
I'm currently looking to find out all SSL and TLS registry value information on the system. I need help writing a PowerShell script that looks at a list of hosts in a CSV/TXT file, then executes the following command and saves the result in CSV format with the computer name and the SSL and TLS registry entries.

#Get computers from text file. 1 computer per line
$myComputerList = Get-Content C:\Servers.txt

#Loop Through Array
ForEach ($computer in $myComputerList) {
    #Execute a command on the computer
    Invoke-Command -ComputerName $computer -ScriptBlock {
        #This is the command to execute
        #Grab the registry value you want and hold it in a variable
        $value = Get-ItemPropertyValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" -Name DisabledByDefault
               
        $Name = "SSL 2.0\Client\DisabledByDefault"
        #grab the machine name you're working on
        $computerName = $env:COMPUTERNAME
        #comma separate them and spit them out to a file.  This can be a UNC path on a network share
        ($computerName + " -> " + $Name + " = "+ $value) | Out-File -FilePath C:\Output.csv -Append
    }
}

Under SSL and TLS there are multiple subfolders, such as Client and Server. I need to extract the values of all those SSL and TLS protocol versions to a CSV format for multiple servers.

Thanks In Advance

1 Answer

This example returns a pretty readable list that you can output to a csv:

# Returns the Client/Server DisabledByDefault and Enabled values for each Schannel protocol
$list = Foreach ($Computername in (Get-Content C:\Servers.txt)) {
    Invoke-Command -ComputerName $Computername -ScriptBlock {

        # Create a hash table to store the different SSL protocol names/values
        $Item = [Ordered]@{}

        # Iterate through the list of available protocols and add to the table
        Foreach ($Protocol in (Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\").PSChildName) {
            [bool]$ClientDisabled = (Get-ItemProperty -Name DisabledByDefault -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\Client").DisabledByDefault 
            [bool]$ClientEnabled  = (Get-ItemProperty -Name Enabled           -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\Client").Enabled 
            [bool]$ServerDisabled = (Get-ItemProperty -Name DisabledByDefault -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\Server").DisabledByDefault
            [bool]$ServerEnabled  = (Get-ItemProperty -Name Enabled           -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\Server").Enabled
            $Item["$Protocol Client Disabled"] = $ClientDisabled
            $Item["$Protocol Server Disabled"] = $ServerDisabled
            $Item["$Protocol Client Enabled"]  = $ClientEnabled
            $Item["$Protocol Server Enabled"]  = $ServerEnabled
        }

        # Convert to a powershell object and add to the results list
        [PSCustomObject]$Item
    }
}
$list #| Export-Csv C:\temp\ServerSSL.csv

Outputs:

Multi-Protocol Unified Hello Client Disabled : True
Multi-Protocol Unified Hello Server Disabled : True
Multi-Protocol Unified Hello Client Enabled  : False
Multi-Protocol Unified Hello Server Enabled  : False
PCT 1.0 Client Disabled                      : True
PCT 1.0 Server Disabled                      : True
PCT 1.0 Client Enabled                       : False
PCT 1.0 Server Enabled                       : False
SSL 2.0 Client Disabled                      : True
SSL 2.0 Server Disabled                      : True
SSL 2.0 Client Enabled                       : False
SSL 2.0 Server Enabled                       : False
SSL 3.0 Client Disabled                      : True
SSL 3.0 Server Disabled                      : True
SSL 3.0 Client Enabled                       : False
SSL 3.0 Server Enabled                       : False
TLS 1.0 Client Disabled                      : True
TLS 1.0 Server Disabled                      : True
TLS 1.0 Client Enabled                       : False
TLS 1.0 Server Enabled                       : False
TLS 1.1 Client Disabled                      : False
TLS 1.1 Server Disabled                      : False
TLS 1.1 Client Enabled                       : True
TLS 1.1 Server Enabled                       : True
TLS 1.2 Client Disabled                      : False
TLS 1.2 Server Disabled                      : False
TLS 1.2 Client Enabled                       : True
TLS 1.2 Server Enabled                       : True
PSComputerName                               : my-server-name
RunspaceId                                   : 452faf9a-e74a-4c02-834e-43bb6781ef57

Also note that these keys are not always present. Schannel will use default settings when no value is set in the registry. See more details per Microsoft here: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

  • Thanks for the help, but on some of the servers where we have a PowerShell version older than 5, the command Get-ItemPropertyValue is not valid. Error: The term 'Get-ItemPropertyValue' is not recognized as the name of a cmdlet
    – chandu
    Commented Mar 18, 2021 at 15:55
  • Can you please help me with the script to add the values for Enabled as well?
    – chandu
    Commented Mar 18, 2021 at 16:04
  • @chandu I've replaced Get-ItemPropertyValue with Get-ItemProperty, which is available in older versions of PowerShell, and have added the Enabled values.
    – Cpt.Whale
    Commented Mar 18, 2021 at 17:16
  • Is there a way to get the output value the same as the registry key value instead of the Boolean True or False?
    – chandu
    Commented Mar 18, 2021 at 17:26
  • @chandu yep, just remove all of the [bool] and it defaults to the int value
    – Cpt.Whale
    Commented Mar 18, 2021 at 17:43
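
With the [bool] cast in the answer's script, a value that is absent from the registry (so the Schannel default applies) and a value explicitly set to 0 both come out as False. The following is an added example, not part of the original answer: it writes one row per computer, protocol, role and value name, keeps the raw registry value, and marks absent values. The column names and the NotConfigured and Error labels are assumptions of this example; the file paths are the ones used on this page.

```powershell
# Added example: long-format export of raw Schannel protocol values.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

$rows = foreach ($computer in (Get-Content C:\Servers.txt)) {
    try {
        Invoke-Command -ComputerName $computer -ErrorAction Stop -ArgumentList $root -ScriptBlock {
            param($root)
            $protocols = (Get-ChildItem -Path $root -ErrorAction SilentlyContinue).PSChildName
            foreach ($protocol in $protocols) {
                foreach ($role in 'Client', 'Server') {
                    # $props stays $null when the Client/Server subkey does not exist
                    $props = Get-ItemProperty -Path "$root\$protocol\$role" -ErrorAction SilentlyContinue
                    foreach ($name in 'Enabled', 'DisabledByDefault') {
                        # Compare against $null so an explicit 0 is kept as 0,
                        # and only a truly absent value is reported as NotConfigured
                        $value = if ($props -and $null -ne $props.$name) { $props.$name } else { 'NotConfigured' }
                        [PSCustomObject]@{
                            ComputerName = $env:COMPUTERNAME
                            Protocol     = $protocol
                            Role         = $role
                            ValueName    = $name
                            Value        = $value
                        }
                    }
                }
            }
        }
    }
    catch {
        # Unreachable host or remoting failure: record it instead of dropping the server
        [PSCustomObject]@{
            ComputerName = $computer
            Protocol     = ''
            Role         = ''
            ValueName    = 'Error'
            Value        = $_.Exception.Message
        }
    }
}

# Select-Object drops the PSComputerName and RunspaceId properties added by Invoke-Command
$rows | Select-Object ComputerName, Protocol, Role, ValueName, Value |
    Export-Csv -Path C:\temp\ServerSSL.csv -NoTypeInformation
```

Because every row has the same five columns, Export-Csv produces a consistent file even when servers have different protocol subkeys present.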
