Is it possible to enable TLS 1.2 as default in Powershell

    • #68230

      Have searched and it seems that it should be possible to set the default values via various regkeys.
      But so far none of them have changed the output of:

      [Net.ServicePointManager]::SecurityProtocol
      

      So is there a way to include TLS12 as default and not just SSL3 and TLS?

      I know you can set this manually in a session.
      But I’m wondering if this can be set as a default setting.

    • #68301

      Try this:

      [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;

      It should work against subsequent Invoke-WebRequest calls.

    • #68304

      Yes, but not in the next session without adding it again, or if you’re e.g. using DSC.
      Various pages suggest that you can set the regkeys for schannel, the .netframework hive etc., but nothing seems to affect the defaults of PS.

      • #75301

        You can put

        [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; 

        in your Microsoft.PowerShell_profile.ps1 and/or Microsoft.PowerShellISE_profile.ps1.

    • #75292

      I tried this:
      [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;

      and get this:
      Cannot convert null to type “System.Net.SecurityProtocolType” due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are “Ssl3, Tls”.”

      I am running Win7 Enterprise SP1, and have the following installed:
      Microsoft .NET Framework 4.6.2 Targeting Pack
      Microsoft .NET Framework 4.5.2 Multi-Targeting Pack
      Microsoft .NET Framework 4.6.2 Targeting Pack (ENU)
      Microsoft .NET Framework 4.6.2
      Microsoft .NET Framework 4 Multi-Targeting Pack
      Microsoft .NET Framework 4.5 Multi-Targeting Pack
      Microsoft .NET Framework 4.5.2 Multi-Targeting Pack (ENU)
      Microsoft .NET Framework 4.6.2 SDK
      Microsoft .NET Framework 4.5 SDK

      I have followed steps getting TLS1.1 and TLS1.2 setup in the registry:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

      All to no avail.

      Any ideas welcome!

    • #78350

      Check out this link: Enabling strong cryptography for all .Net applications

      This registry setting worked for me. I had to close PowerShell session and open a new one.
      PS > [Net.ServicePointManager]::SecurityProtocol
      Tls, Tls11, Tls12

      • #101908
        Jon

        This is what I use to force TLS 1.2

        I also have reg entries to disable SSL v3 etc

    • #101893

      Please kindly clarify if the line [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 will take effect only per session, and if PS session will be closed (script ends) you will need to use the “[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12” every time

    • #101977

      It is a per session setting. The cmdlets like Invoke-RestMethod will always by default use TLS 1.0, so prior to making the call you would have to have the code [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12. While you could mess with the registry, it’s probably safer to just force the protocol during the script session.

      • #101989

        Thank you for feedback.

    • #101978

      Please read this article:
      https://johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications

      You need to enable Strong Crypto and then PowerShell will only use TLS 1.0, 1.1, 1.2. But it should try to negotiate as high as it can, meaning it should use 1.2.

      This does NOT require a server restart; however, you do have to restart your PowerShell session. After that, it will be retained though.

    • #112696

      You can always add that line to your PowerShell profile.
      Check here for setting up your PS Profile. That way every time you open a PowerShell session while logged into your profile it will open running TLS 1.2. You’d still want to include the line in your scripts but at least you wouldn’t have to set it just to run a couple simple commands.
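
Added example (not posted by anyone in this thread): it reports the SchUseStrongCrypto registry value that the "strong crypto" replies refer to, and adds TLS 1.2 to the current session without dropping protocols that are already enabled. The registry paths and value name are the documented .NET Framework 4.x ones rather than something quoted in the thread, and the function names are hypothetical.

```powershell
# Added example; function names are hypothetical.
$netKeys = @(                                   # documented .NET 4.x keys (64- and 32-bit)
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-StrongCryptoState {
    # Report SchUseStrongCrypto per key: $null = not set, 1 = enabled.
    foreach ($key in $netKeys) {
        $value = $null
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
            if ($prop) { $value = $prop.SchUseStrongCrypto }
        }
        New-Object PSObject -Property @{ Key = $key; SchUseStrongCrypto = $value }
    }
}

function Enable-StrongCrypto {
    # Needs an elevated session. Only processes started afterwards pick it up.
    foreach ($key in $netKeys) {
        if (Test-Path $key) {
            New-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Add-SessionTls12 {
    # 3072 is the numeric value of SecurityProtocolType.Tls12. Building the enum
    # from the number avoids the "possible enumeration values are Ssl3, Tls"
    # conversion error on hosts whose enum has no Tls12 name.
    $current = [int][Net.ServicePointManager]::SecurityProtocol
    $wanted  = [Enum]::ToObject([Net.SecurityProtocolType], ($current -bor 3072))
    try {
        # -bor keeps whatever is already enabled instead of replacing the set.
        [Net.ServicePointManager]::SecurityProtocol = $wanted
    } catch {
        Write-Warning "This runtime rejects TLS 1.2: $($_.Exception.Message)"
    }
    [Net.ServicePointManager]::SecurityProtocol
}

Get-StrongCryptoState | Format-Table Key, SchUseStrongCrypto -AutoSize
"CLR version: $($PSVersionTable.CLRVersion)"
"Session    : $(Add-SessionTls12)"
```

Run Enable-StrongCrypto from an elevated prompt, then open a new PowerShell window before checking the session value again.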

  • The topic ‘Is it possible to enable TLS 1.2 as default in Powershell’ is closed to new replies.