Are you in need of configuring crypto or schannel (IIS) settings on more than a few Windows virtual machines? The Set-Crypto PowerCLI script might be of interest to use in your VMware environment. Recently I had to configure all the Windows servers in our VMware environment to use the correct crypto/schannel settings. The gold standard for Windows/IIS administrators for configuring crypto is a program called IISCrypto .
I have been using IISCrypto for a few years now and it is hands down the easiest way to configure your Windows vms using the schannel settings you choose. It also has built-in ‘best practices’ settings for general security as well as pci and fips requirements. This is a great tool for setting one server at a time but I needed to do this en masse. I thought wouldn’t it be great if they had a command-line tool. Well it turns out that they do have a command-line tool. It allowed me to create a script to configure all my servers for crypto/schannel settings.
The schannel PowerCLI script Set-Crypto utilizes IISCrypto command-line, batch files, and template profiles created ahead of time based on ‘best practices’ for 2012R2 Windows Server and 2016 Windows Server respectively. You can also go to my Pastebin Set-Crypto folder to get the needed batch files and template profile files. You will need to get IISCrypto from Nartac software. It is free to use but their site does not explain their licensing model so I do not know the implications of using their software. Please contact Nartac software for more information regarding licensing. Please read the assumptions at the beginning of the script. Always be sure to read and understand any code you download from the internet before running in a production environment.
Feel free to comment and give suggestions on how to improve this script or any others I have shared. If you like this script you may want to check out one of my previous scripts Powershell SSL Certificate Script .