Contents
Introduction
This PowerShell script will allow you to enforce TLS 1.2 & TLS 1.3 in your SCOM Environment to help you to secure your environment. (A big thank you to Kevin Holman for the original creation of his TLS 1.2 enforcement script, which this script originated from.) It will attempt to auto download the prerequisites if they are not present in the local directory (or if you set the parameter DirectoryForPrerequisites to another path it will check there). The script from a high level will do the following:
- Creates a log file to Program Data (
C:\ProgramData\SCOM_TLS_1.2_-_<Month>-<Day>-<Year>.log). - Locate or Download the prerequisites for TLS 1.2 Enforcement.
- Checks the SCOM Role (Management Server, Web Console, ACS Collector).
- Checks the version of System Center Operations Manager to confirm supportability of TLS enforcement.
- Checks the .NET version to confirm you are on a valid version.
- Checks the SQL version (on both the Operations Manager and Data Warehouse Database Instances) to confirm your version of SQL supports TLS enforcement.
- Checks and/or installs the (prerequisite software) MSOLEDB driver (or SQL Client).
- Checks and/or installs the (prerequisite software) ODBC driver.
- Checks and/or modifies the registry to enforce TLS 1.2 (If your using Window Server 2022 (or newer) or Windows 11 (or newer) it will attempt to enforce TLS 1.2 and TLS 1.3).
- Ask to reboot the machine to finalize the configuration.
Argument List
| Parameter | Alias | ValueFromPipeline | Type | Description |
|---|---|---|---|---|
| AssumeYes | yes | Switch | The script will not ask any questions. Good for unattended runs. | |
| DirectoryForPrerequisites | dfp | String | The directory to save / load the prerequisites from. Default is the current directory. | |
| ForceDownloadPrerequisites | fdp | Switch | Force download the prerequisites to the directory specified in DirectoryForPrerequisites. | |
| SkipDotNetCheck | sdnc | Switch | Skip the .NET Check step. | |
| SkipDownloadPrerequisites | sdp | Switch | Skip downloading the prerequisite files to current directory. | |
| SkipModifyRegistry | smr | String | Skip any registry modifications. | |
| SkipRoleCheck | src | Switch | Skip the SCOM Role Check step. | |
| SkipSQLQueries | ssq | Switch | Skip any check for SQL version compatibility. | |
| SkipSQLSoftwarePrerequisites | sssp | Switch | Skip the ODBC, MSOLEDBSQL, and/or Microsoft SQL Server 2012 Native Client. | |
| SkipVersionCheck | svc | Switch | Skip SCOM Version Check step. |
Note
You may edit line 1904 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.
How to get it
You can get a copy of the script here:
Invoke-EnforceSCOMTLS1.2.ps1 
Direct Download Link
or
Personal File Server - Invoke-EnforceSCOMTLS1.2.ps1 Alternative Download Link
or
Personal File Server - Invoke-EnforceSCOMTLS1.2.txt Text Format Alternative Download Link
How to use it
Example 1
Normal run:
.\Invoke-EnforceSCOMTLS1.2.ps1Example 2
Set the prerequisites folder:
.\Invoke-EnforceSCOMTLS1.2.ps1 -DirectoryForPrerequisites "C:\Temp"Example 3
Assume yes to all questions asked by script:
.\Invoke-EnforceSCOMTLS1.2.ps1 -AssumeYes
Check TLS Configuration
You can run the following PowerShell script to gather your current TLS configuration:
How to get it
Get-TLSRegistryKeys.ps1 Direct Download Link
or
Personal File Server - Get-TLSRegistryKeys.ps1 Alternative Download Link
or
Personal File Server - Get-TLSRegistryKeys.txt Text Format Alternative Download Link
Leave some feedback if this helped you! 
Share on:
