Enforce TLS SSL Hardening
Overview
Enforces Windows TLS/SSL security hardening by disabling legacy protocols (SSL 3.0, TLS 1.0, and TLS 1.1), enabling supported modern TLS versions (TLS 1.2 and TLS 1.3), configuring .NET Framework strong cryptography settings to help maintain application compatibility when legacy protocols are disabled, removing weak TLS cipher suites, and optionally initiating a reboot or enabling the Reboot Pending Prompt solution to notify users that a restart is required for the changes to take effect. It disables below Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
NOTE: A system reboot is required for all changes to take full effect. Either use 'Force Reboot' parameter to immediately restart the machine after hardening so the TLS/SSL changes are fully applied. Or enable 'cPVAL Enable Reboot Prompts' custom field to send user prompts for Reboot. 'Reboot Pending Prompt' solution must be enabled in the environment to use this feature.
Sample Run
Play Button > Run Automation > Script

Dependencies
Parameters
| Name | Example | Accepted Values | Required | Default | Type | Description |
|---|---|---|---|---|---|---|
| Force Reboot | - | - | False | Not selected | Check-box | Select it to immediately reboot the machine after applying the TLS Hardening. |
Automation Setup/Import
Output
- Activity Details
Changelog
2026-06-18
- Updated the script to configure .NET Framework strong cryptography settings, helping maintain application compatibility when legacy protocols are disabled and modern TLS versions are enforced.
- Added a Force Reboot parameter that can immediately restart the machine after hardening so the TLS/SSL changes are fully applied.
- Added an option for reboot prompts through the
cPVAL Enable Reboot Promptscustom field. When enabled, the script setscPVAL Pending Rebootto trigger user notifications. This feature requires theReboot Pending Promptsolution to be enabled in the environment.
2026-04-10
- Initial version of the document.