To deploy an Azure Windows VM, you'll need to create a resource group and a virtual network. This will serve as the foundation for your VM.
You can choose from two deployment models: Resource Manager and Classic. Resource Manager is the recommended model, as it provides more features and better management capabilities.
Azure provides a range of Windows VM images, including Windows 10 and Windows Server. You can also upload your own custom image.
Azure Windows VM Deployment
To create a Windows 11 VM in Azure, you can follow these steps: sign in to the Azure portal, select Virtual Machines, and click Create. You can then select your Azure subscription, resource group, and region, and choose Windows 11 as the image.
You'll need to specify the Administrator account details, including a username and complex password. For inbound rules, you can select Allow Selected ports and specify the network ports you want to use. Be sure to confirm your Windows 11 license and click Review+Create to validate your settings.
Once you've created your Windows 11 VM, you can view the deployment details, enable auto-shutdown, or run a script inside the virtual machine. Note that the AADLoginForWindows extension must be installed successfully for the VM to complete the Microsoft Entra join process.
Prerequisites
To deploy an Azure Windows VM, you'll need to meet some specific prerequisites. The Azure Windows VM Agent supports the x64 architecture for a range of Windows operating systems, including Windows 10, Windows 11, and various versions of Windows Server.
Here are the supported Windows operating systems:
- Windows 10
- Windows 11
- Windows Server 2008 SP2
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2016 Core
- Windows Server 2019
- Windows Server 2019 Core
- Windows Server 2022
- Windows Server 2022 Core
The Azure Windows VM Agent requires at least Windows Server 2008 SP2 (64-bit) to run, with the .NET Framework 4.0. Ensure that your VM has access to the IP address 168.63.129.16, as this is required for the Azure Windows VM Agent and extensions to work properly.
PowerShell
To get information about Azure VMs, you can use the Azure Resource Manager PowerShell module. This module allows you to retrieve details about your virtual machines, including the provisioning state for the Azure Windows VM Agent.
The ProvisionVMAgent property is nested inside OSProfile, and it indicates whether the VM agent has been deployed to the VM. You can use this property to determine the state of the VM agent.
To return a concise list of VM names running Windows OS together with the state of the Azure Windows VM Agent, filter the module's VM query on the Windows OS type and select the VM name and the ProvisionVMAgent value.
For VMs running Linux OS, the script is slightly different (it filters on the Linux OS type), but it still returns a concise list of VM names and the provisioning state of the VM agent.
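The report described in the two paragraphs above, written as an added example (not a script from the original page). It assumes the Az PowerShell module is installed and you are signed in with Connect-AzAccount; the resource group and VM names in the last line are placeholders.

```powershell
# Added example: list VMs of one OS type with the ProvisionVMAgent flag from OSProfile.
# Assumes the Az module (Az.Accounts, Az.Compute) and an existing Connect-AzAccount session.
function Get-VmAgentProvisionState {
    param([ValidateSet('Windows', 'Linux')] [string]$OsType = 'Windows')

    Get-AzVM | Where-Object { $_.StorageProfile.OsDisk.OsType -eq $OsType } |
        ForEach-Object {
            # ProvisionVMAgent sits under OSProfile, in an OS-specific sub-object.
            $cfg = if ($OsType -eq 'Windows') { $_.OSProfile.WindowsConfiguration } else { $_.OSProfile.LinuxConfiguration }
            [pscustomobject]@{
                ResourceGroup    = $_.ResourceGroupName
                Name             = $_.Name
                OsType           = $OsType
                ProvisionVMAgent = $cfg.ProvisionVMAgent   # $true when the agent was deployed at provisioning
            }
        }
}

# Windows VMs, with any VM lacking the agent listed first
Get-VmAgentProvisionState -OsType Windows | Sort-Object ProvisionVMAgent | Format-Table -AutoSize

# Linux VMs: same report, read from LinuxConfiguration instead
Get-VmAgentProvisionState -OsType Linux | Format-Table -AutoSize

# Live agent state for a single VM (needs -Status): agent version and its Ready/NotReady status.
# Placeholders: replace 'rg-placeholder' and 'vm-placeholder' with your own names.
(Get-AzVM -ResourceGroupName 'rg-placeholder' -Name 'vm-placeholder' -Status).VMAgent.Statuses
```

The first two calls use only the VM model (no guest contact), so a VM can show ProvisionVMAgent = True while the live status reported by -Status is NotReady; check both when the agent or an extension misbehaves.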
Network and Authentication
To enable Microsoft Entra authentication for your Windows VMs in Azure, you need to ensure that your VM's network configuration permits outbound access to specific endpoints over TCP port 443. This includes Azure Global, Azure US Government, and Azure China Cloud endpoints.
You'll need to allow access to these endpoints:
- https://enterpriseregistration.windows.net: for device registration.
- http://169.254.169.254: Azure Instance Metadata Service endpoint.
- https://login.microsoftonline.com: for authentication flows.
- https://pas.windows.net: for Azure RBAC flows.
Note that the specific endpoints vary by cloud (Azure Global, Azure US Government, Azure China).
Microsoft Entra Guest accounts can't connect to Azure VMs or Azure Bastion enabled VMs via Microsoft Entra authentication.
Network Requirements
To enable Microsoft Entra authentication for your Windows VMs in Azure, you need to ensure that your VM's network configuration permits outbound access to the following endpoints over TCP port 443.
Azure Global requires access to several endpoints, including https://enterpriseregistration.windows.net for device registration, http://169.254.169.254 for the Azure Instance Metadata Service, https://login.microsoftonline.com for authentication flows, and https://pas.windows.net for Azure RBAC flows.
Azure US Government requires access to https://enterpriseregistration.microsoftonline.us for device registration, http://169.254.169.254 for the Azure Instance Metadata Service, https://login.microsoftonline.us for authentication flows, and https://pasff.usgovcloudapi.net for Azure RBAC flows.
Azure China requires access to https://enterpriseregistration.partner.microsoftonline.cn for device registration, http://169.254.169.254 for the Azure Instance Metadata Service, https://login.chinacloudapi.cn for authentication flows, and https://pas.chinacloudapi.cn for Azure RBAC flows.
To confirm your network configuration meets these requirements, you can check the Azure portal or consult with your network administrator.
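A way to check these requirements from inside the VM, as an added example that is not part of the original page. It uses the three endpoint lists above for each cloud; the IMDS address is HTTP on a link-local address, so it is checked with a metadata request rather than a TCP/443 probe.

```powershell
# Added example: probe outbound TCP/443 to the Entra endpoints for one cloud, plus IMDS.
# Run from an elevated PowerShell window on the VM. Cloud names here are this script's own.
param([ValidateSet('AzureCloud', 'AzureUSGovernment', 'AzureChinaCloud')] [string]$Cloud = 'AzureCloud')

$endpoints = @{
    AzureCloud        = 'enterpriseregistration.windows.net', 'login.microsoftonline.com', 'pas.windows.net'
    AzureUSGovernment = 'enterpriseregistration.microsoftonline.us', 'login.microsoftonline.us', 'pasff.usgovcloudapi.net'
    AzureChinaCloud   = 'enterpriseregistration.partner.microsoftonline.cn', 'login.chinacloudapi.cn', 'pas.chinacloudapi.cn'
}

$results = foreach ($fqdn in $endpoints[$Cloud]) {
    # Test-NetConnection resolves the name and performs a TCP handshake on port 443
    $t = Test-NetConnection -ComputerName $fqdn -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Endpoint = $fqdn; ResolvedTo = $t.RemoteAddress; Reachable = $t.TcpTestSucceeded }
}

# IMDS: plain HTTP, no proxy, and the Metadata:true header is mandatory
try {
    $inst = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/instance?api-version=2017-08-01' `
                              -Headers @{ Metadata = 'true' } -TimeoutSec 5
    $imdsOk = -not [string]::IsNullOrEmpty($inst.compute.vmId)
} catch { $imdsOk = $false }
$results += [pscustomobject]@{ Endpoint = '169.254.169.254 (IMDS)'; ResolvedTo = 'link-local'; Reachable = $imdsOk }

$results | Format-Table -AutoSize
if ($results.Reachable -contains $false) { Write-Warning "Required endpoints for $Cloud are not all reachable." }
```

If a proxy is configured in the guest, confirm that 169.254.169.254 is excluded from it; IMDS requests routed through a proxy fail even when every public endpoint passes.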
Accessing Safe Mode CLI
To access the Safe Mode CLI, you'll need to use the Serial Console in Azure/Windows VM. This might not be enabled by default, especially if your VM was created with an older Windows image before 2018.
Enabling Serial Console is easy, though - just go to your Azure subscription, find the VM you need, and select it. From there, you can enable Serial Console in the settings.
Once you've enabled Serial Console, you can access the SAC (Safe Mode CLI) by typing 'cmd' and pressing enter. This will give you a command prompt where you can run commands to troubleshoot your system or get it up and running again.
You can also switch to PowerShell by entering the command.
Troubleshooting
Troubleshooting Azure Windows VM issues can be a challenge, but knowing where to look can make all the difference. If the AADLoginForWindows extension fails to install correctly, you can RDP to the VM using the local administrator account and examine the CommandExecution.log file under C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.1.
To verify that the Azure Instance Metadata Service endpoint is working correctly, you can run three PowerShell queries:
- `curl.exe -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01"`
- `curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"`
- `curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01"`
The expected output for these queries is, respectively, correct information about the Azure VM, a valid tenant ID associated with the Azure subscription, and a valid access token issued by Microsoft Entra ID for the managed identity assigned to the VM.
If you're experiencing sign-in problems, you can view the device and single sign-on (SSO) state by running `dsregcmd /status`. The goal is for the device state to show as AzureAdJoined: YES and for the SSO state to show AzureAdPrt: YES.
Troubleshoot Deployment Problems
Troubleshoot deployment problems by first checking the CommandExecution.log file under C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.1.
If the VM extension fails to install correctly, you'll need to RDP to the VM using the local administrator account. The log with the deployment error will be saved as CommandExecution_YYYYMMDDHHMMSSSSS.log if the extension restarts after the initial failure.
To verify that the Azure Instance Metadata Service endpoint is working correctly, open a PowerShell window on the VM and run the three queries listed in the Troubleshooting section above (instance information, identity info, and the access token) against the Azure host.
You can decode the access token by using a tool like https://jwt.ms/ to verify that the oid value matches the managed identity assigned to the VM.
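The three IMDS checks and the token inspection, as an added example that is not from the original page. It decodes the JWT payload locally instead of pasting a live token into a web tool, and compares the token's tenant claim with the tenant ID IMDS reports; claim names (oid, tid, iss, aud, exp) are standard Entra token claims.

```powershell
# Added example: run the IMDS instance, identity-info and token queries from the VM
# and decode the token payload offline. Signature is NOT validated; this is a readability aid.
$imds = 'http://169.254.169.254'
$hdr  = @{ Metadata = 'true' }

function ConvertFrom-JwtPayload([string]$Jwt) {
    # A JWT is header.payload.signature; each part is base64url without padding.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# 1. Instance information: proves IMDS is reachable from the guest
$inst = Invoke-RestMethod -Uri "$imds/metadata/instance?api-version=2017-08-01" -Headers $hdr
'VM {0} in {1}, resource group {2}' -f $inst.compute.name, $inst.compute.location, $inst.compute.resourceGroupName

# 2. Identity info: the tenant ID the extension needs (empty here is the error 1007 condition)
$info = Invoke-RestMethod -Uri "$imds/metadata/identity/info?api-version=2018-02-01" -Headers $hdr
'Tenant ID from IMDS: {0}' -f $info.tenantId

# 3. Token for the device-registration resource, decoded locally
$tok = Invoke-RestMethod -Uri "$imds/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01" -Headers $hdr
$claims = ConvertFrom-JwtPayload $tok.access_token
[pscustomobject]@{
    Issuer     = $claims.iss
    TenantId   = $claims.tid
    ObjectId   = $claims.oid      # must match the managed identity assigned to the VM
    Audience   = $claims.aud
    ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
}
if ($claims.tid -ne $info.tenantId) { Write-Warning 'Token tenant (tid) does not match the tenant ID from IMDS.' }
```

Compare the printed ObjectId with the identity shown on the VM's Identity blade in the portal; a mismatch means the token was issued for a different identity than the one you expect the extension to use.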
Terminal Error Code 1007
Terminal Error Code 1007 is a common issue that can be frustrating to resolve.
This error code translates to DSREG_E_MSI_TENANTID_UNAVAILABLE, which means the extension can't query the Microsoft Entra tenant information.
To troubleshoot this issue, connect to the VM as a local administrator and verify that the endpoint returns a valid tenant ID from Azure Instance Metadata Service.
Run the following command from an elevated PowerShell window on the VM: `curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"`
This command shows whether the tenant ID is available from the Instance Metadata Service. If no tenant ID is returned, the extension cannot complete the join; restore the VM's access to the metadata endpoint before retrying.
Troubleshoot Sign-in Problems
Troubleshoot sign-in problems by checking the device and single sign-on (SSO) state using the command dsregcmd /status. The goal is for the device state to show as AzureAdJoined : YES and for the SSO state to show AzureAdPrt : YES.
You can check the event logs in Event Viewer under the Applications and Services Logs\Microsoft\Windows\AAD\Operational event logs for RDP sign-in issues related to Microsoft Entra accounts.
If you encounter the error "Your account is configured to prevent you from using this device. For more info, contact your system administrator", it's likely due to a configuration issue with your account.
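One way to collect the sign-in state and the related event log in a single pass, as an added example that is not from the original page. It parses the key/value lines of `dsregcmd /status`, checks the two fields named above, and reads recent warnings and errors from the AAD operational log (the same log listed under Applications and Services Logs\Microsoft\Windows\AAD\Operational).

```powershell
# Added example: summarise dsregcmd /status and pull recent AAD operational events.
function Get-DsregState {
    # dsregcmd prints "    Key : Value" lines; section headers have no colon and are skipped.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined']
        AzureAdPrt    = $state['AzureAdPrt']
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
    }
}

$ds = Get-DsregState
$ds | Format-List

# Both values must be YES for Microsoft Entra RDP sign-in to work
if ($ds.AzureAdJoined -ne 'YES') { Write-Warning 'Device is not Microsoft Entra joined; the AADLoginForWindows join did not complete.' }
if ($ds.AzureAdPrt -ne 'YES')    { Write-Warning 'No Primary Refresh Token for this session; single sign-on state is not healthy.' }

# Warnings (3) and errors (2) from the last 24 hours in the AAD operational log
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AAD/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it in the context of the user who cannot sign in where possible, since AzureAdPrt reflects the current user's session, not the device as a whole.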
Manual Detection
Manual detection can be a straightforward process. To start, you need to be logged in to a Windows VM.
Open Task Manager, which is usually found by pressing the Ctrl + Shift + Esc keys simultaneously.
Select the Details tab, and look for a process named WindowsAzureGuestAgent.exe.
The presence of this process indicates that the VM agent is installed.
Accessing Safe Mode
To access Safe Mode, you need to load SAC first. Once SAC has loaded, type in 'cmd' and press enter. This gives you a command prompt where you can run whatever commands you need to troubleshoot your system and get it up and running again, which is especially helpful when you're resolving a critical issue.
From the same command line you can also change over to PowerShell if needed, which gives you more flexibility in your troubleshooting process.
Frequently Asked Questions
Is Windows VM free on Azure?
Azure offers 750 hours of free Windows Virtual Machine per month for free account users. This free allocation is part of the Azure free account benefits.
Can I run Windows 10 on Azure VM?
Yes, with Windows 10 Enterprise E3/E5 or Windows Virtual Desktop Access, you can run Windows 10 Virtual Machines on Azure. This allows you to bring your Windows 10 licenses to the cloud.
How to create VM in Azure step by step?
To create a VM in Azure, start by clicking "Create" and selecting "Azure Virtual Machine" with a valid subscription. Then, create a new Resource Group and name it, such as "myvm", to begin the setup process.
Can I create a free VM in Azure?
Yes, you can create a free virtual machine in Azure, but only if you have a free account with specific benefits. To do so, you'll need to select the correct parameters, such as image, VM size, and disk size, using Azure's free offer.
What is a VM in Azure?
An Azure virtual machine (VM) is a virtualized environment that runs on cloud infrastructure, offering flexibility without physical hardware maintenance. It requires ongoing management, including configuration, patching, and software installation, to ensure optimal performance.