在Intune中使用Powershell禁用TLS1.0


我想禁用 TLS 1.0 以及其他已弃用的加密协议/密码套件。为此我编写了下面这个 PowerShell 脚本，并将它放到 Intune 的「设备 > 脚本」(Scripts) 刀片中，分发给所有设备。
下面是我的脚本。

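<#
  Schannel hardening for Intune-managed Windows devices.

  Disables SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and the RC4 ciphers, and
  explicitly enables TLS 1.2 (client + server) and TLS 1.3 (client).
  Schannel reads its configuration from:
    ...\SCHANNEL\Protocols\<name>\{Client,Server}\Enabled           (DWORD)
    ...\SCHANNEL\Protocols\<name>\{Client,Server}\DisabledByDefault (DWORD)
    ...\SCHANNEL\Ciphers\<name>\Enabled                             (DWORD)
  A reboot is required before the new settings take effect.

  NOTE(review): an Intune "Scripts" (platform script) item runs once per
  device and is not re-applied afterwards, so a local administrator who
  deletes these keys undoes the hardening permanently.  Deploy the same logic
  as a Remediation (Proactive Remediation) with a detection script that checks
  these values, so the fix re-runs on a schedule -- and treat local-admin
  rights as the real gap: no script can defend itself against an administrator.

  NOTE(review): disabling the TLS 1.0/1.1 *client* side breaks connections to
  servers that offer nothing newer; inventory those before rolling this out.
#>

$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    <#
    .SYNOPSIS
        Creates Protocols\<Name>\<Side> and writes Enabled / DisabledByDefault.
    .PARAMETER Name
        Schannel protocol key name, e.g. 'TLS 1.0'.
    .PARAMETER Side
        'Client' or 'Server'.
    .PARAMETER Enable
        $true  -> Enabled=1, DisabledByDefault=0 (protocol offered and usable)
        $false -> Enabled=0, DisabledByDefault=1 (not offered, and not usable
                  even when a caller requests it explicitly)
    #>
    param (
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [ValidateSet('Client', 'Server')] [string] $Side,
        [Parameter(Mandatory = $true)] [bool] $Enable
    )

    $Path = "HKLM:\$SchannelRoot\Protocols\$Name\$Side"
    # -Force creates the whole key chain and is a no-op when it already exists.
    New-Item -Path $Path -Force | Out-Null
    # Both values are always written, so a stale value from an earlier run
    # cannot survive.
    Set-ItemProperty -Path $Path -Name 'Enabled'           -Value ([int]$Enable)        -Type DWord
    Set-ItemProperty -Path $Path -Name 'DisabledByDefault' -Value ([int](-not $Enable)) -Type DWord
}

function Disable-SchannelCipher {
    <#
    .SYNOPSIS
        Creates Ciphers\<Name> and sets Enabled=0.
    .PARAMETER Name
        Schannel cipher key name, e.g. 'RC4 128/128'.
    .NOTES
        Cipher key names contain '/', which the PowerShell registry provider
        treats as a path separator: New-Item would create 'RC4 128\128', and
        Set-ItemProperty on the Ciphers key with -Name 'RC4 128/128' (the
        original approach) writes a value on the parent key that Schannel
        never reads.  The .NET registry API takes the name literally.
    #>
    param (
        [Parameter(Mandatory = $true)] [string] $Name
    )

    $Key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelRoot\Ciphers\$Name")
    try {
        $Key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    finally {
        $Key.Close()
    }
}

# RC4 is prohibited for TLS (RFC 7465); disable every key length.
foreach ($Cipher in 'RC4 128/128', 'RC4 40/128', 'RC4 56/128') {
    Disable-SchannelCipher -Name $Cipher
}

# Legacy protocols: off on both sides.  (The original script also carried a
# commented-out 'SSL 1.2' stanza; no such Schannel protocol key exists.)
foreach ($Protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($Side in 'Client', 'Server') {
        Set-SchannelProtocol -Name $Protocol -Side $Side -Enable $false
    }
}

# TLS 1.2: explicitly on for both client and server, so the device keeps a
# working protocol even if a baseline or earlier script disabled it.
foreach ($Side in 'Client', 'Server') {
    Set-SchannelProtocol -Name 'TLS 1.2' -Side $Side -Enable $true
}

# TLS 1.3 client, as in the original.  Schannel only implements TLS 1.3 on
# recent builds (Windows 11 / Server 2022 and later); older builds ignore
# the key.
Set-SchannelProtocol -Name 'TLS 1.3' -Side 'Client' -Enable $true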

在测试组上测试时一切正常。但我发现，如果某个（拥有本地管理员权限的）用户删除了注册表项（例如 HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client），该项不会被重新创建——看起来脚本只运行了一次（即使我之后尝试同步设备也是如此）。如何才能让脚本定期运行，在用户删除注册表项之后再次把它重新创建出来？



建议把这个脚本作为主动修正(Proactive Remediation，现已更名为 Remediations)中的修正脚本，并配一个检测脚本：检测脚本按计划反复检查这些注册表值，一旦发现有人篡改了设置，就返回非零退出码，从而触发修正脚本重新运行。Intune 的平台脚本(Scripts)默认只在每台设备上运行一次，不会周期性地重新应用。



# Start logging
# Date 4 May 2022
#
# Everything the script prints goes into a transcript under C:\Windows\Temp,
# which is writable when Intune runs the script as SYSTEM.  File name:
#   Log-WinTLS101DeprecatedDisable-<COMPUTERNAME>-<dd-MM-yyyy-HH-mm>.txt
# Remember to call Stop-Transcript at the very end of the script.
$LogPrefix = "Log-WinTLS101DeprecatedDisable-$Env:Computername-"
$LogDate   = Get-Date -Format dd-MM-yyyy-HH-mm
$LogName   = '{0}{1}.txt' -f $LogPrefix, $LogDate
Start-Transcript -Path (Join-Path 'C:\Windows\Temp' $LogName)
> 
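<#
# Returns $true when the registry value $Name exists under key $Path and
# $false when the key or the value is missing (or cannot be read).
# Test-Path only works for keys, so the value is read via Get-ItemProperty.
#
# Callers pass the result as -Exists to the Update-/Enabled-/Disabled-
# helpers, which then choose New-ItemProperty (missing) vs Set-ItemProperty
# (present).  The result does NOT depend on the value's data: a value that
# exists with data 0 is still "present".  (The previous `-eq "1"` test
# returned $false for an existing 0, which made the enable helpers try
# New-ItemProperty on an existing value and fail silently -- a TLS 1.2
# value that had been set to 0 was never switched back on.)
#>
function Test-RegistryValue {

    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$Path,

        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$Name
    )

    try {
        # -Name with -ErrorAction Stop throws both when the key is missing
        # and when the key exists but has no such value.
        $Item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return (($null -ne $Item) -and ($null -ne $Item.$Name))
    }

    catch {
        # Key or value not found, or access denied: report as absent.
        return $false
    }
}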
> 
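<#
# Writes the DWORD value $Name = 0 under key $Path.  Used for 'Enabled' on
# protocols/ciphers that must be switched off and for 'DisabledByDefault'
# on protocols that must stay on.
#
# $Exists is the result of Test-RegistryValue and now only selects the log
# message.  New-ItemProperty -Force both creates a missing value and
# overwrites an existing one with the requested type, so a stale or wrong
# $Exists can no longer make the write fail, and the value is guaranteed
# to be REG_DWORD (Schannel ignores a REG_SZ "0").
#
# Returns $true on success, $false if the write threw (e.g. access denied);
# the failure is reported with Write-Warning instead of being swallowed.
#>
function Update-RegistryValue {

    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$Path,

        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$Name,

        [parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]$Exists
    )

    try {
        New-ItemProperty -Path $Path -Name $Name -Value 0 -PropertyType "DWord" -Force -ErrorAction Stop | Out-Null
        if ($Exists -eq $False) {
            Write-Host "$Path\$Name has been created"
        }
        else {
            Write-Host "$Path\$Name has been updated"
        }
        return $true
    }

    catch {
        Write-Warning "Failed to write $Path\$Name : $($_.Exception.Message)"
        return $false
    }
}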
> 
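<#
# Writes the DWORD value $Name = 1 under key $Path.  Despite the name this
# is used for 'DisabledByDefault' on protocols that are being switched OFF
# (DisabledByDefault = 1).  'Disabled' is not an approved PowerShell verb;
# the name is kept so existing callers keep working.
#
# $Exists (from Test-RegistryValue) only selects the log message:
# New-ItemProperty -Force creates or overwrites the value as REG_DWORD
# regardless, so a wrong $Exists cannot make the write fail.
#
# Returns $true on success, $false if the write threw; the failure is
# reported with Write-Warning instead of being swallowed.
#>
function Disabled-RegistryValue {

    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$Path,

        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$Name,

        [parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]$Exists
    )

    try {
        New-ItemProperty -Path $Path -Name $Name -Value 1 -PropertyType "DWord" -Force -ErrorAction Stop | Out-Null
        if ($Exists -eq $False) {
            Write-Host "$Path\$Name has been created"
        }
        else {
            Write-Host "$Path\$Name has been updated"
        }
        return $true
    }

    catch {
        Write-Warning "Failed to write $Path\$Name : $($_.Exception.Message)"
        return $false
    }
}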
> 
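<#
# Writes the DWORD value $Name = 1 under key $Path.  Used for 'Enabled' on
# protocols/ciphers that must be switched ON (TLS 1.2, Triple DES 168).
#
# $Exists (from Test-RegistryValue) only selects the log message:
# New-ItemProperty -Force creates or overwrites the value as REG_DWORD
# regardless.  This matters most here -- with the original Test-/New-
# pairing, an 'Enabled' value that already existed as 0 made
# New-ItemProperty fail and the protocol was never re-enabled.
#
# Returns $true on success, $false if the write threw; the failure is
# reported with Write-Warning instead of being swallowed.
#>
function Update-RegistryValue-Enable {

    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$Path,

        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$Name,

        [parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]$Exists
    )

    try {
        New-ItemProperty -Path $Path -Name $Name -Value 1 -PropertyType "DWord" -Force -ErrorAction Stop | Out-Null
        if ($Exists -eq $False) {
            Write-Host "$Path\$Name has been created"
        }
        else {
            Write-Host "$Path\$Name has been updated"
        }
        return $true
    }

    catch {
        Write-Warning "Failed to write $Path\$Name : $($_.Exception.Message)"
        return $false
    }
}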
> 
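<#
# Writes the DWORD value $Name = 0 under key $Path.  Despite the name this
# is used for 'DisabledByDefault' on protocols that are being switched ON
# (DisabledByDefault = 0 for TLS 1.2).  'Enabled' is not an approved
# PowerShell verb; the name is kept so existing callers keep working.
#
# $Exists (from Test-RegistryValue) only selects the log message:
# New-ItemProperty -Force creates or overwrites the value as REG_DWORD
# regardless, so a wrong $Exists cannot make the write fail.
#
# Returns $true on success, $false if the write threw; the failure is
# reported with Write-Warning instead of being swallowed.
#>
function Enabled-RegistryValue {

    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$Path,

        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$Name,

        [parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]$Exists
    )

    try {
        New-ItemProperty -Path $Path -Name $Name -Value 0 -PropertyType "DWord" -Force -ErrorAction Stop | Out-Null
        if ($Exists -eq $False) {
            Write-Host "$Path\$Name has been created"
        }
        else {
            Write-Host "$Path\$Name has been updated"
        }
        return $true
    }

    catch {
        Write-Warning "Failed to write $Path\$Name : $($_.Exception.Message)"
        return $false
    }
}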
> 
<#
# Make sure every key the value writes below rely on exists.  Only names
# without '/' are listed here -- the registry provider can address those
# directly (the '/'-containing cipher keys are created separately through
# the .NET API).  The two cipher keys come first, then for each protocol
# the parent key followed by its \Client and \Server children, so a child
# is never created under a missing parent.
#>
$SchannelProviderRoot = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

$Paths = @(
    "$SchannelProviderRoot\Ciphers\NULL",
    "$SchannelProviderRoot\Ciphers\Triple DES 168"
)
foreach ($ProtocolName in 'Multi-Protocol Unified Hello', 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $Paths += "$SchannelProviderRoot\Protocols\$ProtocolName"
    $Paths += "$SchannelProviderRoot\Protocols\$ProtocolName\Client"
    $Paths += "$SchannelProviderRoot\Protocols\$ProtocolName\Server"
}

foreach ($Path in $Paths) {
    # Create only when missing; New-Item without -Force errors on an
    # existing key.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path
    }
}
> 
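<#
# Cipher keys whose names contain no '/' can be addressed through the
# registry provider, so the generic Test-/Update- helpers are used.
#
# Disable NULL: Enabled = 0 (the no-encryption cipher must never be offered).
#>
$NULLClientKey    = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL"
$NULLClientName   = "Enabled"
$NULLClientExists = Test-RegistryValue -Path $NULLClientKey -Name $NULLClientName
Update-RegistryValue -Exists $NULLClientExists -Path $NULLClientKey -Name $NULLClientName

<#
# Triple DES 168: Enabled = 1, kept as in the original script.
# NOTE(review): 3DES is a 64-bit block cipher (SWEET32, CVE-2016-2183) and
# most hardening baselines disable it.  Switch the call below to
# Update-RegistryValue (writes 0) unless a legacy peer still needs 3DES.
#>
$TripleDES168ClientKey    = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168"
$TripleDES168ClientName   = "Enabled"
$TripleDES168ClientExists = Test-RegistryValue -Path $TripleDES168ClientKey -Name $TripleDES168ClientName
Update-RegistryValue-Enable -Exists $TripleDES168ClientExists -Path $TripleDES168ClientKey -Name $TripleDES168ClientName

<#
# Protocols.  Every <protocol>\Client and <protocol>\Server key gets two
# DWORDs:
#   Enabled           0 = protocol cannot be used at all, 1 = usable
#   DisabledByDefault 1 = not offered unless a caller asks for it explicitly
# Legacy protocols are set to Enabled=0 / DisabledByDefault=1
# (Update-RegistryValue writes 0, Disabled-RegistryValue writes 1);
# TLS 1.2 is set to Enabled=1 / DisabledByDefault=0
# (Update-RegistryValue-Enable writes 1, Enabled-RegistryValue writes 0).
#
# The per-protocol copy/paste this replaces tested the wrong value in
# several places -- the TLS 1.0 and TLS 1.1 'DisabledByDefault' checks were
# run against the 'Enabled' name, and the TLS 1.1\Client 'Enabled' check was
# run against the TLS 1.0 key -- so a wrong $Exists reached the writers.
# Driving the same helpers from a table removes that class of error.
#>
$ProtocolsRoot = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

foreach ($Protocol in 'Multi-Protocol Unified Hello', 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($Side in 'Client', 'Server') {
        $ProtocolKey = "$ProtocolsRoot\$Protocol\$Side"

        $EnabledExists = Test-RegistryValue -Path $ProtocolKey -Name "Enabled"
        Update-RegistryValue -Exists $EnabledExists -Path $ProtocolKey -Name "Enabled"

        $DisabledByDefaultExists = Test-RegistryValue -Path $ProtocolKey -Name "DisabledByDefault"
        Disabled-RegistryValue -Exists $DisabledByDefaultExists -Path $ProtocolKey -Name "DisabledByDefault"
    }
}

# TLS 1.2 is the protocol everything above is meant to leave in place;
# enable it explicitly on both sides.
foreach ($Side in 'Client', 'Server') {
    $ProtocolKey = "$ProtocolsRoot\TLS 1.2\$Side"

    $EnabledExists = Test-RegistryValue -Path $ProtocolKey -Name "Enabled"
    Update-RegistryValue-Enable -Exists $EnabledExists -Path $ProtocolKey -Name "Enabled"

    $DisabledByDefaultExists = Test-RegistryValue -Path $ProtocolKey -Name "DisabledByDefault"
    Enabled-RegistryValue -Exists $DisabledByDefaultExists -Path $ProtocolKey -Name "DisabledByDefault"
}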
> 
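<#
# Cipher keys whose names contain '/'.  The PowerShell registry provider
# treats '/' as a path separator, so New-Item / Test-Path cannot address
# 'RC4 128/128' (they would operate on 'RC4 128\128'); the .NET registry
# API is used instead.  Paths are relative to HKEY_LOCAL_MACHINE, i.e.
# without the 'HKLM:\' prefix.
#>
$SpecialPaths = @(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128'
)

foreach ($SpecialPath in $SpecialPaths) {
    # The original `Test-Path -Path $SpecialPath` checked a bare
    # 'SYSTEM\...' string against the current file-system location, so it
    # was always $false; existence is checked through .NET instead.
    $ExistingKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SpecialPath)
    if ($null -eq $ExistingKey) {
        $CreatedKey = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SpecialPath)
        if ($null -ne $CreatedKey) { $CreatedKey.Close() }
    }
    else {
        $ExistingKey.Close()
    }
}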
> 
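<#
# Disable the weak ciphers (DES, RC2, RC4): Enabled = 0 on each key.
#
# These key names contain '/', which the registry provider behind
# Get-/Set-/New-ItemProperty rewrites as '\', so Test-RegistryValue and
# Update-RegistryValue cannot be used here: on the original
# "HKLM:\...\RC4 128/128" paths they addressed a non-existent
# 'RC4 128\128' key and failed silently (the caught exception just
# returned $false), and the RC2 40/128 step additionally re-tested the
# DES 56/56 key.  The values are written with the .NET registry API, which
# takes the name literally.
#>
$WeakCipherKeys = @(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128',
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128'
)

foreach ($CipherKeyPath in $WeakCipherKeys) {
    # CreateSubKey opens the key writable and creates it if it is missing.
    $CipherKey = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($CipherKeyPath)
    try {
        $CipherKey.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        Write-Host "HKLM:\$CipherKeyPath\Enabled has been set to 0"
    }
    catch {
        Write-Warning "Failed to write HKLM:\$CipherKeyPath\Enabled : $($_.Exception.Message)"
    }
    finally {
        $CipherKey.Close()
    }
}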
> 
<#
# Remove the TlsVersion value under the EAP type-13 settings when present.
# NOTE(review): this value presumably pins the TLS version used by EAP-TLS
# (type 13) for VPN / 802.1X authentication; deleting it lets EAP follow the
# Schannel defaults configured above -- confirm against your RAS/NPS
# requirements before deploying.
#>
$TLSVersionClientKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13"
$TLSVersionClientName   = "TlsVersion"
$TLSVersionClientExists = Test-RegistryValue -Path $TLSVersionClientKey -Name $TLSVersionClientName
if ($TLSVersionClientExists) {
    Remove-ItemProperty -Path $TLSVersionClientKey -Name $TLSVersionClientName
}
