PowerShell Scripting for IT Pros: Disabling Weak SSL/TLS Ciphers Made Easy

by Team Ninja
reviewed by Stan Hunter
How to Disable Weak SSL and TLS Ciphers

When it comes to cybersecurity, the line between compliance and compromise is often a thin one. If you're in the realm of IT, especially if you're an IT professional or part of a Managed Service Provider (MSP), you've likely been toeing this line for a while. Let's face it; old ciphers like SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are not only outdated but are essentially cybersecurity hazards waiting to explode. It's a problem that needs solving, and this blog post is your step-by-step guide to do just that—disable weak SSL ciphers and uplift your security posture in the process. 

What are Weak Ciphers and Why Should You Care? 

Weak ciphers are outdated algorithms used in SSL/TLS encryption that are susceptible to attacks. Cybercriminals could exploit these weak links to compromise sensitive data. Given today's stringent regulatory landscape, keeping these outdated protocols in use could also incur compliance risks, not to mention the reputational damage it could cause to an organization. 

PowerShell Script to Disable Weak Ciphers in SSL/TLS 

If you're managing a Windows-based infrastructure, PowerShell is your best friend. For those keen on diving right in, the script featured below automates the process of disabling weak ciphers like TLS 1.0, TLS 1.1, SSL 2.0, and SSL 3.0, while enabling the more robust TLS 1.2.

The Script

Note: The script requires PowerShell 5.1 and administrator-level privileges to execute. It's compatible with Windows 10 and Windows Server 2016. Though it may run on older versions like Windows 7 or Server 2008 R2, PowerShell 5.1 would be a prerequisite. 

#Requires -Version 5.1

    Disables TLS 1.0, TLS 1.1, SSL 2.0, SSL 3.0. Enables TLS 1.2.
    Disables TLS 1.0, TLS 1.1, SSL 2.0, SSL 3.0. Enables TLS 1.2.
    No Parameters Needed
    Disables TLS 1.0, TLS 1.1, SSL 2.0, SSL 3.0. Enables TLS 1.2.
    Disables TLS 1.0, TLS 1.1, SSL 2.0, SSL 3.0. Enables TLS 1.2. Does Restart the computer.
    Minimum OS Architecture Supported: Windows 10, Windows Server 2016
    Could possibly run on Windows 7 and Server 2008 R2, but PowerShell 5.1 would be required.
    Release Notes:
    Initial Release
    (c) 2023 NinjaOne
    By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).

param ()

begin {
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)

process {
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
            Protocol = 'SSL 2.0'
            Value    = 0
            Default  = 1
            Protocol = 'SSL 3.0'
            Value    = 0
            Default  = 1
            Protocol = 'TLS 1.0'
            Value    = 0
            Default  = 1
            Protocol = 'TLS 1.1'
            Value    = 0
            Default  = 1
            Protocol = 'TLS 1.2'
            Value    = 1
            Default  = 0
    ) | ForEach-Object {
        $RegServerBase = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$($_.Protocol)\Server"
        $RegClientBase = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$($_.Protocol)\Client"
        New-Item $RegServerBase -Force -ErrorAction SilentlyContinue | Out-Null
        New-ItemProperty -Path $RegServerBase -Name 'Enabled' -Value $($_.Value) -PropertyType 'DWord' -Force -ErrorAction SilentlyContinue | Out-Null
        New-ItemProperty -Path $RegServerBase -Name 'DisabledByDefault' -Value $($_.Default) -PropertyType 'DWord' -Force -ErrorAction SilentlyContinue | Out-Null
        New-Item $RegClientBase -Force -ErrorAction SilentlyContinue | Out-Null
        New-ItemProperty -Path $RegClientBase -Name 'Enabled' -Value $($_.Value) -PropertyType 'DWord' -Force -ErrorAction SilentlyContinue | Out-Null
        New-ItemProperty -Path $RegClientBase -Name 'DisabledByDefault' -Value $($_.Default) -PropertyType 'DWord' -Force -ErrorAction SilentlyContinue | Out-Null

        $State = if (
            $(Get-ItemPropertyValue -Path $RegServerBase -Name 'Enabled') -eq 0 -and
            $(Get-ItemPropertyValue -Path $RegServerBase -Name 'DisabledByDefault') -eq 1
        ) { 'disabled' } else { 'enabled' }

        Write-Host "$($_.Protocol) has been $State."

    Write-Host "Please reboot for settings to take effect."
end {}


Access over 700+ scripts in the NinjaOne Dojo

Get Access

Key Features of the Script 

  1. Check for Administrative Privileges: The script exits if it's not run with administrative permissions, thereby safeguarding against accidental execution. 
  2. Registry Edits: The script makes targeted changes to the Windows Registry, specifically in the areas that manage SSL/TLS protocols, to enforce the security settings. 
  3. Feedback Loop: The script confirms which protocols have been enabled or disabled. 
  4. No Parameters Needed: The script is straightforward to run. If you want to restart the computer after the script executes, include the -Restart parameter.

How Can IT Professionals and MSPs Benefit?


For IT professionals and MSPs who manage multiple systems, this script is a godsend. Deploy it across multiple machines with ease, saving countless man-hours. 


Regulatory frameworks like PCI DSS require that weak ciphers be disabled. This script provides a one-stop solution for achieving compliance with minimal hassle. 


The script can be incorporated into larger automation workflows, making it a versatile tool for scaling security operations. 

Risk Mitigation 

By disabling weak ciphers in SSL/TLS, you mitigate the risks of data breaches and cyberattacks, thereby enhancing your organization's security posture.

Integrating the Script with NinjaOne for Streamlined Operations 

If you're an IT professional or part of an MSP, there's a good chance you're already familiar with NinjaOne. Our platform's capabilities can extend far beyond the usual ticketing, patch management, and inventory functions you may associate with an RMM.  

Here's how you can integrate the PowerShell script to disable weak ciphers in SSL/TLS into your NinjaOne setup:

Centralized Deployment 

NinjaOne offers centralized script deployment, allowing you to run this PowerShell script on multiple endpoints simultaneously. Navigate to the 'Scripting' section, upload the script, and execute it across the systems you manage—all from a single dashboard. 

Scheduled Execution 

Set up schedules within NinjaOne to run the script at designated times. This is particularly useful for new devices that join the network or to enforce compliance standards periodically. 

Alerts and Monitoring 

Configure NinjaOne to monitor registry settings related to SSL/TLS protocols. Any deviation from the established norms (such as enabling a weak cipher) can trigger an alert, allowing for immediate remedial action. 


NinjaOne’s comprehensive reporting allows you to validate the success of the script deployment. You can generate reports that confirm the disabling of weak ciphers, which can be instrumental during compliance audits.

Final Thoughts

If you're still using weak ciphers in 2023, consider this your wake-up call. Use the above PowerShell script to disable weak ciphers in Windows environments and take a concrete step towards bolstering your cybersecurity infrastructure. 

You wouldn't use a rusty old lock to secure a vault; don't use outdated ciphers to protect your data. Time to modernize and secure your network. And if you ever find yourself wondering how to disable weak ciphers in Windows again, just remember—this blog post has got you covered.  

Disclaimer: Always test scripts and changes in a controlled environment before deploying them into production.  

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service deliver tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about Ninja Endpoint Management, check out a live tour, or start your free trial of the NinjaOne platform.

NinjaOne Rated #1 in RMM, Endpoint Management and Patch Management

Monitor, manage, and secure any device, anywhere

NinjaOne gives you complete visibility and control over all your devices for more efficient management.

Too many tools in too many places?

See how tool sprawl impacts IT and what you can do to solve it.