bankadmin asked:

Problems with GPO registry settings

Server 2008 R2, workstations are 7. We have been attempting to apply a GPO that contains a registry setting, but it's not applying. The setting we are attempting to change is turning off SSL 3, SSL 2 and TLS 1. We triple checked and the settings we are applying are correct, and yet they are not applying to workstations. However, we disabled RC4 protocol the same way (registry settings via GPO) and they apply with no issues. Any ideas would be appreciated.
Lionel MM

Did you test the registry setting manually on one of the Windows 7 PCs to make sure it will work? If you did and it does work, please post it here, as well as the exact setting you have in GPO -- thanks!
When you create the GPO, are you changing/updating or creating an entry?
Run GPO results from GPMC and look at the detail.

Are you applying the GPO to the user/computer? Just not to overlook the obvious possibility.
Just to be sure, the registry keys should be (SSL 2.0 should already be disabled by default):

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\DisabledByDefault = 0x1 (REG_DWORD)
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client\Enabled = 0x0 (REG_DWORD)
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server\Enabled = 0x0 (REG_DWORD)

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\DisabledByDefault = 0x1 (REG_DWORD)
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client\Enabled = 0x0 (REG_DWORD)
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server\Enabled = 0x0 (REG_DWORD)

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\DisabledByDefault = 0x1 (REG_DWORD)
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client\Enabled = 0x0 (REG_DWORD)
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server\Enabled = 0x0 (REG_DWORD)

And of course the GPO needs to be applied to the Machine's OU...

Coralon
bankadmin (ASKER)

Yes, Lionel. I did test the settings on a PC first. The settings Coralon mentioned are the exact same as what I am doing.

Arnold, I am updating the entry. I have also tried creating the entry. This is being applied to the machine.

I am entering them in Computer config > Preferences > registry > new > registry item

SOLUTION (arnold): available to Experts Exchange members only.

ASKER CERTIFIED SOLUTION: available to Experts Exchange members only.

The GPResult helped me see that it was not applying, so I checked the OU it was in. The PC I was testing on was in the wrong OU. The settings are now working.
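
The check that resolved this thread, as an added example (not code from any poster): it reads the Client and Server `Enabled` values listed above on the local workstation, then prints the computer's distinguished name and the computer-scope GPResult so the OU can be compared with where the GPO is linked. The function names are hypothetical; it assumes a domain-joined machine and an elevated prompt.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Checks the Client/Server "Enabled" values the thread lists; expected value is 0x0.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'

function Test-SchannelProtocolDisabled {
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0'))
    foreach ($protocol in $Protocols) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path (Join-Path $SchannelBase $protocol) $role
            $actual = $null
            if (Test-Path -LiteralPath $key) {
                $item = Get-ItemProperty -LiteralPath $key -Name Enabled -ErrorAction SilentlyContinue
                if ($item) { $actual = $item.Enabled }
            }
            # A missing key or value means the preference item never reached this machine.
            $shown = '<not set>'
            if ($null -ne $actual) { $shown = '0x{0:X}' -f $actual }
            New-Object PSObject -Property @{
                Key = "$protocol\$role"; Enabled = $shown; Compliant = ($actual -eq 0)
            } | Select-Object Key, Enabled, Compliant
        }
    }
}

function Get-ComputerDistinguishedName {
    # Looks up this machine's own AD object; the DN shows which OU it sits in.
    $filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $result = ([adsisearcher]$filter).FindOne()
    if ($result) { $result.Properties['distinguishedname'][0] }
}

Test-SchannelProtocolDisabled | Format-Table -AutoSize
"Computer object: $(Get-ComputerDistinguishedName)"

# Applied and filtered-out computer GPOs; compare against the OU printed above.
gpresult /r /scope computer
```

If every row shows `<not set>` and the GPO is absent from the applied list, compare the OU in the distinguished name with the OU the GPO is linked to before revisiting the registry items themselves.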