Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to resolve Azure backup agent issues when disabling TLS 1.0 for PCI Compliance


View products that this article applies to.

This article describes issues that you may encounter in Microsoft Azure Recovery Services (MARS) agent if the TLS 1.0 security protocol is disabled and only TLS 1.1 and TLS 1.2 are enabled to achieve security hardening for PCI compliance.

↑ Back to the top


Symptoms

When TLS 1.0 is disabled, one or more of the following issues may occur:

  • Server backups fail.
  • The MARS Agent console doesn’t start successfully.
  • Services that are related to the MARS Agent don’t stop or start as usual.

↑ Back to the top


Cause

These issues occur because the .NET Framework 4.5 has a default preference of TLS 1.0, although it supports up to TLS 1.2.

↑ Back to the top


Resolution

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows


To resolve these issues, change the default preference of the .NET Framework 4.5 from TLS 1.0 to TLS 1.2. To do this, follow these steps:

  1. Open a Command Prompt window as an administrator.

  2. At the elevated command prompt, run the following command:
    net stop obengine
  3. Open Registry Editor, and then navigate to the following registry subkeys:

    • HKLM\software\Wow6432Node\Microsoft\.NETFramework\
    • HKLM\software\microsoft\.NETFramework\
  4. Under each of these registry keys, locate the subkeys that indicate a version.

    Note These subkeys appear in the "v<Version Number>" format.

    Locate the subkeys that denote a version under .NETFramework

     
  5. For each of these subkeys, add a DWORD Value that is named SchUseStrongCrypto, and set its value to 1.

    Add the SchUseStrongCrypto key
     
  6. Repeat step 5 for all the subkeys that have the "v<Version Number>" format.
  7. Close Registry Editor.
  8. At an elevated command prompt, run the following command:
    net start obengine

After you complete these steps, you should be able to start the MARS Agent console as expected.

↑ Back to the top


Keywords: disable tls v1 azure backup

↑ Back to the top

Article Info
Article ID : 4022913
Revision : 9
Created on : 5/15/2017
Published on : 5/15/2017
Exists online : False
Views : 830