Hey everyone, I'm in a bit of a bind after a recent requirement from our sysadmins to disable SMBv1, TLS 1.0, and TLS 1.1, and enable TLS 1.2 and 1.3 with SMB signing being required. As part of the helpdesk team, I don't have much experience with this stuff. I tried to handle it through Regedit, but my attempts ended up causing connection issues, and I ended up reformatting the PCs. Now I see that SMBv1 is disabled by default in the optional features, but upon joining the PCs to the domain, it automatically re-enables TLS 1.0 and 1.1 while disabling TLS 1.2. I understand they could be using Group Policy for this, but unfortunately, they've told me to tackle it on each machine individually.
So, my questions are:
1. What's the best way to disable TLS 1.0 and 1.1 and enable 1.2 and 1.3? I know I can manage it from Internet Options, but I'm unsure if that's sufficient. I've seen references to PowerShell commands, too.
2. How do I ensure SMB signing is a requirement? I can access gpedit.msc for this, but I've also seen PowerShell commands for it. Any help would be appreciated!
2 Answers
To properly disable TLS 1.0 and 1.1, you’ll need to adjust some registry settings manually and make sure to reboot afterward. It’s safer to first try out the changes in a controlled environment, like a test machine or group, before rolling it out everywhere. SSL/TLS settings are sensitive—keep in mind they can affect things like ODBC connections if you’re using any SQL with older drivers.
Honestly, I think you should approach your sysadmins about handling this via Group Policy instead of tackling it one by one. That’s really the way to go!

So, using the Internet Options won't cut it? Sounds like I’m back to regedit, then.
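
The per-machine registry changes and the SMB signing requirement discussed in this thread, as an added PowerShell example that is not from any of the posters. It writes the standard SCHANNEL protocol keys and uses the built-in SMB cmdlets; it assumes an elevated session, and the build-number gate for TLS 1.3 is a choice made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: SCHANNEL protocol keys plus SMB signing on a single machine.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# 1 = enable the protocol, 0 = disable it
$protocols = [ordered]@{
    'TLS 1.0' = 0
    'TLS 1.1' = 0
    'TLS 1.2' = 1
}

# Schannel supports TLS 1.3 on Windows 11 / Server 2022 (build 20348 and later).
# On older builds the key is left alone instead of forcing an unsupported setting.
$build = [Environment]::OSVersion.Version.Build
if ($build -ge 20348) {
    $protocols['TLS 1.3'] = 1
} else {
    Write-Warning "Build $build has no supported TLS 1.3 in Schannel; skipping it."
}

foreach ($name in $protocols.Keys) {
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $base "$name\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $enabled = $protocols[$name]
        # Both values are set so the state is explicit for client and server roles.
        New-ItemProperty -Path $key -Name 'Enabled' -Value $enabled `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value (1 - $enabled) `
            -PropertyType DWord -Force | Out-Null
    }
}

# SMB: keep SMBv1 off and require signing in both directions.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Read everything back so the result can be checked before and after the reboot.
Get-ChildItem $base -Recurse | Where-Object { $_.PSChildName -in 'Client', 'Server' } |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Protocol          = Split-Path $_.PSParentPath -Leaf
            Role              = $_.PSChildName
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
        }
    } | Format-Table -AutoSize
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
```

The SCHANNEL values take effect after a reboot. If they revert once the PC joins the domain, something applied at domain level is writing the same keys, and `gpresult /h report.html` shows which policies landed on the machine.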