1313 Lowest OS version where this script has been tested on: Windows Server 2008 R2.
1414#>
1515
16- $version = " 2022-04-14 "
16+ $version = " 2022-05-05 "
1717
1818function Write-OK { param ($str ) Write-Host - ForegroundColor green $str }
1919function Write-nonOK { param ($str ) Write-Host - ForegroundColor red $str }
@@ -317,31 +317,6 @@ if (-not $gettlsciphersuiteAnalysisDone)
317317 Write-Break
318318}
319319
320- Write-Detail " Running DHE check..."
321-
322- $dhePath = " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman"
323- $dheIsExpected = CheckValueIsExpected $dhePath " Enabled" 4294967295 $true $exactCheck
324- if ($dheIsExpected )
325- {
326- Write-Detail " Diffie-Helman key exchange allowed."
327- }
328- else
329- {
330- $dheFiltered = $requiredEnabledCipherSuites | Where-Object { -not ($_ -match " _DHE_"
331- Write-Host " Diffie-Helman key exchange disabled. Enabled cipher suites after filtering: $dheFiltered "
332- if (($requiredEnabledCipherSuites.Length -gt 0 ) -and $dheFiltered.Length -eq 0 )
333- {
334- Write-nonOK " ISSUE FOUND: No TLS 1.2 cipher suites required by Azure DevOps remain enabled after applying Diffie-Hellman disablement."
335- Write-nonOK " MITIGATION 'regDHE': by registry change"
336- Write-nonOK " [$dhePath ] 'Enabled'=dword:0xFFFFFFFF"
337- }
338- $requiredEnabledCipherSuites = $dheFiltered
339- }
340-
341- Write-Break
342-
343- Write-Detail " Running Group Policy check..."
344-
345320
346321function OutputMitigationToPs1
347322{
@@ -353,6 +328,48 @@ function OutputMitigationToPs1
353328 return $fileName
354329}
355330
331+ Write-Detail " Running Key-Exchange check..."
332+
333+ function CheckKeyExchangeEnabled
334+ {
335+ param ($name , $path , $ciphersuiteSegment , $enabledCipherSuites )
336+
337+ $enabledValue = [System.Convert ]::ToUInt32(" FFFFFFFF" , 16 )
338+ $isExpected = CheckValueIsExpected $path " Enabled" $enabledValue $true $exactCheck
339+ if ($isExpected )
340+ {
341+ Write-Detail " $name key exchange allowed."
342+ return $enabledCipherSuites
343+ }
344+ else
345+ {
346+ $filtered = $enabledCipherSuites | Where-Object { -not ($_ -match $ciphersuiteSegment ) }
347+ Write-Host " $name key exchange disabled. Enabled cipher suites after filtering: $filtered "
348+ if (($enabledCipherSuites.Length -gt 0 ) -and $filtered.Length -eq 0 )
349+ {
350+ Write-nonOK " ISSUE FOUND: No TLS 1.2 cipher suites required by Azure DevOps remain enabled after applying $name disablement."
351+
352+ $fmtpath = $path.replace (" HKLM:\" , " HKEY_LOCAL_MACHINE\"
353+ $scriptFile = OutputMitigationToPs1 " RegKeyEx" " [microsoft.win32.registry]::SetValue("" $fmtpath "" , "" Enabled"" , 0xFFFFFFFF)"
354+ Write-nonOK " MITIGATION 'RegKeyEx': enabling of Key-Exchange schema at $path !Enabled"
355+ Write-nonOK " Mitigation script generated at $scriptFile "
356+ Write-nonOK " Run the mitigation script as Administrator and restart the computer."
357+ }
358+ return $filtered
359+ }
360+ }
361+
362+ $requiredEnabledCipherSuites = CheckKeyExchangeEnabled " Diffie-Hellman" " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" " _DHE_" $requiredEnabledCipherSuites
363+
364+ if ($winBuildVersion.Major -ge 10 )
365+ {
366+ $requiredEnabledCipherSuites = CheckKeyExchangeEnabled " Elliptic-curve Diffie–Hellman" " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH" " _ECDHE_" $requiredEnabledCipherSuites
367+ }
368+
369+ Write-Break
370+
371+ Write-Detail " Running Group Policy check..."
372+
356373function GetFunctionsList
357374{
358375 param ($path )
0 commit comments