Enabling RDP on a VM Uploaded to Azure
The short version of this story is: Before uploading a VHD to Azure, make sure you’ve enabled remote RDP (installing Azure PowerShell is a good idea too). But if you forget (and your VM is running Windows Server 2012), it can be fixed without having to redo a massive upload.
We recently did a demo for a prospective client, and wanted to give that client access to the VM the demo was on to further explore and tinker with the solution. Azure IaaS makes perfect sense here – upload the VM right to Azure and let the client have access. The VM can be spun up on demand, and can be removed when it’s no longer needed – and it won’t require any special permissions or network/firewall rules on either end.
There are several helpful guides to prepping and uploading a VHD to Azure:
The upload process went fairly smoothly – we let it run overnight and in the morning our VHD was there and ready to be attached and booted.
For better or worse (maybe just because it should be so obvious), none of the guides mention the fact that remote RDP should be enabled before uploading your VHD (and I forgot to do so before starting the upload). The process to do that is fairly trivial: run SystemPropertiesRemote and then use the GUI to configure your settings.
There are ways to enable RDP on an Azure VM from the portal or using PowerShell – if you created the VM using the portal, or if you had Azure PowerShell installed before uploading the VHD. Neither of these was true in my case. However, Windows Server 2012 enables PowerShell remoting by default, and by default allows access to it on public networks from the local subnet. This was our way in.
We created another VM on Azure on the same local subnet as the uploaded VM. The uploaded VM had an IP of 10.0.0.4, and the new VM was 10.0.0.5. After logging into the new (RDP-accessible) VM, we ran the following commands in PowerShell:
    # Add the uploaded VM's IP to the trusted hosts (this replaces any existing TrustedHosts value)
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value 10.0.0.4 -Force
    # Restart to update WinRM
    Restart-Service WinRM

    # Login information
    $user = "Administrator"
    # Named $plainPwd rather than $pwd, which is PowerShell's automatic current-directory variable
    $plainPwd = "MyPasswordForAdministrator"
    $secPwd = ConvertTo-SecureString $plainPwd -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($user, $secPwd)

    # Enter the remote PowerShell session
    Enter-PSSession 10.0.0.4 -Credential $credential
    # Prompt should change to [10.0.0.4] C:\users\Administrator\Documents >

    # Allow remote RDP connections
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
    # Allow through firewall
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
    # Set up authentication for RDP (1 = require Network Level Authentication)
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
And then, we could successfully RDP into the remote machine. In all, this process took about an hour to work out – instead of another overnight upload!
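A follow-up check, added here as an example and not part of the original procedure: run from the helper VM (10.0.0.5), it reads back the three settings changed above on 10.0.0.4, then removes the TrustedHosts entry that was only needed for the repair. The variable names are illustrative, and the credential is prompted for rather than stored in plaintext.

```powershell
# Added example: verify the RDP configuration on the uploaded VM, then undo
# the temporary WinRM trust on the helper VM. IPs are the ones from the post.
$target = '10.0.0.4'
$cred   = Get-Credential -UserName 'Administrator' -Message "Account on $target"

# Read the settings back over PowerShell remoting instead of assuming they stuck.
$state = Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdp = Join-Path $ts 'WinStations\RDP-Tcp'
    [pscustomobject]@{
        # fDenyTSConnections = 0 means RDP connections are accepted
        RdpEnabled    = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
        # UserAuthentication = 1 means Network Level Authentication is required
        NlaRequired   = (Get-ItemProperty -Path $rdp -Name UserAuthentication).UserAuthentication -eq 1
        # Enabled rules in the "Remote Desktop" group and the profiles they apply to
        FirewallRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                            Where-Object { $_.Enabled -eq 'True' } |
                            ForEach-Object { '{0} [{1}]' -f $_.DisplayName, $_.Profile })
    }
}
$state | Format-List RdpEnabled, NlaRequired, FirewallRules

if (-not $state.RdpEnabled)        { Write-Warning 'RDP is still disabled (fDenyTSConnections is not 0).' }
if (-not $state.NlaRequired)       { Write-Warning 'NLA is not required (UserAuthentication is not 1).' }
if ($state.FirewallRules.Count -eq 0) { Write-Warning 'No enabled firewall rule in the "Remote Desktop" group.' }

# Remove only the entry added for the repair; any other trusted hosts are kept.
$path      = 'WSMan:\localhost\Client\TrustedHosts'
$remaining = (Get-Item $path).Value -split ',' |
                 Where-Object { $_.Trim() -and $_.Trim() -ne $target }
Set-Item $path -Value ($remaining -join ',') -Force
```

Run the cleanup only once RDP access to the uploaded VM is confirmed, since the TrustedHosts entry is what lets the helper VM reach it by IP over WinRM.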