Adding TLS 1.2 support for Powershell
Fix an error downloading from the Powershell Gallery
Sometimes I try to setup PSWindowsUpdate (an amazing module from the Powershell Gallery) and receive an error like this one:
WARNING: Source Location ‘https://www.powershellgallery.com/api/v2/package/PSWindowsUpdate/2.2.0.2' is not valid.PackageManagement\Install-Package : Package ‘PSWindowsUpdate' failed to download.At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21+ … $null = PackageManagement\Install-Package @PSBoundParameters+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : ResourceUnavailable: (C:\Users\... :String) [Install-Package], Exception+ FullyQualifiedErrorId : PackageFailedInstallOrDownload,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage A similar issue arises with using the Invoke-WebRequest cmdlet. The root cause is that Powershell is trying to connect to a site and there’s no agreement on the encryption protocol to use. By default, Powershell uses TLS 1.0 and that’s been widely deprecated.
The Background
Transport Layer Security (TLS) is the successor to SSL. Starting in 2018, there was a groundswell of (good) advice that TLS 1.0 and 1.1 should be deprecated on websites and in browsers. This was largely adopted across the internet by 2020. That leaves TLS 1.2 as the de facto standard, with TLS 1.3 adoption rising but not as widespread yet.
The Problem
In April 2020, Microsoft disabled support for TLS 1.0 on the Powershell Gallery and now requires TLS 1.2. The issue is that Powershell 5.1 doesn’t support this configuration out of the box and the PowershellGet module (1.0.0.1) didn’t support TLS 1.2 at all. Smooth move, Microsoft.
The Solution
Microsoft released a new version of PowershellGet (2.2.4) in April 2020 that supports TLS 1.2. You can install it like this:
Install-Module PowerShellGet -RequiredVersion 2.2.4 -SkipPublisherCheckBy default, Powershell uses whatever the system default settings for crypto:
PS > [Net.ServicePointManager]::SecurityProtocolSystemDefault… but the problem is that the default for each system could be different. You can force your system to enable TLS 1.2 support in your Powershell session:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12… but the problem with this command is that you need to run it everytime you open a new Powershell session.
Let’s update the current user’s Powershell profile (creating it if it doesn’t exist) so that TLS 1.2 support is enabled every time a session is launched:
$ProfileFile = "${PsHome}\Profile.ps1"if (! (Test-Path $ProfileFile)) {New-Item -Path $ProfileFile -Type file -Force}'[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12' | Out-File -FilePath $ProfileFile -Encoding ascii -AppendActually, while we’re at it, let’s configure Windows and .NET too:
#TLS1.2-Windows.ps1<#Enable only TLS 1.2 on Windows.Disable TLS 1.0, 1.2Enable .NET to use TLS 1.2Greg Beifuss2020-07-02 16:11#>New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-NullNew-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-NullNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-NullNew-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-NullWrite-Host 'TLS 1.0 has been Disabled.'New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-NullNew-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-NullNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-NullNew-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-NullWrite-Host 'TLS 1.1 has been Disabled.'New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-NullNew-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-NullNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-NullNew-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-NullWrite-Host 'TLS 1.2 has been Enabled.'Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWordSet-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord