SChannelSettings

dscbot edited this page Feb 11, 2022 · 4 revisions

Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| IsSingleInstance | Key | String | Specifies the resource is a single instance, the value must be 'Yes' | Yes |
| TLS12State | Write | String | Specifies the state of TLS 1.2 for the .Net Framework 3.5 and 4.* | Enabled, Disabled, Default |
| DiffieHellmanMinClientKeySize | Write | UInt32 | Minimum client key size for the Diffie-Hellman key exchange algorithm | 1024, 2048, 3072, 4096 |
| DiffieHellmanMinServerKeySize | Write | UInt32 | Minimum server key size for the Diffie-Hellman key exchange algorithm | 1024, 2048, 3072, 4096 |
| KerberosSupportedEncryptionType | Write | StringArray[] | Specifies the supported Kerberos Encryption Types | DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC-MD5, AES128-HMAC-SHA1, AES256-HMAC-SHA1 |
| WinHttpDefaultSecureProtocols | Write | StringArray[] | Specifies the WinHTTP Default Secure Protocols | SSL2.0, SSL3.0, TLS1.0, TLS1.1, TLS1.2 |
| EnableFIPSAlgorithmPolicy | Write | Boolean | Specifies if the FIPS Algorithm Policy is enabled | |
| RebootWhenRequired | Write | Boolean | Specifies if a reboot will be performed when required (Default: False) | |

Description

This resource is responsible for configuring various Secure Channel settings.

TLS 1.2 and the .Net Framework: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

Kerberos Supported Encryption Types: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos

WinHTTP Default Secure Protocols: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

FIPS Compliance: https://docs.microsoft.com/en-us/dotnet/standard/security/fips-compliance https://support.microsoft.com/en-us/help/811833/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashi

Examples

Example 1

This example shows how to configure SChannel.

    Configuration Example
    {
        param ()

        Import-DscResource -ModuleName SChannelDsc

        node localhost
        {
            SChannelSettings 'ConfigureSChannel'
            {
                IsSingleInstance                = 'Yes'
                TLS12State                      = 'Enabled'
                DiffieHellmanMinClientKeySize   = 4096
                DiffieHellmanMinServerKeySize   = 4096
                EnableFIPSAlgorithmPolicy       = $false
            }
        }
    }

Example 2

This example shows how to configure the Kerberos Supported Encryption Types.

    Configuration Example
    {
        param ()

        Import-DscResource -ModuleName SChannelDsc

        node localhost
        {
            SChannelSettings 'ConfigureKerberosEncrTypes'
            {
                IsSingleInstance                = 'Yes'
                KerberosSupportedEncryptionType = @("RC4-HMAC-MD5","AES128-HMAC-SHA1","AES256-HMAC-SHA1")
            }
        }
    }

Example 3

This example shows how to configure the WinHTTP Default Secure Protocols.

    Configuration Example
    {
        param ()

        Import-DscResource -ModuleName SChannelDsc

        node localhost
        {
            SChannelSettings 'ConfigureWinHTTPProtocols'
            {
                IsSingleInstance              = 'Yes'
                WinHttpDefaultSecureProtocols = @("TLS1.1","TLS1.2")
            }
        }
    }
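
To check what a node actually holds after applying configurations like Examples 2 and 3, the following added example (not part of SChannelDsc or this wiki) decodes the WinHTTP and Kerberos registry bitmasks into the value names the resource accepts and flags the legacy ones. It assumes the documented Windows registry locations and bit values for these two settings; `ConvertFrom-Bitmask`, `Get-SChannelAudit` and the `$Legacy` list are hypothetical names chosen for this example.

```powershell
# Added example, not part of SChannelDsc. Bit values follow the Windows
# documentation for these settings; helper names are hypothetical.
$WinHttpBits = [ordered]@{
    'SSL2.0' = 0x008; 'SSL3.0' = 0x020; 'TLS1.0' = 0x080; 'TLS1.1' = 0x200; 'TLS1.2' = 0x800
}
$KerberosBits = [ordered]@{
    'DES-CBC-CRC' = 0x01; 'DES-CBC-MD5' = 0x02; 'RC4-HMAC-MD5' = 0x04
    'AES128-HMAC-SHA1' = 0x08; 'AES256-HMAC-SHA1' = 0x10
}
# Names to flag as legacy: an editorial choice for this example, not module data.
$Legacy = 'SSL2.0', 'SSL3.0', 'TLS1.0', 'TLS1.1', 'DES-CBC-CRC', 'DES-CBC-MD5', 'RC4-HMAC-MD5'

function ConvertFrom-Bitmask
{
    param ([long] $Value, [System.Collections.IDictionary] $Map)
    # Emit every name whose bit is set in $Value, in the map's order.
    foreach ($name in $Map.Keys) { if ($Value -band $Map[$name]) { $name } }
}

function Get-SChannelAudit
{
    # Assumption: the node stores both settings in these registry values.
    $checks = @(
        @{ Setting = 'WinHttpDefaultSecureProtocols'; Map = $WinHttpBits
           Name = 'DefaultSecureProtocols'
           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' }
        @{ Setting = 'KerberosSupportedEncryptionType'; Map = $KerberosBits
           Name = 'SupportedEncryptionTypes'
           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' }
    )
    foreach ($c in $checks)
    {
        # A missing value means the setting is not configured on this node.
        $raw = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $enabled = if ($null -eq $raw) { @() } else { @(ConvertFrom-Bitmask -Value $raw -Map $c.Map) }
        [pscustomobject]@{
            Setting    = $c.Setting
            Configured = $null -ne $raw
            Enabled    = $enabled -join ', '
            Legacy     = @($enabled | Where-Object { $_ -in $Legacy }) -join ', '
        }
    }
}

# Constructed sample masks (not read from a machine), then the live audit.
ConvertFrom-Bitmask -Value 0xA00 -Map $WinHttpBits
ConvertFrom-Bitmask -Value 0x1C -Map $KerberosBits
Get-SChannelAudit | Format-List
```

A non-empty `Legacy` column is the cue to tighten the corresponding `WinHttpDefaultSecureProtocols` or `KerberosSupportedEncryptionType` array in the configuration.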