We're facing an error for powershell@2 task on GCP VM. Our VM running windows 2022 with TLS 1.2 support are failing to download PowerShell with below error:
Downloading task: PowerShell (2.237.5) ##[warning]Failed to download task 'PowerShell'. Error Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.. ##[warning]Inner Exception: An existing connection was forcibly closed by the remote host. ##[warning]Back off 13.619 seconds before retry.
Whereas powershell@1 is working fine.
Agent Version: 3.238.0
Can you please advise what can be the issue here?
(Invoke-WebRequest -Uri status.dev.azure.com -UseBasicParsing).StatusDescription
This request given to check TLS 1.2 support is working good.
For now, we're using Powershell@1 version as it's working.
You can try to re-enable TLS 1.2 on the Windows agent machine with the following steps to fix the issue:
Run the PowerShell scripts in "TLS 1.2 enforcement" to check and enable TLS 1.2 by updating the registry.
Enable each of below cipher suites in registry. See here.
For example, to enable the cipher "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (*)", open registry and go to the path "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
". Right-click on Ciphers
and add a new key named "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (*)", right-click on this new key and add a DWORD Value (Name: Enabled
, Data: 0x00000001 (1)
).
Search and open 'Gpedit.msc
' (Local Group Policy Editor). Navigate to "Computer Configuration" > "Administrative Templates" > "Network" > "SSL Configuration Settings" > "SSL Cipher Suite Order". Check "Enabled" option, and under the "Options:" section, ensure above 4 cipher suites are listed in the "SSL Cipher Suites" field. If any of them is not existing, add it to the field and use commas to separate them. Apply and save the update.
Open PowerShell as Admin and run the command "GPupdate.exe /force
".
Reboot the machine.