Microsoft Win 11 Compatibility Checker

Posted on  by admin
Microsoft this week announced that the Windows 10 release date is July 29th.
Azure DevOps team needed to partially rollback the previous release of TLS 1.0/1.1 deprecation that was run on Jan 31st, 2022. This was due to unexpected issues caused by the change. Here’s a link to the previous blog post related to that release.

TLS 1.0/1.1 deprecation applies to all HTTPS connections to Azure DevOps Services including web API, and git connections to https://dev.azure.com/orgname and https://orgname.visualstudio.com. This does not apply and will not impact the Self-Hosted product: Azure DevOps Server.

Currently, connections to IPv6 endpoints of our services are already on enforced TLS 1.2 so the deprecation is targeting IPv4 endpoints only.

We anticipate minimal impacts to our customers as more than 99.5% of connections made to Azure DevOps Services already use TLS 1.2. Clients have TLS 1.2-compatibility issues because of obsolete OS version or if available updates are not applied (applies for all Windows, macOS and Linux) or legacy .NET Framework installation or OS configuration prohibiting certain TLS cipher suites.

Important Dates

To help our customers identify Azure DevOps-facing TLS 1.2-incompatible software in their systems, we will temporarily disable support for TLS 1.0/1.1 for 12 hours on:

  • Here’s a look at how to test your system to see if it can run the upgrade. Update: Windows 10 has been out long enough now that most modern PCs are going to be fine running the new OS. In fact, most if not all PCs for consumers will come with it preinstalled.

  • This article is meant for older computers that were running Windows 7 or 8.1 — both of which are no longer supported by Microsoft. Microsoft this week announced that the Windows 10 release date is July 29th, and it also pushed out the Windows 10 upgrade app to all Windows 7 and Windows 8.1 users.

We will be starting permanent rollout from March 31, 2022

How to enable TLS 1.2?

As a key area of focus we recommend Self-Hosted Agents and tooling that calls Azure DevOps Services APIs.

Check these red flags first when looking for TLS 1.2-incompatible flows: – Windows Server 2012 R2 or lower used – .NET Framework 4.7+ not installed on computer where PowerShell or .NET applications call Azure DevOps API

It is key that on the OS one of the four TLS 1.2 cipher suites below is enabled:

  • This utility allows you to reserve your Windows 10 upgrade.
  • But first, you might want to check if your computer can run the new version.
  • While some people are annoyed by the upgrade utility, it does have more value than just reminding you about Windows 10 and reserving your free copy of Windows 10.
  • The minimum system requirements (listed below) are essentially the same as Windows 8.1, of course, the minimums are just that, and you’ll want more horsepower under the hood.

NOTE: (*) Cipher suites supported by Windows Server 2012 R2

Quick check of TLS 1.2 compatibility

Following checks are based on querying site status.dev.azure.com. For this domain, the TLS 1.0/1.1 protocols have already been deprecated. Note that checking accessibility of this domain by browser instead of PowerShell is not equivalent. Browsers often use crypto libraries (such as OpenSSL) and thus circumvent the classic HTTP/TLS stack that other software uses.

Manual PowerShell

Run this code in PowerShell console:

You have the problem if the above fails with “The underlying connection was closed: An unexpected error occurred on a send.”

YAML

To check your pipeline agents: create testing pipeline OR add this step to existing pipelines:

Pipeline task

This shows a release pipeline task that can be added to perform a check for TLS 1.2 readiness on your Self-Hosted Agents. If the check fails, the task will throw an error that can be actioned.

Troubleshooting

For Windows OS, TLS 1.2 is natively supported by all versions from Windows 7 / Windows Server 2008 SP2. However, even at TLS 1.2-compatible OS, issues may be caused by misconfigurations such as when all cipher suites accepted by Azure DevOps are disabled. This may be set up locally or via domain Group Policies.

At application level, capabilities provided by the OS may be narrowed down making the app to use less secure TLS setting. For example, .NET apps which are built against legacy .NET Framework versions may require certain measures to be taken to ensure that TLS 1.2 is favoured.

Based on learnings from supporting our customers, we’ve put together a troubleshooting script which performs TLS 1.2 probe, identifies most common misconfigurations and provides mitigation advice.

You can find the script on GitHub:

The project is work in progress; feel free to contribute with PR or open an issue.

Conclusion

We apologize for any disruption this may cause and appreciate your support to improve our security posture. As always, if you have any questions or concerns related to this announcement, please do not hesitate to reach out to us on Developer Community or by posting your comments below.