Crosse/SchannelGroupPolicy

Suggestion: "SchUseStrongCrypto" for .NET Framework

pronichkin opened this issue · 2 comments

Apparently, .NET Framework starts to experience issues once TLS 1.0 is disabled and only TLS 1.1 and 1.2 are left enabled. (Here's one example explained in detail: https://blogs.technet.microsoft.com/keithab/2015/06/22/error-while-configuring-wapthe-underlying-connection-was-closedpart-2/. However, other apps are known to experience similar problems as well, e.g. the Azure Backup agent.)

This can be mitigated with the "SchUseStrongCrypto" value in the registry. It should be set up twice (for the x64 and x86 versions of .NET Framework), and separately for the .NET Framework 2.x/3.x family and for .NET Framework 4.x, which makes four areas in total. (See https://technet.microsoft.com/library/security/2960358 for details.)

I propose you add the respective settings to your awesome ADMX templates, so that people who disable TLS 1.0 using Group Policy could also enable "SchUseStrongCrypto" using the same policy and avoid these issues. I doubt you can set multiple registry properties using the same setting, so you might end up adding four different settings (2.x-x86, 2.x-x64, 4.x-x86 and 4.x-x64). That would be fine.

Thanks in advance!
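The four registry locations the issue describes, as an added PowerShell audit-and-remediate example (not part of this issue or of the SchannelGroupPolicy ADMX templates). The key paths are the ones documented in Microsoft advisory 2960358; the function names are assumptions made for this example.

```powershell
# Added example: audit and, if needed, set SchUseStrongCrypto in the four
# .NET Framework locations (2.x/3.x and 4.x, each in the native and the
# Wow6432Node/x86 view of the registry). Run from an elevated prompt.
$SchUseStrongCryptoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',              # 2.x/3.x, x64
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',  # 2.x/3.x, x86
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # 4.x, x64
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 4.x, x86
)

function Get-SchUseStrongCryptoState {
    # Report the current value in each location. A missing value means the
    # .NET default applies, which is what fails once TLS 1.0 is disabled.
    foreach ($key in $SchUseStrongCryptoKeys) {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' `
                      -ErrorAction SilentlyContinue).SchUseStrongCrypto
        }
        [pscustomobject]@{
            Key       = $key
            Value     = $value
            Compliant = ($value -eq 1)
        }
    }
}

function Set-SchUseStrongCrypto {
    # Create a key that is absent (e.g. Wow6432Node on 32-bit Windows) and
    # set the REG_DWORD to 1 in all four locations.
    foreach ($key in $SchUseStrongCryptoKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

# Audit first; only write to the registry when a location is not compliant.
$state = Get-SchUseStrongCryptoState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Compliant }) {
    Set-SchUseStrongCrypto
    Get-SchUseStrongCryptoState | Format-Table -AutoSize
}
```

A Group Policy deployment that mirrors this sets the same four DWORD values; the audit function alone is useful for confirming a policy actually landed on a host that still fails TLS 1.2 connections.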

I am no longer a Windows administrator, so this repo probably won't get updated that frequently anymore, but I will see about making this change soon. Alternately, if you can submit a PR I'll review it and merge it.

Thank you!

Closed via d5a2696.