Recently a coworker modified one registry key on 8 of our Windows Server 2019 Core servers. The change was not saved properly on 2 of them, but was on the other 6, and it broke our application as well as Remote Desktop on the 6. The key that was updated was: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002\Functions`. The only change was one cipher was removed.

On the 2 systems, the cipher never got removed/did not get saved at all. On the other 6, the cipher was removed, but it was not saved properly - all of the ciphers were saved as one cipher. See attached "bad.png". There were no errors encountered in WAC when modifying the keys.

The fix was, we removed all ciphers but one, then added each back via PowerShell `Enable-TlsCipherSuite`. Unfortunately this broke our application, causing a 6h downtime. It also broke Remote Desktop. We also frequently got WebSocket stream errors while troubleshooting this via WAC registry editor. The whole tool seems flaky.
To Reproduce
Steps to reproduce the behavior:
1. Use registry editor to modify a key on a server
2. Verify the change looks like it was made
3. Check ciphers via `Get-TlsCipherSuite` and it shows they were not saved properly
Expected behavior
Each cipher is saved as an individual cipher. All ciphers are not "lumped" into one cipher.
Screenshots & Additional context
![good](https://github.com/MicrosoftDocs/Windows-Admin-Center-Ideas-and-Feedback/assets/11022237/3aef71aa-a53c-43e7-ad45-9e0fc69a30ea)
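
A check that could be run on each server after an edit like the one reported above, added here as an example and not part of the original report or of Windows Admin Center. The function name `Test-CipherSuiteOrder` is hypothetical, and the assumption that a "lumped" save appears as a wrong value type or as an entry containing separators is mine, since the report does not show the raw value.

```powershell
# Added example: validate the cipher suite order value named in the report.
# Assumption: a "lumped" save shows up as a non-multi-string value or as an
# entry that contains whitespace, commas or line breaks.
function Test-CipherSuiteOrder {
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002',
        [string]$ValueName = 'Functions'
    )

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    if ($key.GetValueNames() -notcontains $ValueName) {
        "Value '$ValueName' is missing under $KeyPath"
        return
    }

    # The cipher suite order is stored as REG_MULTI_SZ: one suite per string.
    $kind = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
        "Value kind is $kind, expected MultiString (REG_MULTI_SZ)"
    }

    $entries = @($key.GetValue($ValueName))
    if ($entries.Count -eq 1) {
        "Only one entry is stored; confirm that a single cipher suite is intended"
    }

    # A well-formed entry is a single suite name such as
    # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (letters, digits, underscores).
    for ($i = 0; $i -lt $entries.Count; $i++) {
        if ($entries[$i] -notmatch '^[A-Za-z0-9_]+$') {
            "Entry $i is not a single cipher suite name: '$($entries[$i])'"
        }
    }

    # The same name twice usually points to a bad merge of two lists.
    $entries | Group-Object | Where-Object Count -gt 1 | ForEach-Object {
        "Duplicate entry: '$($_.Name)'"
    }
}

$findings = @(Test-CipherSuiteOrder)
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'Cipher suite order value is well-formed.'
}
```

Running it before and after any change to the value, and before restarting services that depend on TLS, shows whether the save produced one entry per cipher suite.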