How to check for TLS 1.2 Readiness on Azure DevOps Build/Release agents (Self-hosted agents)

Microsoft has recently announced that all connections to Azure DevOps would be switched to TLS 1.2 from older versions like TLS 1.0 and TLS 1.1, which are less secure than TLS 1.2. Let us see below how to check whether our self-hosted agents are able to connect to Azure DevOps using TLS 1.2.

Step 1: Add a new build definition that can run on your self-hosted agents.

Step 2: Download/copy the PowerShell script and add it to one of your repos.

Step 3: Add a PowerShell task and choose the script. This PowerShell task runs on the agent machine.

Step 4: Run the build. If the PowerShell task does not fail, the self-hosted agents already have TLS 1.2 enabled and we need not take any further action except in some extreme cases.

Step 5: Check whether the TLS connection to the Azure DevOps sites is successful. If it is, we need not worry about our agents, as this proves they are TLS 1.2 compliant.

Step 6: Next, check the "Analysis of TLS 1.2 compatibility: OS" section of the output. If the client usage check, the cipher suite check and the Group Policy check all pass, no action is required; if any of them fails, some action is required from our side.

Step 7: Then check for compatibility with the .NET Framework. TLS 1.2 is enabled by default for 4.7 and above, so no action is required from our side. If TLS 1.2 is not enforced for applications targeting 3.5 or 4.0/4.5.x, we may need to set some registry values to enable TLS 1.2 (this doesn't have any impact on the functioning of Azure DevOps agents).
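
The checks in Steps 5 to 7 can also be reproduced by hand. The script below is an added example, not the script referenced in Step 2: it forces a TLS 1.2-only handshake, then reads the SCHANNEL client protocol values and the .NET Framework strong-crypto values without changing anything. The host name `dev.azure.com` and the choice of registry values to inspect are assumptions of this example; it does not cover the cipher suite or Group Policy checks.

```powershell
# Added example (not the script referenced in Step 2): read-only TLS 1.2 readiness probe.
$ErrorActionPreference = 'Stop'
$failures = @()

# Step 5: force a TLS 1.2-only handshake. The host name is an assumption of this example.
$hostName = 'dev.azure.com'
$tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($hostName, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    # Revocation checking is off so the result reflects protocol support only;
    # the certificate chain and host name are still validated.
    $ssl.AuthenticateAsClient($hostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    Write-Host "Handshake OK: protocol $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm)"
} catch {
    $failures += "TLS 1.2 handshake to $hostName failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Close() }
}

# Step 6 (client usage only): explicit SCHANNEL overrides for the TLS 1.2 client role.
# A missing key or value means the operating system default applies.
$client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$p = Get-ItemProperty -Path $client -ErrorAction SilentlyContinue
if ($p) {
    if ($p.Enabled -eq 0)           { $failures += 'SCHANNEL: TLS 1.2 client has Enabled=0' }
    if ($p.DisabledByDefault -eq 1) { $failures += 'SCHANNEL: TLS 1.2 client has DisabledByDefault=1' }
}

# Step 7: report the .NET Framework values (informational; empty means "not set").
$netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727'
foreach ($k in $netKeys) {
    $n = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $n) { continue }
    Write-Host "$k SchUseStrongCrypto=$($n.SchUseStrongCrypto) SystemDefaultTlsVersions=$($n.SystemDefaultTlsVersions)"
}

# Fail the pipeline task if the handshake or the SCHANNEL client settings block TLS 1.2.
if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host 'Agent can reach Azure DevOps over TLS 1.2.'
```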
