How to do it...

To enable TLS protocol version 1.2, follow these steps:

  1. Make sure that you are running Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019 and that it is up-to-date with the latest security fixes.
  2. Make sure that .NET version 4.6 is installed on all of your machines (DPM server, protected servers). .NET version 4.7 is supported on Windows Server 2019. You can use the following PowerShell command to determine whether .NET has been installed: Get-WindowsFeature NET*
  3. For the DPM database and for all SQL Servers that you intend to protect with DPM, you need to make sure that you are running a SQL Server that supports TLS 1.2. You can follow the instructions described here to find out whether you need this update: https://support.microsoft.com/en-in/help/3135244/tls-1-2-support-for-microsoft-sql-server.
  4. You need to make sure that SQL Server 2012 Native client 11.0 is installed on the DPM Management Server. You can verify whether SQL Native client 11.0 is installed by running the following PowerShell command on SQL Server: Get-OdbcDriver -Name "SQL Server Native Client*". You can download Microsoft SQL Server 2012 Native client 11.0 from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=50402.
  5. Make sure that you are running a DPM server that supports TLS 1.2. Starting with DPM 2012 R2 Update Rollup 14, DPM 2016 Update Rollup 4 including DPM 1801, DPM 1807, DPM 2019, and DPM 1901, the DPM team added TLS version 1.2 support.
  6. System Center components now generate both SHA1 and SHA2 self-signed certificates. This is a requirement for enabling TLS 1.2. In case CA-signed certificates are used for workgroup machines or untrusted domains, please ensure that they are either SHA1 or SHA2. In other words, TLS 1.2 supports only SHA1 and SHA2 certificates. Hence, all of the certificates must be updated to be SHA1 or SHA2.
  7. You need to implement these settings on all of the Windows machines in the environment on which System Center Data Protection agent is installed, including the DPM management server. Follow these steps to disable all of the SCHANNEL protocols except TLS 1.2 system-wide so that only the TLS 1.2 protocol is used for communication. Making these registry changes does not affect the use of the Kerberos or NTLM protocols:
    1. Open the registry on your server(s) by running regedit in the Run window and navigate to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
    2. Add the SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 keys under Protocols.
    3. Now, create two keys called Client and Server under each of the SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 keys.
  8. To enable the TLS 1.2 protocol, create two REG_DWORD values under both its Server and Client keys: set the DisabledByDefault value to 0 and the Enabled value to 1.
  9. To disable a protocol, set its DisabledByDefault value to 1 and its Enabled value to 0.
  10. After we have enabled the TLS 1.2 protocol on all systems, we need to set DPM to use only TLS 1.2. The following settings should be implemented on the DPM management server and all other servers on which DPM agents are installed, that is, Hyper-V hosts, File Server, SQL, Exchange, SharePoint, and so on. Follow these steps to create these settings:
    1. Open the registry on your server by running regedit in the Run window and navigate to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
    2. Now, create the following REG_DWORD value under that key: SchUseStrongCrypto [Value = 1].
    3. Navigate to the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319.
    4. Now, create the same REG_DWORD value under that key as well: SchUseStrongCrypto [Value = 1].
  11. Finally, you need to restart the system (DPM server and the protected server).
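
The registry steps above can also be scripted. The following PowerShell is an added example, not code from the book: by default it only reports whether each SCHANNEL and SchUseStrongCrypto value matches the procedure, and with -Apply it writes them. The -Apply switch is a name chosen for this example, and the script assumes it is saved as a .ps1 file and run from an elevated session.

```powershell
# Added example, not from the book. Run from an elevated PowerShell session.
# Default is report-only; pass -Apply (hypothetical switch) to write the values.
param([switch]$Apply)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Desired state from the steps: only TLS 1.2 enabled, for both Client and Server.
$desired = @(foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $on = [int]($proto -eq 'TLS 1.2')
    foreach ($role in 'Client', 'Server') {
        $key = "$schannel\$proto\$role"
        [pscustomobject]@{ Path = $key; Name = 'Enabled'; Value = $on }
        [pscustomobject]@{ Path = $key; Name = 'DisabledByDefault'; Value = 1 - $on }
    }
})
# .NET 4.x strong-crypto flag, in the 64-bit and 32-bit (WOW6432Node) views.
$desired += $dotnetKeys | ForEach-Object {
    [pscustomobject]@{ Path = $_; Name = 'SchUseStrongCrypto'; Value = 1 }
}

$report = foreach ($item in $desired) {
    if ($Apply) {
        # Create the key only when it is missing, so existing values are left alone.
        if (-not (Test-Path -Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
        New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value `
            -PropertyType DWord -Force | Out-Null
    }
    # Read back; a missing key or value yields $null, meaning the OS default applies.
    $current = (Get-ItemProperty -Path $item.Path -Name $item.Name `
        -ErrorAction SilentlyContinue).($item.Name)
    [pscustomobject]@{
        Key       = $item.Path -replace '^HKLM:\\', ''
        Name      = $item.Name
        Desired   = $item.Value
        Current   = $current
        Compliant = ($current -eq $item.Value)
    }
}

$report | Format-Table -AutoSize -Wrap
if ($report.Compliant -contains $false) {
    Write-Warning 'One or more values differ from the procedure; rerun with -Apply, then restart.'
}
```

Running it in report-only mode on the DPM server and on each protected server shows which machines still have older protocols enabled before any change is made.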
