Problem with elseif?

I am working on this script, but its not working and I dont know why.
Something wrong with my elseif statements:

#This script will check if TLS 1.0 and 1.1 are enabled or disabled
$RemoteComputer = Read-Host -Prompt "Please enter computer name to CHECK TLS 1.0 and 1.1 on"

Invoke-Command -ComputerName $RemoteComputer -ScriptBlock {
$TLS10 = Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"
$TLS11 = Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server"
$DisabledByDefault = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "DisabledByDefault")
$Enabled = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled")

if ($TLS10 -like 'False') {"No key found, TLS 1.0 is Enabled"}
elseif ("$DisabledByDefault.DisabledByDefault" -eq 0 -and "$Enabled.Enabled" -ne 0) {"TLS 1.0 is Enabled"}
elseif ("$DisabledByDefault.DisabledByDefault" -eq 1 -and "$Enabled.Enabled" -eq 0) {"TLS 1.0 is Disabled"}
else {"This should not print"}


This should not print

I was expecting the output to be:
TLS 1.0 is Disabled

Thanks for any pointers.

I’m actually not sure if I really got the logic and you’re actually just checking for TLS1.0. You just checked if the key for TLS1.1 existed and not the according values.

Try this …

$RemoteComputer = Read-Host -Prompt 'Please enter computer name to CHECK TLS 1.0 and 1.1 on'
Invoke-Command -ComputerName $RemoteComputer -ScriptBlock {
    if (Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server') {
        $DisabledByDefault = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault')
        $Enabled = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled')
        if ($($DisabledByDefault.DisabledByDefault) -eq 0 -and $($Enabled.Enabled) -eq 1) {
            'TLS 1.0 is Enabled'
        elseif ($($DisabledByDefault.DisabledByDefault) -eq 1 -and $($Enabled.Enabled) -eq 0) {
            'TLS 1.0 is Disabled'
        else {
            'Either ("DisabledByDefault = 1" AND "Enabled = 1") OR ("DisabledByDefault = 0" AND "Enabled = 0")'
    else {
        'No key found, TLS 1.0 is not configured'

Thanks Olaf, Ill try that.

I had not gotten to the TLS 1.1 part yet, the 1.0 part was failing so wanted that to work first.

The other thing I found in my testing, on a fresh Windows 2019 server deploy with all current updates, the TLS 1.0 and 1.1 keys do not exist, but IISCrypto and other tools say it is still enabled.

If you explicitly set those keys to disabled, it disabled the protocols.

That code works, can you tell me what this does:

else {
            'Either ("DisabledByDefault = 1" AND "Enabled = 1") OR ("DisabledByDefault = 0" AND "Enabled = 0")'

Thank You

Then your method might not be suitable to detect if the desired protocols are active or not.

That’s actually not code. It is just a string and will be send to the console when none of the conditions is true. :wink: