1

I am looking to enable TLS ciphers on a Windows 10 Pro 21h1 Operating system. I am planning to use the following PowerShell commands and apply these to multiple devices via an MDM solution.

Enable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" -position 0
Enable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" -position 1

Does it matter what position these appear in the array of ciphers? I read over the MSFT docs and I do not see anything mentioned about positioning requirements.

Improve this question

1 Answer 1

Reset to default
3

Yes Cipher order is important, Get-TlsCipherSuite returns an ordered list. That order is respected when the server is negotiating a cipher to use. You want to ensure your strongest ciphers at the top of the list, and any weaker ones you need to support are at end of the list (and its generally a good idea to remove all the really weak ones eg Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_NULL_SHA')

Calling Enable-TlsCipherSuite with -position 0 will insert the new Cipher at the top of the list. Calling Enable-TlsCipherSuite without the -position param (or specifying -position 4294967295) will append the Cipher Suite to the end of the list.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.