System Center Orchestrator /Operations Manager 2016 & TLS 1.2

I deleted and re-wrote this blog post since the other one was out of date.  The backstory to this post starts back in July 2018 when we disabled TLS 1.0 across the whole organization.  Much fun ensued and we were running around trying to update the SQL native client and other software to get TLS 1.2 compliant.  One of the things that stopped working were the integration packs that we installed on System Center Orchestrator (SCORCH).  

I opened a premier support case with Microsoft and the first solution was to re-enable FIPS.  However, we later found out that enabling FIPS is really re-enabling TLS 1.0.  We left the registry entries that disabled TLS 1.0 and the ones that enabled FIPS.  The case was left open for Microsoft to figure out how to get TLS 1.2 working. The November 2018 security patches came out from Microsoft and the integration packs on SCORCH broke, AGAIN!  Another premier case was opened with Microsoft. 

After 2 hours of running Procmon and Wireshark, a solution was found.

Here are the steps you need to take:

On the SCORCH server:

1. Remove the SCOM console (If Any).
2. Uninstall SM and OM integration packs from control panel.
3. Reboot the server.
4. Un-deploy the existing SCOM IP from the designer/runbook servers.
5. Unregister the IP. 

6. Download and install the 
System Center 1801+ – Orchestrator Integration Packs (yes, even for SCORCH 2016!)
7.Re-register the IP and redeploy it (NOTE: Before re-registering the IPs again, make sure that the “Microsoft.EnterpriseManagement.Core.dll” and “Microsoft.EnterpriseManagement.OperationsManager.dll” are no longer present in either “c:\windows\assembly” or “c:\windows\\assembly\gac_msil”).

8. Re-install SCOM console (be sure to apply latest UR)

Add these registry entries to each SCOM server: 

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /t REG_DWORD /d 00000001 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /t REG_DWORD /d 00000001 /f

Add these to each SCORCH server (management/runbook):

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /t REG_DWORD /d 00000001 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /t REG_DWORD /d 00000001 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /t REG_DWORD /d 00000001 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /t REG_DWORD /d 00000001 /f

Enjoy TLS 1.2 with SCORCH/SCOM.  Note you can check for TLS 1.2 communication by loading Wireshark on the SCORCH management server, then go into the IP pack for SCOM and do a test connection and look for TLS 1.2 in the log.

  • Soli Deo Gloria