What's new in Azure Sphere

Azure Sphere is updated on an ongoing basis. Feature releases support new functionality and include both the Azure Sphere OS and the SDK. Quality releases include bug fixes and performance enhancements, and typically include only the Azure Sphere OS. For all releases, the updated OS is automatically downloaded from the cloud to Azure Sphere devices that are connected to the internet. Release numbers are typically in year.month format, so 19.11 identifies the release in November, 2019.

If your devices are connected to the internet, they should receive the OS update from the cloud. However, if you have an early Seeed MT3620 Development Kit that has not been used, you might need to update manually, as described in Update the OS on an early dev kit.

To verify the installed OS version on an attached device, use the following command:

azsphere device show-os-version

To check which version of the SDK is installed on your local computer, use the following command:

azsphere show-version

Devices that receive the Retail Evaluation release of the OS will be updated to the final Retail OS within 24 hours after it is released. The Retail Evaluation release is available for backward compatibility testing 14 days before the Retail OS release. If you are not familiar with the Retail Evaluation program, see Set up devices for OS evaluation to find out how to participate.

If critical bugs are discovered during the Retail Evaluation period, we may release an updated OS on the Retail Evaluation feed and, in turn, may restart or extend the evaluation period. As possible, we will post notifications on Azure Updates and the Azure Sphere IoT Tech Community blog. The version number of the final retail OS release will reflect any such updates.

About the 20.07 feature release

The 20.07 feature release contains new features for application development and tenant certificate renewal, additional promotions of Beta features to long-term stable (LTS), and enhancement to improve stability and troubleshooting of device connections on Windows platforms.

New and changed features in the 20.07 release

The 20.07 feature release contains new features and improvements to networking, application development, analog-to-digital converter (ADC) and pulse-width modulation (PWM) support, management of tenant certificate authority (CA) certificates, and client-side TLS in wolfSSL.

Networking features

This release adds new and enhanced foundational networking features:


You can now build Azure Sphere apps in containers, thus providing a reproducible build environment. A preconfigured container image for Azure Sphere is available from the Microsoft Container Registry (MCR).

Templates in Visual Studio and Visual Studio Code

Both Visual Studio and Visual Studio Code now support updated templates:

  • The Blink template, intended for validating that the local development environment is set up correctly, supports additional Azure Sphere development boards.
  • New blank templates for both high-level and real-time capable applications, which enable you to create an application with minimal removal of unneeded code.

Tenant certificate renewal

Azure Sphere tenant certificates are valid for a period of two years, so tenant certificates for some early users are beginning to expire. Manage tenant certificate in the online documentation describes how and when to renew a certificate.

The Azure Sphere CLI and public API now support features for viewing and renewing tenant CA certificates.

In the azsphere CLI, the new azsphere ca-certificate command supports management and renewal of tenant CA certificates. This command replaces azsphere tenant download-ca-certificate, azsphere tenant download-ca-certificate-chain, and azsphere tenant download-validation-certificate.


New tenant CA certificates that were created between June 16, 2020 21:00 UTC, and July 28, 2020 00:15 UTC, may result in a verification failure with Open SSL. The failure is due to a mismatched signature algorithm identifier in the certificate. The error does not compromise the security of these certificates.

If you created a new tenant during this period, or if you created your tenant during the summer of 2018 and now need to verify a new tenant certificate, you may have one of these malformed certificates. To resolve this problem, we are regenerating all certificates that were created during this period.

To find out what you need to do to ensure your certificates are correct, see Azure Sphere tenant CA certificate rotation in the Microsoft Tech Community Internet of Things blog.


Azure Sphere applications can now use the wolfSSL client-side TLS API. Starting with the 20.07 release, Azure Sphere supports wolfSSL version 4.4. This version includes numerous important changes, including some security features that resolve CVEs.

PC-to-device communication stability

The 20.07 feature release contains bug fixes and enhancements to ensure greater PC-to-device communication stability issues that are related to the FTDI driver on Windows. See Windows-specific problems for details. The new azsphere device rescan-attached command helps in troubleshooting device connection problems on Windows.

Public API

The Azure Sphere public API (PAPI) supports several new operations.

Operation Function
Delete a device group Device Group-Delete
Delete a product Product-Delete
Get tenant certificate Tenants-Get Certificate
Get tenant certificate chain Tenants-Get Certificate Chain
Get proof of possession certificate Tenants-Get Proof Of Possession
List tenant certificates Tenants-List Certificates


The analog-to-digital converter (ADC) and pulse-width modulation (PWM) APIs have been promoted to long-term stable (LTS) from Beta.

In addition, Azure Sphere now includes limited ioctl support for both ADC and PWM.

Real-time application development

Real-time application support has been promoted to LTS. It is no longer considered Beta. Along with this change, the application.h API has also been promoted to LTS.

In addition, this release fixes a bug with the value of the reset vector of the M4 to enable the use of the M4 watchdog timer.

Hardware definitions

The Azure Sphere SDK now contains default hardware definitions for common Azure Sphere boards and dev kits, in both header file (.h) and JSON format. The GitHub sample apps also use hardware definitions to create a "sample appliance" abstraction that enables them to run unchanged across many boards, and to illustrate how you can create a similar abstraction for your own usage scenarios.

Application deployments and updates

Cloud deployments for Azure Sphere applications are set per device group. If you move a device from one device group to another, the next device update will deliver the application package that is currently set for the new device group. If no deployment is set for the device group, any applications that are currently on the device will be deleted.

This behavior is changed from previous releases, which did not remove applications that weren't part of the current device group's deployment. Use the following commands to determine which deployments target a particular group or device:

See Deployment basics for more information about creating, configuring, and updating deployments.

Sample applications

The Azure IoT sample applications for Azure Sphere have been updated to accommodate changes in Azure IoT Hub and Azure IoT Central. The samples also now support Linux as a development platform.

Boot timing

Boot performance in the 20.07 release has improved by approximately 750ms overall.

GNU Arm path discovery

The Azure Sphere extensions for both Visual Studio and Visual Studio Code now use the same internal mechanism to discover the location of the GNU Arm path. Previously, Visual Studio looked only within the Visual Studio installation directory. Now it looks first in the ARM_GNU_PATH environment variable, then in the registry (on Windows), and then in the Visual Studio installation directory.

Manufacturing samples

Sample code for building iPerf3, a network performance testing tool, has been added to the manufacturing samples package.

The RF Tools have been updated to fix the handling of certain buffer bin values. This change allows additional e-fuse values to be set using a buffer bin file. In addition, we have addressed a bug in the 20.04 RF Tools that caused the tools to fail when a Wi-Fi network was already configured on the device.

Azure IoT C SDK support

Azure Sphere now supports the lts_02_2020 branch of the Azure IoT C SDK.

Linux kernel

The Linux kernel underlying the Azure Sphere OS has been updated to version 5.4.

Known issues in the 20.07 release

If you try to use an unknown client identity to authenticate to an EAP-TLS network, the WifiConfig_GetNetworkDiagnostics function does not return AuthenticationFailed (5) in the current release. Instead, it returns only the ConnectionFailed (1) error, which is a regression from the previous release. We expect to correct this in an upcoming release.

What's new in the 20.06 quality release

The 20.06 quality release includes an OS update with the following enhancements:

  • Fixed a problem that caused a segmentation fault in the wpa_supplicant.
  • Fixed a problem that caused device recovery to fail on a device if the real-time clock (RTC) was disabled.
  • Reduced resets triggered by RTC time-outs during OS installation.

Windows SDK 20.04 Update 2

An updated Azure Sphere SDK for Windows, version 20.04 Update 2, is now available. If you're experiencing intermittent login problems, install this SDK and use the new --usedevicecode parameter, which opens a browser window and provides an authorization code with which you can log in.

To download and install the updated SDK, follow the installation instructions. You can find more information about this new parameter in azsphere login and Troubleshoot cloud issues.

Ubuntu 20.04 LTS support

An updated Azure Sphere SDK for Linux, version 20.04 Update 1, is now available. This updated SDK supports Ubuntu 20.04 LTS. Follow the installation instructions to download and install this updated SDK if you use Linux to develop Azure Sphere applications.

What's new in the 20.05 quality release

The 20.05 quality release of the Azure Sphere OS includes changes to strengthen OS security by reducing the denial-of-service attack surface.

In addition, a new sample is now available that shows how to use Azure Sphere and Azure RTOS to implement a real-time capable application.

Independent of this release, we have also published a new paper, Best practices for implementing seven properties in Azure Sphere. This paper describes practices that the Azure Sphere team learned and applied during the development of Azure Sphere.

About the 20.04 feature release

The 20.04 release of Azure Sphere OS includes new features to support EAP-TLS networking and certificate management. A single Windows SDK now supports both Visual Studio and Visual Studio Code; each has its own extension, which is installed separately. Further changes in the 20.04 SDK provide simpler configuration of CMake for building applications on all platforms.

New and enhanced features in the 20.04 release

The 20.04 release supports the new user-visible features that are described in the following sections. The release also includes improvements to ensure a more sustainable infrastructure.

Enterprise connectivity features

The 20.04 release supports Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) to connect to Wi-Fi networks. EAP-TLS provides certificate-based authentication for secure connections to enterprise networks.

See Use EAP-TLS in the online documentation for details about the Azure Sphere EAP-TLS platform and the requirements for local network administrators. EAP-TLS is not supported over Ethernet.

As part of EAP-TLS support, this release also supports:

  • A new CertStore API, which provides an interface to store and manage Root CA and client certificates on an Azure Sphere device
  • New WifiConfig API features, which enable programmatic configuration, setup, and management of an EAP-TLS network
  • Enhanced azsphere CLI commands, so that network administrators can manage certificates and configure EAP-TLS networks from the command line

Because EAP-TLS network configurations require more storage space than other networks, the limit of 37 networks no longer applies. The number of networks you can store on an Azure Sphere device is resource dependent.

Single Windows SDK

The 20.04 release provides a single Windows SDK, which works with Visual Studio, Visual Studio Code, or on the Windows command line. Windows SDK installation now involves downloading and installing this SDK. If you installed the 20.01 SDK or an earlier version, you can install the new SDK without uninstalling the old version.

Separate extensions for Visual Studio and Visual Studio Code that work with this SDK are available in the Marketplace. Both Visual Studio and Visual Studio Code will notify you when an updated extension is available.

CMake improvements

The CMake interface for configuring and building Azure Sphere projects has been simplified to provide greater consistency across development environments and command-line interfaces. Configure Builds with CMake describes the new features.

If you already have an Azure Sphere application that was built with CMake prior to the 20.04 SDK, you should convert it to use these new features. You can still build such applications unchanged for now, but support for them is deprecated and may be removed in a future release.


You can use a single instance of Visual Studio or Visual Studio Code to simultaneously debug applications for both the high-level and real-time cores.


The new Certificates sample shows how to store and manage certificates for use in EAP-TLS authentication.

The IntercoreComms sample has been updated to support simultaneous debugging of both the high-level application and the RTApp. The RTApp now sends a message to the high-level app every second and displays any messages that it receives.

The WiFi_HighLevelApp sample has been extended to demonstrate configuration of EAP-TLS networks. See the README.md file for the sample to find out how to modify the sample to configure an EAP-TLS network from a high-level app.

Public API

Azure Sphere provides a public API through which you can request and receive data from devices in the field. The Azure Sphere public API uses the REpresentational State Transfer (REST) HTTP protocol to request and receive data formatted in JavaScript Object Notation (JSON). See Azure Sphere Public API for more information.

Changes in the 20.04 release

The Application_Socket Beta function in the Application API has been deprecated. It has been replaced by the Application_Connect function, which is also in Beta.

Fixed bugs and common vulnerabilities in the 20.04 release

The 20.04 release includes updates to mitigate against the following CVEs:

  • CVE-2019-15601
  • CVE-2020-5235

What's new in the 20.03 quality release

The 20.03 quality release includes only the Azure Sphere OS. It incorporates the following changes and bug fixes:

  • Updated the Linux kernel to 4.9.213 LTS.
  • Fixed a bug where PWM settings were not updated after PWM output was disabled, the period and duty cycle were changed, and then output was re-enabled.
  • Fixed a bug where the network interface status was incorrectly reported as "Connected" after the network was disabled by a call to Networking_SetInterfaceState.
  • Fixed SPI bugs that could result in kernel crashes.
  • Fixed an issue that could cause the device to run out of memory after repeatedly deleting an application.
  • Fixed a problem that could cause an OS update to loop.

For those who have a valid Azure Sphere OEM Customer License Agreement (CLA), 20.03 is a required Update and use is subject to the terms and conditions of such agreement.

What's new in the 20.01 feature release

The 20.01 release of Azure Sphere includes new features to support power management, error reporting, and to provide better management of data returned by the Azure Sphere Security Service. In addition, this release incorporates enhancements to the OS and SDK to further strengthen the security of devices at customer sites and ensure supportability.

Although our goal is to avoid the introduction of breaking changes and incompatibility between releases, in a few situations, action may be required to ensure that your devices and applications continue to work as intended. Please read Changes in the 20.01 release carefully to learn about changes that might affect you.

To update to the latest OS and SDK

If your devices are connected to the internet, they should receive the OS update from the cloud. However, if you have an older Seeed MT3620 Development Kit that has not been used, you might need to update manually, as described in Update the OS on an early dev kit.

After your devices receive the 20.01 OS, they will be unable to recover or roll back to an earlier Preview release. See Return to earlier Public Preview versions unavailable for more information.

Earlier versions of the SDK do not work with the 20.01 release, and will return Unexpected error or a similar message. To update to the latest SDK, download and install the latest version:


If you installed the 20.01 evaluation SDK during the Retail Evaluation period, you must now install the final SDK so that you can use new features.

To verify the installed OS version on an attached device, use the following command:

azsphere device show-os-version

To check which version of the SDK is installed on your local computer, use the following command:

azsphere show-version

We introduced a new cloud management model with the 19.10 SDK. See About migration for additional information if you have not yet completed the migration to this model.

Important information about devices that have the 20.01 Retail Evaluation OS

Devices that are running the 20.01 Retail Evaluation OS may encounter errors if you move them to a device group that receives the Retail OS feed. Symptoms of this problem are that azsphere continually reports that an OTA update is in progress, but the update never completes; you cannot sideload images from the command line or from an IDE; the device reboots every few minutes.

To prevent this problem:

  • Do not use the azsphere device enable-development command on a device that is in the "Field Test OS Evaluation" or "Production OS Evaluation" group, or in a custom group that receives the RetailEval OS feed. This command moves the device to a group that receives the Retail OS feed.
  • If your device is currently in a device group that receives the RetailEval OS feed, leave it there. We recommend retaining at least one device in such a group at all times.

To resolve this problem:

Recover the device to the 20.01 OS, even if it has already received the 20.01 OS through the RetailEval feed, by using the following command:

azsphere device recover

New features in the 20.01 release

The 20.01 release supports the new user-visible features that are described in the following sections. The release also includes numerous security and infrastructure improvements that are not visible.

Tighter security for deployed devices

Connected device manufacturers and OEMs can disable computer-to-device communications to prevent malicious use by those who have physical access to the device.

Disabling such access is part of device finalization. Finalization is typically performed on the factory floor before the connected device manufacturer ships their product to an end user site, but some dev kit manufacturers may finalize devices as well. After finalization, a user will be able to get the device ID over computer-to-device connection, but all other operations require a device capability.

Field support technicians who need computer-to-device communications for set-up and servicing can download the fieldServicing device capability. Using this capability, a technician can create a servicing session that provides temporary access from a computer. For application developers, the azsphere device enable-development command (which applies the appDevelopment capability) will continue to work as in preview releases.

Power management API

This release includes a new power management API, which enables applications to put the device into the power-down state. See Manage Power Down state for Azure Sphere devices for an overview of its use and Powerdown in the Azure Sphere Samples repo on GitHub for a sample application.

Error reporting

You can now download data about errors and other events that affect your devices by using the azsphere tenant download-error-report command. The downloaded information contains data for all devices in a tenant and can be viewed with Excel or other tools. See Collect and interpret error data for details.

Paged display of device information

The Azure Sphere CLI now supports paging for commands that return large amounts of data. This feature is useful for gathering information about tenants that contain many devices. Display device information describes how to use this feature.

Changes in the 20.01 release

Changes in the 20.01 release affect recovery and rollback, Visual Studio support, and support for several SDK features that may require you to rebuild your applications. Carefully read the following sections to ensure that you take the appropriate measures.

Return to earlier Public Preview versions unavailable

As part of our defense-in-depth against rollback attacks, recovery and rollback to earlier Public Preview versions of the Azure Sphere OS will be unavailable on devices that have already updated to the 20.01 release.

After a device updates to the 20.01 release, it will no longer be able to run an earlier release of the Azure Sphere OS. This means that you will be unable to recover a device to an earlier Public Preview release after it has received the 20.01 update. The 20.01 release will become the earliest release that can be installed on the device.

Visual Studio support

Development of Azure Sphere applications with Visual Studio 2017 is no longer supported starting with the 20.01 release. We released support for Visual Studio Code and Linux in the fall of 2019, and we continue to support Visual Studio 2019. Both Visual Studio 2019 and Visual Studio Code provide additional support for CMake beyond what is available in Visual Studio 2017.

In addition, development with Visual Studio 2019 now requires version 16.4 or more recent.

On Windows, you can compile, build, and debug Azure Sphere apps with Visual Studio 2019, with Visual Studio Code, or the command line.

On Linux, you can compile, build, and debug Azure Sphere apps with Visual Studio Code or the command line.

TLS versions

Libcurl on Azure Sphere supports TLS 1.2 and has deprecated TLS 1.0 and TLS 1.1 in alignment with the broader Microsoft TLS security strategy.

Deprecation of Visual Studio projects

Since the 19.10 SDK release, all new Azure Sphere apps are built using CMake by default. CMake is a cross-platform build system that you can use for all your development: for high-level apps and real-time capable apps; for Windows and Linux; and for development in Visual Studio, Visual Studio Code, or the command line.

The 20.01 SDK release does not support the use of Visual Studio projects (.vcxproj and msbuild). You will need to convert any existing apps to build with CMake. See Convert a Visual Studio project to CMake for guidance.

Deprecation of sysroots 1 and 2

The 20.01 SDK release does not include sysroots 1 and 2, or their corresponding API sets. If you have an app that uses one of these older API sets, you'll need to rebuild it using the 20.01 SDK and retarget it to use API set 3, 4, or 4+Beta2001.

Beta API promotions

In the 20.01 release, the following APIs are promoted from Beta to long-term stable (LTS). For more information on Beta APIs, see Application runtime version, sysroots, and Beta APIs.

Header file API changes from Beta to LTS
eventloop.h EventLoop_RegisterIo parameter type change; function signature unchanged, so existing code should continue to run
networking.h All promoted; interfaceNameLength removed from Networking_NetworkInterface struct
rtc.h No changes; all promoted
storage.h No changes; all promoted
sysevent.h SysEvent_RegisterForEventNotifications parameter type change; function signature unchanged, so existing code should continue to run
stdlib.h getenv, setenv, unsetenv promoted
mman.h memfd_create promoted
tlsutils/deviceauth_curl.h DeviceAuth_SslCtxFunc promoted; DeviceAuth_CurlSslFunc supported as an inline function

Removal of default CA certificates

Starting with the 20.01 release, the Azure Sphere OS no longer contains default CA certificates.

Preview releases of Azure Sphere included several CA certificates for use in authenticating HTTPS servers, and the cURL library was configured to look for these certificates on the device. To provide a more sustainable security environment, the Azure Sphere OS no longer contains these certificates.

Applications that rely on the presence of one or more of these default certificates will require changes. To authenticate a server, you'll need to add the required certificate to the application image package. For details, see Server Authentication.

Default device groups and OS feeds

The new cloud management model includes five default device groups: Development, Field Test, Production, Field Test OS Evaluation, and Production OS Evaluation. We strongly recommend that you maintain at least one device in a device group that receives the RetailEval OS feed, as a best practice. See Set up devices for OS evaluation for details.

Your Development device groups should receive the Retail OS feed. Follow these steps to check the OS Feed Type for your Development device group:

  1. List all products in your tenant:

    azsphere product list

    If your tenant has no products, you can skip the remaining steps; you don't need to change the feed.

  2. For each product, look at the details of the Development device group:

    azsphere device-group show --productname <product> --devicegroupname "Development"

    If the Development device group doesn't exist for this product, use this command to create it now. You can then skip the last step.

    azsphere product device-group create-defaults --productname <product>

  3. If the OS Feed Type is RetailEval, change it to Retail:

    azsphere device-group update --productname <product> --devicegroupname "Development" --osfeed "Retail"


Most of the real-time capable application (RTApp) samples that Microsoft provided for earlier Preview releases have been removed at this release. Additional drivers and samples for the M4 real-time cores on the MT3620 chip are available on GitHub from Azure Sphere partners MediaTek and Codethink.

Fixed bugs and common vulnerabilities in the 20.01 release

The 20.01 release includes changes to mitigate against the following CVEs for wolfSSL:

  • CVE-2019-19960
  • CVE-2019-19962
  • CVE-2019-19963

Although Microsoft does not believe that Azure Sphere is exploitable as a result of these vulnerabilities, we have nevertheless prioritized mitigation.

Known issues in the 20.01 release

This section lists known issues in the current release.

One-time failures after update

After a device updates to the 20.01 OS, the first attempt to sideload a board configuration image or enable functionality with a capability (such as by using the azsphere device enable-development command) will fail. Retrying this operation should succeed and the operation will no longer fail in the future.

Number of Wi-Fi networks reported

Azure Sphere currently supports a maximum of 37 Wi-Fi networks. Attempts to store more than 37 networks may result in undefined behavior.

CMake path lengths

If the length of your starting directory path is long, CMake returns an error when you open the folder. To avoid this problem, use short paths when developing with CMake.

Inaccurate clock on real-time cores

The GPT0 and GPT1 timers that are built into the real-time cores should use a 32 KHz clock source, but currently they do not run at the correct frequency. Consequently, applications that use these timers will get inaccurate timeouts. For example, a request for a 1-second delay could actually delay for 1.5 seconds. GPT3 has higher resolution, but if your scenario requires more than one timer, you may need to use GPT0 or GPT1. You can work around this issue by implementing a timer queue and running all the timers from GPT3.

Determine where an RTApp runs

By default, the RTApp is deployed to the first available real-time core on the device. To find out which core the application is running on, use the azsphere device app start command to start the application. The azsphere device app show-status command does not currently display this information.

You cannot choose which of the two real-time cores an RTApp runs on.

CMake startup item

When you're developing RTApps with Visual Studio or Visual Studio Code, the Select Startup Item menu may reset, resulting in an error when you try to start the application. This tends to occur when you regenerate the CMake cache. Before starting the application, ensure that the menu specifies GDB Debugger (RTCore):

startup item menu

Information for manufacturers about the 20.01 release

This release includes several changes that may affect manufacturers of finished goods:

  • Manufacturers of finished goods have finer-grained options for protecting the software and device from end-user modification. The new Module1Complete and DeviceComplete manufacturing states enable manufacturers to restrict the kinds of modifications users can make to radio settings and device software, respectively. See Set the device manufacturing state for additional details.

    • Module1Complete. The Module1Complete manufacturing state is designed to limit the adjustments users can make to radio configuration settings such as maximum transmit power levels and allowed frequencies. RF commands can be used until Module1Complete is set. Restricting end-user access to these settings may be required to satisfy regulatory policies around radio hardware. This setting primarily affects manufacturers who need to test and calibrate radio operating parameters.

      Microsoft recommends that you set this manufacturing state after radio testing and calibration have been completed; RF commands cannot be used after it is set. The Module1Complete state protects the device against changes that may disrupt proper operation of the radio and other wireless devices in the vicinity.

    • DeviceComplete. The Device Complete manufacturing state allows manufacturers of finished products to secure devices that are deployed in the field against changes. Once a device is placed into the DeviceComplete state, a device-specific capability file is needed to perform any software loading and configuration tasks.

      Do not set DeviceComplete for unfinished devices or modular devices (Wi-Fi modules, development boards, and so forth) that may be used as part of a larger system; this state limits manufacturing activities such as production-line testing, software installation, and configuration.

  • To better serve different manufacturing roles and needs, our manufacturing resources have now been split into three packages. Tools for communicating with attached Azure Sphere devices, loading software, and claiming are distributed as part of the Azure Sphere SDK. The Manufacturing Samples package contains scripts and apps for device manufacturers, and the RF Tools package contains low-level radio tuning and calibration tools intended for Wi-Fi module manufacturers. The Manufacturing Samples and RF Tools packages are available by request from Microsoft.

We recommend that you follow the OS version migration checklist to verify your manufacturing and factory procedures with the new OS and SDK.