neighbouring access points so would allow a Windows 10 device to know if it can roam if it needs too. Windows 10 takes advantage of this capability by shortening the list of channels that the device needs to scan before finding a neighbouring AP to roam to.

802.11v (BSS Transition Management Frames)

Access points that support 802.11v can suggest that Windows 10 devices to roam to another AP that it believes will provide a better wireless experience.  Windows 10 devices can now accept and respond to these Basic Service Set (BSS) Transition Management frames, leading to improved wireless quality i.e. potentially better SNR or RSSI.

802.11r (Fast BSS Transition)

Fast BSS Transition reduces the time needed for a Windows 10 device to move/roam to another AP that supports 802.11r. This time reduction results from fewer frames being exchanged with the AP prior to data transfer. By moving quickly to a new AP the tranistion time will be less interupotive to the client, for example a slow move would disrupt a video call. You must be using Radius authentication (802.1X), Pre-Shared Key (PSK) and Open Networks are currently not supported.


Unfortunately there only these intel chipsets are supported with Windows 10:



What about other clients such as MACs and RF scanners???


Yes but it depends, have a look at this:


RF Scanners

Yes but it depends, for example 802.11r is support on mc9200 if the radio is updated to 2.03 so please ensure these devices are updated to the latest version.



If you’d like to know more on client roaming and supporting it then this video is interesting:



Any questions please let me know.

Tags: , , ,

Domain Controller – Sysvol and Group Polices

Posted by robd on February 16, 2021
Active Directory / No Comments

Had some strange issues recently where some group polices weren’t populating to certain sites.

i.e. you’d logon to a new device on a site and the work folders GPO wouldnt apply, after spending 5 minutes looking at RSOP.MSC I could see the policy just wasnt applied, at all.

So after some digging on the domain controller and googling events in the event viewer I found:


Which lead me to this nifty command to check the sysvol folder:

For /f %i IN ('dsquery server -o rdn') do @echo %i && @(net view \\%i | find "SYSVOL") & echo

As you can see from the above, all looks ok!!!

So now lets have a look-see at the DFS replication:

For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

Run it and look for the “state”, the  values can be any of the following:

0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error

As you can see on the above, the last one is wonky donkey!!! DFS BE BROKEN

So lets have a look through the events for dfs broken events:

and to double check with Powershell on the affected DC:

Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderInfo

Nothing comes up, this is BAD!

So in the regisrty you should be able to check the recovery status


So its stopped and not recovering.

The fix:

First get the guid of the C:\ drive:


Now run this in a elevated command prompt:

wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="cc9a4e7a-0000-0000-0000-602200000000" call ResumeReplication

Wait 10 and check the replication status again:

and run the dsquery again:

HORRAY!!!!!  GPOs for everyone.

Tags: , , ,

Upgrade Cisco ISE from 2.6 to 2.7

Posted by robd on February 03, 2021
Cisco, Wireless / No Comments


Upgrading Cisco ISE is pretty straight forward, there’s a pretty GUI that makes sure you back everything up before you start and then you specify a repository and the files get downloaded and bobs your uncle.

FYI – This is good blog on backing up ISE before you start:  https://www.letsconfig.com/how-to-backup-cisco-ise-2-7/

My issue is I have a ISE node in a DMZ which cant contact the main repository on the network due to it being ultra secure.

So I had to do it manually via the Cisco ISE CLI on the node in the dmz.

First find a server that can access the DMZ on port 21 – Note, I tried tftp but the transfer would fail every time.

Then download this portable ftp server: https://www.xlightftpd.com/download.htm

Run the ftp server, setup the NIC and create a user with a home directory (a folder on the server)

Download the ISE upgrade file and put it in the home directory: ise-upgradebundle-2.2.x-2.6.x-to-

Next logon to your ISE node,

Create a repository on the ISE node:

conf t
repository dmzf
user FTPAdmin password plain FTPPassword

Now you can pull the upgrade file – Note, this will just download and unpackaged the file, NOT run the update.

application upgrade prepare ise-upgradebundle-2.2.x-2.6.x-to- dmzf

Wait for that to finish:

Now you’re ready to actually upgrade.

application upgrade proceed

Wait for the reboot and update:

Then  you are done!!

Double check

Show Version


Done. Boom

Tags: , , ,

Disable weak RDP Vulnerabilities remotely

Posted by robd on January 28, 2021
powershell, Vulnerabilities / No Comments


Here’s another handy fix for resolving RDP vulnerabilities remotely.

The script is a bit rubbish as I’ve not used CredSSP (I was in a rush) so you’ll need to run PowerShell as a admin and you’ll need a CSV with the servers in:

csv format:





Import-Csv "c:\temp\RDP_Vun.csv"| ForEach-Object {

write-host ""
write-host "===================================="
write-host "Computer: $_.server"
write-host "===================================="

write-host "-----------------------------------"
write-host "Fix RDP Vunrability"
write-host "-----------------------------------"

# Remote Desktop Services: Enable NLA Requirement
(Get-WmiObject -Computer $_.server -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired  
(Get-WmiObject -Computer $_.server -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(1) 

# Remote Desktop Services: Require 'High' level of encryption
(Get-WmiObject -Computer $_.server -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetEncryptionLevel(3) 

# Remote Desktop Services: Set Security Layer to SSL
(Get-WmiObject -Computer $_.server -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetSecurityLayer(2)



Tags: , ,

TLS and SSL – Securing the protocols with PowerShell

Posted by robd on January 27, 2021
Vulnerabilities / No Comments


We’ve been scanning some of our internal servers with Qualys recently and its picked up a few vulnerability, specifically related to TLS 1 and SSL.

So after a bit of Googling I found this post:


This fixes the vulnerabilities via PowerShell.

Since then I’ve modified it to work remotely.

To run the script, make a csv with the servers in:

if (! $cred1){
$cred1 = Get-Credential -Message "Please provide domain admin credentials"
Import-Csv "c:\temp\tcp_vun.csv"| ForEach-Object {
write-host "Computer: $($_.computer) staring"
#If you are going to want to use CredSSP below, then enable it by uncommenting this next bit.
#$session = New-PSSession -cn $_.computer -Credential $cred1
#invoke-Command  -session $session -scriptblock{ Enable-WsManCredSSP -Role Server -Force}
#remove-pssession $session
#Pick one of the following session types, if you are doing some remote tasks in the remote command you will need the Credssp method
#$session = New-PSSession -cn $_.computer -Credential $cred1 -Authentication Credssp -ErrorAction SilentlyContinue
#### TRY 1st#####################:
$session = New-PSSession -cn $_.computer -Credential $cred1
invoke-Command  -session $session -Scriptblock {
Write-Host 'Configuring SCHANNEL protocols' -NoNewline
# Disable Multi-Protocol Unified Hello
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host '.' -NoNewline
# Disable PCT 1.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host '.' -NoNewline
# Disable SSL 2.0 (PCI Compliance)
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host '.' -NoNewline
# Disable SSL 3.0 (PCI Compliance) and enable "Poodle" protection
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host '.' -NoNewline
# Disable TLS 1.0 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host '.' -NoNewline
# Add and Disable TLS 1.1 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host '.' -NoNewline
# Add and Enable TLS 1.2 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host '.' -NoNewline
Write-Host ' Completed!'
Write-Host 'Configuring Ciphers.' -NoNewline
# Re-create the ciphers key.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null
Write-Host '.' -NoNewline
# Disable insecure/weak ciphers.
$insecureCiphers = @(
  'DES 56/56',
  'RC2 128/128',
  'RC2 40/128',
  'RC2 56/128',
  'RC4 40/128',
  'RC4 56/128',
  'RC4 64/128',
  'RC4 128/128',
  'Triple DES 168'
Foreach ($insecureCipher in $insecureCiphers) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
  $key.SetValue('Enabled', 0, 'DWord')
  Write-Host '.' -NoNewline
# Enable new secure ciphers.
# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.
# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.
# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030
$secureCiphers = @(
  'AES 128/128',
  'AES 256/256'
Foreach ($secureCipher in $secureCiphers) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
  New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  Write-Host '.' -NoNewline
Write-Host ' Completed!'
Write-Host 'Configuring Hashes.' -NoNewline
# Set hashes configuration.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host '.' -NoNewline
$secureHashes = @(
Foreach ($secureHash in $secureHashes) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes', $true).CreateSubKey($secureHash)
  New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$secureHash" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  Write-Host '.' -NoNewline
# Set KeyExchangeAlgorithms configuration.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null
$secureKeyExchangeAlgorithms = @(
Foreach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms', $true).CreateSubKey($secureKeyExchangeAlgorithm)
  New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$secureKeyExchangeAlgorithm" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  Write-Host '.' -NoNewline
Write-Host ' Completed!'
# Microsoft Security Advisory 3174644 - Updated Support for Diffie-Hellman Key Exchange
# https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644
Write-Host 'Configure longer DHE key shares for TLS servers.' -NoNewline
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" -name 'ServerMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" -name 'ClientMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null
Write-Host '.' -NoNewline 
# https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exc
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" -name 'ClientMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null
Write-Host '.' -NoNewline 
# Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).
$os = Get-WmiObject -class Win32_OperatingSystem
if ([System.Version]$os.Version -lt [System.Version]'10.0') {
  Write-Host '.' -NoNewline
  $cipherSuitesOrder = @(
    # Below are the only AEAD ciphers available on Windows 2012R2 and earlier.
    # - RSA certificates need below ciphers, but ECDSA certificates (EV) may not.
    # - We get penalty for not using AEAD suites with RSA certificates.
} else {
  Write-Host '.' -NoNewline
  $cipherSuitesOrder = @(
$cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
# One user reported this key does not exists on Windows 2012R2. Cannot repro myself on a brand new Windows 2012R2 core machine. Adding this just to be save.
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null
Write-Host '.' -NoNewline
Write-Host ' Completed!'
# Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It
# https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/
# New IIS functionality to help identify weak TLS usage
# https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/
Write-Host 'Enable TLS 1.2 for .NET 3.5 and .NET 4.x' -NoNewline
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" -name 'SystemDefaultTlsVersions' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" -name 'SchUseStrongCrypto' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -name 'SystemDefaultTlsVersions' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -name 'SchUseStrongCrypto' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host '.' -NoNewline
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
  New-ItemProperty -path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" -name 'SystemDefaultTlsVersions' -value 1 -PropertyType 'DWord' -Force | Out-Null
  New-ItemProperty -path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" -name 'SchUseStrongCrypto' -value 1 -PropertyType 'DWord' -Force | Out-Null
  New-ItemProperty -path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -name 'SystemDefaultTlsVersions' -value 1 -PropertyType 'DWord' -Force | Out-Null
  New-ItemProperty -path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -name 'SchUseStrongCrypto' -value 1 -PropertyType 'DWord' -Force | Out-Null
  Write-Host '.' -NoNewline
# DefaultSecureProtocols Value  Decimal value  Protocol enabled
# 0x00000008                                8  Enable SSL 2.0 by default
# 0x00000020                               32  Enable SSL 3.0 by default
# 0x00000080                              128  Enable TLS 1.0 by default
# 0x00000200                              512  Enable TLS 1.1 by default
# 0x00000800                             2048  Enable TLS 1.2 by default
$defaultSecureProtocols = @(
  '2048'  # TLS 1.2
$defaultSecureProtocolsSum = ($defaultSecureProtocols | Measure-Object -Sum).Sum
Write-Host ' Completed!'
# Update to enable TLS 1.2 as a default secure protocols in WinHTTP in Windows
# https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in
Write-Host 'Verifying...' 
# Verify if hotfix KB3140245 is installed.
$file_version_winhttp_dll = (Get-Item $env:windir\System32\winhttp.dll).VersionInfo | % {("{0}.{1}.{2}.{3}" -f $_.ProductMajorPart,$_.ProductMinorPart,$_.ProductBuildPart,$_.ProductPrivatePart)}
$file_version_webio_dll = (Get-Item $env:windir\System32\Webio.dll).VersionInfo | % {("{0}.{1}.{2}.{3}" -f $_.ProductMajorPart,$_.ProductMinorPart,$_.ProductBuildPart,$_.ProductPrivatePart)}
if ([System.Version]$file_version_winhttp_dll -lt [System.Version]"6.1.7601.23375" -or [System.Version]$file_version_webio_dll -lt [System.Version]"6.1.7601.23375") {
  Write-Host 'WinHTTP: Cannot enable TLS 1.2. Please see https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in for system requirements.'
} else {
  Write-Host 'WinHTTP: Minimum system requirements are met.'
  Write-Host 'WinHTTP: Activate TLS 1.2 only.'
  New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' -name 'DefaultSecureProtocols' -value $defaultSecureProtocolsSum -PropertyType 'DWord' -Force | Out-Null
  if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    # WinHttp key seems missing in Windows 2019 for unknown reasons.
    New-Item 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' -ErrorAction SilentlyContinue | Out-Null
    New-ItemProperty -path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' -name 'DefaultSecureProtocols' -value $defaultSecureProtocolsSum -PropertyType 'DWord' -Force | Out-Null
#Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?'
#Restart-Computer -Force -Confirm
remove-pssession $session
write-host "Computer: $($_.computer) finsished"





Tags: , ,