How to resolve Azure backup agent issues when disabling TLS 1.0 for PCI Compliance

Applies to: Windows Server

This article describes issues that you may encounter with the Microsoft Azure Recovery Services (MARS) agent if the TLS 1.0 security protocol is disabled and only TLS 1.1 and TLS 1.2 are enabled to achieve security hardening for PCI compliance.

Symptoms


When TLS 1.0 is disabled, one or more of the following issues may occur:

  • Server backups fail.
  • The MARS Agent console doesn’t start successfully.
  • Services that are related to the MARS Agent don’t stop or start as usual.

Cause


These issues occur because the .NET Framework 4.5 has a default preference of TLS 1.0, although it supports up to TLS 1.2.

Resolution


Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows


To resolve these issues, change the default preference of the .NET Framework 4.5 from TLS 1.0 to TLS 1.2. To do this, follow these steps:

  1. Open a Command Prompt window as an administrator.

  2. At the elevated command prompt, run the following command:
    net stop obengine
  3. Open Registry Editor, and then navigate to the following registry subkeys:

    • HKLM\software\Wow6432Node\Microsoft\.NETFramework\
    • HKLM\software\microsoft\.NETFramework\
  4. Under each of these registry keys, locate the subkeys that indicate a version.

    Note: These subkeys appear in the "v<Version Number>" format.

  5. For each of these subkeys, add a DWORD Value that is named SchUseStrongCrypto, and set its value to 1.

  6. Repeat step 5 for all the subkeys that have the "v<Version Number>" format.
  7. Close Registry Editor.
  8. At an elevated command prompt, run the following command:
    net start obengine

After you complete these steps, you should be able to start the MARS Agent console as expected.
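
The same procedure as a PowerShell script, added here as an example that is not part of the original article. The backup file location under $env:TEMP and the '^v\d' filter used to pick out the "v<Version Number>" subkeys are assumptions; run it from an elevated 64-bit PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): steps 2-8 as a script.
$roots = 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'

Stop-Service -Name obengine -ErrorAction Stop          # step 2: net stop obengine
try {
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue } # Wow6432Node exists only on 64-bit Windows

        # Back up the key before changing it, as the article advises.
        # Assumption: the backup file name and its location under $env:TEMP.
        $backup = Join-Path $env:TEMP (($root -replace '[^A-Za-z0-9]+', '_') + '.reg')
        reg.exe export ($root -replace '^HKLM:', 'HKLM') $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Registry backup failed for $root" }

        # Steps 4-6: every "v<Version Number>" subkey gets SchUseStrongCrypto = 1 (DWORD).
        Get-ChildItem -Path $root |
            Where-Object { $_.PSChildName -match '^v\d' } |
            ForEach-Object {
                New-ItemProperty -Path $_.PSPath -Name SchUseStrongCrypto `
                    -PropertyType DWord -Value 1 -Force | Out-Null
            }
    }
}
finally {
    # Step 8: net start obengine. Runs even if a registry step failed,
    # so the backup service is not left stopped.
    Start-Service -Name obengine
}

# Check: list each version subkey in both registry views with the value now stored.
$roots | Where-Object { Test-Path -Path $_ } |
    ForEach-Object { Get-ChildItem -Path $_ } |
    Where-Object { $_.PSChildName -match '^v\d' } |
    Select-Object Name,
        @{ Name = 'SchUseStrongCrypto'; Expression = { $_.GetValue('SchUseStrongCrypto') } }
```

Any version subkey that the final listing shows without a value of 1 was missed and needs step 5 applied by hand.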