 

PowerShell on target machines from Azure Pipelines

I have an Azure VM on which I would like to run some PowerShell commands remotely from Azure Pipelines. I set up WinRM on my VM with self-signed certificates and opened port 5986 on the VM's Azure firewall. I have been able to remotely execute some scripts I put on the VM from my local machine, but when I execute the same from a PowerShell on Target Machines task, I get an Access Denied error.

I have tried the v2 task as well, ticked Test Certificate and used an admin account I use to RDP to the machine, but got the same error. I wonder what I have missed in setting this up?

DavidBL asked Jul 16 '19 02:07


1 Answer

First, test that you can get PowerShell to execute remotely on your target from a laptop or other machine.

Use the PowerShell script below to test your WinRM connection and self-signed cert, and note the -SkipCNCheck -SkipCACheck PSSession options in the test script. These options are essential if you are using a self-signed cert, and you'll also need to provide the same switches in the "Session Options" of the "Run PowerShell On Target Machines" template (ver 3).

Set session switches to tell WinRM to ignore the cert CA/CN check

Note: I'm using a localhost IP for the example only, so as not to accidentally use a real IP.

# Test script: run it from the pipeline agent, a laptop or any other remote machine.
$password = ConvertTo-SecureString 'password goes here' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ('yourDomain\yourDomainUserId', $password)

# Tell WinRM to ignore the CA and CN checks; required with a self-signed cert.
$sessionOptions = New-PSSessionOption -SkipCNCheck -SkipCACheck

# 127.0.0.1 is a placeholder: use the target's external public IP (HTTPS listener on 5986).
$remote_session = New-PSSession -ComputerName 127.0.0.1 -UseSSL -Credential $credential -SessionOption $sessionOptions

# Any trivial command proves the TLS handshake and the logon both succeeded.
Invoke-Command -Session $remote_session -ScriptBlock { Get-Culture }

Remove-PSSession $remote_session

Also make sure you have set up a WinRM listener that listens on the external IP of the target machine, and register the self-signed cert thumbprint with that listener. Use the WinRM command to do that (use your actual external public-facing IP), example:

rem Run from an elevated cmd.exe on the target (in PowerShell, quote the @{...} argument).
rem 127.0.0.1 and the thumbprint below are placeholders.
winrm create winrm/config/Listener?Address=IP:127.0.0.1+Transport=HTTPS @{Hostname="some.hostname.outhere.net"; CertificateThumbprint="[YOUR CERT THUMBPRINT]ABCDEF0247283798137030174027"}

One more note: use the machine's external public IP in place of an FQDN or DNS name in the "Machines" field of the "Run PowerShell On Target Machines" template. You must do this if you are using a self-signed cert.

Once you get the test PowerShell script to connect and handshake using the self-signed cert from a remote machine, you are virtually guaranteed to have "Run PowerShell on Target Machines" work too.

Other things to check:

  • Make sure you have set up TrustedHosts using a wildcard "*" as the server name or IP. You can go back and fine-tune your security after you have the basic connection working.

  • You may need a domain-level GPO to allow the WinRM service to run unhindered, depending on whether your target machine is a standalone workstation or a machine joined to a domain.

If all else fails, download and install Wireshark on your target machine, set an IP filter to capture just the traffic from the client's IP, and analyze it; most of the time this will clue you in to what's being rejected and why.

Hope this helps.

Vance McCorkle answered Sep 28 '22 01:09
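The procedure in the answer above (HTTPS listener bound to a self-signed cert, firewall rule, then a test connection with the CA/CN checks skipped), as an added example that is not part of the original question or answer. It also adds the two checks that most often explain an "Access Denied" once the TLS handshake already works: whether the account is in Administrators or Remote Management Users, and whether UAC token filtering applies to a local admin on a non-domain VM. The DNS name vm.example.invalid, the IPs 203.0.113.10 and 198.51.100.20, and the user name deploy are hypothetical values.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Hypothetical values: VM DNS name
# 'vm.example.invalid', VM public IP 203.0.113.10, pipeline agent IP 198.51.100.20,
# local admin account 'deploy' used by the pipeline task.

# ---- Target VM: self-signed cert + HTTPS listener + host firewall rule ----------
function Install-WinRmHttpsListener {
    param([string]$DnsName, [int]$Port = 5986)

    # Reuse a self-signed cert for this name if one exists, otherwise mint one.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object Subject -eq "CN=$DnsName" |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My
    }

    # Replace any existing HTTPS listener with one bound to this cert on all addresses.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Remove-Item -Recurse -Force
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -Port $Port `
        -HostName $DnsName -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

    # Host firewall only; the Azure NSG rule for the port is configured separately.
    if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Allow | Out-Null
    }
    return $cert.Thumbprint
}

# ---- Target VM: usual causes of "Access Denied" after TLS already succeeds ------
function Test-WinRmAccessPrereqs {
    param([string]$UserName)

    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $rmu    = Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue
    $member = @($admins) + @($rmu) | Where-Object { $_.Name -like "*\$UserName" }

    # On a non-domain VM, UAC gives local admins other than the built-in Administrator
    # a filtered token over the network, so WinRM answers Access Denied unless this is 1.
    # Irrelevant for domain accounts.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue

    [pscustomobject]@{
        WinRmRunning             = (Get-Service WinRM).Status -eq 'Running'
        HttpsListener            = [bool](Get-ChildItem WSMan:\localhost\Listener |
                                       Where-Object { $_.Keys -contains 'Transport=HTTPS' })
        UserMayConnect           = [bool]$member
        LocalAdminTokenFilterOff = ($policy.LocalAccountTokenFilterPolicy -eq 1)
    }
}

# ---- Pipeline agent (or laptop): do exactly what the task will do --------------
function Test-WinRmHttps {
    param([string]$ComputerName, [pscredential]$Credential, [int]$Port = 5986)

    if (-not (Test-NetConnection $ComputerName -Port $Port -InformationLevel Quiet)) {
        Write-Warning "TCP $Port is closed: check the Azure NSG and the host firewall"
        return $null
    }
    # Self-signed cert: skip CA and CN validation, the same switches the task's
    # "Session Options" field needs (-SkipCACheck -SkipCNCheck).
    $opt = New-PSSessionOption -SkipCACheck -SkipCNCheck
    $s = $null
    try {
        $s = New-PSSession -ComputerName $ComputerName -Port $Port -UseSSL `
                -Credential $Credential -SessionOption $opt -ErrorAction Stop
        Invoke-Command -Session $s -ScriptBlock { "$env:COMPUTERNAME as $(whoami)" }
    } catch {
        # "Access is denied" here, after the handshake, points at the account
        # (group membership / token filtering), not at the certificate.
        Write-Warning $_.Exception.Message
    } finally {
        if ($s) { Remove-PSSession $s }
    }
}

# Usage: first two on the VM, the last from the agent.
# Install-WinRmHttpsListener -DnsName 'vm.example.invalid'
# Test-WinRmAccessPrereqs -UserName 'deploy'
# Test-WinRmHttps -ComputerName '203.0.113.10' -Credential (Get-Credential 'deploy')
# Once it works, narrow TrustedHosts on the agent from '*' to the target:
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value '203.0.113.10' -Force
```

Test-WinRmAccessPrereqs returns one object whose four fields should all be True for the account the pipeline uses; a False in UserMayConnect or LocalAdminTokenFilterOff is the typical explanation for the Access Denied in the question when the same credentials already work over RDP.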