Windows 2008 R2 - WinRM and disabling TLS 1.0

Recently, I’ve undertaken the task of PCI Compliance for several servers I manage. One of the recurring recommendations is to disable TLS 1.0 in favor of TLS 1.1/1.2.

The good news… Disabling TLS 1.0 on a group of servers is super easy using Ansible! Sadly, one of the side effects of disabling is that the WinRM connection in my Ansible scripts becomes completely broken afterward. After disabling, connecting to Windows servers results in the following error:

fatal: [10.0.20.20]: FAILED! => {"failed": true, "msg": "ERROR! ssl: 500 WinRMTransport. [Errno 54] Connection reset by peer"}

Re-enabling TLS 1.0 will correct the issue, but obviously it’s not ideal and I’m wondering what can be done… So, some questions:

  1. Is TLS 1.0 required in Windows, or is it something in the pywinrm package?
  2. If TLS 1.0 must be used, is there an interim solution where it can be disabled for IIS (port 443) only? The only solutions I have found online disable it in the SCHANNEL/Protocols registry key, which then disables it system-wide in Windows.
  3. Has anyone run into this problem or discovered another workaround?

Thanks, looking forward to discussing!

-chris
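The thread does not say which protocols were left enabled after the change, so here is an added diagnostic (not posted by anyone in the thread) to run on the Windows host: it reads the SCHANNEL protocol keys and flags the case where nothing newer than TLS 1.0 is enabled on the Server side, which would leave the WinRM HTTPS listener with no protocol to negotiate with pywinrm. It assumes the standard SCHANNEL registry layout and sticks to PowerShell 2.0-compatible syntax for 2008 R2.

```powershell
# Added diagnostic, not from the thread. Reports the SCHANNEL protocol state
# and warns when the WinRM HTTPS listener may have nothing left to negotiate.
# Assumes the standard layout: <Protocols>\<proto>\<Client|Server> with the
# DWORDs Enabled and DisabledByDefault. A missing key means "OS default",
# and on 2008 R2 the default for TLS 1.1/1.2 is off.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelState {
    param([string]$Protocol, [string]$Side)   # Side is 'Client' or 'Server'
    $key = Join-Path (Join-Path $base $Protocol) $Side
    if (-not (Test-Path $key)) { return 'default (no key)' }
    $p = Get-ItemProperty -Path $key
    if ($p.Enabled -eq 0)           { return 'disabled (Enabled=0)' }
    if ($p.DisabledByDefault -eq 1) { return 'disabled (DisabledByDefault=1)' }
    if ($p.Enabled -eq $null)       { return 'default (no Enabled value)' }
    return 'enabled'
}

$report = foreach ($proto in $protocols) {
    New-Object PSObject -Property @{
        Protocol = $proto
        Client   = Get-SchannelState -Protocol $proto -Side 'Client'
        Server   = Get-SchannelState -Protocol $proto -Side 'Server'
    }
}
$report | Select-Object Protocol, Client, Server | Format-Table -AutoSize

# Only the Server side matters for an inbound Ansible/pywinrm connection:
# the Linux side is the TLS client. WinRM over HTTPS terminates TLS in
# HTTP.sys through SCHANNEL, so at least one server-side TLS version must
# remain usable once TLS 1.0 is switched off.
$tls10Off  = ($report | Where-Object { $_.Protocol -eq 'TLS 1.0' }).Server -like 'disabled*'
$newerOn   = $report | Where-Object { ($_.Protocol -eq 'TLS 1.1' -or $_.Protocol -eq 'TLS 1.2') -and $_.Server -eq 'enabled' }
if ($tls10Off -and -not $newerOn) {
    Write-Warning ('TLS 1.0 is disabled on the Server side but neither TLS 1.1 nor TLS 1.2 ' +
                   'is explicitly enabled there; on 2008 R2 that leaves the WinRM HTTPS ' +
                   'listener with no protocol, which matches a connection reset during the handshake.')
}

# Cross-check which listener (port/certificate) the connection is hitting.
winrm enumerate winrm/config/listener
```

If the warning fires, the thing to compare is the TLS 1.1/1.2 Server keys against the TLS 1.0 one; a reboot is still needed for SCHANNEL changes to take effect on 2008 R2.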

Not hit this myself, but it seems likely it's coming for many of us.

Just wondering if bouncing the winrm service might fix this? Or a Restart-Computer (I'd recommend the win_reboot role on Galaxy if it really does need a reboot) - so many things in Windows still need a reboot :frowning:

I guess it will need to renegotiate after a change like this has been made.

Noticed this when I was searching around - https://support.microsoft.com/en-us/kb/3080079 - if remote desktop needed a change, then maybe winrm does too? No idea at this point if they share any logic.

Please let us know if the restart does the trick.

Jon

Hi Chris,

I am having the same issue. Were you able to work around this?

-yinidu