Tags: azure-devops, google-compute-engine, azure-devops-self-hosted-agent

PowerShell@2 task download is failing on self-hosted GCP Windows 2022 agents


We're facing an error with the PowerShell@2 task on a GCP VM. Our VMs running Windows 2022 with TLS 1.2 support are failing to download the PowerShell task with the error below:

Downloading task: PowerShell (2.237.5)
##[warning]Failed to download task 'PowerShell'. Error Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
##[warning]Inner Exception: An existing connection was forcibly closed by the remote host.
##[warning]Back off 13.619 seconds before retry.

Whereas powershell@1 is working fine.

Agent Version: 3.238.0

Can you please advise what can be the issue here?

(Invoke-WebRequest -Uri status.dev.azure.com -UseBasicParsing).StatusDescription

This request, given to check TLS 1.2 support, is working fine.

For now, we're using Powershell@1 version as it's working.


Solution

  • You can try to re-enable TLS 1.2 on the Windows agent machine with the following steps to fix the issue:

    1. Run the PowerShell scripts in "TLS 1.2 enforcement" to check and enable TLS 1.2 by updating the registry.

    2. Enable each of the cipher suites below in the registry. See here.

      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (*)
      • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (*)

      For example, to enable the cipher "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (*)", open the registry and go to the path "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\". Right-click on Ciphers and add a new key named "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (*)", then right-click on this new key and add a DWORD value (Name: Enabled, Data: 0x00000001 (1)).


    3. Search for and open 'Gpedit.msc' (Local Group Policy Editor). Navigate to "Computer Configuration" > "Administrative Templates" > "Network" > "SSL Configuration Settings" > "SSL Cipher Suite Order". Check the "Enabled" option, and under the "Options:" section, ensure the above 4 cipher suites are listed in the "SSL Cipher Suites" field. If any of them is missing, add it to the field, using commas to separate the entries. Apply and save the update.


    4. Open PowerShell as Admin and run the command "GPupdate.exe /force".

    5. Reboot the machine.
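As an added example (not part of the answer above), the following PowerShell script audits the TLS 1.2 state the steps above set up: the SCHANNEL and .NET Framework registry values from step 1, and whether the four cipher suites from steps 2 and 3 are actually offered by SCHANNEL. With -Fix it writes the missing registry values and uses Enable-TlsCipherSuite rather than hand-editing the Ciphers key. It assumes an elevated session on Windows Server 2016 or later (where Get-TlsCipherSuite exists); the .NET Framework value names are taken from Microsoft's TLS 1.2 guidance, not from this page.

```powershell
# Added example: audit (and optionally fix) TLS 1.2 settings relevant to the agent.
# Run in an elevated PowerShell; reboot after any change, as step 5 says.
param([switch]$Fix)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$suites   = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
            'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',   'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'

# Registry values that should hold for the agent (a .NET application) to use TLS 1.2:
# the SCHANNEL protocol key plus the .NET Framework "use system TLS defaults" switches.
$expected = @(
  @{ Path = "$schannel\Protocols\TLS 1.2\Client"; Name = 'Enabled';           Value = 1 },
  @{ Path = "$schannel\Protocols\TLS 1.2\Client"; Name = 'DisabledByDefault'; Value = 0 },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto';       Value = 1 },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SystemDefaultTlsVersions'; Value = 1 },
  @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';       Value = 1 },
  @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SystemDefaultTlsVersions'; Value = 1 }
)

foreach ($e in $expected) {
  $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
  $ok = ($current -eq $e.Value)
  Write-Host ("{0,-4} {1}\{2} = {3}" -f $(if ($ok) { 'OK' } else { 'FIX' }), $e.Path, $e.Name, $current)
  if (-not $ok -and $Fix) {
    New-Item -Path $e.Path -Force | Out-Null
    New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType DWord -Force | Out-Null
  }
}

# Cipher suites: Get-TlsCipherSuite lists what SCHANNEL will actually offer, which
# reflects both the per-cipher registry keys (step 2) and the policy order (step 3).
$offered = (Get-TlsCipherSuite).Name
foreach ($s in $suites) {
  if ($offered -contains $s) {
    Write-Host "OK   cipher suite offered: $s"
  } else {
    Write-Host "FIX  cipher suite missing: $s"
    if ($Fix) { Enable-TlsCipherSuite -Name $s }
  }
}
```

Run it once without -Fix to see which values differ before changing anything; a policy-managed cipher suite order (step 3) takes precedence over the per-cipher registry keys, so a suite can still be reported missing until the GPO is updated.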