Disable Cipher Suite in Server 2022 but still active

Sebastian Mann 6 Reputation points
2021-12-01T08:00:48.723+00:00

Hi,

I've created a new VM in Azure of type "Windows Server 2022 Datacenter Azure Edition" - Core - and disabled weak cipher suites using PowerShell's Disable-TlsCipherSuite.
The VM is behind an Azure Load Balancer.

Afterwards I checked with ssllabs.com. But it showed me that there are still some weak cipher suites active.
[image: screenshot of the ssllabs.com scan result]

So I went ahead and tried to explicitly disable the two weak cipher suites again using Disable-TlsCipherSuite.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

But PowerShell showed me that these are already disabled.
When doing this in Server 2019 we had no problems at all. What am I missing here?

Any help appreciated.


5 answers

Sort by: Most helpful
  1. Andrei Popov 10 Reputation points Microsoft Employee
    2023-01-19T18:27:28.52+00:00

    TLS cmdlets (e.g., Disable-TlsCipherSuite) use Crypto Config APIs to modify the local cipher suite configuration.

    Group Policy (GP) settings are enterprise-level configuration (usually set by the enterprise admin) and therefore override any local cipher suite configuration.

    Most likely, what you are seeing is GP overriding local configuration. To confirm, please check whether the following reg value exists (and whether it includes the ciphers you've disabled locally using TLS cmdlets):

    HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\Functions


  2. Limitless Technology 39,496 Reputation points
    2021-12-01T16:17:57.373+00:00

    Hello SebastianMann,

    The fact that they are disabled doesn't mean that the suites will be deleted from the system. They will not be used/accepted, but they remain in the system.


    --If the reply is helpful, please Upvote and Accept as answer--


  3. Evgenij Smirnov 541 Reputation points
    2021-12-02T08:44:53.833+00:00

    Hi,

    two things:

    1. have you rebooted the server after the changes?
    2. are you sure TLS is terminated on the server and not on the load balancer?
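
Added example (not from the thread, and not a script from Microsoft): a client-side probe that answers the second question above by reporting what the endpoint actually negotiates and which certificate it presents. The host name `lb.example.invalid` is a placeholder for the load balancer's DNS name. The idea is to compare the presented certificate's thumbprint with the certificates in the VM's own `Cert:\LocalMachine\My` store: if it matches, the TLS session reached the server and the server's cipher configuration is what matters; if it does not, something in front of the VM terminates TLS and the cipher list has to be fixed there. This uses the .NET Framework `SslStream` properties available in Windows PowerShell 5.1; on PowerShell 7 you can additionally read `$ssl.NegotiatedCipherSuite` for the IANA suite name.

```powershell
function Test-TlsEndpoint {
    # Connect to a TLS endpoint, accept whatever certificate it presents (we only want to
    # inspect it, not trust it), and report the negotiated parameters.
    param(
        [Parameter(Mandatory)] [string]$TargetHost,
        [int]$TargetPort = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($TargetHost, $TargetPort)
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host           = $TargetHost
            Port           = $TargetPort
            Protocol       = $ssl.SslProtocol
            KeyExchange    = $ssl.KeyExchangeAlgorithm
            Cipher         = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)"
            Hash           = $ssl.HashAlgorithm
            CertSubject    = $cert.Subject
            CertThumbprint = $cert.Thumbprint
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Placeholder host name; replace with the load balancer's public DNS name.
$probe = Test-TlsEndpoint -TargetHost 'lb.example.invalid'
$probe | Format-List

# Run on the VM itself: does the presented certificate live in this server's store?
$local = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $probe.CertThumbprint
if ($local) {
    "TLS terminates on this server (certificate $($probe.CertThumbprint) is in LocalMachine\My)."
} else {
    "Presented certificate is not in LocalMachine\My: TLS is terminated in front of this server."
}
```

Because the probe negotiates only the client's preferred suite, it does not by itself prove a weak suite is gone; it tells you where to look. For the full offered list you still need a scanner such as the ssllabs.com check mentioned in the question, pointed at the same endpoint.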

  4. Misha Mishra 1 Reputation point Microsoft Employee
    2022-11-30T15:02:22.95+00:00

    Hi @Sebastian Mann , I'm facing the same problem. Were you able to resolve this issue?


  5. Alex Carlock 156 Reputation points
    2023-06-08T21:40:17.98+00:00

    I'm seeing the same issue here. Disable-TlsCipherSuite doesn't seem to work on Windows Server 2022.

    On Windows 2019:

    1. Get-TlsCipherSuite | Format-Table Name
      1. I see a list of Ciphers that are active on the system
    2. Disable-TlsCipherSuite -Name [name of Cipher]
      1. Command comes back with no output
    3. Get-TlsCipherSuite | Format-Table Name
      1. Returns the original list minus the cipher I just disabled

    On Windows 2022:

    1. Get-TlsCipherSuite | Format-Table Name
      1. I see a list of Ciphers that are active on the system
    2. Disable-TlsCipherSuite -Name [name of Cipher]
      1. Command comes back with no output
    3. Get-TlsCipherSuite | Format-Table Name
      1. Returns the original list

    If I run Disable-TlsCipherSuite -Name [name of Cipher] a second time, I get errors:

        PS> disable-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        disable-TlsCipherSuite : Exception from HRESULT: 0xD0000225
        At line:1 char:1
        + disable-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            + CategoryInfo          : NotSpecified: (:) [Disable-TlsCipherSuite], COMException
            + FullyQualifiedErrorId : Exception from HRESULT: 0xD0000225,Microsoft.WindowsAuthenticationProtocols.Commands.RemoveTlsCipherSuiteCommand
    
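
Added example (not from the thread, and not a Microsoft-provided script) that ties together the Group Policy explanation in Andrei Popov's answer and the two-step behaviour Alex Carlock describes above. The HRESULT `0xD0000225` on the second run is the NT status `STATUS_NOT_FOUND` (`0xC0000225`) wrapped as an HRESULT, which is consistent with the suite already being gone from the local Crypto Config list even though `Get-TlsCipherSuite` still shows it. The script therefore only calls `Disable-TlsCipherSuite` when the suite is still present locally, re-reads the list afterwards, and reports for each suite whether it is listed in the policy `Functions` value from that answer. The suite names are the two from the question; the policy key path is the one named in the answer; it assumes an elevated PowerShell session on the server itself.

```powershell
# Registry key written by the "SSL Cipher Suite Order" Group Policy setting (path from the answer above).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# The two suites the question wants gone (constructed list; extend as needed).
$suitesToDisable = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)

function Get-PolicyCipherSuites {
    # The policy stores a comma-separated REG_SZ named "Functions".
    # Returns an empty array when no such policy is applied on this machine.
    if (-not (Test-Path $policyKey)) { return @() }
    $item = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if (-not $item -or -not $item.Functions) { return @() }
    return @($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Disable-CipherSuiteIfPresent {
    # Idempotent wrapper: Disable-TlsCipherSuite throws 0xD0000225 when the suite is already
    # absent from the local configuration, so check the local list before calling it.
    param([Parameter(Mandatory)] [string]$Name)
    $local = (Get-TlsCipherSuite).Name
    if ($local -notcontains $Name) {
        return [pscustomobject]@{ Suite = $Name; Action = 'AlreadyAbsentLocally' }
    }
    Disable-TlsCipherSuite -Name $Name
    $stillListed = (Get-TlsCipherSuite).Name -contains $Name
    $action = if ($stillListed) { 'StillListedAfterDisable' } else { 'Disabled' }
    return [pscustomobject]@{ Suite = $Name; Action = $action }
}

$policySuites = Get-PolicyCipherSuites
$report = foreach ($suite in $suitesToDisable) {
    Disable-CipherSuiteIfPresent -Name $suite |
        Add-Member -NotePropertyName EnforcedByGroupPolicy -NotePropertyValue ($policySuites -contains $suite) -PassThru
}
$report | Format-Table -AutoSize

if ($report | Where-Object EnforcedByGroupPolicy) {
    "Some suites are listed in $policyKey\Functions; local Disable-TlsCipherSuite cannot override that."
    "Remove them from the Group Policy cipher suite order (or clear the policy), run gpupdate /force, and reboot."
}
```

A row showing `StillListedAfterDisable` together with `EnforcedByGroupPolicy = True` is the situation the accepted answer describes: the local change took effect (hence the second run fails with "not found"), but the policy list still advertises the suite. Reboot after changing either layer before re-running the external scan.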