The DSC configuration that is used to reproduce the issue (as detailed as possible)
```powershell
# Enable KeyExchangeAlgorithm 'Diffie-Hellman'
Invoke-DscResource -Name KeyExchangeAlgorithm -ModuleName SChannelDsc -Method Set -Property @{
    KeyExchangeAlgorithm = 'Diffie-Hellman'
    State                = 'Enabled'
} -Verbose

# Apply SChannelSettings
Invoke-DscResource -Name SChannelSettings -ModuleName SChannelDsc -Method Set -Property @{
    IsSingleInstance              = 'Yes'
    TLS12State                    = 'Enabled'
    DiffieHellmanMinClientKeySize = 2048
    DiffieHellmanMinServerKeySize = 2048
    EnableFIPSAlgorithmPolicy     = $false
} -Verbose

# Test KeyExchangeAlgorithm 'Diffie-Hellman' will result in 'Not Compliant'
Invoke-DscResource -Name KeyExchangeAlgorithm -ModuleName SChannelDsc -Method Test -Property @{
    KeyExchangeAlgorithm = 'Diffie-Hellman'
    State                = 'Enabled'
} -Verbose
```
After the above steps, the 'Enabled' key has disappeared from 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'.
The operating system the target node is running
```
OsName               : Microsoft Windows Server 2016 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsBuildLabEx    : 14393.4104.amd64fre.rs1_release.201202-1742
OsLanguage           : en-US
OsMuiLanguages       : {en-US}
```
Version of Windows that is used (e.g. Windows Server 2016)
Microsoft Windows Server 2016 Datacenter
Details of the scenario you tried and the problem that is occurring
Running SChannelSettings will reset the 'Diffie-Hellman' item properties.
Verbose logs showing the problem
```
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ResourceSet,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer computer with user sid S-1-5-21-2840980517-3310870045-718054483-2602.
VERBOSE: [computer]: LCM: [ Start Set ] [[KeyExchangeAlgorithm]DirectResourceAccess]
VERBOSE: [computer]: [[KeyExchangeAlgorithm]DirectResourceAccess] Setting configuration for key exchange algorithm Diffie-Hellman
VERBOSE: [computer]: [[KeyExchangeAlgorithm]DirectResourceAccess] Enabling KeyExchangeAlgorithm Diffie-Hellman
VERBOSE: [computer]: LCM: [ End Set ] [[KeyExchangeAlgorithm]DirectResourceAccess] in 0.0660 seconds.
VERBOSE: [computer]: LCM: [ End Set ] in 0.8320 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.

RebootRequired : False

VERBOSE: Time taken for configuration job to complete is 1.074 seconds
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ResourceSet,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer computer with user sid S-1-5-21-2840980517-3310870045-718054483-2602.
VERBOSE: [computer]: LCM: [ Start Set ] [[SChannelSettings]DirectResourceAccess]
VERBOSE: [computer]: [[SChannelSettings]DirectResourceAccess] Setting SChannel configuration settings
VERBOSE: [computer]: [[SChannelSettings]DirectResourceAccess] Getting SChannel configuration settings
VERBOSE: [computer]: [[SChannelSettings]DirectResourceAccess] Getting TLS v1.2 state
VERBOSE: [computer]: [[SChannelSettings]DirectResourceAccess] .NET Framework 4.6 or higher detected. Configuration of TLS v1.2 not necessary
VERBOSE: [computer]: [[SChannelSettings]DirectResourceAccess] Getting Diffie Hellman Key Size
VERBOSE: [computer]: [[SChannelSettings]DirectResourceAccess] Getting Kerberos Supported Encryption Types
VERBOSE: [computer]: [[SChannelSettings]DirectResourceAccess] Getting WinHTTP Default Secure Protocols
VERBOSE: [computer]: [[SChannelSettings]DirectResourceAccess] Getting FIPS Algorithm Policy
VERBOSE: [computer]: [[SChannelSettings]DirectResourceAccess] .NET Framework 4.6 or higher detected. Configuration of TLS v1.2 not necessary
VERBOSE: [computer]: [[SChannelSettings]DirectResourceAccess] Configuring Diffie Hellman Min Client Key Size
VERBOSE: [computer]: LCM: [ End Set ] [[SChannelSettings]DirectResourceAccess] in 0.2170 seconds.
VERBOSE: [computer]: LCM: [ End Set ] in 0.5010 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
False

VERBOSE: Time taken for configuration job to complete is 0.667 seconds
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ResourceTest,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer computer with user sid S-1-5-21-2840980517-3310870045-718054483-2602.
VERBOSE: [computer]: LCM: [ Start Test ] [[KeyExchangeAlgorithm]DirectResourceAccess]
VERBOSE: [computer]: [[KeyExchangeAlgorithm]DirectResourceAccess] Testing configuration for key exchange algorithm Diffie-Hellman
VERBOSE: [computer]: [[KeyExchangeAlgorithm]DirectResourceAccess] Getting configuration for key exchange algorithm Diffie-Hellman
VERBOSE: [computer]: [[KeyExchangeAlgorithm]DirectResourceAccess] Current Values: KeyExchangeAlgorithm=Diffie-Hellman; State=Default
VERBOSE: [computer]: [[KeyExchangeAlgorithm]DirectResourceAccess] Target Values: KeyExchangeAlgorithm=Diffie-Hellman; State=Enabled; Verbose=True
VERBOSE: [computer]: [[KeyExchangeAlgorithm]DirectResourceAccess] KeyExchangeAlgorithm Diffie-Hellman not compliant.
VERBOSE: [computer]: LCM: [ End Test ] [[KeyExchangeAlgorithm]DirectResourceAccess] False in 0.0580 seconds.
VERBOSE: [computer]: LCM: [ End Set ] in 0.2250 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.

InDesiredState : False

VERBOSE: Time taken for configuration job to complete is 0.4 seconds
```
Suggested solution to the issue
In line 461, New-Item is forced, which results in the removal of all item properties.
https://github.com/dsccommunity/SChannelDsc/blob/4ff5166537f61f377c942285139e6beeb5f62e7a/source/Modules/SChannelDsc.Util/SChannelDsc.Util.psm1#L453-L474
The following code should fix the issue.
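The behaviour behind this report is a registry-provider detail worth seeing in isolation: `New-Item -Force` on a key that already exists recreates the key, so every value under it (here the `Enabled` value written by the KeyExchangeAlgorithm resource) is lost. The script below is an added illustration, not the reporter's proposed patch and not code from the SChannelDsc project. It uses a throwaway key under HKCU (an assumed path chosen so the demo needs no admin rights and never touches the real SCHANNEL settings) and contrasts the forced New-Item with an idempotent "create only if missing, then set one value" helper, which is the pattern a DSC resource should use so that resources sharing a key do not clobber each other.

```powershell
# Added example, not SChannelDsc code. The demo key path and the sample value
# names are assumptions made for this illustration.
$demoRoot = 'HKCU:\Software\SChannelDscDemo'
$demoKey  = "$demoRoot\KeyExchangeAlgorithms\Diffie-Hellman"

function Reset-DemoKey {
    # Start from a clean key that already carries an 'Enabled' value,
    # simulating what the KeyExchangeAlgorithm resource has written.
    if (Test-Path -Path $demoRoot) {
        Remove-Item -Path $demoRoot -Recurse -Force
    }
    New-Item -Path $demoKey -Force | Out-Null
    New-ItemProperty -Path $demoKey -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-EnabledValue {
    # Returns $null when the value no longer exists
    (Get-ItemProperty -Path $demoKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
}

function Set-RegistryValueSafely {
    # Idempotent write: create the key only when absent, then overwrite just
    # the one requested value. Existing sibling values are left untouched.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [string] $Type = 'DWord'
    )
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null   # -Force here only creates missing parents
    }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# --- Pattern from the report: New-Item -Force on a key that already exists ---
Reset-DemoKey
"Before forced New-Item : Enabled = $(Get-EnabledValue)"
New-Item -Path $demoKey -Force | Out-Null           # key is recreated, values dropped
"After forced New-Item  : Enabled = $(Get-EnabledValue)"   # prints nothing: value is gone

# --- Idempotent alternative: the 'Enabled' value survives the second writer ---
Reset-DemoKey
Set-RegistryValueSafely -Path $demoKey -Name 'ServerMinKeyBitLength' -Value 2048
"After safe set         : Enabled = $(Get-EnabledValue)"   # still 1

# Clean up the throwaway key
Remove-Item -Path $demoRoot -Recurse -Force
```

The same `Test-Path` guard is what the Test method of a resource relies on: if Set recreates the key, Test on the other resource reads `State=Default` (as in the verbose log above) and the node flips to non-compliant on every consistency check, which is also a useful drift signal to watch for in DSC reporting after a module upgrade.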
Version and build of PowerShell the target node is running
```
Name                           Value
----                           -----
PSVersion                      5.1.14393.3866
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.3866
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```
Version of the DSC module that was used
Version 1.2.0