CipherSuites: Using 'Absent' for named CipherSuites on default installations does not work.

[holentommy]

We were considering to use the 'CipherSuites' resource to remove unwanted ciphersuites due to regulatory requirements. Unfortunately, we ran into some issues.

Using 'Absent' for named CipherSuites on a default Windows installation does not work for Windows installations where CipherSuites have not been previously configured. I believe it is caused by the registry key HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002:Functions is non-existent when the OS is in default configuration.

Registry: DSC verbose output:

Since the registry property does not exist the TestScript will not return $False, as the unwanted cipersuites are not present.

I was thinking the Get-TlsCipherSuite, Disable-TlsCipherSuite, and Enable-TlsCipherSuite commands should work better than editing the registry. But these commandlets are not compatible with Windows Server 2012 R2 and older, albeit that should not be the worst issue after October 10th.

[johlju]

I would be okay by using those commands and publish the module as a new major version that removes support for Windows Server 2012 R2 and older. If using older OS those configurations can pin an older version of the module.