Disable-TlsCipherSuite : Exception from HRESULT: 0xD0000225
When I disable the cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 in PowerShell on Windows Server, I got this error message:

Disable-TlsCipherSuite : Exception from HRESULT: 0xD0000225
At line:1 char:1
+ Disable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Disable-TlsCipherSuite], COMException
    + FullyQualifiedErrorId : Exception from HRESULT: 0xD0000225,Microsoft.WindowsAuthenticationProtocols.Commands.RemoveTlsCipherSuiteCommand

What does the error mean and how to fix it? Thank you for any suggestion.

Samarium answered 9/12, 2020 at 8:47 Comment(2)
Interesting. HRESULT is interpreted as 0xD (severe failure, NT status bit set) and the error is 0x0225 which is stated to be [ERROR_INSTRUCTION_MISALIGNMENT (0x225)] aka some code is not properly aligned in memory. Either you've discovered a bug in cryptography which is masked because the ciphersuite affected is not used in favor of AES256/SHA384, or there is some internal protection at work, like if disabling this ciphersuite would seriously break say Microsoft signature verification or similar Windows-important process. – Foliation
Anyone? I'm getting the same error with this: Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA" – Passerine
The error simply indicates the cipher is already disabled.

Try Enable-TlsCipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and Disable-TlsCipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384; no error should appear.

Spohr answered 16/2, 2021 at 13:44 Comment(5)
My question is why Get-TlsCipherSuite still returns it if it's disabled. – Decompensation
I have the same question. – Dimple
Run PowerShell as administrator and try it. – Collect
@IgorPashchuk What if you first enable the Group Policy variable for the cipher suite order? If it's disabled, I don't think changes will be applied—the default order and all available ciphers will be used. Its hierarchy is: Local Computer Policy › Administrative Template › Network › SSL Configuration Settings › SSL Cipher Suite Order – Kirkman
It returns if it is disabled because the cipher suite may be installed but not in use. I do think the PowerShell cmdlet for this should simply return an informative message like "Suite disabled" rather than the cryptic 0xD0000225. – Lymphocyte
Run PowerShell as administrator and try it.

It worked for me.

Collect answered 13/7, 2021 at 18:3 Comment(0)
The same error 0x0000225 occurred when trying to disable some cipher suites. It turned out that the cipher suites were explicitly specified in the Local Computer policy: Computer Configuration >> Administrative Templates >> Network >> SSL Configuration Settings >> SSL cipher suite order. Here you need to specify the required cipher suites, separated by commas. After this, the request Get-TlsCipherSuite | ft name produced the required result.

Clarsach answered 20/12, 2023 at 6:22 Comment(0)
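
The answers above give three different explanations for the error: the suite is already disabled, the session is not elevated, or the "SSL Cipher Suite Order" policy defines the list. The following added example (not code from any poster on this page) checks all three before calling Disable-TlsCipherSuite. The function name Test-TlsSuiteDisableReady is hypothetical, and the registry path is an assumption: it is the location where that policy setting is normally stored.

```powershell
# Added example: pre-flight checks before Disable-TlsCipherSuite.
# Test-TlsSuiteDisableReady is a hypothetical helper name.
function Test-TlsSuiteDisableReady {
    param([Parameter(Mandatory)][string]$Name)

    # 1. Elevation: the TLS cmdlets change machine-wide Schannel settings.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. Policy: "SSL Cipher Suite Order" is stored as a comma-separated
    #    Functions value under this key (assumed standard location).
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $policy     = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    $policyList = @(@($policy) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # 3. Current state: compare names exactly rather than by partial match.
    $active = @(Get-TlsCipherSuite | Where-Object { $_.Name -eq $Name })

    [pscustomobject]@{
        Name            = $Name
        Elevated        = $elevated
        PolicyOrderSet  = $policyList.Count -gt 0
        InPolicyList    = $policyList -contains $Name
        CurrentlyListed = $active.Count -gt 0
    }
}

$suite = 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
$state = Test-TlsSuiteDisableReady -Name $suite
$state | Format-List

if (-not $state.Elevated) {
    Write-Warning 'Not elevated: start PowerShell as administrator and retry.'
} elseif ($state.PolicyOrderSet) {
    Write-Warning 'SSL Cipher Suite Order policy is set: edit the policy list instead.'
} elseif (-not $state.CurrentlyListed) {
    Write-Output "$suite is not in the active list; nothing to disable."
} else {
    Disable-TlsCipherSuite -Name $suite
}
```

After a change, Get-TlsCipherSuite | ft name (as used in the last answer) shows the resulting list.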
