I am trying to install the Microsoft Antimalware extension to an existing virtual machine.
Steps to reproduce the problem:
Using Visual Studio
1) Connect to Azure from VS
2) Select Server from Virtual Machines
3) Open Configuration properties.
4) Select Microsoft Antimalware from extensions and click Add.
5) Click Update. Outputs...
Updating virtual machine myVM...
Failed to update virtual machine. The probe setting for the endpoint group HTTP-80 is null. An external endpoint HTTP cannot specify a probe setting.
Using PowerShell
When following these MS instructions to install Antimalware using the Powershell , I get the error:
PS C:\> Update-AzureVM -Name $service -ServiceName $name -VM $vm.VM
Update-AzureVM : Could not find a deployment for 'myVM' in 'Production' slot.
At line:1 char:1
+ Update-AzureVM -Name $service -ServiceName $name -VM $vm.VM
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Update-AzureVM], ApplicationException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagement.IaaS.UpdateAzureVMCommand
To install antimalware via the powershell:
Make sure you are using the latest Azure Powershell version (version 0.8.12)
Get-Module
Now create a configuration file on disk in json format:
$JsonString="{ 'AntimalwareEnabled': true }"
$JsonString |Out-File $home\downloads\AzureAntimalware.json
Then select and update your VM:
Get-AzureVM -Servicename "myService" -Name "myVM" | Set-AzureVMMicrosoftAntimalwareExtension -AntimalwareConfigFile $home\downloads\AzureAntimalware.json | Update-AzureVM
This will install System Center Endpoint Protection onto the virtual machine.
When you try and launch System Center Endpoint Protection from the start menu you may be presented with the following error message:
Your system administrator has restricted access to this app.
To fix this issue, open a command prompt on the VM and enter:
cd "c:/program files/microsoft security client"
configsecuritypolicy cleanuppolicy.xml
This will create the necessary config files and fix the problem.
You will now be able to launch System Center Endpoint Protection from the start menu and configure the program in the usual way.
I'm a little late replying so you've probably solved the issue.
This is how I resolved it using Powershell:
http://go.microsoft.com/fwlink/?LinkID=394789&clcid=0x409 – Download the VM agent and install on the virtual machine
Activate the VM agent with the following:
$vm = Get-AzureVM –serviceName $svc –Name $name
$vm.VM.ProvisionGuestAgent = $TRUE
Update-AzureVM –Name $name –VM $vm.VM –ServiceName $svc
You can check if it’s running by opening task manager and clicking the details tab – Look for WaAppAgent.exe, WindowsAzureGuestAgent.exe, WindowsAzureTelemetryService.exe
Once running you can install AntiMalware with the following:
$servicename = "<SERVICE NAME HERE>"
$name = "<NAME HERE>"
# Get the VM
$vm = Get-AzureVM –ServiceName $servicename –Name $name
# Add Microsoft Antimalware Agent to the Virtual Machine
Set-AzureVMExtension -Publisher Microsoft.Azure.Security -ExtensionName IaaSAntimalware -Version 1.* -VM $vm.VM
# Update the VM which will install the Antimalware Agent
Update-AzureVM -Name $servicename -ServiceName $name -VM $vm.VM
You can check it works by looking in services.msc for Microsoft Antimalware service
Related
I have an Azure runbook where I am trying to deallocate VMs. When I run the runbook I get the error
Stop-AzureVM : No default subscription has been designated. Use Select-AzureSubscription -Default <subscriptionName> to
set the default subscription.
I have used the below in my script.
Add-AzureRmAccount
Select-AzureRMSubscription
After calling the select, it prints out
PSComputerName : localhost
PSSourceJobInstanceId :
Account :
Environment :
Subscription :
Tenant :
with the correct subscrption and tenant information so it seems the select is working correctly, but for some reason I still cannot use the Stop-AzureVM cmdlet.
Any ideas?
The command Stop-AzureVM is Azure Service Management PowerShell command. It just can be used to stop Azure classic VM. But the command Add-AzureRmAccount is Azure Resource Management PowerShell command. After running the command, we just can manage Azure Resource Management resources. For more details, please refer to here and here.
So with Azure ARM VM, please use the command Stop-AzureRmVM to stop it. Meanwhile, regarding how to stop Azure classic VM, please refer to the following steps
Create Azure Classic Run As Account
Script
$ConnectionAssetName = "AzureClassicRunAsConnection"
# Get the connection
$Conn = Get-AutomationConnection -Name $ConnectionAssetName
# Authenticate to Azure with certificate
$CertificateAssetName = $Conn.CertificateAssetName
$AzureCert = Get-AutomationCertificate -Name $CertificateAssetName
Set-AzureSubscription -SubscriptionName $Conn.SubscriptionName -SubscriptionId $Conn.SubscriptionID -Certificate $AzureCert
Select-AzureSubscription -SubscriptionId $Conn.SubscriptionID
#stop VM
Stop-AzureVM -ServiceName "ContosoService01" -Name "MyVM" -Force
Besides, regarding how to check if the VM is classic, please refer to the blog
Try Running the below :
Get-Module AzureRm.Profile -ListAvailable
This issue might occur when there is multiple instances of the module. If there are multiple instance remove the older modules and retain the new module.
To remove the old module : Uninstall-Module -Name AzureRm.Profile -RequiredVersion 4.6.0#(olderversion if you have any)
We have a Cloud Service (Classic) swap using powershell in Azure pipelines that has worked all year, setup by a previous employee and now it is failing with error:
Move-AzureDeployment : An error occurred while sending the request.
At D:\a\_temp\blahblahblah.ps1:8 char:1
+ Move-AzureDeployment -ServiceName $servicename
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Move-AzureDeployment], HttpRequestException
+ FullyQualifiedErrorId : System.Net.Http.HttpRequestException,Microsoft.WindowsAzure.Commands.ServiceManagement.H
ostedServices.MoveAzureDeploymentCommand
The actual job task is using PowerShell Script set as inline with Error action as Stop. The actual script:
$subid = 'blah-blah-blah-blah'
$servicename = "blahblahblah"
Select-AzureSubscription -SubscriptionId $subid
Move-AzureDeployment -ServiceName $servicename
$service = Get-AzureDeployment -ServiceName $servicename -Slot Production
Start-Sleep -s 300
Remove-AzureDeployment -ServiceName $servicename -Slot "Staging" -Force
I was sure this was maybe a Service connection with Management Certificate expired but I have one valid working and found it is setup exactly like another similar pipeline/service connection that is working.
So the issue was two things, SSL and PowerShell version issues after updates. To deal with SSL issues I added this line to the top of our inline script:
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
And for the PowerShell issue it required changing to the Azure PowerShell app for pipelines, so we could roll back to a specific task version and the 4.2.1 PowerShell Version as seen in this answer:
Programmatically Swap Staging Slot to Production Slot in Azure Cloud Service
This might be the only way to swap a Cloud Service (Classic) these days. A little annoying Azure pushed this classic service and never properly maintained it.
I have created some Azure VMs using the new Resource Manager and i'd like to stop them everyday.
To do so, i've published a runbook to stop aboth classic and ARM VMs, and i created a scheduler which runs the runbook every night :
workflow Stop-AzureVMs
{
$cred = Get-AutomationPSCredential -Name 'Cred'
Add-AzureAccount -Credential $cred
Select-AzureSubscription -Current 'SubscriptionName'
Get-AzureVM | Stop-AzureVM –Force
Get-AzureRmVM | Stop-AzureRmVM -Force
}
I have imported the AzureResourceManager module to my Azure Automation account :
But i am getting this error :
Exception
At line:34 char:2
+ Get-AzureRMVM | Stop-AzureRMVM -Force
+ ~~~~~~~~~~~~~ Cannot find the 'Get-AzureRMVM' command. If this command is defined as a workflow, ensure it is defined before the workflow that calls it. If it is a command intended to run directly within Windows PowerShell (or is not available on this system), place it in an InlineScript: 'InlineScript { Get-AzureRMVM }'
How is that possible ?
Edit : Below is the solution
$cred = Get-AutomationPSCredential -Name 'Cred'
Add-AzureRmAccount -Credential $cred
Select-AzureRmSubscription -Name 'SubscriptionName' -SubscipritionId 'SubscriptionId'
Get-AzureRmVM | Stop-AzureRmVM -Force
All workflows i found didn't mention the use of Add-AzureRmAccount and Select-AzureRmSubcription instead of the standard Add-AzureAccount and Select-AzureSubscription. I thought that the authentication process to our Azure account was the same.
Update : It is now possible to combine both ASM and ARM cmdlets within the same runbooks, see this post for more informations about ARM supported by default on Azure Automation
Looks like you imported the old version of the ARM cmdlets (before Azure PS 1.0) into Azure Automation. This was before the *-AzureRm* renaming. So tt should be Stop-AzureVM not Stop-AzureRmVM.
However, that makes it ambiguous as to whether you are trying to call Azure Service Management or Azure Resource Manager cmdlets -- which is exactly why the cmdlet names were renamed in Azure PS 1.0. I recommend you follow the guidance here.
As per my understanding ASM mode is default. If you are going for ARM command firstly switch mode is required using Switch-AzureMode
One more confusion is what is the purpose of Get-AzureRMVM command. I googled but coulndn't find anything -
The Get-AzureRMVM cmdlet is in the AzureRM.Compute module... The AzureRM* cmdlets are still in preview, I don't think they are available in Azure Automation yet.
The two modules in your screenshot above likely correspond to the 0.9.x version of the cmdlets and there were indeed two different modules (Azure=ASM and AzureResourceManager=ARM) behind Switch-AzureMode. Switch-AzureMode just unloads one and loads the other.
If Automation is still using the 0.9.x version of the cmdlets then you should be able to just use Get-AzureVM for ARM VMs using the AzureResourceManager module.
Below is the solution
$cred = Get-AutomationPSCredential -Name 'Cred'
Add-AzureRmAccount -Credential $cred
Select-AzureRmSubscription -Name 'SubscriptionName' -SubscriptionId 'SubscriptionId'
Get-AzureRmVM | Stop-AzureRmVM -Force
It is not yet possible to combine ARM and ASM cmdlets in same runbook apparently ... So you have to use only ARM cmdlet or ASM cmdlet.
Also, all workflows i found didn't mention the use of Add-AzureRmAccount and Select-AzureRmSubcription instead of the standard Add-AzureAccount and Select-AzureSubscription.
I thought that the authentication process to our Azure account was the same.
The Following code will work for both old style and new Style VM's but be aware this will shut down all machines with no warning.
{
# TODO: update to the name of the credential asset in your Automation account
$AutomationCredentialAssetName = "AzureAutomationRG"
# Get the credential asset with access to my Azure subscription
$Cred = Get-AutomationPSCredential -Name $AutomationCredentialAssetName
# Authenticate to Azure Service Management and Azure Resource Manager
Add-AzureAccount -Credential $Cred
Add-AzureRmAccount -Credential $Cred
"`n-Old Style VMS-`n"
# Get and output Azure classic VMs
$VMs = Get-AzureVM
$VMs.Name
Get-AzureVM | Stop-AzureVM -Force
"`n-New Style Resource Group VMs-`n"
# Get and output Azure v2 VMs
$VMsv2 = Get-AzureRmVM
$VMsv2.Name
Get-AzureRmVM | Stop-AzureRmVM -Force
}
For new Azure RM VMs use access extensions the following command:
Set-AzureRmVMAccessExtension -ResourceGroupName "ResourceGroupName" -VMName "VMName" -Username "Admin User Name" -Password "Admin Password" -Name "Extension Name"
Please note the -Name parameter is the arbitrary extension name.
This might be late to the party, but I would recommend you check out this link:
https://www.attosol.com/start-or-stop-all-vms-of-a-resource-group-in-azure/
Basically, you can create a script and write some aliases with switches to make your job super easy.
The most recent information I could find while scouring the net was a post 6 months old (back toward the original deployment of D-Series servers). How can you seamlessly upgrade an A-Series Azure VM to a D-Series Azure VM without a huge headache?
To find out what sizes are available in your Region (and see the InstanceSize naming sceheme to use in Powershell) use this PowerShell Cmdlet:
Get-AzureLocation | Where-Object {$_.DisplayName.Contains("<your-region>")}
View the VirtualMachineRoleSizes property to see what sizes you have access to.
To update a VM you can use the following set of commands:
Get-AzureVM -ServiceName <cloudservice> -Name <vmname> | Set-AzureVMSize -InstanceSize <sizevalue> | Update-AzureVM
If you run the above command on a running VM it will be restarted in order to provision it on the right host infrastructure to support your desired Series.
# To Upgrade or downgrade your Azure VM Plan you can use the following script
$ResourceGroupName = "CMLAB"
$VMName = "2007CMCEN"
$NewVMSize = "Standard_A5"
$vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
$vm.HardwareProfile.vmSize = $NewVMSize
Update-AzureRmVM -ResourceGroupName $ResourceGroupName -VM $vm
I am trying to add the Antimalware extension to a virtual machine for protection but when i try to add the extension in the Azure portal i get the following error:
Failed to add extension to virtual machine. The virtual machine request is invalid The specified source image is a user image. The image must be a platform image.
I have installed the VMAgent.
As extra information i have tried using powershell commands to install the extension by using the following commands and getting the respective responses:
$vm = Get-AzureVM –ServiceName "MyServiceName" –Name "MyVMName"
VERBOSE: ... - completed operation: Get Deployment*
Set-AzureVMExtension -Publisher Microsoft.Azure.Security -ExtensionName IaaSAntimalware -Version 1.* -VM $vm.VM
WARNING: The resource extension reference list is null or empty
AvailabilitySetName :
ConfigurationSets : {Microsoft.WindowsAzure.Commands.ServiceManagement.Model.NetworkConfigurationSet}
DataVirtualHardDisks : {"MyVMName"}
Label :
OSVirtualHardDisk : Microsoft.WindowsAzure.Commands.ServiceManagement.Model.OSVirtualHardDisk
RoleName : "MyVMName"
RoleSize : Large
RoleType : PersistentVMRole
WinRMCertificate :
X509Certificates :
NoExportPrivateKey : False
NoRDPEndpoint : False
NoSSHEndpoint : False
DefaultWinRmCertificateThumbprint : F4CF28C735C5E557C7B47742E4F16A08959272F1
ProvisionGuestAgent :
ResourceExtensionReferences : {IaaSAntimalware}
DataVirtualHardDisksToBeDeleted :
Update-AzureVM -Name "MyServiceName" -ServiceName "MyVMName" -VM $vm.VM
VERBOSE: 11:15:10 - Completed Operation: Get Deployment
VERBOSE: 11:15:10 - Begin Operation: Update-AzureVM
VERBOSE: 11:15:42 - Completed Operation: Update-AzureVM
OperationDescription OperationId OperationStatus
-------------------- ----------- ---------------
Update-AzureVM 387b77a2-c8fc-233a-913d-cd364c855429 Succeeded
After i run the commands i check and VMAgent is installed on the VM but no extension.
Does anyone have any ideas?
Thanks!!
The cause might be your first line
$vm = Get-AzureVM –ServiceName "MyServiceName" –Name "MyVMName"
When -servicename and -name are not specified, Get-AzureVM returns no VM object
Set-AzureVMextension only works with -VM input
Try this:
https://gist.github.com/andreaswasita/428fc5519b0ddac76b01
In my experience, this warning is due to the Azure Guest agent not being deployed on the VM, not running on the VM, or being out-of-date. If the VM doesn't have a healthy (and current) guest agent, you won't be able to deploy extensions.
You can check the guest agent status with:
$vm.GuestAgentStatus
You'd be looking for a "Status" of "Ready"; anything else and the extension is likely to fail. Extending Klaad's code then...
# Azure Cloud Service and Azure VM Name
$service= Read-Host -Prompt 'Azure Cloud Service:'
$name = Read-Host -Prompt 'Azure VM:'
# Get the Cloud Service and Azure VM
$vm = Get-AzureVM –ServiceName $service –Name $name
# Check for health of the agent
If ($vm.GuestAgentStatus.Status -ne "Ready") {
Write-Error "The VM agent appears to not be installed or is in an unhealthy state."
}
Else {
# Add Microsoft Antimalware Agent to the Azure VM
Set-AzureVMExtension -Publisher Microsoft.Azure.Security -ExtensionName IaaSAntimalware -Version 1.* -VM $vm.VM
# Update the Azure VM and install the Antimalware Agent
Update-AzureVM -Name $name -ServiceName $service -VM $vm.VM
}
To check if the agent is there, you can look for the following three processes on the server:
WaAppAgent.exe
WindowsAzureGuestAgent.exe
WindowsAzureTelemetryService.exe
You can download the agent from here (current version at time of edit is 2.6.1198.718).
Installation requires two steps (Source: Zach Millis):
Install the agent. This requires you to run PowerShell as an Administrator and execute the installer from within the PowerShell prompt. (Do not run directly)
Update Azure so it knows about the agent. This requires the following code to be executed:
Code:
# Azure Cloud Service and Azure VM Name
$service= Read-Host -Prompt 'Azure Cloud Service:'
$name = Read-Host -Prompt 'Azure VM:'
# Get the Cloud Service and Azure VM
$vm = Get-AzureVM –ServiceName $service –Name $name
# Provision the guest agent so Azure knows about it
$vm.VM.ProvisionGuestAgent = $TRUE
# Update the Azure VM and install the Antimalware Agent
$vm | Update-AzureVM
# Refresh the connection to the VM to get the new status
$vm = Get-AzureVM –ServiceName $service –Name $name
# Check status - should now be "Ready"
$vm.GuestAgentStatus
That should be it.