Back

Adding TLS 1.2 support for Powershell

Fix an error downloading from the Powershell Gallery

Sometimes I try to setup PSWindowsUpdate (an amazing module from the Powershell Gallery) and receive an error like this one:

WARNING: Source Location https://www.powershellgallery.com/api/v2/package/PSWindowsUpdate/2.2.0.2' is not valid.
PackageManagement\Install-Package : Package ‘PSWindowsUpdate' failed to download.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21
+  $null = PackageManagement\Install-Package @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (C:\Users\... :String) [Install-Package], Exception
+ FullyQualifiedErrorId : PackageFailedInstallOrDownload,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage 

A similar issue arises with using the Invoke-WebRequest cmdlet. The root cause is that Powershell is trying to connect to a site and there’s no agreement on the encryption protocol to use. By default, Powershell uses TLS 1.0 and that’s been widely deprecated.

The Background

Transport Layer Security (TLS) is the successor to SSL. Starting in 2018, there was a groundswell of (good) advice that TLS 1.0 and 1.1 should be deprecated on websites and in browsers. This was largely adopted across the internet by 2020. That leaves TLS 1.2 as the de facto standard, with TLS 1.3 adoption rising but not as widespread yet.

The Problem

In April 2020, Microsoft disabled support for TLS 1.0 on the Powershell Gallery and now requires TLS 1.2. The issue is that Powershell 5.1 doesn’t support this configuration out of the box and the PowershellGet module (1.0.0.1) didn’t support TLS 1.2 at all. Smooth move, Microsoft.

The Solution

Microsoft released a new version of PowershellGet (2.2.4) in April 2020 that supports TLS 1.2. You can install it like this:

Install-Module PowerShellGet -RequiredVersion 2.2.4 -SkipPublisherCheck

By default, Powershell uses whatever the system default settings for crypto:

PS > [Net.ServicePointManager]::SecurityProtocol
SystemDefault

… but the problem is that the default for each system could be different. You can force your system to enable TLS 1.2 support in your Powershell session:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

… but the problem with this command is that you need to run it everytime you open a new Powershell session.

Let’s update the current user’s Powershell profile (creating it if it doesn’t exist) so that TLS 1.2 support is enabled every time a session is launched:


$ProfileFile = "${PsHome}\Profile.ps1"
if (! (Test-Path $ProfileFile)) {New-Item -Path $ProfileFile -Type file -Force}
'[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12' | Out-File -FilePath $ProfileFile -Encoding ascii -Append

Actually, while we’re at it, let’s configure Windows and .NET too:

#TLS1.2-Windows.ps1

<#
Enable only TLS 1.2 on Windows.
Disable TLS 1.0, 1.2
Enable .NET to use TLS 1.2

Greg Beifuss
2020-07-02 16:11
#>

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.0 has been Disabled.'

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.1 has been Disabled.'

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been Enabled.'




Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Built with Hugo
Theme Stack designed by Jimmy