How to resolve Azure Site Recovery agent issues after disabling TLS 1.0 for PCI compliance

Applies to: Azure Backup

Introduction


This article describes how to resolve issues that you may experience when you use Azure Site Recovery in situations in which the following security protocol settings are made to achieve security hardening for Peripheral Component Interconnect (PCI) compliance:

  • Transport Layer Security (TLS) 1.0 is disabled
  • TLS 1.1 and TLS 1.2 are enabled

To update TLS settings, refer to this article.  

Symptoms


After you disable TLS 1.0, you may experience one or more of the following issues:

  • Ongoing protection starts to fail.

  • Scale-out Process Server (PS) registrations fail.

  • Mobility service installations fail.

  • Services that are related to the Azure Site Recovery agents do not stop or start as usual.

Cause


These issues can occur for the following reasons:

  • The .NET Framework version 4.6 or a later version is not available.

  • The .NET Framework version 4.6 or a later version is available but strong cryptography (SchUseStrongCrypto) is disabled.

Resolution


Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

To fix these issues, make sure that the .NET Framework 4.6 or a later version is installed and TLS 1.2 is enabled as the default protocol. To enable TLS 1.2, follow these steps:

  1. Open a Command Prompt window as an administrator.
  2. At the elevated command prompt, run the following command:
    net stop obengine
  3. Start Registry Editor, and then navigate to the following registry subkeys:
     
    • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\.NETFramework

    • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework

  4. Under each of these registry keys, locate the subkeys that indicate a version.

    Note: These subkeys appear in the "v<VersionNumber>" format.

  5. For each of these subkeys, add a DWORD Value that is named SchUseStrongCrypto, and set its value to 1.

  6. Repeat step 5 for all the subkeys that have the "v<VersionNumber>" format.
  7. Exit Registry Editor.
  8. At an elevated command prompt, run the following command:
    net start obengine

After you complete these steps, you should be able to install and use Azure Site Recovery as expected.
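
The registry steps above can also be scripted, which helps when many servers have to be checked. The following PowerShell script is an added example, not part of the original article: run without arguments it only reports the SchUseStrongCrypto value under each "v<VersionNumber>" subkey, and with the -Apply switch it backs up both keys, stops obengine, sets the value to 1 where needed, and restarts the service. The -Apply switch and the backup file names are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). The -Apply switch and the
# backup file names under $env:TEMP are assumptions made for this example.
param([switch]$Apply)

# The two keys from step 3; Wow6432Node exists only on 64-bit Windows.
$roots = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework'
) | Where-Object { Test-Path $_ }

function Get-StrongCryptoState {
    # Steps 4-6: every subkey in the "v<VersionNumber>" format under each key.
    Get-ChildItem -Path $roots |
        Where-Object { $_.PSChildName -match '^v\d' } |
        ForEach-Object {
            $value = (Get-ItemProperty -Path $_.PSPath -Name SchUseStrongCrypto `
                        -ErrorAction SilentlyContinue).SchUseStrongCrypto
            [pscustomobject]@{
                Key                = $_.Name   # full HKEY_LOCAL_MACHINE\... path
                SchUseStrongCrypto = if ($null -eq $value) { '<not set>' } else { $value }
                Compliant          = ($value -eq 1)
            }
        }
}

if ($Apply) {
    # Back up both keys first, as the article advises.
    $i = 0
    foreach ($root in $roots) {
        $i++
        reg.exe export ($root -replace '^HKLM:', 'HKLM') "$env:TEMP\netfx-backup-$i.reg" /y | Out-Null
    }
    Stop-Service -Name obengine              # step 2: net stop obengine
    try {
        foreach ($entry in (Get-StrongCryptoState | Where-Object { -not $_.Compliant })) {
            New-ItemProperty -Path "Registry::$($entry.Key)" -Name SchUseStrongCrypto `
                -PropertyType DWord -Value 1 -Force | Out-Null   # step 5
        }
    }
    finally {
        Start-Service -Name obengine         # step 8: net start obengine
    }
}

# Report the resulting state of every version subkey.
Get-StrongCryptoState | Format-Table -AutoSize
```

Any row that still shows Compliant as False after an -Apply run points to a version subkey where the value could not be written.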