Restrict TFS to only allow connections from clients with VS SP1

You can control which clients get rejected when trying to connect to your TFS.

Scenario

You are running TFS 2010 SP1 and want to make sure that all clients have (VS) SP1 (at minimum) applied.

Luckily, you can configure which clients get rejected when trying to connect to your TFS. You can even provide the message that will be displayed to users whose clients get rejected:

[Image: BlockNonSP1Clients_Sorry1]

Solution

It’s easy: add two values to the TFS registry (and restart TFS):

  • Key: /Configuration/Application/DisabledUserAgents/TFS10SP1
    Value: "Team Foundation (*.exe, 10.0.<40219.1)"
  • Key: /Configuration/Application/DisabledUserAgents/TFS10SP1/Message
    Value: "Sorry, you have to install Visual Studio 2010 Service Pack 1."
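
To check which clients a rule like the first value would reject before applying it, the following added example (not code from the original post or from TFS) evaluates the rule against user-agent strings. It assumes that `*` is a wildcard, that the version components before `<` must match exactly, and that the components after `<` are an exclusive upper bound; the sample user agents are constructed.

```python
import fnmatch
import re

# Rule value taken from the post.
RULE = "Team Foundation (*.exe, 10.0.<40219.1)"

# Constructed sample user agents, e.g. as they might appear in web server logs.
SAMPLE_AGENTS = [
    "Team Foundation (devenv.exe, 10.0.30319.1)",
    "Team Foundation (devenv.exe, 10.0.40219.1)",
    "Team Foundation (TF.exe, 10.0.30319.1)",
    "Team Foundation (devenv.exe, 9.0.30729.1)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64)",
]

def parse_rule(rule):
    """Split a rule into (product, exe glob, exact version prefix, upper bound)."""
    m = re.fullmatch(r"(.+?) \((.+?), ([\d.]*)<([\d.]+)\)", rule)
    if not m:
        raise ValueError("unsupported rule: %r" % rule)
    product, exe_glob, prefix, bound = m.groups()
    exact = tuple(int(p) for p in prefix.split(".") if p)
    limit = tuple(int(p) for p in bound.split("."))
    return product, exe_glob, exact, limit

def is_blocked(user_agent, rule=RULE):
    """True if user_agent matches the rule under the assumed semantics."""
    product, exe_glob, exact, limit = parse_rule(rule)
    m = re.fullmatch(r"(.+?) \((.+?), (\d+(?:\.\d+)*)\)", user_agent)
    if not m or m.group(1) != product:
        return False
    if not fnmatch.fnmatchcase(m.group(2).lower(), exe_glob.lower()):
        return False
    version = tuple(int(p) for p in m.group(3).split("."))
    if version[:len(exact)] != exact:
        return False  # a different major.minor is outside this rule
    return version[len(exact):] < limit  # strictly below the SP1 build

def blocked_agents(agents, rule=RULE):
    """Return the distinct agents from the list that the rule would reject."""
    return sorted({a for a in agents if is_blocked(a, rule)})

if __name__ == "__main__":
    for agent in blocked_agents(SAMPLE_AGENTS):
        print("would be rejected:", agent)
```
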

How to do that

Use the tfsreg.exe tool and run these two commands:

tfsreg.exe /server:http://servername:8080/tfs /path:/Configuration/Application/DisabledUserAgents/TFS10SP1 /value:"Team Foundation (*.exe, 10.0.<40219.1)"
tfsreg.exe /server:http://servername:8080/tfs /path:/Configuration/Application/DisabledUserAgents/TFS10SP1/Message /value:"Sorry, you have to install Visual Studio 2010 Service Pack 1."

Note: Replace http://servername:8080/tfs with your TFS server’s URI.

Or download the ready-to-use BlockNonSP1Clients.bat (.ZIP)

Caution: Never edit TFS registry entries directly by modifying TFS’ SQL databases manually. Always use the registry service (client or server) or the tfsreg.exe tool mentioned above (which does that) to modify TFS registry entries.

Future Compatibility Note: This mechanism might change or be implemented differently in future versions of TFS; there’s no compatibility guarantee.

Update (2 Oct 2011): In TFS 2010, older clients (VS 2005 and VS 2008) that do not have Service Pack 1 and the appropriate Forward Compatibility Upgrade installed will be rejected by default using this technique.

(Thanks to Philip Kelley, Taylor Lafrinere, and Buck Hodges from Microsoft for this tip).

2 thoughts on “Restrict TFS to only allow connections from clients with VS SP1”

  1. Useful. Presumably this could be adapted to support multiple client blocking, e.g., also running the following:

    tfsreg.exe /server:http://localhost:8080/tfs /path:/Configuration/Application/DisabledUserAgents/TFS9SP1 /value:"Team Foundation (*.exe, 9.0.<30729.1)"

    ... and...

    tfsreg.exe /server:http://localhost:8080/tfs /path:/Configuration/Application/DisabledUserAgents/TFS8SP1 /value:"Team Foundation (*.exe, 9.0.<50727.867)"

  2. @Al Feersum: There’s no need to, because for Team Explorer 2005/2008 this is already pre-set in the system, because out-of-the-box TFS 2010 requires all pre-2010 clients to have the Forward Compatibility Patch installed. And this one requires VS 2005 respectively 2008 SP1.
