This example returns a pretty readable list that you can output to a csv:
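# Returns the Schannel protocol settings (client and server side) that are
# explicitly configured in the registry of every server listed in C:\Servers.txt.
# One object is produced per server, with four columns per protocol:
#   "<Protocol> Client Disabled" / "<Protocol> Server Disabled" -> DisabledByDefault value
#   "<Protocol> Client Enabled"  / "<Protocol> Server Enabled"  -> Enabled value
# DisabledByDefault and Enabled are separate registry values, not inverses of
# each other, so both are reported.
# A column is empty ($null) when the value is not present in the registry; in
# that case Schannel applies its own default for the OS version. Casting a
# missing value straight to [bool] would report it as False, which reads as
# "explicitly turned off" and hides the difference during an audit.
$list = Foreach ($Computername in (Get-Content C:\Servers.txt)) {
    Invoke-Command -ComputerName $Computername -ScriptBlock {
        $Root = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

        # Reads one registry value and returns $true/$false, or $null when the
        # key or the value does not exist (no error is written for that case).
        $ReadFlag = {
            param($Path, $Name)
            $Value = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
            if ($null -eq $Value) { $null } else { [bool]$Value }
        }

        # Ordered hash table so the columns keep the order they are added in
        $Item = [Ordered]@{}

        # Iterate through the protocols that have a key under Protocols\ and add them to the table
        Foreach ($Protocol in (Get-ChildItem -LiteralPath $Root).PSChildName) {
            $ClientPath = "$Root\$Protocol\Client"
            $ServerPath = "$Root\$Protocol\Server"

            $Item["$Protocol Client Disabled"] = & $ReadFlag $ClientPath 'DisabledByDefault'
            $Item["$Protocol Server Disabled"] = & $ReadFlag $ServerPath 'DisabledByDefault'
            $Item["$Protocol Client Enabled"] = & $ReadFlag $ClientPath 'Enabled'
            $Item["$Protocol Server Enabled"] = & $ReadFlag $ServerPath 'Enabled'
        }

        # Convert to a PowerShell object; Invoke-Command adds PSComputerName and RunspaceId
        [PSCustomObject]$Item
    }
}
$list #| Export-Csv C:\temp\ServerSSL.csv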
Outputs:
Multi-Protocol Unified Hello Client Disabled : True
Multi-Protocol Unified Hello Server Disabled : True
Multi-Protocol Unified Hello Client Enabled : False
Multi-Protocol Unified Hello Server Enabled : False
PCT 1.0 Client Disabled : True
PCT 1.0 Server Disabled : True
PCT 1.0 Client Enabled : False
PCT 1.0 Server Enabled : False
SSL 2.0 Client Disabled : True
SSL 2.0 Server Disabled : True
SSL 2.0 Client Enabled : False
SSL 2.0 Server Enabled : False
SSL 3.0 Client Disabled : True
SSL 3.0 Server Disabled : True
SSL 3.0 Client Enabled : False
SSL 3.0 Server Enabled : False
TLS 1.0 Client Disabled : True
TLS 1.0 Server Disabled : True
TLS 1.0 Client Enabled : False
TLS 1.0 Server Enabled : False
TLS 1.1 Client Disabled : False
TLS 1.1 Server Disabled : False
TLS 1.1 Client Enabled : True
TLS 1.1 Server Enabled : True
TLS 1.2 Client Disabled : False
TLS 1.2 Server Disabled : False
TLS 1.2 Client Enabled : True
TLS 1.2 Server Enabled : True
PSComputerName : my-server-name
RunspaceId : 452faf9a-e74a-4c02-834e-43bb6781ef57
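Also note that these keys are not always present. Schannel uses its default settings when no value is set in the registry, so a missing key or value means the operating-system default applies to that protocol, not that the protocol is disabled. See Microsoft's documentation for more details: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings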