cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ICT_Overijse
Engaged Sweeper

Hi,

As Microsoft requires all resources which interact with Azure services to be using TLS 1.2 or higher as of 31 October 2024 we were looking to create a Lansweeper report which can identify the TLS version used in our network. On our DC's we've already manualy disabled TLS 1.0. But is there a report available that lists which TLS version is used by all resources in the network?

Thanks in advance for your reply.

2 REPLIES 2
rader
Champion Sweeper III

Real basic report that you can expand upon, but it requires registry keys to be scanned. Add these examples to your Custom Registry Scanning list. Here I've just thrown together two keys to scan for.

  • Rootkey: HKLM
  • RegPath: System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
  • RegVaule: Enabled

and

  • Rootkey: HKLM
  • RegPath: System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
  • RegVaule: Enabled

Report

Select Top 1000000 tblassets.AssetID,
  tblassets.AssetName,
  tsysassettypes.AssetTypename,
  tsysassettypes.AssetTypeIcon10 As icon,
  tblassets.IPAddress,
  tblassets.Lastseen,
  tblassets.Lasttried,
  tblRegistry.Regkey,
  tblRegistry.Valuename,
  tblRegistry.Value
From tblassets
  Inner Join tblassetcustom On tblassets.AssetID = tblassetcustom.AssetID
  Inner Join tsysassettypes On tsysassettypes.AssetType = tblassets.Assettype
  Inner Join tblRegistry On tblassets.AssetID = tblRegistry.AssetID
Where tblRegistry.Regkey Like '%TLS%' And tblassetcustom.State = 1

 

Depending on your needs Microsoft also lists these additional ones below. See the article https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hell... for more information.

For example, here are some valid registry paths with version-specific subkeys:

  • HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client

  • HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

  • HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.2\Client

In order to override a system default and set a supported (D)TLS or SSL protocol version to the Enabled state, create a DWORD registry value named Enabled with an entry value of "1" under the corresponding version-specific subkey.

Good luck.

 

Thanks for your reply, I will have a look at it and let you know what the outcome was.