Remotely Disable a Windows Firewall (command line)

On a computer in the domain, hit Start, Run, Type:

runas /user:an-administrator@YourDomain cmd "CMD will start with domain admin privliges "

in the CMD window, run:
psxec \\yourremotecomputername cmd

Now run:
netsh firewall set opmode disable "To disable firewall"

Or if you have access to GPO you can do this in the GPO with a GPP

Download PSExec here:  http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

2012 r2 support TLS 1.2, but defaults to SSL 3.0 + TLS 1.0.

TL;DR: TLS 1.1 and TLS 1.2 are supported, but disabled by default for most “WinHTTP” client applications, including .NET and hence PowerShell. 

Your Server 2012 r2 should be updated to change the defaults or this issue will reoccur, often.

Background information:

Microsoft .NET supports TLS 1.2, but defaults to SSL 3.0 + TLS 1.0.

• Hence PowerShel
• For custom PowerShell scripts, there’s a workaround to enable modern protocols (see snippet below).
• For .NET applications in general, a registry change is required. See: https://support.microsoft.com/en-us/help/3155464/ms16-065-description-of-the-tls-ssl-protocol-information-disclosure-vu
• This enables TLS 1.0, TLS 1.1, and TLS 1.2, but does not “enforce” TLS 1.2.
• WinHTTP applications in general have the same issue. See: Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows

Technical Recommendations:

Add the following registry keys to your Windows Server instances. Either save this is a “.reg” file, or alternatively deploy the 4 values using Group Policy Preferences.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

"DefaultSecureProtocols"=dword:00000a80

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

"DefaultSecureProtocols"=dword:00000a80

For servers where PowerShell has TLS 1.2 issues, but enabling it at the registry level causes incompatibility issues, the following snippet can be used:

# EITHER: Enable all current TLS variants:

[System.Net.ServicePointManager]::SecurityProtocol = 'Tls,Tls11,Tls12'

# OR: Enforce TLS 1.2 only and also check Certificate Revocation Lists (CRLs):

[System.Net.ServicePointManager]::SecurityProtocol = 'Tls12'

[System.Net.ServicePointManager]::CheckCertificateRevocationList  = $true