simeononsecurity
diff --git a/‎PolicyDefinitions/chromium.admx‎
Lines changed: 3636 additions & 0 deletions b/‎PolicyDefinitions/chromium.admx‎
Lines changed: 3636 additions & 0 deletions
diff --git a/‎PolicyDefinitions/en-US/chromium.adml‎
Lines changed: 3464 additions & 0 deletions b/‎PolicyDefinitions/en-US/chromium.adml‎
Lines changed: 3464 additions & 0 deletions
diff --git a/‎PolicyDefinitions/en-US/msedge.adml‎
24.9 KB b/‎PolicyDefinitions/en-US/msedge.adml‎
24.9 KB
diff --git a/‎PolicyDefinitions/en-US/msedgeupdate.adml‎
638 Bytes b/‎PolicyDefinitions/en-US/msedgeupdate.adml‎
638 Bytes
diff --git a/‎PolicyDefinitions/en-US/schannel.adml‎
Lines changed: 15 additions & 0 deletions b/‎PolicyDefinitions/en-US/schannel.adml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎PolicyDefinitions/msedge.admx‎
21 KB b/‎PolicyDefinitions/msedge.admx‎
21 KB
diff --git a/‎PolicyDefinitions/schannel.admx‎
Lines changed: 87 additions & 0 deletions b/‎PolicyDefinitions/schannel.admx‎
Lines changed: 87 additions & 0 deletions
@@ -80,6 +80,13 @@ Changing this setting will require a restart of the computer before the setting
 Changing this setting will require a restart of the computer before the setting will take effect.
             </string>
 
+            <!-- TLSv1.3 -->
+            <string id="TLSv13">TLS 1.3 [EXPERIMENTAL]</string>
+            <string id="TLSv13_Help">Enables or disables the use of TLS 1.3.  TLS 1.3 is without known security issues.
+
+This setting is only compatible on Windows 10 1903 and above and does not require a reboot to take effect.
+            </string>
+
             <!-- DTLSv1.0 -->
             <string id="DTLSv10">DTLS 1.0</string>
             <string id="DTLSv10_Help">Enables or disables the use of DTLS 1.0.  Windows 7 and Windows Server 2008 R2 and above.
@@ -415,13 +422,17 @@ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
             <string id="dotnet4_Help">Enables or disables the use of TLS 1.1 and TLS 1.2 in .NET Framework 4.
 
 If this setting is left unconfigured, TLS 1.1 and TLS 1.2 will be enabled by default for applications targeting .NET Framework 4.6 or higher and disabled otherwise.
+
+https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
             </string>
 
             <!-- .NET Framework 2 -->
             <string id="dotnet2">.NET Framework 2 Strong Crypto</string>
             <string id="dotnet2_Help">Enables or disables the use of TLS 1.1 and TLS 1.2 in .NET Framework 2.
 
 If this setting is left unconfigured, TLS 1.1 and TLS 1.2 will be disabled by default.
+
+https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
             </string>
 
         </stringTable>
@@ -465,6 +476,10 @@ If this setting is left unconfigured, TLS 1.1 and TLS 1.2 will be disabled by de
             <presentation id="TLSv12">
                 <checkBox refId="TLSv12_ClientCheckbox" defaultChecked="true">Enable Client-side TLS 1.2 (eg., Internet Explorer)</checkBox>
                 <checkBox refId="TLSv12_ServerCheckbox" defaultChecked="true">Enable Server-side TLS 1.2 (eg., IIS)</checkBox>
+            </presentation>
+            <presentation id="TLSv13">
+                <checkBox refId="TLSv13_ClientCheckbox" defaultChecked="true">Enable Client-side TLS 1.3 (eg., Edge)</checkBox>
+                <checkBox refId="TLSv13_ServerCheckbox" defaultChecked="true">Enable Server-side TLS 1.3 (eg., IIS)</checkBox>
             </presentation>
              <presentation id="DTLSv10">
                 <checkBox refId="DTLSv10_ClientCheckbox" defaultChecked="true">Enable Client-side DTLS 1.0 (eg., Internet Explorer)</checkBox>
 
@@ -383,6 +383,53 @@
             </elements>
         </policy>
 
+        <!-- TLSv1.3 -->
+        <policy name="TLSv13" class="Machine" displayName="$(string.TLSv13)"
+                explainText="$(string.TLSv13_Help)"
+                presentation="$(presentation.TLSv13)"
+                key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3">
+            <parentCategory ref="Protocols" />
+            <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS6_NOSERVER" />
+            <elements>
+                <boolean id="TLSv13_ClientCheckbox" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" valueName="Enabled">
+                    <trueList defaultKey="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client">
+                        <item valueName="Enabled">
+                            <value><decimal value="1" /></value>
+                        </item>
+                        <item valueName="DisabledByDefault">
+                            <value><decimal value="0" /></value>
+                        </item>
+                    </trueList>
+                    <falseList defaultKey="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client">
+                        <item valueName="Enabled">
+                            <value><decimal value="0" /></value>
+                        </item>
+                        <item valueName="DisabledByDefault">
+                            <value><decimal value="1" /></value>
+                        </item>
+                    </falseList>
+                </boolean>
+                <boolean id="TLSv13_ServerCheckbox" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" valueName="Enabled">
+                    <trueList defaultKey="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server">
+                        <item valueName="Enabled">
+                            <value><decimal value="1" /></value>
+                        </item>
+                        <item valueName="DisabledByDefault">
+                            <value><decimal value="0" /></value>
+                        </item>
+                    </trueList>
+                    <falseList defaultKey="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server">
+                        <item valueName="Enabled">
+                            <value><decimal value="0" /></value>
+                        </item>
+                        <item valueName="DisabledByDefault">
+                            <value><decimal value="1" /></value>
+                        </item>
+                    </falseList>
+                </boolean>
+            </elements>
+        </policy>
+        
         <!-- DTLSv1.0 -->
         <policy name="DTLSv10" class="Machine" displayName="$(string.DTLSv10)"
                 explainText="$(string.DTLSv10_Help)"
@@ -897,6 +944,16 @@
                         <decimal value="1" />
                     </value>
                 </item>
+                <item key="SOFTWARE\Microsoft\.NETFramework\v4.0.30319" valueName="SystemDefaultTlsVersions">
+                    <value>
+                        <decimal value="1" />
+                    </value>
+                </item>
+                <item key="SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" valueName="SystemDefaultTlsVersions">
+                    <value>
+                        <decimal value="1" />
+                    </value>
+                </item>
             </enabledList>
             <disabledList>
                 <item key="SOFTWARE\Microsoft\.NETFramework\v4.0.30319" valueName="SchUseStrongCrypto">
@@ -909,6 +966,16 @@
                         <decimal value="0" />
                     </value>
                   </item>
+                  <item key="SOFTWARE\Microsoft\.NETFramework\v4.0.30319" valueName="SystemDefaultTlsVersions">
+                    <value>
+                        <decimal value="0" />
+                    </value>
+                </item>
+                <item key="SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" valueName="SystemDefaultTlsVersions">
+                    <value>
+                        <decimal value="0" />
+                    </value>
+                  </item>
             </disabledList>
         </policy>
 
@@ -929,6 +996,16 @@
                     <decimal value="1" />
                   </value>
                 </item>
+                <item key="SOFTWARE\Microsoft\.NETFramework\v2.0.50727" valueName="SystemDefaultTlsVersions">
+                  <value>
+                    <decimal value="1" />
+                  </value>
+                </item>
+                <item key="SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" valueName="SystemDefaultTlsVersions">
+                  <value>
+                    <decimal value="1" />
+                  </value>
+                </item>
             </enabledList>
             <disabledList>
                 <item key="SOFTWARE\Microsoft\.NETFramework\v2.0.50727" valueName="SchUseStrongCrypto">
@@ -941,6 +1018,16 @@
                     <decimal value="0" />
                   </value>
                 </item>
+                <item key="SOFTWARE\Microsoft\.NETFramework\v2.0.50727" valueName="SystemDefaultTlsVersions">
+                  <value>
+                    <decimal value="0" />
+                  </value>
+                </item>
+                <item key="SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" valueName="SystemDefaultTlsVersions">
+                  <value>
+                    <decimal value="0" />
+                  </value>
+                </item>
             </disabledList>
         </policy>
     </policies>