PowerShell Windows remote management of virtual machines in Azure

Working remotely on virtual machines in Windows Azure using PowerShell is something I do quite often. The first thing I do after I created a new virtual machine is in fact to enable Windows Remote Management (WinRM). Enabling WinRM makes it possible to connect from you local PowerShell to a PowerShell session on the target machine, just like an SSH session in the Linux world. You also can register PowerShell script blocks, stored in external files, and get them executed on the target machine. Because WinRM in the Windows Azure world demands an SSL/TLS connection the communication is secured.

Adding a virtual machine endpoint for PS remoting

If it’s not created already you need to create en endpoint for the virtual machine to allow PowerShell remoting. PS remoting uses the TCP port 5986, so the definition for the Azure endpoint that allows HTTPS secured PowerShell remote sessions might look like this:

get-azurevm $mySvc $vmName | Add-AzureEndpoint -Name PS-HTTPS -Protocol TCP -LocalPort 5986 -PublicPort 5986 | Update-AzureVM

Enabling PowerShell remoting on the target machine

If you are dealing with a virtual machine that has an older versions of Windows 2012 R2 installed you need to run the following command:

This command starts the windows service, sets the startup type to automatic and assigns a (HTTP) listener endpoint to all addresses the vm is providing.
Microsoft made it much more easy for us with Windows 2012 R2, because since then the WinRM service is running by default.

Adding an HTTPS listener to WinRM

By default WinRM installs an HTTP listener, what is less secure. In Windows Azure we need to secure the communication using SSL/TLS. To enable that it’s necessary to add the appropriate listener on the target machine. This HTTPS listener needs to be bound to a server certificate, what can be self signed or assigned by the usual authorities on the internet.
If you have the certificate installed you can run following command to add the listener in a standard command shell on the target machine:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="HOSTNAME.cloudapp.net";CertificateThumbprint="THUMBRPINT"}
You need to replace the HOSTNAME by the host name of the target machine and the THUMBPRINT by the thumbprint value of the server certificate.
Now the virtual machine is ready to accept PowerShell remoting.

Open a Powershell Remote session using SSL and a credentials object

To open a remote session on the target machine in PowerShell we need to create a credentials object based on a username and password pair of the remote machine. We use a secure string object in PowerShell to handle the password securely.
$password = ConvertTo-SecureString $myPwd -AsPlainText -Force
$cred= New-Object System.Management.Automation.PSCredential ($username, $password)
Enter-PSSession -ComputerName HOSTNAME.cloudapp.net -Credential $cred -UseSSL
First we declare two variables for the password and username. Then we convert the plain text password into a secure string representation. Based on the secure password and the username we create a PowerShell credential object.
Finally, the Enter-PSSession command connects the remote machine and switches the context of the your PowerShell to the remote session just like SSH does on a Linux system.

Running a remote script using SSL and a credentials object

Running a script on a remote machine needs the same setup. We also need to provide a credentials object. The command can be a single line of code or a whole PowerShell script stored in a external file.
$password = ConvertTo-SecureString $myPwd -AsPlainText -Force
$cred= New-Object System.Management.Automation.PSCredential ($username, $password )
$computername= "HOSTNAME"
$cmdAutoAdmin = { New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name AutoAdminLogon -Value "1" }
invoke-command -ComputerName $computername -Credential $cred -UseSSL -ScriptBlock $cmdAutoAdmin

This example uses the invoke-command to patch the a registry value on the remote machine. First, the command is stored in the cmdAutoAmdin value and then invoked on the remote machine.


Dealing with virtual machines in Windows Azure using PowerShell

I’m a great fan of  Windows Powershell.

The Windows Azure CmdLets for Powershell are a handy and powerful collection of tools to configure virtual machines in Windows Azure. You could use the Azure portal though to create and configure virtual machines in Azure, but if you need spin up a lot of machines, the configuration can be much more convenient to setup Powershell scripts that do the job for you.

Here is a list of cmdlets I found most useful to create, update and delete virtual machines in Windows Azure.

Tipp: The examples might include values in UPPERCASE, those need to be replaced by real data, like credentials of subscription, storage names. 

First things first, download and Azure Subscriptions

First you need to install the Windows Azure Powershell, this can be done using the Web Platform Installer. If you need to know more about how to install and configure Windows Azure PowerShell follow this link.

After you’ve installed Windows Azure PowerShell it’s necessary to connect your Azure subscription to the Windows Azure Powershell. This is done by running the following command:


The command will open your default web browser and guide to the Azure portal. You will need to authenticate with your Microsoft Account.

You’ll be prompted to download and save a .publishsettings file.  The .publishsettings file contains a list of all subscriptions for which your Microsoft Account is an admin or co-admin, as well as a base64 encoded management certificate.

Windows Azure will automatically associate the newly created management certificate with every subscription for which your Microsoft Account is an admin or co-admin. (read more here)

After you’ve downloaded the setting file you need to import the file by running the following command:

Import-AzurePublishSettingsFile "PATH TO DOWNLOADED SETTINGS FILE"

To list all available subscriptions run:


Set current storage

To create virtual machines you need to tell your Azure Subscription which Azure storage it should use. This is done by:

Set-AzureSubscription -SubscriptionName "SUBSCRIPTION NAME" -CurrentStorageAccount "STORAGE NAME"

Browsing OS images and Datacenter locations in Windows Azure

To view Available OS Images just type Get-AzureVMImage. The following sample loads all images into the $images array and iterates through the array to print out the item index and name.

$images = Get-AzureVMImage
for ($i=0; $i -le $images.length-1;$i++) {Write-Host $i $images[$i].Imagename}

The following sample retrieves all images and pipes the result into the Where-Object cmdlet that returns just those images that have Windows in the imageName property.

Get-AzureVMImage | Where-Object {$_.ImageName -like "*windows*"}

To get a list of Datacenter Locations available in Windows Azure:

$locations = Get-AzureLocation
for ($i=0; $i -le $locations.length-1;$i++) {Write-Host $i $locations[$i].DisplayName}

Print only the names of the Azure Datacenter Locations using Select.

Get-AzureLocation | select Name

Creating a virtual machine using New-AzureQuickVM

To create a Quick VM, we need to name a unique service- and vm name. We need to provide a username and password for the administrator account and finally name the location where the system disk (VHD) should be placed in. Note: the current storage account and the location must fit together.

New-AzureQuickVM -Windows -name $vmName -ImageName $image -ServiceName $mySvc -Location $location -Password $myPwd -AdminUsername $username

Adding endpoints to the virtual machine

A virtual machine in Windows Azure is secured by an external firewall controlled by Windows Azure. To allow specific ports on the virtual machine to by accessible by the internet you need to configure endpoints for the virtual machines. Those endpoints are ports on the external firewall. Using port forwarding you can define which external ports should be open and to which internal ports requests should be forwarded.

Here’s a typical example using port 80 to allow access to a web server running on the virtual machine:

get-azurevm $mySvc $vmName | Add-AzureEndpoint -Name Web-HTTP -Protocol TCP -LocalPort 80 -PublicPort 80 | Update-AzureVM

This command is actually a concatenation of several cmdlets. First we get the virtual machine, then we add the endpoint and finally we perform an update of the vm. It needs a name, the protocol and the external and internal port to add an endpoint.