GitHub has turned off support for TLS versions before 1.2, on all of https://github.com - https://githubengineering.com/crypto-removal-notice/
The Azure VM Agents plugin hardcodes a URL on github.com in its Windows SSH init script, and downloads it using System.Web.WebClient - https://github.com/jenkinsci/azure-vm-agents-plugin/blob/0e57250114b29b14ae787928b6debeafbf9d67ff/src/main/resources/scripts/sshInit.ps1#L3
Unless directed otherwise, PowerShell will always use TLS 1.0 - https://blog.pauby.com/post/force-powershell-to-use-tls-1-2/
As a result, initialization of Windows SSH agents is 100% broken, as of yesterday, because the sshInit.ps1 script does not override the TLS version on WebClient to 1.2, causing the script to fail. This cannot be worked around, without a custom compile of the plugin with a fixed PowerShell script.