Update Admx Files

simeononsecurity · Jul 25, 2020 · 81ccc61 · 81ccc61
1 parent c081a82
commit 81ccc61
Show file tree

Hide file tree

Showing 7 changed files with 7,202 additions and 0 deletions.
diff --git a/PolicyDefinitions/chromium.admx b/PolicyDefinitions/chromium.admx
diff --git a/PolicyDefinitions/en-US/chromium.adml b/PolicyDefinitions/en-US/chromium.adml
diff --git a/PolicyDefinitions/en-US/msedge.adml b/PolicyDefinitions/en-US/msedge.adml
diff --git a/PolicyDefinitions/en-US/msedgeupdate.adml b/PolicyDefinitions/en-US/msedgeupdate.adml
diff --git a/PolicyDefinitions/en-US/schannel.adml b/PolicyDefinitions/en-US/schannel.adml
@@ -80,6 +80,13 @@ Changing this setting will require a restart of the computer before the setting
 Changing this setting will require a restart of the computer before the setting will take effect.
             </string>
 
+            <!-- TLSv1.3 -->
+            <string id="TLSv13">TLS 1.3 [EXPERIMENTAL]</string>
+            <string id="TLSv13_Help">Enables or disables the use of TLS 1.3.  TLS 1.3 is without known security issues.
+
+This setting is only compatible on Windows 10 1903 and above and does not require a reboot to take effect.
+            </string>
+
             <!-- DTLSv1.0 -->
             <string id="DTLSv10">DTLS 1.0</string>
             <string id="DTLSv10_Help">Enables or disables the use of DTLS 1.0.  Windows 7 and Windows Server 2008 R2 and above.
@@ -415,13 +422,17 @@ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
             <string id="dotnet4_Help">Enables or disables the use of TLS 1.1 and TLS 1.2 in .NET Framework 4.
 
 If this setting is left unconfigured, TLS 1.1 and TLS 1.2 will be enabled by default for applications targeting .NET Framework 4.6 or higher and disabled otherwise.
+
+https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
             </string>
 
             <!-- .NET Framework 2 -->
             <string id="dotnet2">.NET Framework 2 Strong Crypto</string>
             <string id="dotnet2_Help">Enables or disables the use of TLS 1.1 and TLS 1.2 in .NET Framework 2.
 
 If this setting is left unconfigured, TLS 1.1 and TLS 1.2 will be disabled by default.
+
+https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
             </string>
 
         </stringTable>
@@ -465,6 +476,10 @@ If this setting is left unconfigured, TLS 1.1 and TLS 1.2 will be disabled by de
             <presentation id="TLSv12">
                 <checkBox refId="TLSv12_ClientCheckbox" defaultChecked="true">Enable Client-side TLS 1.2 (eg., Internet Explorer)</checkBox>
                 <checkBox refId="TLSv12_ServerCheckbox" defaultChecked="true">Enable Server-side TLS 1.2 (eg., IIS)</checkBox>
+            </presentation>
+            <presentation id="TLSv13">
+                <checkBox refId="TLSv13_ClientCheckbox" defaultChecked="true">Enable Client-side TLS 1.3 (eg., Edge)</checkBox>
+                <checkBox refId="TLSv13_ServerCheckbox" defaultChecked="true">Enable Server-side TLS 1.3 (eg., IIS)</checkBox>
             </presentation>
              <presentation id="DTLSv10">
                 <checkBox refId="DTLSv10_ClientCheckbox" defaultChecked="true">Enable Client-side DTLS 1.0 (eg., Internet Explorer)</checkBox>

diff --git a/PolicyDefinitions/msedge.admx b/PolicyDefinitions/msedge.admx
diff --git a/PolicyDefinitions/schannel.admx b/PolicyDefinitions/schannel.admx
@@ -383,6 +383,53 @@
             </elements>
         </policy>
 
+        <!-- TLSv1.3 -->
+        <policy name="TLSv13" class="Machine" displayName="$(string.TLSv13)"
+                explainText="$(string.TLSv13_Help)"
+                presentation="$(presentation.TLSv13)"
+                key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3">
+            <parentCategory ref="Protocols" />
+            <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS6_NOSERVER" />
+            <elements>
+                <boolean id="TLSv13_ClientCheckbox" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" valueName="Enabled">
+                    <trueList defaultKey="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client">
+                        <item valueName="Enabled">
+                            <value><decimal value="1" /></value>
+                        </item>
+                        <item valueName="DisabledByDefault">
+                            <value><decimal value="0" /></value>
+                        </item>
+                    </trueList>
+                    <falseList defaultKey="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client">
+                        <item valueName="Enabled">
+                            <value><decimal value="0" /></value>
+                        </item>
+                        <item valueName="DisabledByDefault">
+                            <value><decimal value="1" /></value>
+                        </item>
+                    </falseList>
+                </boolean>
+                <boolean id="TLSv13_ServerCheckbox" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" valueName="Enabled">
+                    <trueList defaultKey="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server">
+                        <item valueName="Enabled">
+                            <value><decimal value="1" /></value>
+                        </item>
+                        <item valueName="DisabledByDefault">
+                            <value><decimal value="0" /></value>
+                        </item>
+                    </trueList>
+                    <falseList defaultKey="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server">
+                        <item valueName="Enabled">
+                            <value><decimal value="0" /></value>
+                        </item>
+                        <item valueName="DisabledByDefault">
+                            <value><decimal value="1" /></value>
+                        </item>
+                    </falseList>
+                </boolean>
+            </elements>
+        </policy>
+
         <!-- DTLSv1.0 -->
         <policy name="DTLSv10" class="Machine" displayName="$(string.DTLSv10)"
                 explainText="$(string.DTLSv10_Help)"
@@ -897,6 +944,16 @@
                         <decimal value="1" />
                     </value>
                 </item>
+                <item key="SOFTWARE\Microsoft\.NETFramework\v4.0.30319" valueName="SystemDefaultTlsVersions">
+                    <value>
+                        <decimal value="1" />
+                    </value>
+                </item>
+                <item key="SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" valueName="SystemDefaultTlsVersions">
+                    <value>
+                        <decimal value="1" />
+                    </value>
+                </item>
             </enabledList>
             <disabledList>
                 <item key="SOFTWARE\Microsoft\.NETFramework\v4.0.30319" valueName="SchUseStrongCrypto">
@@ -909,6 +966,16 @@
                         <decimal value="0" />
                     </value>
                   </item>
+                  <item key="SOFTWARE\Microsoft\.NETFramework\v4.0.30319" valueName="SystemDefaultTlsVersions">
+                    <value>
+                        <decimal value="0" />
+                    </value>
+                </item>
+                <item key="SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" valueName="SystemDefaultTlsVersions">
+                    <value>
+                        <decimal value="0" />
+                    </value>
+                  </item>
             </disabledList>
         </policy>
 
@@ -929,6 +996,16 @@
                     <decimal value="1" />
                   </value>
                 </item>
+                <item key="SOFTWARE\Microsoft\.NETFramework\v2.0.50727" valueName="SystemDefaultTlsVersions">
+                  <value>
+                    <decimal value="1" />
+                  </value>
+                </item>
+                <item key="SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" valueName="SystemDefaultTlsVersions">
+                  <value>
+                    <decimal value="1" />
+                  </value>
+                </item>
             </enabledList>
             <disabledList>
                 <item key="SOFTWARE\Microsoft\.NETFramework\v2.0.50727" valueName="SchUseStrongCrypto">
@@ -941,6 +1018,16 @@
                     <decimal value="0" />
                   </value>
                 </item>
+                <item key="SOFTWARE\Microsoft\.NETFramework\v2.0.50727" valueName="SystemDefaultTlsVersions">
+                  <value>
+                    <decimal value="0" />
+                  </value>
+                </item>
+                <item key="SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" valueName="SystemDefaultTlsVersions">
+                  <value>
+                    <decimal value="0" />
+                  </value>
+                </item>
             </disabledList>
         </policy>
     </policies>