Azure Windows VMs management via PowerShell Remoting

20 october 2024

Azure Windows VMs management via PowerShell Remoting

When it comes to accessing Azure virtual machines running Windows, most people immediately think of the familiar Remote Desktop Protocol (RDP). However, in automation, CI/CD, and DevOps scenarios, a more flexible and automated approach is often required. PowerShell Remoting provides a convenient and secure alternative to traditional RDP, enabling fast, secure, and automated VM management. In this article, you'll learn how to configure and use PowerShell Remote to efficiently manage Azure Windows VMs.

Automating virtual machine management is one of the key aspects of resource efficiency in Azure. RDP sessions are suitable for manual administration, but are not always convenient in automation scenarios where you need to perform a large number of tasks simultaneously on multiple virtual machines or integrate management with CI/CD tools.

Using PowerShell Remoting allows administrators and DevOps engineers to run automated commands and scripts on remote machines without establishing a graphical connection. This significantly speeds up and makes it more flexible and convenient to deploy applications, configure systems and perform various administrative tasks.

This is especially important in the context of DevOps, where automation and process integration play a crucial role. PowerShell Remoting allows you to include remote virtual machine management scripts in Azure DevOps pipelines, enabling seamless integration and minimizing manual configuration time.

Theoretical steps.

By default, PowerShell Remoting access to Azure Windows virtual machines is disabled for security reasons. The following steps are required to enable and configure it:

Enable WinRM (Windows Remote Management) on the virtual machine.
Enable the connection via PowerShell Remoting
Configure the necessary firewall rules to allow remote connections.

You can configure WinRM with different types of authentication and other settings. We will use admin login/password authentication and use HTTPS protocol to encrypt the connection.

Azure PowerShell script to configure PowerShell Remote.

To perform these steps using PowerShell you need to use the following commands.

Create a self-signed certificate to configure DNS connection encryption:

$cert = New-SelfSignedCertificate -DnsName <VM DNS name> -CertStoreLocation cert:\LocalMachine\My

Enable PowerShell Remoting

$cert = New-SelfSignedCertificate -DnsName <VM DNS name> -CertStoreLocation cert:\LocalMachine\My
Включить PowerShell Remoting
Enable-PSRemoting -force

Create a WinRM listener that will accept incoming connections over HTTPS

winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=""<VM DNS name>"";CertificateThumbprint=""$($cert.ThumbPrint)""}"

where

Address=*: Specifies that the listener is available on all network interfaces on the machine.
Transport=HTTPS: Specifies that the listener will use a secure HTTPS connection.
Hostname: Specifies the DNS name of the virtual machine.
CertificateThumbprint: Binds a previously created certificate to this listener.

Add a new rule to Windows Firewall to allow inbound TCP connections on port 5986.

netsh advfirewall firewall add rule name=”WinRM-HTTPS” dir=in localport=5986 protocol=TCP action=allow

Configuring PowerShell Remote in Azure DevOps Pipelines

If we go back to the question of automating the process of configuring PowerShell Remote for Azure Windows VM (which is exactly what we need for automated virtual machine management), then we have the question of how do we execute Powershell commands on the remote machine if PowerShell Remote is not enabled on it yet.

For this we can use the Azure PowerShell cmdlet Invoke-AzVMRunCommand.

Next I will give an example of an AzurePowerShell task that enables PowerShell Remote on the remote machine.

- task: AzurePowerShell@5
            displayName: Configure Azure VM
            inputs:
              azureSubscription: '${{ parameters.AzureSubscription }}'
              ScriptType: 'InlineScript'
              Inline: |
                $vmname = “<VM NAME IN AZURE>”
                $vmdnsname = "<VM DNS NAME>"
                $params=@{
                    "vmdnsname" = $vmdnsname
                }
                Invoke-AzVMRunCommand `
                    -ResourceGroupName '${{ parameters.ResourceGroupName }}' `
                    -VMName $vmname `
                    -CommandId 'RunPowerShellScript' `
                    -Parameter $params `
                    -ScriptString ' `
                        Param(
                            [string]$vmdnsname
                        )
                        $cert = New-SelfSignedCertificate -DnsName $vmdnsname -CertStoreLocation cert:\LocalMachine\My
                        Enable-PSRemoting -force
                        winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=""$vmdnsname"";CertificateThumbprint=""$($cert.ThumbPrint)""}"
                        netsh advfirewall firewall add rule name=”WinRM-HTTPS” dir=in localport=5986 protocol=TCP action=allow'

Note that $vmdnsname is passed in the Invoke-AzVMRunCommand as a PowerShell script parameter with the appropriate syntax.

Connecting to Azure Windows VM via PowerShell Remote

After following the above steps, you can connect to the Azure Windows VM using PowerShell Remote for example as follows:

$vmdnsname = <VmDnsName>
$vmusername = <vmcred.VmUsername>
$vmpassword = <vmcred.VmPassword>
# Convert Password
$securePassword = ConvertTo-SecureString $vmpassword -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($vmusername, $securePassword)
# Connect to the machine
$soptions = New-PSSessionOption -SkipCACheck
$session = New-PSSession -ComputerName $vmdnsname -Port 5986 -Credential $cred -SessionOption $soptions -UseSSL
Invoke-Command -Session $session -ScriptBlock {<Inline Powershell commands>}

When connecting, we use SSL and do not validate the virtual machine certificate, as it is self-signed. The login/password pair is used for authorization.

So now we can automate the management and configuration of Azure Windows VM. For example, the following script can be used to install the DotNet SDK:

$vmdnsname = $vmcred.VmDnsName
$vmusername = $vmcred.VmUsername
$vmpassword = $vmcred.VmPassword
# Convert Password
$securePassword = ConvertTo-SecureString $vmpassword -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($vmusername, $securePassword)
# Connect to the machine
$soptions = New-PSSessionOption -SkipCACheck
$session = New-PSSession -ComputerName $vmdnsname -Port 5986 -Credential $cred -SessionOption $soptions -UseSSL
Invoke-Command -Session $session -ScriptBlock {
Invoke-WebRequest -Uri https://dot.net/v1/dotnet-install.ps1 -OutFile dotnet-install.ps1
./dotnet-install.ps1 -Channel LTS -InstallDir 'C:\Program Files\dotnet'
}