
What I need

I want to have an automation runbook that executes commands on a remote VM (the VM is a V2 or "Resource Manager" VM).

I found examples to make that work with Classic VMs but I can't make it work for RM VMs (best I found: https://alexandrebrisebois.wordpress.com/2015/08/14/azure-automation-remote-powershell-and-a-virtual-machine/).

Does anybody have an example of running PowerShell commands on a remote V2 VM in an automation runbook?

Where I'm stuck currently

I have tried to adjust the 2nd piece of the example code (the part that invokes the command) and I get the following error:

[vm-template] Connecting to remote server vm-template failed with the following error 
message : The WinRM client cannot process the request. If the authentication scheme is 
different from Kerberos, or if the client computer is not joined to a domain, then HTTPS 
transport must be used or the destination machine must be added to the TrustedHosts 
configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the 
TrustedHosts list might not be authenticated. You can get more information about that by
running the following command: winrm help config. For more information, see the 
about_Remote_Troubleshooting Help topic.
+ CategoryInfo          : OpenError: (vm-template:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : ServerNotTrusted,PSSessionStateBroken

My understanding is that since I am not using Kerberos (don't even know what that is) I must use HTTPS. And for that I must do the first half of the example code, which is about importing the certificate (importing where, btw, since the runbook runs "in Azure"?).

I found some pages that explain how to enable HTTPS (Connecting to remote server failed using WinRM from PowerShell) and create the certificate (http://www.jayway.com/2011/11/21/winrm-w-self-signed-certificate-in-4-steps/), but they require some commands to be run on BOTH machines; I certainly can run commands on my remote VM, but I don't understand how I could do it for the client machine, which does not really exist since the runbook is running directly in Azure.

Any help is greatly appreciated, thanks!

Nicolas
  • Hi, did you successfully run command in ARM VM using runbook? What did you do? I have the same problem and error but cant find any article that will help me. – do_Ob Apr 08 '16 at 07:05
  • Sorry I have given up on runbooks and use my own server to issue commands. – Nicolas Apr 08 '16 at 10:50

1 Answer

Is your network security group configured to open port 5985 (the WinRM HTTP port), or 5986 if using HTTPS? You also might need a public IP if you plan on using WinRM not from Azure Automation. You should also be able to use HTTP, so I think the error you're seeing is a generic failure-to-connect error.

Note: by default, WinRM over HTTP and the listener should be set up and listening on your machines. WinRM uses message-level encryption, so it's not completely in plaintext. You can verify with:

winrm e winrm/config/listener

Which should show you the listener with something like:

Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 1.1.1.1

Once you've verified that, I would verify that you can connect to the remote machine using WinRM from your own computer. You can easily do that with:

# Local administrator account on the Azure VM (not a domain account)
$username = '<admin-user>'
$pass = ConvertTo-SecureString -String '<password>' -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $pass
# Interactive session over the default HTTP listener (5985). The -Skip* options only
# affect certificate checks and therefore only matter once you add -UseSSL.
Enter-PSSession -ComputerName <public-IP> -Credential $cred -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck)

Note that you may have to set your trusted hosts on your own computer to trust the Azure machine to create the WinRM session. This can be done with something like: Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force

Note that you should use the Azure VM's actual name for security, not a wildcard.

theadriangreen
  • Thank you - running that command showed me that `ListeningOn = null` was the problem. I went to the Group Policy `Allow remote server management through WinRM` and put '*' as the IP filter and that fixed it. Initially I had the IP address of my client machine there but I guess I misunderstood that setting. So I assume now to secure this and ensure that only my client machine can allow WinRM it relies on the security group firewall in azure. I will live with running my commands from my client machine instead of the runbook - I find it stays in their queue for too long before being run. Thanks! – Nicolas Jan 09 '16 at 11:07
  • Do you know how secured this is in terms of commands sent to the remote machine? I understand it's using HTTP but you're saying the messages are encrypted? Can I send production commands containing credentials and sensitive values using this setup or should I now work towards using HTTPS instead of HTTP? – Nicolas Jan 09 '16 at 11:14
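The following is an added example, not code from the question, the answer or the linked blog post. It puts the three pieces the answer describes (NSG rule, WinRM listener on the VM, client-side Invoke-Command) into one script, but switched to the HTTPS listener on 5986 so that the ServerNotTrusted error goes away without touching TrustedHosts at all: over HTTPS the server is authenticated by its certificate, not by the TrustedHosts list. The resource group, NSG name, public IP, DNS label, client CIDR and Automation credential asset name are all assumed placeholders, and the AzureRM cmdlets are assumed to be the module family in use (the Az equivalents have the same parameters with the `AzureRm` prefix replaced by `Az`).

```powershell
# Added example (not from the original post). Three functions, each run in a different place:
#   1. Add-WinRmHttpsNsgRule      - where you are logged in to Azure (Login-AzureRmAccount)
#   2. Enable-WinRmHttpsListener  - inside the VM, elevated PowerShell
#   3. Invoke-OnAzureVm           - on your workstation, or inside an Azure Automation runbook
# All names, IPs and the DNS label below are assumptions for the example.

# ---- 1. Azure side: open 5986 (WinRM over HTTPS) from ONE source; 5985 stays closed ----
function Add-WinRmHttpsNsgRule {
    param(
        [string]$ResourceGroup = 'rg-demo',           # assumption
        [string]$NsgName       = 'nsg-vm-template',   # assumption
        [string]$ClientCidr    = '198.51.100.25/32'   # assumption: the only client allowed in
    )
    $nsg = Get-AzureRmNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
    $nsg | Add-AzureRmNetworkSecurityRuleConfig -Name 'Allow-WinRM-HTTPS' -Direction Inbound `
        -Access Allow -Protocol Tcp -Priority 1010 `
        -SourceAddressPrefix $ClientCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 5986 | Out-Null
    $nsg | Set-AzureRmNetworkSecurityGroup
}

# ---- 2. Inside the VM: HTTPS listener with a self-signed cert, firewall rule, verify ----
function Enable-WinRmHttpsListener {
    param([string]$DnsName = 'vm-template.westeurope.cloudapp.azure.com')   # assumption
    # Service running + default listener; -SkipNetworkProfileCheck avoids the
    # "network is Public" refusal that Azure VMs commonly hit.
    Set-WSManQuickConfig -Force -SkipNetworkProfileCheck
    # Certificate subject must match the name the client connects to, or the client
    # needs -SkipCNCheck (see function 3).
    $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation 'Cert:\LocalMachine\My'
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
    # Windows Firewall rule for 5986; the NSG rule in function 1 is a separate, outer layer.
    New-NetFirewallRule -DisplayName 'WinRM over HTTPS (5986)' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
    # Optional: remove the HTTP listener so only 5986 answers. This only works for listeners
    # created locally; a listener with Source="GPO" (as in the answer's output) is owned by
    # Group Policy and has to be removed there.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTP' } |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    # Same check as in the answer: expect Transport = HTTPS, Port = 5986, a
    # CertificateThumbprint, and ListeningOn populated (not null).
    winrm enumerate winrm/config/listener
}

# ---- 3. Client side (workstation or runbook): TLS session, no TrustedHosts change ----
function Invoke-OnAzureVm {
    param(
        [string]$Target = '203.0.113.10',   # assumption: the VM's public IP, or the DNS label above
        [pscredential]$Credential,
        [scriptblock]$ScriptBlock
    )
    # -SkipCACheck / -SkipCNCheck are needed only because the cert is self-signed and we
    # connect by IP. The session is still TLS-encrypted, but the server is then NOT
    # authenticated; with a CA-issued cert and the DNS name, drop both options.
    $opt = New-PSSessionOption -SkipCACheck -SkipCNCheck
    Invoke-Command -ComputerName $Target -Port 5986 -UseSSL -Credential $Credential `
        -SessionOption $opt -ScriptBlock $ScriptBlock
}

# Usage from a workstation:
#   $cred = Get-Credential -UserName 'vmadmin' -Message 'VM local admin'
# Usage from an Azure Automation runbook (credential stored as an Automation asset,
# assumed asset name 'vm-template-admin'):
#   $cred = Get-AutomationPSCredential -Name 'vm-template-admin'
# Invoke-OnAzureVm -Credential $cred -ScriptBlock { hostname; Get-Service WinRM | Select-Object Status, StartType }
```

Two points on the comments above. The IPv4 filter in the "Allow remote server management through WinRM" policy selects which local addresses the WinRM service listens on (which is why a client IP there produced `ListeningOn = null`); it does not restrict who may connect, so limiting clients belongs in the NSG rule and the Windows Firewall rule. On HTTP versus HTTPS: with Negotiate/NTLM authentication the WinRM payload is encrypted at the message level even on 5985, and the service refuses unencrypted traffic unless `AllowUnencrypted` is switched on; moving to 5986 additionally authenticates the server, which is what makes the TrustedHosts wildcard unnecessary.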