PowerShell command to change Windows Cipher Suite Order

While journeying down the whole cipher suite road this weekend, I put together a little one-liner that reconfigures the cipher suite order that Windows will try to use. As I mentioned in a previous blog, you can configure this via GPO. But maybe you want to build the configuration into a golden image. You probably have other PowerShell scripts to configure your golden image, so you can throw this command in to tweak the cipher suite order.

The command only works on Windows Server 2008 R2 and Windows 7. If you use Vista or Server 2008, look at your existing registry key for the list of cipher suites, then modify the script. Many of the new cipher suites are not available on 2008/Vista.

After you cut and paste the script to your computer remove all line breaks and spaces in the cipher suite string. This is important, as we are at the 1024 character limit of a PowerShell string.

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" -Name "Functions" -Value "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5" -Type String
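The same change, written as an added example rather than the post's own one-liner: it builds the value from an ordered array (so no spaces or line breaks creep into the string), checks the 1023-character limit on the Functions value before writing, creates the policy key if it does not exist yet, and reads the value back. It assumes the same registry path and Functions value the post uses, and the suite list is a subset of the post's list, reordered to put the ECDHE/GCM suites first and leaving out the RC4, MD5 and SSL 2.0 entries.

```powershell
# Added example (not the original post's command): set the SChannel cipher suite
# order from a list, with a length check and a read-back. Run from an elevated
# PowerShell session; the policy is read by SChannel at boot, so reboot afterwards.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Preference order, most preferred first. Subset of the suites named in the post,
# with the forward-secret ECDHE suites ahead of the plain RSA ones.
$Suites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)

# Trim each entry and drop blanks, then join with commas and no spaces.
$Value = ($Suites | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join ','

# SChannel only honours the first 1023 characters of the Functions value;
# refuse to write a list that would be silently truncated.
if ($Value.Length -gt 1023) {
    throw "Cipher suite string is $($Value.Length) characters; the limit is 1023."
}

# Show what is configured today so the change can be reviewed (and reverted).
$Current = (Get-ItemProperty -Path $KeyPath -Name Functions -ErrorAction SilentlyContinue).Functions
if ($Current) {
    Write-Host "Current policy order:`n$Current"
} else {
    Write-Host 'No policy order set; the OS default order applies.'
}

# The policy key does not exist on a machine that has never had this GPO applied.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

Set-ItemProperty -Path $KeyPath -Name Functions -Value $Value -Type String

# Read back and confirm the stored value is exactly what we intended.
$After = (Get-ItemProperty -Path $KeyPath -Name Functions).Functions
if ($After -ne $Value) {
    throw 'Read-back of the Functions value does not match what was written.'
}
Write-Host "Wrote $($Suites.Count) suites ($($Value.Length) characters). Reboot to apply."
```

Keeping the list as an array means the length check and the join are done for you, which is the defect the comments on this post ran into: a string one character over the limit loses its final characters without any error from Set-ItemProperty.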

Comments
Mark
Guest

Please note: The string is limited to 1023 characters.

The example above is one character too long once you get the <space> characters out of the string. Note the end of the sequence is "MD", not "MD5".

Mark
Guest

Dude, you solved a massive problem for me with my Azure VM. Thank you!

MrRJ45
Guest

I got stuck with my Azure VM unreachable with RDP / SSH after cipher suites change and server restart. I used your command with these changes: – Add antislash in the path. – Use of 00010002 instead of 0010002 in the path. My VM is a Windows server 2008 R2 Datacenter. So, how to update cipher suites if VM is unreachable? Here follow the steps: – Go to Azure portal – Select your VM and start it if stopped. – Go to Execute command – Click on RunPowerShellScript – Paste the Set-ItemProperty command and click on Execute.…
