Enabling Support for TLS 1.2 on Windows

In some environments, you may run into issues where the installation of the Microsoft Monitoring Agent (MMA) fails. If the installation logs indicate that it failed to create a secure TLS channel with the Log Analytics workspace, it is likely that support for TLS 1.2 has not been enabled for the host.

This is a prerequisite for the Microsoft Monitoring Agent (MMA), which requires TLS 1.2 to communicate with the Log Analytics endpoint. To enable TLS 1.2 you need to create a few registry keys and values, either with the Registry Editor or with PowerShell.

Registry Editor - regedit.exe

  1. Locate the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

  2. Create a subkey named TLS 1.2 under Protocols: HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2

  3. Create a Client subkey under the TLS 1.2 subkey you just created, i.e. HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client.

  4. Create the following DWORD values under HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client:

    • Enabled [Value = 1]

    • DisabledByDefault [Value = 0]

Next, configure .NET Framework 4.6 or later to use strong cryptography, as by default it is disabled. Strong cryptography uses more secure network protocols such as TLS 1.2 and blocks protocols that are not secure.

  1. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.

  2. Create the DWORD value SchUseStrongCrypto under this subkey with a value of 1.

  3. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319.

  4. Create the DWORD value SchUseStrongCrypto under this subkey with a value of 1.

  5. Restart the system for the settings to take effect.

PowerShell

For larger environments, it may be easier to automate the process with the PowerShell script below. The script writes to HKLM and therefore requires administrative privileges, so run it from an elevated PowerShell session. As with the manual procedure, restart the system afterwards for the settings to take effect.

# Enable TLS 1.2 on Windows and .NET via Registry

# Create the TLS 1.2\Client key under SecurityProviders (-Force also creates
# the missing parent key "TLS 1.2" and does not fail if the key already exists)
$TLSpath = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
New-Item -Path $TLSpath -Force

# Create the DWORD values (-Force overwrites an existing value, so the script can be re-run safely)
New-ItemProperty -Path $TLSpath -Name "Enabled" -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path $TLSpath -Name "DisabledByDefault" -PropertyType DWord -Value 0 -Force

# Create the SchUseStrongCrypto DWORD under both .NET Framework registry paths (64-bit and WOW6432Node)
$dotnetpath1 = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $dotnetpath1 -Name "SchUseStrongCrypto" -PropertyType DWord -Value 1 -Force

$dotnetpath2 = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $dotnetpath2 -Name "SchUseStrongCrypto" -PropertyType DWord -Value 1 -Force
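To verify the change before and after the reboot (or to audit a fleet before rolling the script out), the following added example reads back the four values the procedure sets and reports which ones are still missing or wrong. It is not part of the original article or of Microsoft's documentation; the function name Test-Tls12Registry and the $Checks table are this example's own.

```powershell
# Added example: audit the registry values the procedure above sets.
# Reading these HKLM keys does not require an elevated session.
$Checks = @(
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Name = 'Enabled';            Expected = 1 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Name = 'DisabledByDefault';  Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
       Name = 'SchUseStrongCrypto'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
       Name = 'SchUseStrongCrypto'; Expected = 1 }
)

function Test-Tls12Registry {
    # Returns $true when every expected value is present and correct, $false otherwise,
    # and prints a per-value table so the gap is visible.
    $results = foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            # A missing value name makes Get-ItemProperty error; treat that as "missing"
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Name) }
        }
        [pscustomobject]@{
            Path      = $c.Path
            Name      = $c.Name
            Expected  = $c.Expected
            Actual    = if ($null -eq $actual) { 'missing' } else { $actual }
            Compliant = ($actual -eq $c.Expected)
        }
    }
    $results | Format-Table -Property Name, Expected, Actual, Compliant, Path -AutoSize -Wrap
    return -not ($results.Compliant -contains $false)
}

if (Test-Tls12Registry) {
    'TLS 1.2 client and .NET strong-crypto settings are in place.'
} else {
    'One or more settings are missing or wrong: apply the procedure above and reboot.'
}
```

The SCHANNEL values are read by the SSP at system start, so a compliant table on a host that has not yet rebooted does not mean the agent can already negotiate TLS 1.2.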
