| title | description | ms.date | ms.service | ms.author | author | ms.reviewer | ms.custom |
|---|---|---|---|---|---|---|---|
How to resolve Azure Site Recovery agent issues after disabling TLS 1.0 for PCI compliance |
Describes how to resolve issues that you may encounter when you use Azure Site Recovery if the TLS 1.0 security protocol is disabled and only TLS 1.1 and TLS 1.2 are enabled to achieve security hardening for PCI compliance. |
08/14/2020 |
site-recovery |
genli |
genlin |
manayar, anoopkv |
sap:I need help getting started with Site Recovery |
Original product version: Azure Backup
Original KB number: 4033999
This article describes how to resolve issues that you may experience when you use Azure Site Recovery in situations in which the following security protocol settings are made to achieve security hardening for Peripheral Component Interconnect (PCI) compliance:
- Transport Layer Security (TLS) 1.0 is disabled
- TLS 1.1 and TLS 1.2 are enabled
To update TLS settings, refer to this article.
After you disable TLS 1.0, you may experience one or more of the following issues:
- Ongoing protection starts to fail.
- Scale-out Process Server (PS) registrations fail.
- Mobility service installations fail.
- Services that are related to the Azure Site Recovery agents do not stop or start as usual.
These issues can occur for the following reasons:
- The .NET Framework version 4.6 or a later version is not available.
- The .NET Framework version 4.6 or a later version is available but strong cryptography (SchUseStrongCrypto) is disabled.
Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
To fix these issues, make sure that the .NET Framework 4.6 or a later version is installed and TLS 1.2 is enabled as the default protocol. To enable TLS 1.2, follow these steps:
-
Open a Command Prompt window as an administrator.
-
At the elevated command prompt, run the following command:
net stop obengine -
Start Registry Editor, and then navigate to the following registry subkeys:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\.NETFrameworkHKEY_LOCAL_MACHINE \Software\Microsoft\.NETFramework -
Under each of these registry keys, locate the subkeys that indicate a version.
[!NOTE] These subkeys appear in the "v<VersionNumber>" format.
:::image type="content" source="media/asr-agent-disable-tls-pci-compliance/registry-key.png" alt-text="Screenshot of subkeys in Registry Editor.":::
-
For each of these subkeys, add a DWORD Value that is named SchUseStrongCrypto, and set its value to 1.
:::image type="content" source="media/asr-agent-disable-tls-pci-compliance/dword-value.png" alt-text="Screenshot of adding a DWORD Value that is named SchUseStrongCrypto.":::
-
Repeat step 5 for all the subkeys that have the "v<VersionNumber>" format.
-
Exit Registry Editor.
-
At an elevated command prompt, run the following command:
net start obengine
After you complete these steps, you should be able to install and use Azure Site Recovery as expected.
[!INCLUDE Azure Help Support]