Issue
On Windows devices, scans and policies fail and return the following error:
The request was aborted: Could not create SSL/TLS secure channel.
This error prevents the scan/policy from completing successfully.
Environment
Windows devices
Occurs during scan execution
Requires local administrator access to remediate
Cause and Validation
The Windows system is not configured correctly in order to securely connect to Automox's platform. At least one of the following are the cause:
Does not have TLS 1.3 enabled.
.NET applications do not have TLS 1.2 enforced.
Does not have ECDH Key Exchange enabled.
The necessary cipher suites are not enabled.
This manifests with the following error when attempting to connect to an Automox endpoint via PowerShell:
Invoke-WebRequest "https://api.automox.com"This error indicates that something went wrong with the TLS handshake. If TLS 1.2 is enabled, it's most likely not being enforced in Powershell. Forcing it with the following command will work in that session, but not for Powershell as a whole:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
If that resolves the behavior, you can force Powershell to use TLS1.2 persistently by following this article: Force PowerShell to Use TLS 1.2
If that does not resolve the behavior, it may be a result of cipher suites necessary for a secure connection to Automox not being available on the device.
Use SSL Labs to validate the necessary Cipher Suites for Automox download URLs:
https://www.ssllabs.com/ssltest/analyze.html?d=api.automox.com
https://www.ssllabs.com/ssltest/analyze.html?d=storage-cdn.prod.automox.com
Example SSL Labs output (as of 12/18/2025):
If ECDH is not enabled
Running this PowerShell command gets us the available Cipher Suites:
$(Get-tlsciphersuite) | Select-Object Name, exchange, protocolsExample output:
Name Exchange Protocols
---- -------- ---------
TLS_CHACHA20_POLY1305_SHA256 {772}
TLS_AES_256_GCM_SHA384 {772}
TLS_AES_128_GCM_SHA256 {772}
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH {771, 65277}
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH {771, 65277}
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH {771, 65277}
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH {771, 65277}
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDH {771, 65277}
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDH {771, 65277}
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDH {771, 65277}
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDH {771, 65277}The Protocols are correlated from their decimal translated value:
0x0303: "TLS_1_2", # 771
0x0304: "TLS_1_3", # 772
0xfefd: "DTLS_1_1", # 65277If TLS 1.3 is not enabled, the only Cipher Suites available are used with ECDH.
If ECDH Key Exchange is not enabled, we have no viable Cipher Suites.
If TLS 1.3 Cipher Suites are not enabled
Similarly, if TLS 1.3 is enabled, but the only Cipher Suites available do not match what is required by api.automox.com, then the TLS handshake can fail.
Note that none of the available Cipher Suites match what is accepted from the SSL Labs output.
Resolution
There are multiple paths depending on the operating system.
-
Windows 11/Server 2022 or newer:
Does not have TLS 1.3 enabled.
Does not have ECDH Key Exchange enabled.
The necessary cipher suites are not enabled.
-
Windows 10/Server 2019 or older:
Does not have ECDH Key Exchange enabled.
The necessary cipher suites are not enabled.
Enable ECDH Key Exchange
PowerShell Method to Enable ECDH
Note: When making any Registry edits, we recommend taking a backup using your preferred method.
Step 1: Open an elevated PowerShell session
Log in to the affected device.
Open PowerShell as Administrator.
Step 2: Enable ECDH Key Exchange in SCHANNEL
You can run the following script:
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH'
$valueName = 'Enabled'
if (Test-Path $regPath) {
$item = Get-Item -Path $regPath
if ($null -ne $item.GetValue($valueName, $null) -and '0' -ne $item.GetValue($valueName, $null)) {
Write-Output "No changes required. ECDH already enabled."
} else {
Write-Output "ECDH not enabled. Creating registry key: $regPath\$valueName"
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH" `
-Name Enabled -Value 0xffffffff -PropertyType DWord -Force
}
} else {
Write-Output "ECDH not enabled. Creating registry key: $regPath\$valueName"
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH" `
-Name Enabled -Value 0xffffffff -PropertyType DWord -Force
}A reboot should not be necessary, but can be helpful to ensure the settings are configured.
Step 3: Test on the device
Open a fresh PowerShell terminal, and run the command:
Invoke-WebRequest "https://api.automox.com"IIS Crypto Method to Enable ECDH
Step 1: Install IIS Crypto
- Download the ISSCrypt tool: https://www.nartac.com/Products/IISCrypto
- Launch the tool as an Administrator.
Step 2: Take a backup of the Registry
- Open the Advanced tab.
- Click Backup Registry.
Step 3: Open IIS Crypto on the device and verify the current configuration
- Click the Schannel tab.
- Note the Server Protocols, Client Protocols, and Key Exchanges sections.
Step 4: Enable ECDH and click Apply
- On the Schannel tab, check the "ECDH" checkbox in the Key Exchanges section.
- IIS Crypto will recommend a reboot, but this is not strictly necessary (though recommended).
Add Missing Cipher Suites
PowerShell Method to Enable Necessary Cipher Suites
Step 1: Open an elevated PowerShell session
Log in to the affected device.
Open PowerShell as Administrator.
Step 2: Run the following script:
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
$regName = "Functions"
# Required cipher suites
$requiredCiphers = @(
"TLS_AES_256_GCM_SHA384", #TLS1.3
"TLS_AES_128_GCM_SHA384", #TLS1.3
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", #TLS1.2 ECDH
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", #TLS1.2 ECDH
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", #TLS1.2 DHE
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" #TLS1.2 DHE
)
# Get current Functions value
$currentValue = Get-ItemPropertyValue -Path $regPath -Name $regName
# Convert comma-separated string to array and trim whitespace
$currentCiphers = $currentValue -split "," | ForEach-Object { $_.Trim() }
# Determine missing cipher suites
$missingCiphers = $requiredCiphers | Where-Object { $_ -notin $currentCiphers }
if ($missingCiphers.Count -gt 0) {
# Merge existing and missing cipher suites
foreach($i in $missingCiphers){
$missingCiphersString += $i + ","
}
$updatedCiphers = $missingCiphersString + $currentCiphers
# Write back to registry
Set-ItemProperty -Path $regPath -Name $regName -Value $updatedCiphers
Write-Output "Added missing cipher suites:"
$missingCiphers
} else {
Write-Output "No changes required. All required cipher suites are already present."
} IIS Crypto Method to Enable Cipher Suites
Step 1: Install IIS Crypto
- Download the ISSCrypt tool: https://www.nartac.com/Products/IISCrypto
- Launch the tool as an Administrator.
Step 2: Take a backup of the Registry
- Open the Advanced tab.
- Click Backup Registry.
Step 3: Open IIS Crypto on the device and verify the current configuration
- Click the Cipher Suites tab.
- Note the enabled Cipher Suites.
Step 4: Enable the necessary Cipher Suites and click Apply
Validation
Scan the device again from the Devices or Device Details page.
The scan should complete successfully without returning the SSL/TLS secure channel errors.
If it is still unsuccessful, a reboot may be necessary.
Notes
Modifying the Windows registry requires administrative privileges.
Incorrect registry changes can impact system stability. Apply only the keys described above.