Audits TLS/SSL configuration for all SQL Server instances on one or more computers: certificate thumbprint, ForceEncryption, cert expiry/trust/SAN, and SCHANNEL TLS 1.0–1.3 protocol state. Works locally and remotely via WinRM. No dbatools required.
Execution Flow
Synopsis
Reads SQL Server TLS/SSL configuration entirely from the Windows Registry and certificate store — no SQL connection, no dbatools needed. For each instance, the certificate thumbprint bound in SuperSocketNetLib is resolved against Cert:\LocalMachine\My, chain-validated, and its expiry and SAN entries are recorded. SCHANNEL TLS protocol state (TLS 1.0–1.3) is read per computer. Remote execution uses Invoke-Command (WinRM).
No dbatools required. Remote access via WinRM (Invoke-Command). Use -Credential for non-default remote credentials. Certificate chain validation uses RevocationMode=NoCheck to avoid network dependency.
Status Logic
Status
Condition
Critical
Cert thumbprint set but not found in LocalMachine\My, OR cert chain not trusted, OR cert expired.
Warning
Cert expires within WarnDaysBeforeExpiry days, OR ForceEncryption=0, OR TLS 1.0/1.1 Enabled, OR no cert bound (self-signed auto-cert).
Target computer(s). Pipeline-capable. For remote: WinRM must be enabled.
-Credential
PSCredential
—
Credential for Invoke-Command on remote computers.
-OutputPath
String
C:\System\WinSrvLog\MSSQL
Directory for CSV and TXT report files.
-WarnDaysBeforeExpiry
Int
60
Certificate expiry warning threshold in days.
-NoOpen
Switch
false
Suppress automatic report opening.
Return Value
Property
Description
ComputerName
Source computer.
InstanceName
SQL Server instance name (e.g. MSSQLSERVER or NAMED).
ForceEncryption
0 = optional, 1 = required.
CertThumbprint
Thumbprint from SuperSocketNetLib. Empty = auto self-signed.
CertSubject
Certificate Subject CN.
CertExpiry / CertDaysLeft
Expiry date and days remaining.
CertTrusted / CertInStore
Chain validation result; whether cert was found in store.
SANEntries
Subject Alternative Name extension text.
HasPrivateKey
Boolean — true if private key is present.
TLS10 / TLS11 / TLS12 / TLS13
Enabled / Disabled / NotConfigured per SCHANNEL Server key.
Status / StatusDetail
OK / Warning / Critical with pipe-separated detail text.
Examples
# Audit local machineGet-sqmTlsStatus# Multiple servers, save to custom pathGet-sqmTlsStatus-ComputerName"SQL01","SQL02"-OutputPath"D:\Reports"# Filter non-OK results, remote with credentials
$cred = Get-CredentialGet-sqmTlsStatus-ComputerName"SQL01"-Credential $cred | Where-Object Status -ne"OK"