Skip to main content

Enforce TLS SSL Hardening

Overview

Enforces Windows TLS/SSL security hardening by disabling legacy protocols (SSL 3.0, TLS 1.0, and TLS 1.1), enabling supported modern TLS versions (TLS 1.2 and TLS 1.3), configuring .NET Framework strong cryptography settings to help maintain application compatibility when legacy protocols are disabled, removing weak TLS cipher suites, and optionally initiating a reboot or enabling the Reboot Pending Prompt solution to notify users that a restart is required for the changes to take effect. It disables below Cipher Suites:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

NOTE: A system reboot is required for all changes to take full effect. Either use 'Force Reboot' parameter to immediately restart the machine after hardening so the TLS/SSL changes are fully applied. Or enable 'cPVAL Enable Reboot Prompts' custom field to send user prompts for Reboot. 'Reboot Pending Prompt' solution must be enabled in the environment to use this feature.

Sample Run

Play Button > Run Automation > Script

SampleRun1

Dependencies

Parameters

NameExampleAccepted ValuesRequiredDefaultTypeDescription
Force Reboot--FalseNot selectedCheck-boxSelect it to immediately reboot the machine after applying the TLS Hardening.

Automation Setup/Import

Automation Configuration

Output

  • Activity Details

Changelog

2026-06-18

  • Updated the script to configure .NET Framework strong cryptography settings, helping maintain application compatibility when legacy protocols are disabled and modern TLS versions are enforced.
  • Added a Force Reboot parameter that can immediately restart the machine after hardening so the TLS/SSL changes are fully applied.
  • Added an option for reboot prompts through the cPVAL Enable Reboot Prompts custom field. When enabled, the script sets cPVAL Pending Reboot to trigger user notifications. This feature requires the Reboot Pending Prompt solution to be enabled in the environment.

2026-04-10

  • Initial version of the document.