During an upgrade of Citrix Provisioning (PVS) servers from 2402 to 2507 CU1 LTSR, the process may fail with a key‑exchange error

Article ID: CTX696434

Description

Symptoms

  • Upgrade fails with key‑exchange errors
  • PVS servers cannot establish secure communication
  • Event logs show TLS handshake failures
  • No server is identified as the initiator of key rotation
  • Upgrade may roll back or leave PVS in a partially upgraded state


ConfigWizard.log records the following warnings and errors:

WARNING:KEY-EXCHANGE(Peer-to-Peer):GetEncryptionKeysInternal : Encryption keys not found in server. Error = (GeneralCommunicationException) : KeyExchangeSoapClient.KeyExchangeSoapException: CommunicationObjectFaultedException: The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be used for communication because it is in the Faulted state. at P2PKeyExchangeController.P2PKeyExchangeController.GetEncryptionKeysHelper

ERROR:KEY-EXCHANGE(Peer-to-Peer) GetEncryptionKeysInternal: No server found who initiated key rotation . Error = Server initiated key rotation is blank 

ERROR:KEY-EXCHANGE: Failed to obtain encryption keys for epoch , Exception: No server found who initiated key rotation . Error = Server initiated key rotation is blank 

ERROR:KEY-EXCHANGE: Failed to Register or obtain encryption keys. Error= (%s)

Environment

These software applications are provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the code be used to support of ultra-hazardous activities, including but not limited to life support or blasting activities.NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the code.

Cause

The failure is triggered by Windows cryptographic settings that still include RC4 cipher suites.

RC4 is deprecated and insecure, but if it is still enabled, Windows may attempt to negotiate RC4 during the TLS handshake.

Citrix PVS 2507 CU1 LTSR does not support RC4.

As a result:

  • TLS negotiation fails
  • Key rotation cannot be initiated
  • Peer‑to‑peer communication breaks
  • The upgrade process aborts

Resolution

Disable all RC4 cipher suites

Update the cipher suite configuration: ensure that the PVS servers are configured to use stronger, more secure cipher suites.

Recommended alternatives include:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

RC4 must be fully removed from the Windows cryptographic configuration.

This can be done via:

  • Group Policy
  • Local Security Policy
  • Registry configuration
  • Microsoft Security Baselines
  • Third-party tools, such as IIS Crypto, which can apply the recommended (Best Practices) cipher set

After disabling RC4, reboot all PVS servers.

Rerun the upgrade to Citrix Provisioning 2507 CU1 LTSR.

The upgrade should now complete successfully, as Windows will negotiate modern, supported cipher suites.
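The following PowerShell script is an added example of the "Registry configuration" route above; it is not a Citrix-supplied script. It audits the local SChannel cipher-suite list for RC4, removes any RC4 suites, disables the RC4 algorithm under the standard SChannel Ciphers keys, confirms the three recommended suites are present, and warns if a Group Policy cipher-suite order still lists RC4 (a policy value overrides the local setting and must be fixed in Group Policy). It assumes Windows Server 2016 or later, where the Get-TlsCipherSuite and Disable-TlsCipherSuite cmdlets exist, and an elevated session on each PVS server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Citrix article): remove RC4 from a PVS server's
# Windows TLS configuration before rerunning the 2507 CU1 LTSR upgrade.
# Run on every PVS server, then reboot the server.

# 1. Report RC4 suites currently in the local SChannel cipher-suite list.
$rc4Suites = Get-TlsCipherSuite | Where-Object { $_.Name -match 'RC4' }
if ($rc4Suites) {
    Write-Host 'RC4 cipher suites still enabled locally:'
    $rc4Suites | ForEach-Object { Write-Host "  $($_.Name)" }
} else {
    Write-Host 'No RC4 cipher suites are enabled locally.'
}

# 2. Remove each RC4 suite from the local list.
foreach ($suite in $rc4Suites) {
    Disable-TlsCipherSuite -Name $suite.Name
    Write-Host "Disabled $($suite.Name)"
}

# 3. Disable the RC4 algorithm itself under the SChannel Ciphers keys.
#    The key names contain '/', which the PowerShell registry provider treats
#    as a path separator, so the .NET registry API is used instead.
$cipherRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
foreach ($name in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$cipherRoot\$name")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Write-Host "Set HKLM\$cipherRoot\$name\Enabled = 0"
}

# 4. Confirm the cipher suites the article recommends are available locally.
$recommended = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
)
foreach ($name in $recommended) {
    if (Get-TlsCipherSuite -Name $name) {
        Write-Host "OK: $name is enabled"
    } else {
        Write-Warning "$name is not enabled; add it to the cipher-suite order"
    }
}

# 5. A Group Policy cipher-suite order (SSL Cipher Suite Order) overrides the
#    local list. If it still names RC4, the change must be made in the GPO.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
if ($policy -and $policy.Functions -match 'RC4') {
    Write-Warning 'Group Policy cipher-suite order still contains RC4; edit the GPO and run gpupdate /force.'
} elseif ($policy) {
    Write-Host 'Group Policy cipher-suite order is set and contains no RC4.'
} else {
    Write-Host 'No Group Policy cipher-suite order is applied; the local list is in effect.'
}

Write-Host 'Reboot this PVS server before rerunning the upgrade.'
```

Run the script on each PVS server in the farm, not only the one being upgraded, because the key exchange in the log excerpt is peer-to-peer: a single server that still offers RC4 is enough for the handshake between servers to fail.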


Issue/Introduction

During an upgrade of Citrix Provisioning (PVS) servers from 2402 to 2507 CU1 LTSR, the process may fail with a key-exchange error.