Datto RMM: How do I configure the Datto RMM Agent to use the TLS 1.1 or TLS 1.2 protocol?


Question

How do I configure the Datto RMM Agent to use the TLS 1.1 or TLS 1.2 protocol?

Environment

  • Datto RMM

Answer

To enable legacy systems (Windows NT 5 or older) to connect to the Datto RMM Web Portal, the Datto RMM Agent uses the TLS 1.0 protocol.

Use of TLS 1.0 in the Datto RMM solution is scheduled for discontinuation. For further information, see "Discontinuation of support for Windows XP and Windows Server 2003" in the Datto RMM Online Help.

Datto's recommended best practice is to configure the RMM agent to use TLS 1.1 or 1.2 on systems which support it before the discontinuation of support. To do so, perform the steps described in the following sections of this article.

Prerequisite

Before following this procedure, make sure .NET 4.5 is present on the device.

Datto RMM requires .NET Framework 4.5 because .NET 4.0.3 does not include TLS 1.1 and 1.2.

Procedure

Create the registry keys

1. In Windows, from the Start Menu, launch RegEdit.

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

3. Under Protocols, add the following entries:

  • New Key to be named: TLS 1.1
  • New Key to be named: TLS 1.2

4. Under TLS 1.1 and TLS 1.2 add the following:

  • New Key to be named: Client

5. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client, add the following:

  • New → DWORD (32-bit) Value, Named = DisabledByDefault, Value = 0
  • New → DWORD (32-bit) Value, Named = Enabled, Value = 1

6. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client, add the following:

  • New → DWORD (32-bit) Value, Named = DisabledByDefault, Value = 0
  • New → DWORD (32-bit) Value, Named = Enabled, Value = 1

7. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319, add the following:

  • New → DWORD (32-bit) Value, Named = SchUseStrongCrypto, Value = 1

Enable the registry keys

1. In the endpoint's registry, enable TLS Protocols as a Client.

Figure 1: TLS protocols enabled in the Registry

2. In the endpoint's registry, enable Strong Encryption (SchUseStrongCrypto) as a client.

Figure 2: SchUseStrongCrypto enabled in the Registry

3. Reboot the device for the changes to take effect.

The entries required in the registry are not present by default; you must manually add them. Contact Datto RMM Support for assistance if you have any difficulty adding these entries. 
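
The registry entries from the procedure above can also be applied and read back from an elevated PowerShell prompt. This is an added example, not a script supplied by Datto: the key paths and values are the ones listed in this article, the .NET 4.5 check uses the documented Release value 378389, and the variable names are illustrative.

```powershell
# Added example: apply and verify the registry values from this article.
# Run elevated. Variable names are illustrative; paths and values come from the procedure.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotNet    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'

$settings = @(
    @{ Path = "$protocols\TLS 1.1\Client"; Name = 'DisabledByDefault';  Value = 0 },
    @{ Path = "$protocols\TLS 1.1\Client"; Name = 'Enabled';            Value = 1 },
    @{ Path = "$protocols\TLS 1.2\Client"; Name = 'DisabledByDefault';  Value = 0 },
    @{ Path = "$protocols\TLS 1.2\Client"; Name = 'Enabled';            Value = 1 },
    @{ Path = $dotNet;                     Name = 'SchUseStrongCrypto'; Value = 1 }
)

# Prerequisite: .NET Framework 4.5 or later writes a Release value >= 378389.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 378389) {
    throw '.NET Framework 4.5 or later was not found; install it before continuing.'
}

foreach ($s in $settings) {
    # Create the key only if it is missing, so existing values under it are kept.
    if (-not (Test-Path $s.Path)) {
        New-Item -Path $s.Path -Force | Out-Null
    }
    New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value `
        -PropertyType DWord -Force | Out-Null
}

# Read every value back and report anything that does not match.
$mismatches = foreach ($s in $settings) {
    $item   = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $actual = $item.($s.Name)
    if ($actual -ne $s.Value) {
        '{0}\{1}: expected {2}, found {3}' -f $s.Path, $s.Name, $s.Value, $actual
    }
}

if ($mismatches) {
    $mismatches | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'All values are set. Reboot the device for the changes to take effect.'
}
```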
