How can I start a service on an Azure VM remotely? It seems impossible to do without Powershell being "Run as Administrator". Is there a way to launch as admin?
(I would pass in Get-Credential parameter, but unfortunately the 5.1 version Set-Service command does not accept that as a parameter like it does in Powershell version 7.x, and i am limited to 5.1 for now.)
My credentials do have admin level rights on the VM, but i can't seem to figure out a way to pass that via a command.
I am triggering the call like this, where $action is either 'stop' or 'start':
$runCommand = Invoke-AzVMRunCommand `
-ResourceGroupName $rg `
-VMName $vm `
-CommandId 'RunPowerShellScript' `
-ScriptPath $scriptPath `
-Parameter #{action = $action}
The linked script would then execute something like this:
$serviceNames = #("service1, service2")
foreach($serviceName in $serviceNames){
$service = Get-Service -Name $serviceName
if($service){
if($action -ieq "start"){
Set-Service -InputObject $service -Status "Running"
}
}
else{
Write-Output "Service $serviceName not found!"
}
}
When i run from my laptop - it hangs.
When i run from Azure portal via "Run Command" - it hangs.
When i run from the VM itself - it says:
"Service '' cannot be configured due to the following error:
Access is denied
When i run from the VM itself but start Powershell as admin - It works!
Make sure you have to connect with local administrator password which you already configured with your VM.
If you are not able to connect the VM you need to reset your local administrator password/ Remote Desktop Service Configuration as per MS-DOC. We can reset either Azure Portal / VM Access extension and PowerShell.
If you want to connect the Azure VM from your local, you have to signed in with respective Azure subscription.
Use Set-AzVMAccessExtension to reset the local administrator account password.
VM has a single Access Agent. Use the same VM Access Agent which you used earlier.
Workaround
Way 1
Add the user to your VM
$Uname = "<UserName>"
$password = "<Password>"
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
New-LocalUser $Uname -Password $securePassword -FullName $Uname -Description "test admin account"
Add-LocalGroupMember -Group "Administrators" -Member $Uname
Way 2
Reset the local Administrator password
$vm = Get-AzVM -ResourceGroupName "<ResourceGroup Name>" -Name "<Resource name>"
$Uname = "<UserName>"
$password = "<Password>"
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credentials= New-Object System.Management.Automation.PSCredential ($Uname, $securePassword)
Set-AzVMAccessExtension -Credential $credentials -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Location $vm.Location -Name VMAccessAgent -TypeHandlerVersion "2.0"
Access the Script file using specific login
Connect-AzAccount
$vm = Get-AzVM -Name "<your vm name>" -ResourceGroupName "<your vm resource group>"
$runCommand = Invoke-AzVMRunCommand `
-ResourceGroupName $rg `
-VMName $vm `
-CommandId 'RunPowerShellScript' `
-ScriptPath $scriptPath `
-Parameter #{action = $action}
I have following code to loop all my vms in all subscriptions but for some reason Runbook never goes to my loop and therefore does nothing. This managed identity has VM contributors role from the root so permission is not the issue right now.
# Ensures you do not inherit an AzContext in your runbook
Disable-AzContextAutosave -Scope Process | Out-Null
Write-Output "Connecting to azure via Connect-AzAccount -Identity"
Connect-AzAccount -Identity
Write-Output "Successfully connected with Automation account's Managed Identity"
Set-AzContext -SubscriptionId "0000-xxxx"
$Subscriptions = Get-AzSubscription
foreach ($sub in $Subscriptions) {
# suppress output on this line
Write-Host Working with Subscription $sub.Name
$null = Get-AzSubscription -SubscriptionName $sub.Name | Set-AzContext
$vms = Get-AzVM
foreach ($vm in $vms) {
Write-Host Working with virtual Machine $vm.Name in resource group $vm.ResourceGroupName
stop-azvm -Name $vm.Name -ResourceGroup $vm.ResourceGroupName
}
}
If I put Get-AzVM or Get-AzSubscription command before loop it will show all my subscriptions or vms that are in context subscriptions so I know the commands work.
Script usually run like 5 minutes and then just goes to complied without doing really anything.
If I run the code from my computer in Visual Studio Code it goes fine trough but now am I missing now.
I need to execute PowerShell on VMs from an Azure Automation Runbook, akin to a WinRm execution/PowerShell Remoting.
I have created an Azure Runbook through the Azure Automation GUI, and am trying to run a script that works perfectly against physical and virtual machines to get key system information and ports. I am able to authenticate in Azure and it appears that I can execute some aspects of the script (unless it's only running against the Azure Automation Worker) via the Azure Runbook, such as getting the installed PowerShell Version of the targeted VMs using: $PSVersionTable.PSVersion so I am not having issues with security/access from what I can tell.
However, several other components fail as follows, and I don't know if I need to import a Module to Azure Automation and if so, which ones. Or if this is failing because it is running against the Worker and not the VMs.
Here are some of the code snippets I am running:
$computerSystem = Get-CimInstance Win32_ComputerSystem
"CPU: " + $computerCPU.Name
Get-WmiObject -Class Win32_LogicalDisk |
Where-Object {$_.DriveType -ne 5} |
Sort-Object -Property Name |
Select-Object Name, VolumeName, FileSystem, Description, `
#{"Label"="DiskSize(GB)";"Expression"={"{0:N}" -f ($_.Size/1GB) -as [float]}}, `
#{"Label"="FreeSpace(GB)";"Expression"={"{0:N}" -f ($_.FreeSpace/1GB) -as [float]}}, `
#{"Label"="%Free";"Expression"={"{0:N}" -f ($_.FreeSpace/$_.Size*100) -as [float]}} |
Format-Table -AutoSize
Get-NetAdapter -Name "*" | Format-Table
Get-NetOffloadGlobalSetting | Format-List
Test-NetConnection -Port 80
Here are the error messages, which I strongly suspect are EITHER due to missing PowerShell Modules that I need to upload, but am unsure where to find these OR is this a situation where I am not targeting the VM correctly and instead running this against the AZ Host? (if so, any good examples of how to target a single VM):
Get-CimInstance : The specified service does not exist as an installed
service.
Get-WmiObject : The specified service does not exist as an installed
service.
Get-NetAdapter : The term 'Get-NetAdapter' is not recognized as the
name of a cmdlet, function, script file, or operable program.
Get-NetOffloadGlobalSetting : The term 'Get-NetOffloadGlobalSetting'
is not recognized as the name of a cmdlet, function, script file, or
operable program.
Test-NetConnection : The term 'Test-NetConnection' is not recognized
as the name of a cmdlet, function, script file, or operable program.
If it is an issue with targeting the VM properly, I need some guidance. I suspect that I am targeting the Worker running the Runbooks and not the actual VMs. I am using the RunAs account/the new Azure Automation security methods (not classic) so I don't believe certificates come into play. Here is how I am trying to target the VM (which I suspect is incorrect/should be changed):
$Resources = Get-AzureRmResource -ResourceType "Microsoft.Compute/virtualMachines" -ResourceGroupName "MyTestGroup" -ResourceName "MyTestVM"
ForEach ($Resource in $Resources)
{
# PowerShell Code from Above here
}
UPDATE 1:
Now that we have determined that I am not targeting the VM properly, I tried Joe's recommendation, but when I try to run the following I get an error on the WinRm. I found the Connect-AzureVM.ps1, but am unsure if this is old or aligns to the newer RunAs Connection I am using. Here is my current script that attempts to connect to the VM and Invoke PowerShell.
param(
[parameter(Mandatory=$true)][String] 'https://myvmname.eastus.cloudapp.azure.com:5986,
[parameter(Mandatory=$true)][String] 'MyVMName'
)
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
# Get credentials to Azure VM
$Credential = Get-AutomationPSCredential -Name $VMCredentialName
Invoke-Command -ConnectionUri $Uri -Credential $Credential -ScriptBlock {
# My PowerShell Here
}
This is the error the script produces. I suspect its because I need to import/create a WinRM certificate on the VM I am targeting, but unsure if the Connect-AzureVM.ps1 is the right script to use or if there is another/more updated method to use for WinRM access:
[myvmname.eastus.cloudapp.azure.com] Connecting to remote server
myvmname.eastus.cloudapp.azure.com failed with the following error
message : WinRM cannot complete the operation. Verify that the
specified computer name is valid, that the computer is accessible
over the network, and that a firewall exception for the WinRM service
is enabled and allows access from this computer. By default, the
WinRM firewall exception for public profiles limits access to remote
computers within the same local subnet. For more information, see the
about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (myvmname.eastus.cloudapp.azure.com:String) [],
PSRemotingTransportException
+ FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionStateBroken
Run this inside the VM at an elevated prompt
https://gist.github.com/jeffpatton1971/2321f0db8025e48ad8ec13c243153045
From inside your Runbook do whatever you normally to wire it up but create some session options to pass along your invoke-command.
$SessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
Invoke-Command -ComputerName $VMname -Credential $Credential -UseSSL -SessionOption $SessionOption -ScriptBlock { }
You need to either add the VMs you want to run these scripts on as Azure Automation hybrid workers, so that you can target the script to run on them, or you need to, from your runbook running on Azure Automation's own workers, remote into each VM and from within the remoting block run the commands.
For the former, see: https://learn.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker
For the ladder:
Invoke-Command -ConnectionUri $Uri -Credential $Credential -ScriptBlock {
$computerSystem = Get-CimInstance Win32_ComputerSystem
"CPU: " + $computerCPU.Name
Get-WmiObject -Class Win32_LogicalDisk |
Where-Object {$_.DriveType -ne 5} |
Sort-Object -Property Name |
Select-Object Name, VolumeName, FileSystem, Description, `
#{"Label"="DiskSize(GB)";"Expression"={"{0:N}" -f ($_.Size/1GB) -as [float]}}, `
#{"Label"="FreeSpace(GB)";"Expression"={"{0:N}" -f ($_.FreeSpace/1GB) -as [float]}}, `
#{"Label"="%Free";"Expression"={"{0:N}" -f ($_.FreeSpace/$_.Size*100) -as [float]}} |
Format-Table -AutoSize
Get-NetAdapter -Name "*" | Format-Table
Get-NetOffloadGlobalSetting | Format-List
Test-NetConnection -Port 80
}
I'm quite new to Azure but I'm banging my head against something that seems simple. I've read a ton of resources that suggest this should be easy but I simply cannot get a runbook in the new portal (ARM) to start a specific VM. It runs and states "Completed" but nothing happens.
Here is the script:
Updated following Jack Zeng's comment which unfortunately changed little.
workflow StartDEVTC1
{
$VerbosePreference = "Continue"
$ErrorActionPreference = "Stop"
$WarnPreference = "Continue"
Write-Output "Getting credential..."
$cred = Get-AutomationPSCredential -Name 'AutomationPowershellCred1'
Write-Output "Adding account..."
Add-AzureRmAccount -Credential $cred
Write-Output "Getting VM..."
$VM = Get-AzureRmVM -ResourceGroupName "myResourceGroup" -Name "DEVTC1" -Status
$vmName = $VM.Name
$vmRG = $VM.ResourceGroupName
Write-Output "Checking state of $vmName from $vmRG..."
$VMDetail = $VM | Select-Object -ExpandProperty StatusesText | convertfrom-json
$vmPowerstate = $VMDetail[1].Code
if($vmPowerstate -like "PowerState/deallocated")
{
Write-Output "$vmName powerstate is $vmPowerstate, starting VM..."
$res = $VM | Start-AzureRmVM
if (($res.StatusCode) -ne 'OK')
{
Write-Error "Could not start VM."
}
}
else
{
Write-Output "$vmName powerstate is $vmPowerstate, not starting VM."
}
Write-Output "END."
}
As you can see I've tried adding some logging but I can't see these in the Testing Pane. Running the key steps in a Powershell on my PC works just fine so what's going on here?
The credential has been newly defined using the details of my azure account (I am an Owner on the account).
It should go without saying but I've tried some much simpler approaches to call Start-AzureRmVm and nothing works.
Thanks and appreciation in advance!
Ok I got it and the answer was frustratingly simple.
You cannot use a workflow block unless your runbook was created as a "PowerShell Workflow" runbook. In my case it was simply a "PowerShell" runbook which I guess was just ignoring the workflow block of code.
Recreating the runbook as a "PowerShell Workflow" runbook allowed the logging to be output so I could see what was happening and the VM got started as expected (although it took a really long time).
I was working on a script which I have downloaded from the gallery to stop all VMs running in a subscription. This was running perfectly until last week, but when I ran it yesterday, it couldnt find any VM in my subscription (VMs are there in my sub and running). Script is below:
workflow Stop-AllAzureVM
{
# Add the credential used to authenticate to Azure.
# TODO: Fill in the -Name parameter with the Name of the Automation PSCredential asset
# that has access to your Azure subscription. "myPScredName" is your asset name that reflects an OrgID user
# like "someuser#somewhere.onmicrosoft.com" that has Co-Admin rights to your subscription.
$Cred = Get-AutomationPSCredential -Name "myPsCred"
# Connect to Azure
Add-AzureAccount -Credential $Cred
# Select the Azure subscription you want to work against
# TODO: Fill in the -SubscriptionName parameter with the name of your Azure subscription
Select-AzureSubscription -SubscriptionName "MySubs"
# Get all Azure VMs in the subscription that are not stopped and deallocated, and shut them down
# all at once.
$VMs = Get-AzureVM | where-object -FilterScript {$_.status -ne 'StoppedDeallocated'}
if (!$VMs)
{
Write-Output "No VM running at the moment"
}
else
{
Write-Output "VM(s) found running, proceeding for shutdown"
}
foreach -parallel ($vm in $VMs)
{
$stopRtn = Stop-AzureVM -Name $VM.Name -ServiceName $VM.ServiceName -force -ea SilentlyContinue
$count=1
if(($stopRtn.OperationStatus) -ne 'Succeeded')
{
do{
Write-Output "Failed to stop $($VM.Name). Retrying in 60 seconds..."
sleep 60
$stopRtn = Stop-AzureVM -Name $VM.Name -ServiceName $VM.ServiceName -force -ea SilentlyContinue
$count++
}
while(($stopRtn.OperationStatus) -ne 'Succeeded' -and $count -lt 5)
}
if($stopRtn){Write-Output "Stop-AzureVM cmdlet for $($VM.Name) $($stopRtn.OperationStatus) on attempt number $count of 5."}
}
}
This script always prints "No VM running at the moment"
I tried Get-AzureVM without any condition also but the result was same.
I am not sure if something has changed in past couple of weeks which is resulting in this issue.
Update-1:
I tried adding below commands in script:
$VMs = Get-AzureVM
$subscriptions = Get-AzureSubscription
Write-Output "Found [$($subscriptions.Count)] subscriptions accessible to user"
Write-Output "Found [$($VMs.Count)] VMs in Subscription"
and I got below output:
Found [] subscriptions accessible to user
Found [0] VMs in Subscription
No VM running at the moment
So it looks like something weird had happened in my automation account and I dont seem to have any clue about it!
To all who are facing this issue, not sure if this is the right way to fix this but at least as a workaround, I tried creating a new automation account and copy pasted same runbook in it and it is working fine for me.