
SChannelSettings

dscbot edited this page Mar 31, 2026 · 6 revisions

Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| IsSingleInstance | Key | String | Specifies the resource is a single instance, the value must be 'Yes' | Yes |
| DiffieHellmanMinClientKeySize | Write | UInt32 | Minimum client key size for the Diffie-Hellman key exchange algorithm | 1024, 2048, 3072, 4096 |
| DiffieHellmanMinServerKeySize | Write | UInt32 | Minimum server key size for the Diffie-Hellman key exchange algorithm | 1024, 2048, 3072, 4096 |
| EnableFIPSAlgorithmPolicy | Write | Boolean | Specifies if the FIPS Algorithm Policy is enabled | |
| KerberosSupportedEncryptionType | Write | StringArray[] | Specifies the supported Kerberos Encryption Types | DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC-MD5, AES128-HMAC-SHA1, AES256-HMAC-SHA1 |
| RebootWhenRequired | Write | Boolean | Specifies if a reboot will be performed when required (Default: False) | |
| TLS12State | Write | String | Specifies the state of TLS 1.2 for the .Net Framework 3.5 and 4.* | Enabled, Disabled, Default |
| WinHttpDefaultSecureProtocols | Write | StringArray[] | Specifies the WinHTTP Default Secure Protocols | SSL2.0, SSL3.0, TLS1.0, TLS1.1, TLS1.2 |

Description

This resource is responsible for configuring various Secure Channel settings.

TLS 1.2 and the .Net Framework: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

Kerberos Supported Encryption Types: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos

WinHTTP Default Secure Protocols: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

FIPS Compliance: https://docs.microsoft.com/en-us/dotnet/standard/security/fips-compliance https://support.microsoft.com/en-us/help/811833/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashi

Examples

Example 1

This example shows how to configure SChannel.

Configuration Example
{
    param ()

    Import-DscResource -ModuleName SChannelDsc

    node localhost
    {
        SChannelSettings 'ConfigureSChannel'
        {
            IsSingleInstance              = 'Yes'
            TLS12State                    = 'Enabled'
            DiffieHellmanMinClientKeySize = 4096
            DiffieHellmanMinServerKeySize = 4096
            EnableFIPSAlgorithmPolicy     = $false
        }
    }
}

Example 2

This example shows how to configure the Kerberos Supported Encryption Types.

Configuration Example
{
    param ()

    Import-DscResource -ModuleName SChannelDsc

    node localhost
    {
        SChannelSettings 'ConfigureKerberosEncrTypes'
        {
            IsSingleInstance                = 'Yes'
            KerberosSupportedEncryptionType = @("RC4-HMAC-MD5","AES128-HMAC-SHA1","AES256-HMAC-SHA1")
        }
    }
}

Example 3

This example shows how to configure the WinHTTP Default Secure Protocols.

Configuration Example
{
    param ()

    Import-DscResource -ModuleName SChannelDsc

    node localhost
    {
        SChannelSettings 'ConfigureWinHTTPProtocols'
        {
            IsSingleInstance              = 'Yes'
            WinHttpDefaultSecureProtocols = @("TLS1.1", "TLS1.2")
        }
    }
}
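
The names accepted by WinHttpDefaultSecureProtocols and KerberosSupportedEncryptionType correspond to bit flags in a DWORD, so auditing an existing host usually starts from a raw number rather than a list of names. The following PowerShell is an added example, not part of SChannelDsc: the helper name ConvertFrom-SChannelBitmask and the sample values are constructed, and the flag values are the documented Windows ones, assumed here to be what the resource stores.

```powershell
# Added example. Flag values are the documented Windows bit values (assumption:
# this is how the settings are stored); they are not taken from the SChannelDsc source.
$WinHttpProtocols = [ordered]@{
    'SSL2.0' = 0x00000008
    'SSL3.0' = 0x00000020
    'TLS1.0' = 0x00000080
    'TLS1.1' = 0x00000200
    'TLS1.2' = 0x00000800
}
$KerberosEncTypes = [ordered]@{
    'DES-CBC-CRC'      = 0x01
    'DES-CBC-MD5'      = 0x02
    'RC4-HMAC-MD5'     = 0x04
    'AES128-HMAC-SHA1' = 0x08
    'AES256-HMAC-SHA1' = 0x10
}
# Values this example reports as legacy (deprecated protocols and ciphers).
$Legacy = 'SSL2.0', 'SSL3.0', 'TLS1.0', 'TLS1.1',
          'DES-CBC-CRC', 'DES-CBC-MD5', 'RC4-HMAC-MD5'

function ConvertFrom-SChannelBitmask {   # hypothetical helper name
    param (
        [Parameter(Mandatory)] [uint32] $Value,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Map
    )
    $unknown = $Value
    $names = foreach ($name in $Map.Keys) {
        if ($Value -band $Map[$name]) {
            $name                                   # emit the matching name
            $unknown = $unknown -bxor $Map[$name]   # clear the bit we recognised
        }
    }
    [pscustomobject]@{
        Value       = '0x{0:X8}' -f $Value
        Names       = @($names)
        Legacy      = @($names | Where-Object { $_ -in $Legacy })
        # Bits outside the resource's allowed values, e.g. reserved or future flags.
        UnknownBits = '0x{0:X8}' -f $unknown
    }
}

# Constructed sample values, not read from a real host:
# 0x00000A00 = TLS1.1 + TLS1.2 (the set in Example 3)
# 0x0000001C = RC4-HMAC-MD5 + AES128 + AES256 (the set in Example 2)
ConvertFrom-SChannelBitmask -Value 0x00000A00 -Map $WinHttpProtocols
ConvertFrom-SChannelBitmask -Value 0x0000001C -Map $KerberosEncTypes
```

The Legacy column shows that Example 3 still permits TLS1.1 and Example 2 still permits RC4-HMAC-MD5; dropping those entries from the arrays leaves TLS1.2 and the two AES types.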
