Skip to content

Fix TLS 1.3 support detection in Health Checker#2551

Merged
dpaulson45 merged 1 commit into
mainfrom
dpaul-HCTls13Fix
Jun 11, 2026
Merged

Fix TLS 1.3 support detection in Health Checker#2551
dpaulson45 merged 1 commit into
mainfrom
dpaul-HCTls13Fix

Conversation

@dpaulson45

@dpaulson45 dpaulson45 commented Jun 11, 2026

Copy link
Copy Markdown
Member

Summary

Fixes TLS 1.3 support detection in Invoke-AnalyzerSecuritySettings so that the warning message is only displayed when the OS/Exchange version does not support TLS 1.3.

Changes

  • PS 5.1 .Count fix: Wrapped Where-Object filter results in @() array subexpression to ensure .Count returns a reliable value in PowerShell 5.1 (single objects don't have a .Count property in 5.1, causing the filter to silently return \).
  • TLS 1.3 warning guard: Added (-not \ -or -not \) check to the TLS 1.3 warning block (line 233) so the error message only fires when TLS 1.3 is not supported on the current OS and Exchange version combination. Previously this warning fired unconditionally whenever TLS 1.3 was not disabled, even on supported configurations (e.g., Exchange SE RTM on Windows Server 2025).
  • Write-Verbose: Added debug logging for key TLS 1.3 support variables to assist with future troubleshooting.

@dpaulson45
Fix TLS 1.3 support detection in Invoke-AnalyzerSecuritySettings
a7768f7 
- Wrap Where-Object results in @() for reliable .Count in PS 5.1
- Add support check to TLS 1.3 warning so it only fires on unsupported OS/Exchange
- Add Write-Verbose for TLS 1.3 support variable debugging
Copilot AI review requested due to automatic review settings June 11, 2026 15:44
@dpaulson45 dpaulson45 requested a review from a team as a code owner June 11, 2026 15:44
@dpaulson45

dpaulson45 commented Jun 11, 2026

Copy link
Copy Markdown
Member Author

/azp run

@azure-pipelines

azure-pipelines Bot commented Jun 11, 2026

Copy link
Copy Markdown
Azure Pipelines successfully started running 1 pipeline(s).

Copilot AI reviewed Jun 11, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates HealthChecker’s Invoke-AnalyzerSecuritySettings TLS 1.3 detection so the “TLS 1.3 not disabled” warning is only emitted when the current OS and/or Exchange build does not support TLS 1.3, preventing false-positive warnings on supported configurations.

Changes:

  • Adds verbose logging to surface OS/Exchange TLS 1.3 support inputs during troubleshooting.
  • Makes several Where-Object result counts deterministic by wrapping results in @(...) before using .Count.
  • Guards the “TLS 1.3 not disabled” warning so it triggers only when TLS 1.3 is enabled/not disabled on an unsupported OS/Exchange combination.

Comment thread Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecuritySettings.ps1
@dpaulson45 dpaulson45 merged commit ab4ccfe into main Jun 11, 2026
8 checks passed
@dpaulson45 dpaulson45 deleted the dpaul-HCTls13Fix branch June 11, 2026 16:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@lusassl-msft lusassl-msft lusassl-msft approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dpaulson45 @lusassl-msft