This PowerShell script helps administrators audit TLS protocol settings and supported cipher suites on Windows systems. It is especially useful in Snow Inventory Server environments when troubleshooting secure communications, such as agent upload failures or SSL handshake issues. The script checks registry-based TLS settings, lists available cipher suites, and tests TLS version support by making HTTPS requests, helping ensure that the system complies with security protocols required for agent-server communication.

Use cases

• Validate registry-based TLS settings for server or agent machines
• Confirm support for TLS 1.2 or 1.3 before enabling enforcement
• Audit cipher suites when troubleshooting SSL/TLS errors
• Investigate why an agent may fail to communicate with the Snow Inventory Server securely

Applies to

• Windows-based systems used with Snow Inventory Server
• Snow agents that rely on secure HTTPS for inventory uploads

# Function to get available TLS settings from the registry
function Get-TlsSettings {
    $protocolsKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $protocols = Get-ChildItem -Path $protocolsKeyPath | ForEach-Object {
        $protocolName = $_.PSChildName
        $clientEnabled = (Get-ItemProperty -Path "$protocolsKeyPath\$protocolName\Client" -ErrorAction SilentlyContinue).Enabled
        $serverEnabled = (Get-ItemProperty -Path "$protocolsKeyPath\$protocolName\Server" -ErrorAction SilentlyContinue).Enabled
        [PSCustomObject]@{
            Protocol = $protocolName
            ClientEnabled = if ($null -eq $clientEnabled) { 'Not Set' } else { $clientEnabled }
            ServerEnabled = if ($null -eq $serverEnabled) { 'Not Set' } else { $serverEnabled }
        }
    }
    return $protocols
}
 
# Function to get available cipher suites
function Get-CipherSuites {
    if (Get-Command -Name Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        $cipherSuites = Get-TlsCipherSuite
    } else {
        Write-Error "The Get-TlsCipherSuite cmdlet is not available on this system."
        return @()
    }
    return $cipherSuites
}
 
# Get TLS settings
$tlsSettings = Get-TlsSettings
 
# Get Cipher Suites
$cipherSuites = Get-CipherSuites
 
# Output results
Write-Output "TLS Settings:"
$tlsSettings | Format-Table -AutoSize
 
Write-Output "`nCipher Suites:"
$cipherSuites | Format-Table -AutoSize
 
function Test-TlsSupport {
    param (
        [string]$Server = 'https://example.com',
        [int]$Port = 443
    )
 
    # Map TLS versions to .NET SecurityProtocolType values
    $tlsVersions = @{
        'TLS 1.0' = [System.Net.SecurityProtocolType]::Tls
        'TLS 1.1' = [System.Net.SecurityProtocolType]::Tls11
        'TLS 1.2' = [System.Net.SecurityProtocolType]::Tls12
        'TLS 1.3' = [System.Net.SecurityProtocolType]::Tls13
    }
 
    $results = foreach ($tls in $tlsVersions.GetEnumerator()) {
        try {
            # Set the security protocol
            [System.Net.ServicePointManager]::SecurityProtocol = $tls.Value
 
            # Make a simple HTTPS request
            $response = Invoke-WebRequest -Uri $Server -UseBasicParsing -TimeoutSec 10
 
            [PSCustomObject]@{
                TLSVersion = $tls.Key
                Supported  = $true
                StatusCode = $response.StatusCode
            }
 
        } catch {
            [PSCustomObject]@{
                TLSVersion = $tls.Key
                Supported  = $false
                Error      = $_.Exception.Message
            }
        }
    }
 
    return $results
}
Get-TlsCipherSuite | Format-Table -Property CipherSuite, Name
 
# Test TLS Support
$testResults = Test-TlsSupport -Server 'https://google.com'
 
# Output results
Write-Output "`nTLS Support Test Results:"
$testResults | Format-Table -AutoSize
 
# Optionally export results
# $testResults | Export-Csv -Path ".\TLS_Test_Results.csv" -NoTypeInformation