You updated systems from Win7 to Win10, and the computer's self-signed certificate is still signed with SHA1. Your vulnerability scanners are picking up the error as a MED vulnerability. With a simple PowerShell command you can update it in one step. If you are running SQLEXPRESS, there are a few extra steps to make sure SQLEXPRESS is using the new SHA256 certificate.
Create the new self-signed certificate in PowerShell, run as admin (change the computer name):
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "MyComputerName.domain.internal" -FriendlyName "CertName" -NotAfter (Get-Date).AddYears(10)
That is it; if you use RDP, it will read the new updated certificate.
Otherwise, for MSSQL, copy the Thumbprint from the PowerShell window to a text file (you will use it later for the SQL part).
example thumbprint: c2b819f3b0f760e6496dfe310843f7fa52449a2f
Go to Search, type in "cert" and select: Manage Computer Certificates
Personal / Certificates / right-click on the cert / All Tasks / Manage Private Keys / add both LOCAL users (Network Service and the SQLServerMSSQLUser...) as READ ONLY
If the service doesn't start, add the local "Users" and "Interactive" accounts as READ ONLY
Add the thumbprint from the certificate to the registry value "Certificate" in one of these locations:
"Certificate"="c2b819f3b0f760e6496dfe310843f7fa52449a2f"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQLServer\SuperSocketNetLib]
OR
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQLServer\SuperSocketNetLib]
Looks something like this:
"ForceEncryption"=dword:00000000
"HideInstance"=dword:00000000
"Certificate"="c2b819f3b0f760e6496dfe310843f7fa52449a2f"
"ExtendedProtection"=dword:00000000
"AcceptedSPNs"=hex(7):00,00
"DisplayName"="SQL Server Network Configuration"
Restart the SQL service to apply.
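The SQL part of the steps above can also be scripted with a check that the certificate really is SHA256 before SQL Server is pointed at it. This is an added example, not the author's script: the thumbprint is the sample value from this page, and the service name MSSQL$SQLEXPRESS is an assumption (the default for an instance named SQLEXPRESS). Run it as admin after granting the private-key read permissions described above.

```powershell
# Added example. $Thumbprint is the sample value from this page; replace it with your own.
$Thumbprint = 'c2b819f3b0f760e6496dfe310843f7fa52449a2f'

# 1. Audit: list every machine certificate with its signature hash so SHA1 leftovers stand out.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Thumbprint, FriendlyName, NotAfter,
        @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-Table -AutoSize

# 2. Refuse to continue unless the chosen certificate exists, is SHA256 and has a private key.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if ($cert.SignatureAlgorithm.FriendlyName -notmatch 'sha256') {
    throw "Certificate $Thumbprint is signed with $($cert.SignatureAlgorithm.FriendlyName), not SHA256."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; SQL Server cannot use it."
}

# 3. Write the thumbprint to whichever of the two registry locations from this page exists.
$candidates = @(
    'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQLServer\SuperSocketNetLib',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQLServer\SuperSocketNetLib'
)
$key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $key) { throw 'SuperSocketNetLib key not found in either location.' }

# Record the old value so the change can be rolled back if the service fails to start.
$old = (Get-ItemProperty -Path $key -Name Certificate -ErrorAction SilentlyContinue).Certificate
Write-Host "Previous Certificate value: '$old'"

# Lower-cased to match the form of the example value shown on this page.
Set-ItemProperty -Path $key -Name Certificate -Value $Thumbprint.ToLower()

# 4. Restart the instance to apply (service name is an assumption, see above).
Restart-Service -Name 'MSSQL$SQLEXPRESS' -Force
Get-Service -Name 'MSSQL$SQLEXPRESS' | Select-Object Name, Status
```

If the restart fails, restore the previous value printed in step 3 and recheck the private-key permissions on the certificate.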