
PowerShell, Server 2012 R2 and determine if cipher suite is active

I have a small project where I have to query about 1800 servers on Server 2012 R2 and want to see if they have TLS 1.2 AND the specific cipher suites that I need enabled on the server AND enabled.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Using Get-TlsCipherSuite in Server 2016 works as expected, but that is not available in Server 2012 R2.

For Server 2012 R2 I was trying to use this call:

Get-ItemPropertyValue -Path HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 -Name Functions

But it shows that it is installed, but not its state. I need to confirm if it is actually enabled and not just installed. The above call doesn't do that, and I cannot find where the 'flag' is to show that the item is enabled.

Any help would be appreciated.

In my use case I found that the following reliably indicated whether or not the target cipher suites were present and enabled on OS 2012r2:

# Read the OS product name to confirm this is Server 2012 / 2012 R2
$osVer = Get-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
if ($osVer.GetValue('ProductName') -like "*2012*") {
    Write-Host "detected OS: 2012"
    # Cipher suite order from the policy key: a single comma-separated string
    $2012suites = ((Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002").Functions).Split(",")
    # Report each required suite as present or missing
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" | ForEach-Object {
        if ($_ -in $2012suites) {
            Write-Host "Present: $_" -ForegroundColor Green
        } else {
            Write-Host "Missing: $_" -ForegroundColor Red
        }
    }
}
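
An added example (not part of the original question or answer) that combines the answer's policy-key check with a fallback to the Local key from the question and a check of the TLS 1.2 server protocol switch. The function names are hypothetical, and the SCHANNEL protocol path and the "no value means OS default" rule are assumptions not taken from the page.

```powershell
# Added example: helper names are hypothetical, not from the original post.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
# Assumption: standard Schannel protocol key (not mentioned on the page)
$Tls12Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty is used because Get-ItemPropertyValue needs PowerShell 5.0
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-TlsCipherState {
    param([string[]]$Required)

    # A policy-set list takes precedence; without one, the Local list applies
    $source = 'Policy'
    $raw = Get-RegValue -Path $PolicyKey -Name 'Functions'
    if (-not $raw) {
        $source = 'Local'
        $raw = Get-RegValue -Path $LocalKey -Name 'Functions'
    }
    # Handles both a comma-separated string and a multi-string array
    $suites = @($raw) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    # Assumption: a missing Enabled value means the OS default (on for TLS 1.2 on 2012 R2)
    $enabled = Get-RegValue -Path $Tls12Key -Name 'Enabled'
    $tls12On = ($null -eq $enabled) -or ($enabled -ne 0)

    foreach ($name in $Required) {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Suite       = $name
            ListSource  = $source
            InList      = $name -in $suites
            Tls12Server = $tls12On
        }
    }
}

Test-TlsCipherState -Required 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
                              'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
```

Saved as a script, this can be run against many servers with `Invoke-Command -ComputerName ... -FilePath`, and the returned objects exported with `Export-Csv`.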
