After using this in my lab, and then in production, we noticed after setting TLS 1.1 and 1.2 to enabled, that the "Default" registry key for Client and Server sub-sections was changed from a string to a DWORD type, and set to the value of 1. For example:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
@=dword:00000001

Any idea how/why the Default value for these keys is having it's type modified and/or being set to 1? I have looked at your XML and can't see anything that jumps out at me as to why.

Thank you for your time putting this together BTW!

When enabling TLS 1.3 in the GPO the TLS 1.2 settings disappear from the gpresult page in the Group Policy Management sometimes.
It looks like the settings are not being rendered.
After editing the GPO settings a few times the TLS 1.2 settings appear again. But after refreshing the settings page of the GPO the settings disappear again...

And after refreshing a few times the setting appear again...

Seems like a weird bug...

The registry key you set for "Triple DES 168" is "Triple DES 168/168." However, as per official Microsoft support article (https://support.microsoft.com/help/245030), this key name only applies to legacy (pre-Windows Vista) operating system. For modern OSes, the name of the key should be just "Triple DES 168"--i.e., without the tailing "/168."

As per @JonathanPitre: for TLS 1.3, this needs to be fixed from

SUPPORTED_Windows_10_0 (line 392)
to
SUPPORTED_Windows_10_0_RS6_NOSERVER

so it's only enable on Windows 10 1903. There's no such thing as Windows Server 2019 1903 (with GUI at least)

Originally posted by @JonathanPitre in #14 (comment)

Hi,

Thanks for providing these templates!
I have installed the templates on my lab DC. When I configure a GPO, both settings (".NET Framework 2 STrong Crypto" and ".NET Framework 4 Strong Crypto") shows under "SSL Configuration Settings". However, when I open the setting, the "options window" is empty.
My DC is Windows Server 2019 (schema version 88). Did anyone try these templates on a Windows Server 2019 Domain Controller?

Hi,

Just wondering why DTLS 1.0 is not shown under the "Weak Protocols" section, since it is based on TLS 1.1, which is considered weak in the template ?

If it's a bug, would be happy to open a PR to fix it, just let me know !

README.md contains several suggestions for "Cipher Suite Order." One of them is entitled as "Steve Gibson's list." However, the link goes to Microsoft website (https://msdn.microsoft.com/library/windows/desktop/bb870930)--which, I assume, is not what you intended.

The link should be important, because other suggestion (Use IIS Crypto as a guide) is not terribly actionable. Unfortunately, you cannot copy the names from the tool, and re-typing them seems too error-prone.

Apparently, .NET Framework starts to experience issues once TLS 1.0 is disabled and only TLS 1.1 and 1.2 are left enabled. (Here's one example explained in details: https://blogs.technet.microsoft.com/keithab/2015/06/22/error-while-configuring-wapthe-underlying-connection-was-closedpart-2/. However, there are other apps as well known to experience similar problems, e.g. Azure Backup agent.)

This can be mitigated with "SchUseStrongCrypto" value in registry. It should be set up twice (for x64 and x86 versions of .NET Framework), and separately for .NET Framework 2.x/3.x family, and for .NET Framework 4.x, which makes four areas total. (See https://technet.microsoft.com/library/security/2960358 for details.)

I propose you add respective settings to your awesome ADMX templates. So that people who disable TLS 1.0 using Group Policy, could also enable "SchUseStrongCrypto" using the same policy, and avoid issues. I doubt you can set multiple registry properties using the same setting, so you might end up adding four different settings (2.x-x86, 2.x-x64, 4.x-x86 and 4.x-x64.) That would be fine.

Thanks in advance!

To enable TLS v1.3 in either of these versions of Windows you should import the following registry file into your registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001

Sources:
https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/#:~:text=TLS%2F1.3%20is%20supported%20in,based%20browsers%20support%20TLS%201.3.&text=Will%20TLS%201.3%20be%20supported%20in%20Windows%2010%20and%20Server%3F