6

How can I check whether TLS 1.2 is enabled in the browser (not in registry) using a PowerShell script?

2
  • You'll need to figure out the respective registry key for that browser setting. Unfortunately, I suspect that may be a per-user setting, which makes things a lot trickier. While you can check reg keys in HKCU, it will be your registry, and HKU will be populated with only users that are logged in. It just makes things quite complicated but not impossible. Commented Oct 1, 2021 at 17:28
  • Did you intend to add the PowerShell 4 tag? If so, TLS 1.2 is unsupported in PowerShell 4 because PS v4 uses .NET 4.0, which doesn't support TLS 1.2. Commented Jun 4, 2024 at 13:25

2 Answers

8

When running in the PowerShell ISE, the .NET class property is a simple method to query TLS settings:

[Net.ServicePointManager]::SecurityProtocol

If only TLS is enabled, the output will be:

Ssl, Tls

If TLS 1.2 is enabled, then the list will be:

Tls, Tls11, Tls12

However, the return type is a System.Enum, which can be checked using a regular expression as follows:

[Net.ServicePointManager]::SecurityProtocol -match "Tls12"

This results in a Boolean value.


1 Comment

This is only telling what protocols dot net will attempt to negotiate, but it is still subject to the server configuration. So, dot net could tell you Tls12 in the ServicePointManager, but if it is disabled on the server dot net will revert to the next highest protocol.

7

To check the schannel keys in your question, this works:

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\'
if (Test-Path $key) {
  $TLS12 = Get-ItemProperty $key
  if ($TLS12.DisabledByDefault -ne 0 -or $TLS12.Enabled -eq 0) {
    Throw "TLS 1.2 Not Enabled"
  }
}

Note that most browsers also check the SecureProtocols value in Internet Settings, which can be set per-user or for the whole machine:

# User settings
Get-ItemProperty 'hkcu:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name SecureProtocols
# Machine settings
Get-ItemProperty 'hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' -Name SecureProtocols

The value is a little strange since it is a combination of the hex values for each supported protocol. For example, TLS 1.2 is 0x800 or 2048. Check out the Microsoft TLS 1.2 page for more details on all this information.

It is showing 280 with TLS 1.2 off and a80 with TLS 1.2 on in my laptop registry.

6 Comments

Thanks for the insights, it's really helpful. Can you also mention the full path for Internet Settings? Is it Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Protocols? What should the key value be, is it the same as before?
@SmartestVEGA I've updated my answer. Unfortunately not, the correct value is more complex than just 0 or 1. Please check out the linked page for more information.
Thank you, I got the values in my system as 280 off, a80 on. Great, thanks for your help.
When if (Test-Path $key) is false, there is no error output.
@nd34567s32e If the key doesn't exist, then the TLS client settings are at the OS defaults (enabled, for Windows 8.1 and up).
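
Decoding the SecureProtocols bitmask discussed in the answer and comments above, as an added example that is not code from either answer. Only the 0x800 flag for TLS 1.2 comes from the page; the other flag values are the ones Microsoft documents for this setting, and the function names are hypothetical.

```powershell
# Added example: decode the SecureProtocols bitmask from Internet Settings.
# Only 0x800 (TLS 1.2) is stated on the page; the remaining flags are
# Microsoft's documented values for the same setting.
$ProtocolFlags = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
    'TLS 1.3' = 0x2000
}

# Hypothetical helper: list every protocol whose bit is set in the mask.
function ConvertFrom-SecureProtocols {
    param([Parameter(Mandatory)][int]$Value)
    $ProtocolFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Hypothetical helper: read the per-user and per-machine values and report
# whether the TLS 1.2 bit is set at each scope.
function Get-InternetSettingsTls {
    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\$subKey"
        $item = Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value absent at this scope: nothing is configured here, so
            # report "unknown" rather than "disabled".
            [pscustomobject]@{ Scope = $hive; Raw = $null; Protocols = @(); Tls12 = $null }
            continue
        }
        $raw = [int]$item.SecureProtocols
        [pscustomobject]@{
            Scope     = $hive
            Raw       = '0x{0:X}' -f $raw
            Protocols = @(ConvertFrom-SecureProtocols -Value $raw)
            Tls12     = [bool]($raw -band 0x800)
        }
    }
}

# Decode the two values reported in the thread, then the live registry values.
ConvertFrom-SecureProtocols -Value 0x280
ConvertFrom-SecureProtocols -Value 0xA80
Get-InternetSettingsTls | Format-Table -AutoSize
```

A `Tls12` of `$null` means the value is not set at that scope, which is different from TLS 1.2 being switched off there.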