I installed Azure DevOps Server 2020.1.1 (Product Version: 18.181.31527.1, ADS 2020 Update 1.1, Release date: 8/17/2021) on an application server and configured it successfully. My security guy ran a Nessus vulnerability scan and Nessus reports that the app server fails Security Updates for Microsoft Team Foundation Server and Azure DevOps Server (April 2021) (Nessus vulnerability check #148714). In other words, it seems I need to install a patch from April 2021 for ADS 2020 Update 0.1 to cure a vulnerability for ADS 2020 Update 1.1 released in August 2021
The Nessus solution says this:
Microsoft has released the following updates:
- Azure DevOps Server 2019 Update 1.1 with patch 8
- Azure DevOps Server 2020 Update 0.1 with patch 2
Additionally, Team Foundation Server 2017 Update 3.1 through Azure DevOps 2020.0.1 require resource group task(s) to be manually applied.
So, this Nessus description says the fix for my ADS 2020 instance is to apply Azure DevOps Server 2020 Update 0.1 patch 2 and it provides a link to April patches for Azure DevOps Server and Team Foundation Server. The description for ADS 2020 0.1 with patch 2 includes VERY involved tasks AzureResourceGroupDeploymentV2 and AzureResourceGroupDeploymentV3.
Why would a version of ADS 2020 released August 2021 require patches published for a prior version of ADS 2020. This makes no sense.
p.s. I put this same question on the Microsoft Developer Community board 3 weeks ago but have not received an answer/solution
Microsoft has performed a re-release of the 2020.1.1 version with an increased version number; 18.181.31527.1. The solution is to repair the Azure DevOps installation, then update to the re-release version and then apply patch 1. I have a full overview of all versions of Azure DevOps Server and TFS (https://github.com/FokkoVeegens/AzureDevOpsServerVersions), which I will update accordingly, so thanks for your question ;).