Pre-requisites for using Azure VMs in WinRM based Tasks in Build and Release management workflows

Azure VM pre-requisites

 

If you are using a pre-provisioned Azure machine as part of a Build or Release Management workflow and you would like to use workflow Tasks that are based on WinRM remote PowerShell for deployment (for example, PowerShell on Target Machines or Windows File Copy), ensure that all the pre-requisites on the Azure VM are in place before using it for deployment.

NOTE: If you would like WinRM configurations to be automatically handled by Task, then refer to the post.

a)     Ensure you have WinRM firewall ports opened for your resource group

In the Azure portal, create an inbound security rule that allows TCP/5986 for WinRM.

 

 

b)     Ensure you have WinRM listener configured for https

  • From within the Azure VM, run the command below to check whether you have a WinRM listener for HTTPS.

winrm e winrm/config/listener

 

  • If a WinRM listener is not already configured, configure WinRM for HTTPS. Run the command from a Command Prompt; in PowerShell the @{...} argument must be wrapped in single quotes.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<*.westus.cloudapp.azure.com>";CertificateThumbprint="<thumbprint>"}

You can create a self-signed certificate (using makecert.exe) for server authentication and use it.

Example:

makecert -sk "mydomain.com" -ss My -sr localMachine -r -n "CN=mydomain.com" -a sha1 -eku "1.3.6.1.5.5.7.3.1"

 

  • Verify that the WinRM listener is configured correctly.

winrm e winrm/config/listener

 

c)      Ensure your Azure VM is not in a public network location.

PowerShell Remoting has limitations when working with machines in a public network location. Refer to this blog for details.

You can verify and change the network location using secpol.msc. Refer to this for guidance.
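
The checks in steps b) and c) can also be scripted from PowerShell on the VM. The script below is an added example, not part of the original post: it uses New-SelfSignedCertificate in place of makecert.exe (which Microsoft has deprecated) and the WSMan: drive in place of the winrm command line. The DNS name is a placeholder assumption, and the helper function name is hypothetical.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the Azure VM.
# ASSUMPTION: placeholder DNS name; use the name the agent connects to, so it matches the certificate.
$dnsName = 'myvm.westus.cloudapp.azure.com'

function Get-HttpsListener {
    # Same information as 'winrm e winrm/config/listener', filtered to HTTPS.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
}

# Step b) Create the HTTPS listener only if none exists.
if (-not (Get-HttpsListener)) {
    # Reuse an unexpired certificate for this name, otherwise create a self-signed one.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$dnsName" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        $cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation Cert:\LocalMachine\My
    }
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -HostName $dnsName -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
}

# Verify: each HTTPS listener must point at a certificate that exists and has not expired.
foreach ($listener in (Get-HttpsListener)) {
    $settings = Get-ChildItem $listener.PSPath
    $thumb = ($settings | Where-Object { $_.Name -eq 'CertificateThumbprint' }).Value -replace '\s'
    $port  = ($settings | Where-Object { $_.Name -eq 'Port' }).Value
    $bound = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $bound) {
        Write-Warning "Listener on port $port references a certificate that is not in LocalMachine\My."
    } elseif ($bound.NotAfter -lt (Get-Date)) {
        Write-Warning "Listener certificate $($bound.Subject) expired on $($bound.NotAfter)."
    } else {
        Write-Output "HTTPS listener OK: port $port, $($bound.Subject), valid until $($bound.NotAfter)."
    }
}

# Step c) Report connections in the Public network location (changing it is left to the admin).
Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' } | ForEach-Object {
    Write-Warning "Interface '$($_.InterfaceAlias)' is in the Public network location."
}
```

The script is safe to re-run: it leaves an existing HTTPS listener untouched and only reports on it.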

Verification

 

A quick way to verify that PS remoting works before you start using the machine in a workflow is to execute the script below. It is preferable to run it from the automation agent box, so that any connection problem shows up before the workflow executes.

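# Skip the CA trust check only; needed when the listener uses a self-signed certificate
$soptions = New-PSSessionOption -SkipCACheck
# Prompt for an account that is allowed to log on to the target VM
$cred = Get-Credential
# Replace the placeholder with the DNS name of the target VM
$computername = "<EnterComputerName>"
# WinRM HTTPS port opened in step a); change it if your port differs
$computerport = 5986
# A successful connection opens an interactive remote session on the VM
Enter-PSSession -ComputerName $computername -Port $computerport -Credential $cred -SessionOption $soptions -UseSSL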