Azure: Disabling the Windows Firewall on a virtual machine from the portal

The RDP client is one of the most heavily utilised tools in a system administrator’s toolkit. There are alternatives, for example console access, PowerShell, iLO or, in the case of a physical machine, the locally connected keyboard and monitor. This is fine for on-premises machines, but for machines running in the cloud most of the alternative methods are not an option and RDP becomes a critical method of connectivity.

Over the past months I have seen an increase in the number of customers that have adjusted the guest Windows OS firewall, inadvertently locking themselves out and making it impossible to manage their Azure virtual machines.


The following article outlines one of the methods I have successfully used when restoring access. This method makes use of the Azure virtual machine Custom Script Extension and a snippet of PowerShell.

1. The first step is to open your preferred PowerShell editor and paste in the following code.

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' -Name "EnableFirewall" -Value 0

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' -Name "EnableFirewall" -Value 0

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -Name "EnableFirewall" -Value 0

These commands update local registry values, which in turn disable the three firewall profiles (domain, public and standard/private) on the next machine reboot.

A copy of the file can be downloaded from my GitHub: disablefw.ps1.


2. Save the file as <filename>.ps1

3. Now log in to the Azure portal and browse to the virtual machine that is having connectivity problems.

4. From the blade of the virtual machine, select Extensions


5. Click the +Add button and select Custom Script Extension from the popup menu.


6. Click on the folder icon to browse to where the <filename>.ps1 file has been stored and after selecting the file, click Open to upload it.


7. The virtual machine extension can now be installed by clicking OK.

NOTE: Additional Arguments are optional and for this task should be left blank.

8. Once the extension is installed, the Azure portal will report that provisioning has been successful.


9. It’s now time to restart the virtual machine before retrying an RDP connection.
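Once RDP access is back, the three profiles can be switched on again with RDP explicitly allowed. The script below is an added example, not part of the original post or the GitHub file; it assumes an elevated PowerShell session on the VM and the built-in "Remote Desktop" rule group under its English display name.

```powershell
# Added example: re-enable the Windows Firewall after access has been restored.
# Run in an elevated PowerShell session on the VM (for example over the restored RDP session).

$base     = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy'
$profiles = 'DomainProfile', 'PublicProfile', 'StandardProfile'

# 1. List enabled inbound block rules so the rule that caused the lockout
#    can be found and corrected before the firewall is switched back on.
Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Select-Object DisplayName, Profile, Direction, Action |
    Format-Table -AutoSize

# 2. Make sure the built-in RDP allow rules are enabled.
#    Assumption: English display name of the rule group.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Reverse the registry change made by the lockout-recovery script.
foreach ($p in $profiles) {
    Set-ItemProperty -Path (Join-Path $base $p) -Name 'EnableFirewall' -Value 1
}

# 4. Apply the same state to the running policy so no reboot is needed.
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True

# 5. Verify: every profile should report Enabled = True.
$stillOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($stillOff) {
    Write-Warning ("Profiles still disabled: " + ($stillOff.Name -join ', '))
} else {
    Write-Output 'All firewall profiles are enabled.'
}
```

Keep the current RDP session open and test a second connection before closing it, so a remaining block rule does not cause another lockout.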


This has proven to be very useful to me on a number of occasions; hopefully it will be of assistance to others.

As always, if any mistakes are spotted, feel free to leave me a comment.

Helpful Cmdlets

Over the past few years when deploying Hyper-V, SCVMM or Windows Clustering, I have found myself searching around for little snippets of PowerShell or Cmdlets to make basic configuration changes to the environments. I know there are some fantastic scripts out there that will step you from the beginning to end of full builds, but on many occasions, these short one or two liners have been of great help.

If all goes to plan, I will add additional posts to the series with similar content.

Changing the metrics of a cluster network

(Get-ClusterNetwork "CSV Network").Metric = 900

Revert the network back to autometric

(Get-ClusterNetwork "Cluster Network 1").AutoMetric = $true

The network metric is used by Windows to determine which network should be used for CSV communications when cluster shared volumes are installed. The lowest metric network would be chosen for this purpose, with the second lowest being designated for live migration. (It is also possible to select a live migration network from within the GUI.)

Check ODX Status (return value 0 = ODX enabled, return value 1 = ODX disabled)

Get-ItemProperty hklm:\system\currentcontrolset\control\filesystem -Name "FilterSupportedFeaturesMode"

Disable ODX

Set-ItemProperty hklm:\system\currentcontrolset\control\filesystem -Name "FilterSupportedFeaturesMode" -Value 1

ODX is a feature that allows Windows to move or copy data from one device to another, or from one location on a device to another location on the same device, without transferring the data through the Windows machine, essentially offloading the workload to the device and speeding up the transfer.

Disable TRIM

fsutil behavior set disabledeletenotify 1

Re-Enable TRIM

fsutil behavior set disabledeletenotify 0

SCVMM 2012 R2 displays duplicate VMs

Get-VM "DuplicateVM" | Where Cloud -eq $Null | Remove-VM -Force

This command will remove the VM from the SCVMM DB, yet leave the VM on the Hyper-V host/Cluster. Once removed from SCVMM, refresh the cluster to reregister the VM in SCVMM.

Discover WWN info from a Hyper-V host using PowerShell

Open a PowerShell session with administrator privileges, then run: Get-InitiatorPort

Fibre Output: [screenshot not preserved]

iSCSI Output: [screenshot not preserved]

Disable all disconnected Adapters on a Hyper-V host

Get-NetAdapter -Physical | Where-Object {$_.Status -eq "Disconnected"} | Disable-NetAdapter

How to add host management credentials to Hyper-V Hosts in SCVMM that are greyed out via the console

Open PowerShell and Import the SCVMM Module, or open SCVMM PowerShell from the top ribbon in the SCVMM console.

$YourCluster = Get-SCVMHostCluster -Name YOUR-CLUSTER-NAME

$YourRunAs = Get-SCRunAsAccount -Name "YOURRUNASACCOUNT"

Set-SCVmHostCluster -VMHostCluster $YourCluster -VMHostManagementCredential $YourRunAs

Replace YOURRUNASACCOUNT with the VMM Run As account and YOUR-CLUSTER-NAME with the name of the cluster. It can take a minute to run, but afterwards your hosts in the cluster will be managed with the new Run As account. You can right-click on any host and go to Properties > Host Access to verify.

Edit BCD to allow dual boot of Windows 8

Using bcdedit.exe /enum

To enable the computer to also boot to a second Windows 8, you can use bcdedit.exe with the following command, which will copy the current Windows Boot Loader details for Windows 8 to a second record for Windows 7/8 or Server 2012.

bcdedit.exe /copy {current} /d "Second Microsoft Windows 8"

bcdedit.exe will respond with something like the following.

The entry was successfully copied to {…………………………..}.

If you use bcdedit.exe /enum to enumerate the current entries within the BCD store again, you’ll see the newly added entry.

Before you can use the newly created Windows boot loader configuration, you’ll need to change the partition for the second Windows 8 using the following two bcdedit.exe commands.

bcdedit.exe /set {……………………………} device partition=D:

bcdedit.exe /set {……………………………} osdevice partition=D:

If you now reboot the system, you should be able to boot into either copy of Windows 8.
