Azure: Disabling the Windows Firewall on a virtual machine from the portal

The RDP client is one of the most heavily utilised tools in a system administrator’s toolkit. There are alternatives, for example console access, PowerShell, iLO or, in the case of a physical machine, the locally connected keyboard and monitor. This is fine for on-premises machines, but for machines running in the cloud most of these alternatives are not an option and RDP becomes a critical method of connectivity.

Over the past months I have seen an increase in the number of customers that have adjusted the guest Windows OS firewall, inadvertently locking themselves out and making it impossible to manage their Azure virtual machines.

The following article outlines one of the methods I have successfully used when restoring access. This method makes use of the Azure virtual machine Custom Script Extension and a snippet of PowerShell.

1. The first step is to open your preferred PowerShell editor and paste in the following code.

# Domain profile
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' -Name 'EnableFirewall' -Value 0

# Public profile
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' -Name 'EnableFirewall' -Value 0

# Standard (Private) profile
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -Name 'EnableFirewall' -Value 0

These commands update local registry values which in turn disable the three firewall profiles (domain, public and standard/private) on the next reboot of the machine.

A copy of the file can be downloaded from my GitHub disablefw.ps1.

2. Save the file as <filename>.ps1

3. Now login to the Azure portal and browse to the virtual machine that is having connectivity problems.

4. From the blade of the virtual machine, select Extensions

5. Click the +Add button and select Custom Script Extension from the popup menu.

6. Click on the folder icon to browse to where the <filename>.ps1 file has been stored and after selecting the file, click Open to upload it.

7. The virtual machine extension can now be installed by clicking OK.

NOTE: Additional Arguments are optional and for this task should be left blank.

8. Once the extension is installed, the Azure portal will report that provisioning has been successful.

9. It’s now time to restart the virtual machine before retrying an RDP connection.
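As an added example (this is not the post’s disablefw.ps1), the script below follows the same Custom Script Extension workflow but re-opens RDP in the guest firewall instead of switching the profiles off, and it records the firewall state before and after so the repair can be audited. It assumes Windows Server 2012 R2 or later (the NetSecurity cmdlets) and that the extension runs the script as SYSTEM; the log path and the fallback rule name are placeholders of my own.

```powershell
# Added example, not the original post's script. Restores RDP reachability
# through the guest firewall rather than disabling it. Run via the Custom
# Script Extension exactly as disablefw.ps1 is in the steps above.
# Assumes Windows Server 2012 R2+ (NetSecurity module), running as SYSTEM.

$LogPath = 'C:\restore-rdp.log'   # placeholder; choose a path you can retrieve later

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

# 1. Record the current state of the three profiles before changing anything.
$before = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
$summary = ($before | ForEach-Object { "$($_.Name)=$($_.Enabled)/$($_.DefaultInboundAction)" }) -join ', '
Write-Log "Profiles before: $summary"

# 2. Prefer the built-in 'Remote Desktop' rule group and enable it on every profile,
#    so the firewall itself stays on and only RDP is allowed through.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
if ($rdpRules) {
    $rdpRules | Set-NetFirewallRule -Enabled True -Profile Any
    Write-Log "Enabled $(@($rdpRules).Count) built-in Remote Desktop rule(s) on all profiles."
}
else {
    # 3. Fallback: an explicit inbound allow for TCP 3389, the default RDP port.
    $ruleName = 'Restore-RDP-3389'   # placeholder rule name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 3389 -Action Allow -Profile Any | Out-Null
        Write-Log "Created inbound allow rule '$ruleName' for TCP 3389."
    }
}

# 4. Verify: list every enabled inbound rule that covers TCP 3389. A profile whose
#    DefaultInboundAction is Block still honours these allow rules.
$open = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
$names = ($open | Select-Object -ExpandProperty DisplayName) -join ', '
Write-Log "Inbound TCP/3389 rules now enabled: $names"
```

Because this uses the firewall cmdlets rather than the registry, it takes effect immediately and no reboot is needed before retrying RDP. If the registry method from the post has already been used, the profiles can be switched back on once access is restored with `Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True`.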

This has proven to be very useful to me on a number of occasions; hopefully it will be of assistance to others.

As always, if any mistakes are spotted, feel free to leave me a comment.

Where has “Desktop Experience Mode” gone from Windows Server 1709?

First of all don’t panic, Windows Server Desktop Experience Mode has not gone for good!

Although for some time now Server Core has been seen as the preferred version of Windows Server for the enterprise, from experience most customers will still end up installing the full GUI version.

So why remove it from the latest Windows Server release 1709?

Windows Server, version 1709 is the first release in Microsoft’s new Semi-Annual Channel. The Semi-Annual Channel release is aimed at customers such as those that have a rapid development path, or perhaps those acting as hosting companies who wish to keep up with the latest Hyper-V investments. Microsoft plans for Windows Server products in the Semi-Annual Channel to be released twice a year, with each release in this channel being supported for 18 months from its initial release. Microsoft has stated that most of the features introduced in the Semi-Annual Channel will be rolled up into the next Long-term Servicing Channel release of Windows Server. However, the actual editions, functionality and supporting content might vary from release to release depending on customer feedback.

Windows Server as we know it, with the full Desktop Experience, will become the Long-term Servicing Channel of Windows Server 2016. If you want to stay in this channel, you should continue to install Windows Server 2016, which can be installed in Server Core mode or as Server with Desktop Experience.

These changes will call for a more informed discussion during project initiation phases. Choosing the correct OS will be based not only on the need for the latest and greatest features, but also on an acceptable upgrade cycle for the business, whether the customer is comfortable supporting Windows Server Core, and whether the technology being deployed as part of the proposed solution is supported. For example, Remote Desktop Services (RDS) would not take advantage of the new Semi-Annual Channel, whereas Hyper-V would.

Both releases will be supported with security updates and non-security updates, but feature updates to the LTSC would happen less frequently purely due to its release cycle.

Release channels and installation options

Installation option        Semi-Annual Channel (Windows Server)   Long-term Servicing Channel (Windows Server 2016)
Nano Server                Yes                                    No
Server Core                Yes                                    Yes
Server with Desktop        No                                     Yes

For much more on this subject, check out this Microsoft blog:

Changing the Network Location of a Windows 2012 R2 Server Network Connection

It’s sometimes necessary to manually change the network location configuration of a Windows Server 2012 R2 network connection. There are two common approaches to this, either by Local Group Policy or by PowerShell. In this post I will be stepping through how to implement either method.

Windows classifies network connections into one of three profiles; each profile configures the server with different firewall settings.

  • Private: Used for computers on a private or home network. This allows you to see computers and devices, while making your computer discoverable.
  • Public: Used for computers on a public network such as a coffee shop or internet café. Designed to keep your computer from being visible to other computers around you and to help protect your computer from malicious software from the Internet.
  • Domain: Used for computers that belong to an enterprise network.

By default, new network connections are configured with the public profile; however, if AD DS (Active Directory Domain Services) is found on the network, the profile automatically changes to domain.

Changing the Network Location by Local Group Policy

1. Run gpedit.msc to open the Local Group Policy Editor

2. Navigate to Computer Configuration / Windows Settings / Security Settings / Network List Manager Policies and double click the appropriate Network Name

3. From the popup window select the Network Location tab, then select the correct location type

4. Click OK and close the Local Group Policy Editor

5. Finally, checking back in the Network and Sharing Center, the network profile should now display the option chosen in the previous steps.


Changing the Network Location by PowerShell

As with most things on Server 2012, it is possible to use PowerShell to change the network category. We first need to list the network connections and make a note of the InterfaceIndex associated with the network connection we are looking to reconfigure.

1. Open an elevated PowerShell prompt and run the Get-NetConnectionProfile cmdlet to list the network connections.


2. Make a note of the InterfaceIndex for the network connection whose location needs changing. We can then use the following command to change the connection’s network location type:

Set-NetConnectionProfile -InterfaceIndex <ID> -NetworkCategory <Category>

For Example:

Set-NetConnectionProfile -InterfaceIndex 12 -NetworkCategory Private

3. To confirm the change has been made, rerun the Get-NetConnectionProfile cmdlet and check that the NetworkCategory reflects the new value.
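As an added example (not part of the original post), the function below wraps the three PowerShell steps above into one operation with a check before and after the change, so a mistyped InterfaceIndex does not silently reclassify the wrong adapter, and it then shows the firewall profile that now governs the connection. It assumes Windows Server 2012 R2 or later and an elevated prompt; the function and parameter names are my own.

```powershell
# Added example, not the original post's commands. Changes a connection's
# network location with pre- and post-checks. Assumes Windows Server 2012 R2+
# (NetConnection and NetSecurity modules) and an elevated PowerShell prompt.
function Set-NetworkLocation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [int] $InterfaceIndex,
        # Only Public and Private can be set by hand; DomainAuthenticated is
        # assigned by Network Location Awareness when a domain controller is found.
        [Parameter(Mandatory)] [ValidateSet('Public', 'Private')] [string] $Category
    )

    # Pre-check: the index must exist, and a domain-authenticated connection is
    # managed by NLA rather than by this cmdlet.
    $current = Get-NetConnectionProfile -InterfaceIndex $InterfaceIndex -ErrorAction Stop
    if ($current.NetworkCategory -eq 'DomainAuthenticated') {
        throw "Interface $InterfaceIndex ($($current.InterfaceAlias)) is domain-authenticated; its category is set by NLA, not manually."
    }
    if ($current.NetworkCategory -eq $Category) {
        Write-Verbose "Interface $InterfaceIndex ($($current.InterfaceAlias)) is already $Category."
        return $current
    }

    if ($PSCmdlet.ShouldProcess("$($current.InterfaceAlias) (index $InterfaceIndex)",
                                "Change network category $($current.NetworkCategory) -> $Category")) {
        Set-NetConnectionProfile -InterfaceIndex $InterfaceIndex -NetworkCategory $Category
    }

    # Post-check: re-read the profile rather than trusting the call succeeded.
    $after = Get-NetConnectionProfile -InterfaceIndex $InterfaceIndex
    if ($after.NetworkCategory -ne $Category) {
        throw "Interface $InterfaceIndex still reports $($after.NetworkCategory); expected $Category."
    }

    # Each location maps to a firewall profile, so show what now applies to this connection.
    Get-NetFirewallProfile -Name $Category |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
        Format-List | Out-String | Write-Verbose
    return $after
}

# Usage: list the connections first, then move one of them (index 12 is a
# constructed value; substitute the InterfaceIndex from the listing).
Get-NetConnectionProfile | Format-Table InterfaceIndex, InterfaceAlias, Name, NetworkCategory -AutoSize
Set-NetworkLocation -InterfaceIndex 12 -Category Private -Verbose
```

Running it with `-WhatIf` shows the category change that would be made without applying it, which is handy on a server where the wrong profile would change which firewall rules are active.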


Event Update #001


With many of the recent events slowly drawing to a close, I thought it worth making note of some of the ones I will be involved with during the second half of the year.

Transform the Datacentre Workshop with Microsoft

  • The Microsoft Cloud Platform Vision
  • What’s coming in Windows Server and System Center 2016
  • Build your Private Cloud with Windows Server and Hyper-V
  • Build your Hybrid Cloud With Microsoft Azure
  • Manage your Hybrid Cloud with Microsoft System Center and Operations Management Suite

Azure Round Table Workshop

The Azure round table events have been very successful and we have had lots of positive feedback. For this reason new dates and locations have been added to the current schedule. This workshop is high level: it starts with an overview of the Azure platform and then concentrates on some of the key areas that we believe offer the most value to customers. Numbers permitting, we are usually able to adjust the content depending on attendees’ areas of interest.

  • Extending your private cloud with Microsoft Azure
    • Azure Overview
    • IaaS
    • Recovery Services (DR/Backup)
    • RemoteApp
    • StorSimple
    • Web App
  • Mobilise your workforce with Enterprise Mobility Suite
    • Microsoft Azure Active Directory Premium
    • Microsoft Intune
    • Microsoft Azure Rights Management

NEW Azure Webinar

For anyone who is unable to attend the round table events, a new Azure webinar is being offered which can be better tailored towards your enterprise requirements.

To find out more on these events and others, check out Latest News and Events