Score:0

How to check the TLS version of 2H22 RDP?

Is there any CLI/CMD way to check the supported (RDP) TLS version on Windows 10? I don't know if the RDP TLS will be equal to that of Windows SSP TLS, but I suppose yes. By default, Windows should apply the highest supported TLS encryption to RDP, shouldn't it?

I used this reference sheet with the SSP version matrix:

https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

The problem is this sheet does not contain the latest Windows 22H2 version and does not make a distinction between the Home/Pro/Enterprise versions. I have 22H2 build 19045.2965 Enterprise version and its features may differ from those of the Home edition.

I found this question, "Checking the encryption level of Remote Desktop on Windows Server 2012", but since pktmon is prohibited in our corporate environment, this way of checking is unachievable for me. Is there a more conventional way?

Unless you disable them, it supports all versions of TLS. What is used depends on the remote server and what it supports.
My question was not about the negotiated version between host and client, but rather about the *highest supported version* by the 2H22 RDP client.
The highest would be 1.3, but what is used is up to which is configured in Windows. I don't think TLS 1.3 is enabled by default, so if you haven't changed it, it's gonna use 1.2 in that case. So the highest supported is 1.3, but what is used really depends on what is configured in the registry. At work we only have TLS 1.2 enabled for example.
Score:1

Windows uses the operating system setting for the Remote Desktop Session Host encryption configuration. Each side provides a list of the protocols that are supported, then negotiates starting from the highest.

This is different from previous versions, which were hardcoded to only support TLS 1.0 regardless of the system TLS versions supported.

I'm not aware of a command line utility that will display the TLS version negotiated for RDP or another network protocol. It should be viewable during session setup in a packet capture, and if the server is configured to disable TLS 1.0 and 1.1, it must be assumed to be using 1.2.

OK, so no handy way except sniffing the traffic?
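
The thread notes that RDP follows the operating system's TLS settings and that what is used depends on the registry. As an added example (not posted by anyone in this thread), the following read-only PowerShell reports the per-protocol Schannel overrides under the standard `SCHANNEL\Protocols` key. It shows configured overrides only, not the version negotiated for a given session; the function name `Get-SchannelOverride` and the state labels are this example's own.

```powershell
# Added example: read-only report of Schannel per-protocol registry overrides.
# A missing key or value means no override is set and the build's own default applies.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'
$roles     = 'Client', 'Server'   # Client: outbound (mstsc); Server: inbound (RDP host)

function Get-SchannelOverride {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [string] $Role
    )
    $key = "$base\$Protocol\$Role"
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path -LiteralPath $key) {
        $item = Get-Item -LiteralPath $key
        # RegistryKey.GetValue returns the supplied default ($null) when the value is absent
        $enabled = $item.GetValue('Enabled', $null)
        $disabledByDefault = $item.GetValue('DisabledByDefault', $null)
    }

    # Enabled is commonly written as 1 or 0xffffffff, so treat any non-zero value as "on"
    if (($null -ne $enabled) -and ($enabled -eq 0)) {
        $state = 'Disabled by override'
    } elseif (($null -ne $disabledByDefault) -and ($disabledByDefault -ne 0)) {
        $state = 'Not offered by default (DisabledByDefault set)'
    } elseif (($null -eq $enabled) -and ($null -eq $disabledByDefault)) {
        $state = 'No override (OS default applies)'
    } else {
        $state = 'Enabled by override'
    }

    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
    }
}

$report = foreach ($p in $protocols) {
    foreach ($r in $roles) { Get-SchannelOverride -Protocol $p -Role $r }
}
$report | Format-Table -AutoSize
```

A row reading "No override" still leaves the effective behaviour to the OS build's defaults, so confirming the version actually used for an RDP session still requires observing the handshake.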