
Is there any CLI/CMD way to check the supported (RDP) TLS version on Windows 10? I don't know if the RDP TLS will be equal to that of Windows SSP TLS, but I suppose yes. By default, Windows should apply the highest supported TLS encryption to RDP, shouldn't it?

I used this reference sheet with the SSP version matrix

https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

The problem is that this sheet does not contain the latest Windows 22H2 version and does not make a distinction between the Home/Pro/Enterprise editions. I have the 22H2 build 19045.2965 Enterprise version and its features may differ from those of the Home edition.

I found this question Checking the encryption level of Remote Desktop on Windows Server 2012, but since pktmon is prohibited in our corporate environment this way of checking is unachievable for me. Is there a more conventional way?

  • Unless you disable them, it supports all versions of TLS. What is used depends on the remote server and what it supports.
    – DubStep
    Jun 13 at 23:01
  • My question was not about the negotiated version between host and client, but rather about the highest supported version by the 22H2 RDP client.
    – Suncatcher
    Jun 20 at 3:21
  • The highest would be 1.3, but what is used is up to which is configured in Windows. I don't think TLS 1.3 is enabled by default, so if you haven't changed it, it's gonna use 1.2 in that case. So the highest supported is 1.3, but what is used really depends on what is configured in the registry. At work we only have TLS 1.2 enabled for example.
    – DubStep
    Jun 29 at 16:28

1 Answer


Windows uses the operating system setting for the Remote Desktop Session Host encryption configuration. Each side provides a list of the protocols that are supported, then negotiates starting from the highest.

This is different from previous versions, which were hardcoded to support only TLS 1.0 regardless of the TLS versions the system supported.

I'm not aware of a command line utility that will display the TLS version negotiated for RDP or any other network protocol. It should be viewable during session setup in a packet capture, and if the server is configured to disable TLS 1.0 and 1.1, it must be assumed to be using 1.2.

  • OK, so no handy way except sniffing the traffic?
    – Suncatcher
    Jun 20 at 3:20
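Added example, not part of the question or the answer above: a PowerShell script that reports what the host is configured to allow, which is the input to the negotiation the answer describes. It reads the Schannel protocol override keys (a missing key means the OS default from the Microsoft matrix linked in the question applies), the RDP-Tcp listener's SecurityLayer and MinEncryptionLevel through the Win32_TSGeneralSetting WMI class, and, as a way to see the negotiated version without a packet capture, recent Schannel event 36880 entries in the System log. That event is only written when Schannel informational logging is enabled (the EventLogging DWORD under the SCHANNEL key); the value mapping tables and the function names are mine, and the script assumes an elevated prompt on the machine being checked.

```powershell
# Added example (not from the original question or answer).
# Reports the TLS/RDP security configuration of the local host.
# Run from an elevated PowerShell prompt on the machine you are checking.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    # One row per protocol and role. An absent key means no override: the OS
    # default applies. Enabled=0 disables; DisabledByDefault=1 leaves the
    # protocol installed but not offered unless an application asks for it.
    foreach ($proto in $Protocols) {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path (Join-Path $SchannelRoot $proto) $role
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $v = Get-ItemProperty -Path $key
                $enabled = $v.Enabled
                $disabledByDefault = $v.DisabledByDefault
                $state = if ($enabled -eq 0) { 'Disabled' }
                         elseif ($disabledByDefault -eq 1) { 'DisabledByDefault' }
                         else { 'Enabled' }
            } else {
                $state = 'OS default (no override key)'
            }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                State             = $state
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Get-RdpSecuritySetting {
    # SecurityLayer 0 = legacy RDP security (no TLS), 1 = Negotiate, 2 = TLS only.
    # MinEncryptionLevel 1..4 = Low, Client Compatible, High, FIPS Compliant.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    $layerNames = @{ 0 = 'RDP Security Layer (no TLS)'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
    $levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    [pscustomobject]@{
        SecurityLayer      = "$($ts.SecurityLayer) - $($layerNames[[int]$ts.SecurityLayer])"
        MinEncryptionLevel = "$($ts.MinEncryptionLevel) - $($levelNames[[int]$ts.MinEncryptionLevel])"
        UserAuthRequired   = [bool]$ts.UserAuthenticationRequired   # NLA on/off
    }
}

function Get-RecentSchannelHandshakes {
    param([int]$Max = 20)
    # Event 36880 (Schannel, System log) records a completed handshake and names
    # the negotiated protocol and cipher suite. It is only logged when Schannel
    # informational logging is turned on, so an empty result is expected otherwise.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36880 } `
                     -MaxEvents $Max -ErrorAction Stop |
            Select-Object TimeCreated,
                          @{ Name = 'Summary'; Expression = { (($_.Message -split "`r?`n") | Where-Object { $_ -match 'handshake|Protocol|CipherSuite' }) -join ' | ' } }
    } catch {
        Write-Warning "No Schannel event 36880 entries found. Enable Schannel informational logging to record negotiated versions."
    }
}

# Usage:
Get-SchannelProtocolState | Format-Table -AutoSize
Get-RdpSecuritySetting    | Format-List
Get-RecentSchannelHandshakes -Max 10 | Format-Table -AutoSize
```

The first two functions answer "what can this host offer" (the only thing a CLI can tell you without observing a session); the third gives the negotiated version per handshake once logging is on, which is the one place on the box itself that records what was actually agreed. Remember that a Schannel override in the registry changes every Schannel consumer on the host, not just RDP, so disabling TLS 1.0/1.1 there should be tested against other services first.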
