Disable SSL and TLS 1.0/1.1 on IIS with PowerShell

The PowerShell script discussed in this post allows you to disable and enable individual SSL and TLS protocol versions on IIS. You probably know that SSL 3.0, TLS 1.0, and TLS 1.1 are weak protocols. The general recommendation is to work only with TLS 1.2. However, sometimes this causes compatibility issues, so it is useful to be able to re-enable a protocol quickly if problems come up.

Take a look at the script before I start explaining how it works.

Because I don't want to edit the script text every time I run it, I've defined the parameters below.

The first parameter selects one of the four protocols. To be safe, I added the ValidateSet option, which restricts the parameter input to the four possible options. The Target parameter is optional and allows you to disable the protocols for client and server applications separately. Omitting this parameter changes both the client and server protocols. The last parameter is mandatory and determines whether to enable or disable the specified protocol.

The screenshot below shows what happens if you call the script with the wrong parameters.

Validating a parameter fails

You can disable and enable the protocols through registry keys. The function below defines the corresponding variables depending on the protocol settings you want to change.

The next snippet determines whether I have to change the settings for the client or server or both.

With the help of the Join-Path cmdlet, I combine the registry path with the target (client or server) and save the corresponding registry key in the $Targetkey variable. With the Test-Path cmdlet, I determine whether the key exists, and if not, I create it. After executing this piece of code, I have the $Targetkey string array, which consists of either one or two values (client or server, or both).

The next function then changes the protocol settings in the registry.

The function accepts the $Targetkey string array and the $Action variable as parameters. I'm going through every registry key stored in the $Targetkey array using a foreach loop to do the steps below.

First, I try to read the "Enabled" value from the key. If this succeeds and $Action is equal to "Disable," I set the Enabled value under the key stored in the $Targetkey array to "0". This disables the security protocol that the $Proto parameter specifies. If $Action is not equal to "Disable," I set it to "1" to enable the protocol.

If I can't read the "Enabled" value from the path stored in the $Targetkey array, the cmdlet throws a System.Management.Automation.PSArgumentException. I catch this exception, and since I now know there is no "Enabled" value, I can create it and assign the appropriate value depending on the contents of the $Action variable.

The second try-catch block does essentially the same thing, only it changes the DisabledByDefault value. The two values Enabled and DisabledByDefault are always opposites: when Enabled is "0," DisabledByDefault is "1," and vice versa.

And finally, I call the SetProto function and notify the user that a reboot is required to apply the changes.
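The following script is an added example that puts the steps above together; it is not the author's script from the post. It assumes the usual SCHANNEL location under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols and, because the post does not list the ValidateSet values, uses SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2 as the allowed protocol names (one more than the post's four). Run it from an elevated PowerShell session; the registry change only takes effect after a reboot.

```powershell
# Added example (not the 4sysops script): enable or disable one SCHANNEL protocol
# for Client, Server, or both by writing the Enabled/DisabledByDefault DWORDs.
# Assumptions: the registry path below and the ValidateSet protocol names.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
    [string]$Proto,

    # Optional: omit to change both Client and Server
    [Parameter(Mandatory = $false)]
    [ValidateSet('Client', 'Server')]
    [string]$Target,

    [Parameter(Mandatory = $true)]
    [ValidateSet('Enable', 'Disable')]
    [string]$Action
)

$BasePath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Builds the list of registry keys to edit and creates any that are missing.
function Get-TargetKey {
    param([string]$Proto, [string]$Target)
    $ProtoPath = Join-Path -Path $BasePath -ChildPath $Proto
    $Targets = if ($Target) { @($Target) } else { @('Client', 'Server') }
    $Keys = foreach ($t in $Targets) {
        $Key = Join-Path -Path $ProtoPath -ChildPath $t
        if (-not (Test-Path -Path $Key)) {
            New-Item -Path $Key -Force | Out-Null
        }
        $Key
    }
    return [string[]]$Keys
}

# Writes one DWORD value, creating it if the read in the try block fails.
function Set-RegistryDword {
    param([string]$Key, [string]$Name, [int]$Value)
    try {
        # -ErrorAction Stop turns the "property does not exist" error into
        # a terminating PSArgumentException that the catch block can handle.
        Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop | Out-Null
        Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
    }
    catch [System.Management.Automation.PSArgumentException] {
        New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord | Out-Null
    }
}

# Applies Enabled and its opposite, DisabledByDefault, to every target key.
function SetProto {
    param([string[]]$TargetKey, [string]$Action)
    $Enabled = if ($Action -eq 'Disable') { 0 } else { 1 }
    $DisabledByDefault = 1 - $Enabled
    foreach ($Key in $TargetKey) {
        Set-RegistryDword -Key $Key -Name 'Enabled'           -Value $Enabled
        Set-RegistryDword -Key $Key -Name 'DisabledByDefault' -Value $DisabledByDefault
        # Read back so the operator can see the resulting state.
        $State = Get-ItemProperty -Path $Key
        Write-Host ("{0}: Enabled={1} DisabledByDefault={2}" -f $Key, $State.Enabled, $State.DisabledByDefault)
    }
}

$TargetKey = Get-TargetKey -Proto $Proto -Target $Target
SetProto -TargetKey $TargetKey -Action $Action
Write-Warning "A reboot is required before the $Action of $Proto takes effect."
```

Usage, for example to disable SSL 3.0 for both client and server: `.\Set-Schannel.ps1 -Proto 'SSL 3.0' -Action Disable` (the file name is arbitrary). Passing a protocol name outside the ValidateSet, such as `-Proto 'SSL 4.0'`, is rejected by the parameter binder before any registry access, which is the failure shown in the screenshot above. The read-back line after each write gives you the current state of the key, so you can also confirm the values on a server you did not change yourself.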

The screenshots below show the console output of the script:

Disabling SSL 3.0 for a client and server

Enabling SSL 3.0 for a client


  1. Satheesh 1 year ago

    Thanks Alex,

    I have tested your script and it is very useful. Is it possible to display the current settings first and give options like a radio button or popup box to enable/disable specific or default settings?



  2. Karthik K 7 months ago

    Good stuff. Very useful




© 4sysops 2006 - 2020

