
Defines the accepted cryptographic protocols at the OS level

  1. <#
  2. .SYNOPSIS
  3.     Defines the accepted cryptographic protocols at the OS level (schannel.dll)
  4. .NOTES    
  5.     Changes Windows registry to define the accepted cryptographic protocols.
  6.     Warning, depending on your configuration, some websites might stop working on IE or other applications using 'schannel.dll'
  7.     For more information please check https://support.microsoft.com/en-us/kb/245030
  8. #>  
  9.  
  10.  
  11. # set the desired configurations here
  12. $protocols = @{
  13.     'SSL 2.0'= @{
  14.         'Server-Enabled' = $false
  15.         'Client-Enabled' = $false
  16.     }
  17.     'SSL 3.0'= @{
  18.         'Server-Enabled' = $false
  19.         'Client-Enabled' = $false
  20.     }
  21.     'TLS 1.0'= @{
  22.         'Server-Enabled' = $false
  23.         'Client-Enabled' = $true
  24.     }
  25.     'TLS 1.1'= @{
  26.         'Server-Enabled' = $true
  27.         'Client-Enabled' = $true
  28.     }
  29.     'TLS 1.2'= @{
  30.         'Server-Enabled' = $true
  31.         'Client-Enabled' = $true
  32.     }
  33. }
  34.    
  35.    
  36. $protocols.Keys | ForEach-Object {
  37.        
  38.     Write-Output "Configuring '$_'"
  39.    
  40.     # create registry entries if they don't exist
  41.     $rootPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$_"
  42.     if(-not (Test-Path $rootPath)) {
  43.         New-Item $rootPath
  44.     }
  45.    
  46.     $serverPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$_\Server"
  47.     if(-not (Test-Path $serverPath)) {
  48.         New-Item $serverPath
  49.    
  50.         New-ItemProperty -Path $serverPath -Name 'Enabled' -Value 4294967295 -PropertyType 'DWord'
  51.         New-ItemProperty -Path $serverPath -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord'
  52.     }
  53.    
  54.     $clientPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$_\Client"
  55.     if(-not (Test-Path $clientPath)) {
  56.         New-Item $clientPath
  57.            
  58.         New-ItemProperty -Path $clientPath -Name 'Enabled' -Value 4294967295 -PropertyType 'DWord'
  59.         New-ItemProperty -Path $clientPath -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord'
  60.     }
  61.        
  62.     # set server settings
  63.     if($protocols[$_]['Server-Enabled']) {
  64.         Set-ItemProperty -Path $serverPath -Name 'Enabled' -Value 4294967295
  65.         Set-ItemProperty -Path $serverPath -Name 'DisabledByDefault' -Value 0
  66.     } else {
  67.         Set-ItemProperty -Path $serverPath -Name 'Enabled' -Value 0
  68.         Set-ItemProperty -Path $serverPath -Name 'DisabledByDefault' -Value 1
  69.     }
  70.        
  71.     # set client settings
  72.     if($protocols[$_]['Client-Enabled']) {
  73.         Set-ItemProperty -Path $clientPath -Name 'Enabled' -Value 4294967295
  74.         Set-ItemProperty -Path $clientPath -Name 'DisabledByDefault' -Value 0
  75.     } else {
  76.         Set-ItemProperty -Path $clientPath -Name 'Enabled' -Value 0
  77.         Set-ItemProperty -Path $clientPath -Name 'DisabledByDefault' -Value 1
  78.     }
  79. }