TLS/SSL Hardening

docs/ninjaone/automations/enforce-tls-ssl-hardnening.md

@@ -9,12 +9,12 @@ tags: ['tls','windows']
 draft: false
 unlisted: false
 last_update:
-  date: 2026-04-10
+  date: 2026-06-10
 ---
 
 ## Overview
 
-This script is designed to disable SSL 3.0, TLS 1.0, and TLS 1.1 at both server and client levels. Additionally, it disables below Cipher Suites:
+Enforces Windows TLS/SSL security hardening by disabling legacy protocols (SSL 3.0, TLS 1.0, and TLS 1.1), enabling supported modern TLS versions (TLS 1.2 and TLS 1.3), configuring .NET Framework strong cryptography settings to help maintain application compatibility when legacy protocols are disabled, removing weak TLS cipher suites, and optionally initiating a reboot or enabling the `Reboot Pending Prompt` solution to notify users that a restart is required for the changes to take effect. It disables below Cipher Suites:
 
 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 - TLS_RSA_WITH_AES_256_CBC_SHA256
@@ -23,14 +23,25 @@ This script is designed to disable SSL 3.0, TLS 1.0, and TLS 1.1 at both server
 - TLS_RSA_WITH_AES_128_GCM_SHA256
 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 
-**NOTE:** `A system reboot is required for all changes to take full effect.`
+**NOTE:** `A system reboot is required for all changes to take full effect. Either use 'Force Reboot' paramter to immediately restart the machine after hardening so the TLS/SSL changes are fully applied. Or enable  'cPVAL Enable Reboot Prompts' custom field to send user prompts for Reboot. 'Reboot Pending Prompt' solution must be enabled in the environment to use this feature.`
 
 ## Sample Run
 
 `Play Button` > `Run Automation` > `Script`  
 
 ![SampleRun1](../../../static/img/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576/enforce.webp)
 
+## Dependencies
+
+- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb)
+- [Solution - Reboot Pending Prompt](/docs/d7758fa4-9fcc-4259-a7a5-0ca65dda10eb)
+
+## Parameters
+
+| Name | Example | Accepted Values | Required | Default | Type | Description |
+| ---- | ------- | --------------- | -------- | ------- | ---- | ----------- |
+|Force Reboot| - | - | False | Not selected | Check-box |Select it to immediately reboot the machine after applying the TLS Hardening.|
+
 ## Automation Setup/Import
 
 [Automation Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/scripts/enforce-tls-ssl-hardening.ps1)
@@ -41,6 +52,13 @@ This script is designed to disable SSL 3.0, TLS 1.0, and TLS 1.1 at both server
 
 ## Changelog
 
+### 2026-06-10
+
+- Updated the script to configure .NET Framework strong cryptography settings, helping maintain application compatibility when legacy protocols are disabled and modern TLS versions are enforced.
+- Added a Force Reboot parameter that can immediately restart the machine after hardening so the TLS/SSL changes are fully applied.
+- Added an option for reboot prompts through the `cPVAL Enable Reboot Prompts` custom field. When enabled, the script sets `cPVAL Pending Reboot` to trigger user notifications. This feature requires the `Reboot Pending Prompt` solution to be enabled in the environment.
+
+
 ### 2026-04-10
 
 - Initial version of the document.

docs/ninjaone/automations/tls-enabled-list-audit.md

@@ -9,7 +9,7 @@ tags: ['tls', 'audit']
 draft: false
 unlisted: false
 last_update:
-  date: 2026-04-15
+  date: 2026-06-10
 ---
 
 ## Overview
@@ -42,6 +42,10 @@ Click `Run`
 
 ## Changelog
 
+### 2026-06-10
+
+- Updated script to include SSL 3.0 as well.
+
 ### 2026-04-15
 
 - Initial version of the document

docs/ninjaone/automations/validate-tls-ssl-hardnening.md

@@ -4,17 +4,17 @@ slug: /f4505cf9-915f-464f-ab45-95f9eaea7a8d
 title: 'Validate TLS SSL Hardening'
 title_meta: 'Validate TLS SSL Hardening'
 keywords: ['tls','ssl','validate','disable']
-description: 'This script validates whether insecure SSL/TLS protocols and specified weak TLS 1.2 cipher suites have been successfully disabled on the target system.'
+description: 'This script validates that insecure protocols (SSL 3.0, TLS 1.0, TLS 1.1) and specified weak cipher suites are disabled at both the server and client levels on the system, while ensuring TLS 1.2 and TLS 1.3 are enabled when supported, providing a clear PASS/FAIL status without making any changes.'
 tags: ['tls','windows']
 draft: false
 unlisted: false
 last_update:
-  date: 2026-04-10
+  date: 2026-06-10
 ---
 
 ## Overview
 
-This script is designed to validate if SSL 3.0, TLS 1.0, and TLS 1.1 are disabled at both the server and client levels. Additionally, it checks if below cipher suites are disabled:
+This script validates that insecure protocols (SSL 3.0, TLS 1.0, TLS 1.1) and specified weak cipher suites are disabled at both the server and client levels on the system, while ensuring TLS 1.2 and TLS 1.3 are enabled when supported, providing a clear PASS/FAIL status without making any changes.
 
 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 - TLS_RSA_WITH_AES_256_CBC_SHA256
@@ -29,6 +29,10 @@ This script is designed to validate if SSL 3.0, TLS 1.0, and TLS 1.1 are disable
 
 ![SampleRun1](../../../static/img/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d/validate.webp)
 
+## Dependencies
+
+- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb)
+
 ## Automation Setup/Import
 
 [Automation Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/scripts/validate-tls-ssl-hardening.ps1)
@@ -39,6 +43,10 @@ This script is designed to validate if SSL 3.0, TLS 1.0, and TLS 1.1 are disable
 
 ## Changelog
 
+### 2026-06-10
+
+- Updated the script to validate that TLS 1.2 and TLS 1.3 are enabled when supported by the operating system. The script now updates the `cpvalTlsSslHardeningRequired` custom field if any insecure protocol is enabled, any weak cipher suite is present, or if TLS 1.2 and/or TLS 1.3 are not enabled when supported.
+
 ### 2026-04-10
 
 - Initial version of the document.

docs/ninjaone/compound-conditions/execute-enforce-tls-ssl-hardening-servers.md

@@ -0,0 +1,37 @@
+---
+id: '93609405-1ef4-4aaa-b421-4f86a7e51145'
+slug: /93609405-1ef4-4aaa-b421-4f86a7e51145
+title: 'Execute - Enforce TLS SSL Hardening - Servers'
+title_meta: 'Execute - Enforce TLS SSL Hardening - Servers'
+keywords: ['tls','ssl','disable']
+description: 'Triggers `Enforce TLS SSL Hardening` script on opted windows servers.'
+tags: ['tls','windows']
+draft: false
+unlisted: false
+last_update:
+  date: 2026-06-10
+---
+
+## Summary
+
+Triggers [Enforce TLS SSL Hardening](/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576) script on windows servers where [cPVAL TLS Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) is either set to  `Enforce and Validation (servers)`,`Enforce and Validation (Both)`.
+
+## Details
+
+- **Name:** `Execute - Enforce TLS SSL Hardening`
+- **Description:** `Triggers 'Enforce TLS SSL Hardening' script on opted windows servers.`
+- **Recommended Agent Policies:** `Windows servers`
+
+## Dependencies
+
+- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb)
+
+## Compound Condition Creation 
+
+- [Compound Condition Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/compound-conditions/execute-enforce-tls-ssl-hardening-servers.toml)
+
+## Changelog
+
+###  2026-06-10
+
+- Initial version of the document

docs/ninjaone/compound-conditions/execute-enforce-tls-ssl-hardening-workstations.md

@@ -0,0 +1,37 @@
+---
+id: '52a43eef-d4d7-4f91-b8c1-cb6e786ddcce'
+slug: /52a43eef-d4d7-4f91-b8c1-cb6e786ddcce
+title: 'Execute - Enforce TLS SSL Hardening - Workstations'
+title_meta: 'Execute - Enforce TLS SSL Hardening - Workstations'
+keywords: ['tls','ssl','disable']
+description: 'Triggers `Enforce TLS SSL Hardening`script on opted windows workstations.'
+tags: ['tls','windows']
+draft: false
+unlisted: false
+last_update:
+  date: 2026-06-10
+---
+
+## Summary
+
+Triggers [Enforce TLS SSL Hardening](/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576) script on windows workstations where [cPVAL TLS Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) is either set to  `Enforce and Validation (Workstations)`,`Enforce and Validation (Both)`.
+
+## Details
+
+- **Name:** `Execute - Enforce TLS SSL Hardening`
+- **Description:** `Triggers 'Enforce TLS SSL Hardening' script on opted windows workstations.`
+- **Recommended Agent Policies:** `Windows Workstations`
+
+## Dependencies
+
+- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb)
+
+## Compound Condition Creation 
+
+- [Compound Condition Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/compound-conditions/execute-enforce-tls-ssl-hardening-workstations.toml)
+
+## Changelog
+
+###  2026-06-10
+
+- Initial version of the document

docs/ninjaone/compound-conditions/execute-validate-tls-ssl-hardening-servers.md

@@ -0,0 +1,37 @@
+---
+id: '79c1901b-3e55-42e3-8152-360605a4dbce'
+slug: /79c1901b-3e55-42e3-8152-360605a4dbce
+title: 'Execute - Validate TLS SSL Hardening - Servers'
+title_meta: 'Execute - Validate TLS SSL Hardening - Servers'
+keywords: ['tls','ssl','disable']
+description: 'Triggers `Validate TLS SSL Hardening`script on opted windows Servers.'
+tags: ['tls','windows']
+draft: false
+unlisted: false
+last_update:
+  date: 2026-06-10
+---
+
+## Summary
+
+Triggers [Validate TLS SSL Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d)  on windows Servers where [cPVAL TLS Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) is either set to  `Validation (Both)`, `Validation (Servers)`, `Enforce and Validation (Servers)`,`Enforce and Validation (Both)`.
+
+## Details
+
+- **Name:** `Execute - Validate TLS SSL Hardening`
+- **Description:** `Triggers 'Validate TLS SSL Hardening' script on opted windows Servers.`
+- **Recommended Agent Policies:** `Windows Servers`
+
+## Dependencies
+
+- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb)
+
+## Compound Condition Creation
+
+- [Compound Condition Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/compound-conditions/execute-validate-tls-ssl-hardening-servers.toml)
+
+## Changelog
+
+###  2026-06-10
+
+- Initial version of the document

docs/ninjaone/compound-conditions/execute-validate-tls-ssl-hardening-workstations.md

@@ -0,0 +1,37 @@
+---
+id: '28f17281-2502-43a0-8d4d-5da2b06580f8'
+slug: /28f17281-2502-43a0-8d4d-5da2b06580f8
+title: 'Execute - Validate TLS SSL Hardening - Workstations'
+title_meta: 'Execute - Validate TLS SSL Hardening - Workstations'
+keywords: ['tls','ssl','disable']
+description: 'Triggers `Validate TLS SSL Hardening`script on opted windows workstations.'
+tags: ['tls','windows']
+draft: false
+unlisted: false
+last_update:
+  date: 2026-06-10
+---
+
+## Summary
+
+Triggers [Validate TLS SSL Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) script on windows workstations where [cPVAL TLS Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) is either set to  `Validation (Both)`, `Validation (Workstations)`, `Enforce and Validation (Workstations)`,`Enforce and Validation (Both)`.
+
+## Details
+
+- **Name:** `Execute - Validate TLS SSL Hardening`
+- **Description:** `Triggers 'Validate TLS SSL Hardening' script on opted windows workstations.`
+- **Recommended Agent Policies:** `Windows Workstations`
+
+## Dependencies
+
+- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb)
+
+## Compound Condition Creation 
+
+- [Compound Condition Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/compound-conditions/execute-validate-tls-ssl-hardening-workstations.toml)
+
+## Changelog
+
+###  2026-06-10
+
+- Initial version of the document

docs/ninjaone/custom-fields/cpval-enable-reboot-prompts.md

@@ -0,0 +1,40 @@
+---
+id: '6f8d4110-f4ee-4965-8853-8b4a7b03bda5'
+slug: /6f8d4110-f4ee-4965-8853-8b4a7b03bda5
+title: 'cPVAL Enable Reboot Prompts'
+title_meta: 'cPVAL Enable Reboot Prompts'
+keywords: ['tls','ssl','disable']
+description: 'Enables reboot prompts following TLS Hardening. Requires the Reboot Pending Prompt solution to be enabled in the environment.'
+tags: ['tls','windows']
+draft: false
+unlisted: false
+last_update:
+  date: 2026-06-10
+---
+
+## Summary
+Enables reboot prompts following TLS Hardening. Requires the [Solution - Reboot Pending Prompt](/docs/d7758fa4-9fcc-4259-a7a5-0ca65dda10eb)  to be enabled in the environment.
+
+## Details
+
+| Label | Field Name | Definition Scope | Type | Required | Default Value | Options | Technician Permission | Automation Permission | API Permission | Description | Tool Tip | Footer Text |  Custom Field Tab Name |
+| ----- | ---- | ---------------- | ---- | -------- | ------------- | ------------- | --------------------- | --------------------- | -------------- | ----------- | -------- | ----------- | ----------- |
+| cPVAL Enable Reboot Prompts | cpvalEnableRebootPrompts | `Organization`,`Location`,`Device` | CheckBox | False | - | - | Editable | Read_Write | Read_Write | Enables reboot prompts following TLS Hardening. Requires the Reboot Pending Prompt solution to be enabled in the environment. | Select it to display reboot prompts on the machine after TLS Hardening has been applied. Requires the 'Reboot Pending Prompt solution' to be enabled in the environment. | Select it to display reboot prompts on the machine after TLS Hardening has been applied.| TLS/SSL |
+
+## Dependencies
+
+- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb)
+
+## Custom Field Creation
+
+[Custom Field Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/custom-fields/cpval-tls-ssl-hardening-required.toml)
+
+## Sample Screenshot
+
+![Image1](../../../static/img/docs/6f8d4110-f4ee-4965-8853-8b4a7b03bda5/image1.webp)
+
+## Changelog
+
+###  2026-06-10
+
+- Initial version of the document

docs/ninjaone/custom-fields/cpval-tls-client-enabled.md

@@ -9,7 +9,7 @@ tags: ['tls', 'audit']
 draft: false
 unlisted: false
 last_update:
-  date: 2026-04-15
+  date: 2026-06-10
 ---
 
 ## Summary
@@ -20,7 +20,7 @@ This stores the enabled TLS Client versions on an endpoint.
 
 | Label | Field Name | Definition Scope | Type | Required | Default Value | Technician Permission | Automation Permission | API Permission | Description | Tool Tip | Footer Text |  Custom Field Tab Name |
 | ----- | ---- | ---------------- | ---- | -------- | ------------- | --------------------- | --------------------- | -------------- | ----------- | -------- | ----------- | ----------- |
-| cPVAL TLS Client Enabled | cpvalTlsClientEnabled | Device | Text | False |  | Read Only | Read/Write | Read/Write | This stores the enabled TLS Client versions on an endpoint. | This stores the enabled TLS Client versions on an endpoint. | This stores the enabled TLS Client versions on an endpoint. | TLS Audit |
+| cPVAL TLS Client Enabled | cpvalTlsClientEnabled | Device | Text | False |  | Read Only | Read/Write | Read/Write | This stores the enabled TLS Client versions on an endpoint. | This stores the enabled TLS Client versions on an endpoint. | This stores the enabled TLS Client versions on an endpoint. | TLS/SSL |
 
 ## Dependencies
 

docs/ninjaone/custom-fields/cpval-tls-hardening.md

@@ -0,0 +1,42 @@
+---
+id: '6959568a-a814-4c96-8b5a-d83e315c637d'
+slug: /6959568a-a814-4c96-8b5a-d83e315c637d
+title: 'cPVAL TLS Hardening'
+title_meta: 'cPVAL TLS Hardening'
+keywords: ['tls','ssl','disable']
+description: 'Enables TLS hardening for workstations and servers. `Validate` identifies devices that require TLS hardening without making changes. `Enforce` applies hardening to devices flagged by Validate. `Validate` must be enabled for Enforce to work properly.'
+tags: ['tls','windows']
+draft: false
+unlisted: false
+last_update:
+  date: 2026-06-10
+---
+
+## Summary
+
+Enables TLS hardening for workstations and servers. `Validate` identifies devices that require TLS hardening without making changes. `Enforce` applies hardening to devices flagged by Validate. `Validate` must be enabled for Enforce to work properly.
+
+## Details
+
+| Label | Field Name | Definition Scope | Type | Option Value | Required | Default Value | Technician Permission | Automation Permission | API Permission | Description | Tool Tip | Footer Text | Custom Field Tab Name |
+| ----- | ---- | ---------------- | ---- | -------- | ------------- | --------------------- | --------------------- | -------------- | ----------- | -------- | ----------- |----------- | ---- | 
+| cPVAL TLS Hardening | cpvalTlsHardening | `Organization`, `Location`, `Device` | DropDown | `Validation (Both)`, `Validation (Servers)`, `Validation (Workstations)`,`Disabled`,`Enforce and Validation (Servers)`,`Enforce and Validation (Workstations)`,`Enforce and Validation (Both)` | True | - | Editable | Read/Write | Read/Write | Enables TLS hardening for workstations and servers. `Validate` identifies devices that require TLS hardening without making changes. `Enforce` applies hardening to devices flagged by Validate. `Validate` must be enabled for Enforce to work properly.| Enables TLS hardening for workstations and servers. `Validate` identifies devices that require TLS hardening without making changes. `Enforce` applies hardening to devices flagged by Validate. `Validate` must be enabled for Enforce to work properly. | Enables TLS hardening for workstations and servers. | TLS/SSL |
+
+## Dependencies
+
+- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb)
+
+## Custom Field Creation
+
+- [Custom Field Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/custom-fields/cpval-tls-hardening.toml)
+
+## Sample Screenshot
+
+![Image1](../../../static/img/docs/6959568a-a814-4c96-8b5a-d83e315c637d/image1.webp)
+
+## Changelog
+
+###  2026-06-10
+
+- Initial version of the document
+

docs/ninjaone/custom-fields/cpval-tls-server-enabled.md

@@ -9,7 +9,7 @@ tags: ['tls', 'audit']
 draft: false
 unlisted: false
 last_update:
-  date: 2026-04-15
+  date: 2026-06-10
 ---
 
 ## Summary
@@ -20,7 +20,7 @@ This stores the enabled TLS Server versions on an endpoint.
 
 | Label | Field Name | Definition Scope | Type | Required | Default Value | Technician Permission | Automation Permission | API Permission | Description | Tool Tip | Footer Text |  Custom Field Tab Name |
 | ----- | ---- | ---------------- | ---- | -------- | ------------- | --------------------- | --------------------- | -------------- | ----------- | -------- | ----------- | ----------- |
-| cPVAL TLS Server Enabled | cpvalTlsServerEnabled | Device | Text | False |  | Read Only | Read/Write | Read/Write | This stores the enabled TLS Server versions on an endpoint. | This stores the enabled TLS Server versions on an endpoint. | This stores the enabled TLS Server versions on an endpoint. | TLS Audit |
+| cPVAL TLS Server Enabled | cpvalTlsServerEnabled | Device | Text | False |  | Read Only | Read/Write | Read/Write | This stores the enabled TLS Server versions on an endpoint. | This stores the enabled TLS Server versions on an endpoint. | This stores the enabled TLS Server versions on an endpoint. | TLS/SSL |
 
 ## Dependencies