Environment
- Carbon Black Cloud: LiveQuery search
Question
How do I interpret the results of the Audit & Remediation query for TLS settings?
Answer
For the following Audit & Remediation query:
```sql
-- Read the TLS 1.2 client DisabledByDefault value from the Schannel settings
SELECT
  reg.key,
  reg.name,
  reg.data AS Value,
  -- Translate the raw registry data into a readable status
  CASE
    WHEN reg.data = 1 THEN 'TLS 1.2 Protocol disabled'
    WHEN reg.data = 0 THEN 'TLS 1.2 not disabled by default'
    ELSE 'Registry key not found'
  END AS DisabledByDefault
FROM registry reg
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault';
```
the results mean:
| Value | Meaning |
| --- | --- |
| 0 | TLS 1.2 is not disabled on this Device |
| 1 | TLS 1.2 is disabled on the Device |
| "Registry key not found" | This OS does not have this registry key by default |
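
As an added example (not part of the original article and not the vendor's own query), the query below goes beyond the single value above and reads both Schannel values for TLS 1.2 under the Client and Server subkeys in one pass. It assumes the standard Schannel layout, where each protocol key has `Client` and `Server` subkeys carrying `Enabled` and `DisabledByDefault` values; the `Interpretation` column name is chosen here for illustration.

```sql
-- Added example: widen the TLS 1.2 check to Client and Server,
-- and to both the Enabled and DisabledByDefault values.
SELECT
  reg.key,
  reg.name,
  reg.data AS Value,
  CASE
    WHEN lower(reg.name) = 'disabledbydefault' AND reg.data = 1
      THEN 'TLS 1.2 disabled by default'
    WHEN lower(reg.name) = 'disabledbydefault' AND reg.data = 0
      THEN 'TLS 1.2 not disabled by default'
    WHEN lower(reg.name) = 'enabled' AND reg.data = 0
      THEN 'TLS 1.2 explicitly disabled'
    -- Any non-zero Enabled value turns the protocol on
    WHEN lower(reg.name) = 'enabled'
      THEN 'TLS 1.2 explicitly enabled'
    ELSE 'Unexpected value'
  END AS Interpretation
FROM registry reg
-- The trailing \% matches the Client and Server subkeys of the TLS 1.2 key
WHERE reg.key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\%'
  AND lower(reg.name) IN ('disabledbydefault', 'enabled');
```
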
Additional Notes
A number of operating systems do not have the registry value for disabling TLS 1.2 that the query looks for; they are listed in the article linked to the FAQ in Related Links. These should show the value "Registry key not found".
It is much clearer to use the following search terms on Inventory → Endpoints or Inventory → VM Workloads:
tlsVersion:TLSv1 OR tlsVersion:TLSv1.1