diff --git a/src/Agent.Listener/Configuration.Windows/RSAEncryptedFileKeyManager.cs b/src/Agent.Listener/Configuration.Windows/RSAEncryptedFileKeyManager.cs
index a64c9d3c2b..6324ae8221 100644
--- a/src/Agent.Listener/Configuration.Windows/RSAEncryptedFileKeyManager.cs
+++ b/src/Agent.Listener/Configuration.Windows/RSAEncryptedFileKeyManager.cs
@@ -193,7 +193,7 @@ private RSA GetKeyFromFile()
 return GetKeyFromNamedContainer();
 }
- var rsa = new RSACryptoServiceProvider();
+ var rsa = new RSACng(2048);
 rsa.ImportParameters(result.rsaParameters);
 return rsa;
 }
diff --git a/src/Agent.Listener/MessageListener.cs b/src/Agent.Listener/MessageListener.cs
index eebca9d1f7..76367eba20 100644
--- a/src/Agent.Listener/MessageListener.cs
+++ b/src/Agent.Listener/MessageListener.cs
@@ -338,7 +338,7 @@ private ICryptoTransform GetMessageDecryptor(
 var keyManager = HostContext.GetService();
 using (var rsa = keyManager.GetKey())
 {
- return aes.CreateDecryptor(rsa.Decrypt(_session.EncryptionKey.Value, RSAEncryptionPadding.OaepSHA1), message.IV);
+ return aes.CreateDecryptor(rsa.Decrypt(_session.EncryptionKey.Value, RSAEncryptionPadding.OaepSHA256), message.IV);
 }
 }
 else
diff --git a/src/Microsoft.VisualStudio.Services.Agent/Capabilities/AgentCapabilitiesProvider.cs b/src/Microsoft.VisualStudio.Services.Agent/Capabilities/AgentCapabilitiesProvider.cs
index eca3e34c74..d43e4b1c11 100644
--- a/src/Microsoft.VisualStudio.Services.Agent/Capabilities/AgentCapabilitiesProvider.cs
+++ b/src/Microsoft.VisualStudio.Services.Agent/Capabilities/AgentCapabilitiesProvider.cs
@@ -7,6 +7,7 @@
 using System;
 using System.Collections.Generic;
 using System.Runtime.Versioning;
+using System.Security.Cryptography;
 using System.Threading;
 using System.Threading.Tasks;
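Review bot: The early `return GetKeyFromNamedContainer();` kept as context above the changed line is not converted, so if that helper still returns an `RSACryptoServiceProvider` (its body is outside the hunk), the `OaepSHA256` decrypt introduced in MessageListener.cs will throw on that path, because the CAPI-backed provider accepts only PKCS#1 and OAEP-SHA1 padding. It is worth confirming that every return path of GetKeyFromFile, and the key-creation path, yields a CNG-backed key. Separately, the `2048` in `new RSACng(2048)` constrains nothing here, since `ImportParameters` on the next line replaces the key with the one read from the file; `var rsa = new RSACng();` with a comment such as `// CNG-backed key is needed for OAEP-SHA256; key size comes from the imported parameters` states the intent more accurately. GetKeyFromFile starts outside the hunk.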
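Review bot: The padding passed to `rsa.Decrypt` in GetMessageDecryptor is now `RSAEncryptionPadding.OaepSHA256` unconditionally, so a session key that the server wrapped with OAEP-SHA1 fails here with a CryptographicException and the listener cannot decrypt any message. Nothing visible in the hunk reads which padding the server actually used; the new `Listener.RSAEncryptionMode` capability only advertises what the agent expects. If servers that still wrap with SHA-1 must remain supported, the padding should be chosen from an explicit indicator in the session data rather than hard-coded, and a mismatch should be logged with a clear message. A silent catch-and-retry with `OaepSHA1` is best avoided, since it would hide a downgrade from operators. The method starts and continues outside the hunk.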
@@ -38,6 +39,7 @@ public Task> GetCapabilitiesAsync(AgentSettings settings, Cance
 Add(capabilities, "Agent.Version", BuildConstants.AgentPackage.Version);
 Add(capabilities, "Agent.ComputerName", Environment.MachineName ?? string.Empty);
 Add(capabilities, "Agent.HomeDirectory", HostContext.GetDirectory(WellKnownDirectory.Root));
+ Add(capabilities, "Listener.RSAEncryptionMode", nameof(RSAEncryptionPadding.OaepSHA256));
 return Task.FromResult(capabilities);
 }
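Review bot: The advertised value `nameof(RSAEncryptionPadding.OaepSHA256)` on the added `Add` line and the padding actually passed to `rsa.Decrypt` in MessageListener.GetMessageDecryptor are two independent literals, so a later change to one leaves the agent advertising a mode it does not use. Defining the padding once in a shared place and deriving both the capability string and the `Decrypt` argument from it would keep them in step. The line also lacks a comment saying who consumes the capability; if the server reads it to decide how to wrap the session key, something like `// Tells the server which RSA padding the listener uses to unwrap the session key` would record that contract, which the hunk itself does not show. GetCapabilitiesAsync starts outside the hunk.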