This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 2%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi,
I've created a new VM in Azure of type "Windows Server 2022 Datacenter Azure Edition" - Core - and disabled weak cipher suites using PowerShells Disable-TlsCipherSuite.
The VM is behind an azure LoadBalancer.
Afterwards I checked with ssllabs.com. But it showed me, that there are still some weak cipher suites active.
So I went ahead and tried to explicitly disable the two weak cipher suites again using Disable-TlsCipherSuite.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
But PowerShell showed me, that these are already disabled.
When doing this in Server 2019 we had no problems at all. What am I missing here?
Any help appreciated.
You still need to capture TLS handshake packets on this VM to see whether it sends those cyphers in the hello message first. If it does then you know Disable-TlsCipherSuite failed. If it doesn't, you know you should move to elsewhere on the wire.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 72%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJV%3C/text%3E%3C/svg%3E)
Even if you do not have a domain policy, check this anyway:
HKLM\SOFTWARE*Policies*\Microsoft\Cryptography\Configuration\SSL\00010002
Apparently some Win2022 SKUs come with this prepopulated. Remove both EccCurves and Functions, so that the only value in the key is "(Default)"
Then reboot and try again
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 24%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHR%3C/text%3E%3C/svg%3E)
If anyone else is having this issue it seams Microsofta "Azure Edition" of Server 2022 has a policy set limiting the TLS Cipher Suites to ten different suites and the TLS ECC Curves to two different ones.
I managed to work around the "Azure Edition" policy using a domain Group Policy, but I would guess a local policy should override it as well.
Policy settings are found at: Computer Configuration > Administrative Templates > Network > SSL Configuration Settings
I have not yet figured out how Microsoft is deploying their limiting policy or found any documentation about it.