We have a requirement to use TLS 1.2 on all servers. This means forcing TLS 1.2 system-wide using the registry settings below. When I set these settings and reboot the server, I get the error message below when expanding the BizTalk Group menu in BizTalk Administrator. In this particular environment, everything is running on one operating system/server. Keep in mind that if I enable TLS 1.0 in the registry, everything works fine.
I've read several articles stating that ever since .NET 4.5, TLS 1.1/1.2 are supported, so... what's the issue here?
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"AspNetEnforceViewStateMac"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"AspNetEnforceViewStateMac"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
OS: Windows Server 2016; SQL Version: SQL Server 2016; BizTalk Version: BizTalk Enterprise 2016 CU3; .NET Version: 4.7
Update: With Feature Pack 2 for BizTalk 2016 or CU5 it is supported.
Original answer: Unfortunately you cannot do that, as per the answer by Rajshekher-BT from Microsoft in "Does BizTalk Server 2013 support TLS1.2?", quoted below.
I raised it on User Voice (but that site is gone now).
BizTalk core engine needs TLS 1.0 to operate the host so you cannot disable TLS in registry. However you can have both TLS 1.0 and TLS 1.2 enabled and let .NET/WCF-based adapters prefer to use TLS 1.2 with SchUseStrongCrypto=1 registry key.
Some web servers may try to negotiate, while others fail on the first attempt. In case you have different TLS settings in different WCF HTTP end points, you can use a WCF custom behaviour to set them. You should then keep all TLS 1.0 end points in one host and all TLS 1.2 integration end points in another host:
1. Make sure to keep both TLS 1.0 and TLS 1.2 enabled.
2. Don't set the SchUseStrongCrypto registry key.
3. The default behavior at this point will be TLS 1.0 (with fallback to SSL3), so for any WCF send port that needs TLS 1.2, set the System.Net.ServicePointManager.SecurityProtocol property using a custom endpoint behavior within a WCF-Custom send port. If you want to allow fallback logic, you can OR it as follows:
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Ssl3;
It is probably best to have one custom behavior for TLS 1.0 and one for TLS 1.2 so you are explicit, know what you use, and it fails when something changes. Make sure not to mix the different WCF behaviors in the same host, as ServicePointManager is a global process setting.
Personally I've used a configurable End Point behaviour as detailed in "Salesforce disabling TLS 1.0 – How to get it working for API calls via BizTalk".
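As an added illustration of the custom endpoint behavior the answer describes (this is example code written for this page, not the Microsoft answer's code and not the code from the linked Salesforce article), here is one way to build it: a WCF IEndpointBehavior that assigns ServicePointManager.SecurityProtocol when the client runtime is created, plus a BehaviorExtensionElement so the behavior can be picked on a WCF-Custom send port's Behavior tab and given its protocol list in configuration. The namespace, the type names TlsProtocolEndpointBehavior and TlsProtocolBehaviorExtension, and the protocols attribute are my own choices, not BizTalk or WCF identifiers; ServicePointManager, SecurityProtocolType, IEndpointBehavior and BehaviorExtensionElement are the real .NET/WCF types.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

namespace Example.BizTalk.Tls // hypothetical namespace, chosen for this example
{
    /// <summary>
    /// Endpoint behavior that sets the process-wide TLS protocol list when the
    /// WCF client runtime is built. ServicePointManager.SecurityProtocol is global
    /// to the host process, so every send port running in the same BizTalk host
    /// instance shares whatever value was set last; ports that need different
    /// protocol lists therefore belong in different hosts.
    /// </summary>
    public class TlsProtocolEndpointBehavior : IEndpointBehavior
    {
        private readonly SecurityProtocolType _protocols;

        public TlsProtocolEndpointBehavior(SecurityProtocolType protocols)
        {
            _protocols = protocols;
        }

        public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
        {
            // Plain assignment rather than OR-ing onto the current value: the host
            // then uses exactly what its configuration says, and a port deployed
            // into the wrong host fails visibly instead of silently downgrading.
            ServicePointManager.SecurityProtocol = _protocols;
        }

        public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
        public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
        public void Validate(ServiceEndpoint endpoint) { }
    }

    /// <summary>
    /// Configuration element for the behavior. The hypothetical "protocols"
    /// attribute takes a comma-separated list of SecurityProtocolType names,
    /// e.g. protocols="Tls12" for a TLS 1.2-only host or "Tls12, Tls11" to allow
    /// fallback to TLS 1.1.
    /// </summary>
    public class TlsProtocolBehaviorExtension : BehaviorExtensionElement
    {
        private const string ProtocolsAttribute = "protocols";

        [ConfigurationProperty(ProtocolsAttribute, DefaultValue = "Tls12", IsRequired = false)]
        public string Protocols
        {
            get { return (string)base[ProtocolsAttribute]; }
            set { base[ProtocolsAttribute] = value; }
        }

        public override Type BehaviorType
        {
            get { return typeof(TlsProtocolEndpointBehavior); }
        }

        protected override object CreateBehavior()
        {
            return new TlsProtocolEndpointBehavior(ParseProtocols(Protocols));
        }

        // Turns "Tls12, Tls11" into Tls12 | Tls11. Unknown or empty names raise a
        // configuration error rather than falling back to the framework default,
        // so a typo cannot quietly re-enable an older protocol.
        internal static SecurityProtocolType ParseProtocols(string value)
        {
            if (string.IsNullOrWhiteSpace(value))
                throw new ConfigurationErrorsException("protocols must name at least one SecurityProtocolType value");

            SecurityProtocolType result = 0;
            foreach (var name in value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
            {
                SecurityProtocolType parsed;
                if (!Enum.TryParse(name.Trim(), true, out parsed))
                    throw new ConfigurationErrorsException("Unknown SecurityProtocolType: " + name.Trim());
                result |= parsed;
            }
            return result;
        }
    }
}
```

To make the behavior selectable in BizTalk, the assembly is installed in the GAC and the extension is registered under system.serviceModel/extensions/behaviorExtensions in the 32-bit and 64-bit machine.config files (the name and the fully qualified type string are whatever you chose when building the assembly). Deploying one instance of this behavior with protocols="Tls" to the host that talks to TLS 1.0 partners and one with protocols="Tls12" to a separate host for TLS 1.2 partners gives the explicit, non-mixed setup the answer recommends.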