Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,458 questions
Unable to use CIS Windows Image as base for PackerBuild@1 task in Azure DevOps
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 37%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJJ%3C/text%3E%3C/svg%3E)
Jithin Joy
21
Reputation points
I'm trying to use a CIS (Center for Internet Security) hardened Windows image as a base image to build a custom managed image using packer build task in Azure DevOps (PackerBuild@1).
- task: PackerBuild@1
name: BuildImage
displayName: 'Build immutable image'
inputs:
templateType: builtin
ConnectedServiceName: $(AzureServiceConnection)
isManagedImage: true
managedImageName: wsrte-$(imageVersionPrefix)-$(Build.BuildId)
location: uksouth
storageAccountName: $(imageStorageAccountName)
azureResourceGroup: $(imageResourceGroup)
baseImage: 'center-for-internet-security-inc:cis-windows-server:cis-windows-server2019-l2-gen1:windows'
packagePath: ValidPath/file
deployScriptPath: deployScript.ps1
skipTempFileCleanupDuringVMDeprovision: false
Unfortunately, it fails and the I can see the below error message in Azure DevOps:
==> azure-arm: polling after CreateOrUpdate: Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details." Target="/subscriptions/dd826d9c-b0a2-408a-a4dc-230352883355/resourceGroups/pkr-Resource-Group-wqadfnezxo/providers/Microsoft.Resources/deployments/pkrdpwqadfnezxo" Details=[{"code":"ResourceDeploymentFailure","details":[{"code":"VMMarketplaceInvalidInput","message":"Creating a virtual machine from Marketplace image or a custom image sourced from a Marketplace image requires Plan information in the request. VM: '/subscriptions/dd826d9c-b0a2-408a-a4dc-230352883355/resourceGroups/pkr-Resource-Group-wqadfnezxo/providers/Microsoft.Compute/virtualMachines/pkrvmwqadfnezxo'."}],"message":"The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.","target":"/subscriptions/dd826d9c-b0a2-408a-a4dc-230352883355/resourceGroups/pkr-Resource-Group-wqadfnezxo/providers/Microsoft.Compute/virtualMachines/pkrvmwqadfnezxo"}]
Do I need to do something specific to make sure I'm able to use this particular image?
Note:
As seen in one of the document, I did accept the VM image terms using the below CLI command but still it fails:
az vm image terms accept --urn center-for-internet-security-inc:cis-windows-server:cis-windows-server2019-l2-gen1:latest
{count} votes
-
Prrudram-MSFT 22,046 Reputation points2024-01-30T05:58:04.7933333+00:00 @Jithin Joy
Currently, Azure DevOps is not supported on Microsoft Q&A. Please check this supported products list here (more to be added later on). However, the Azure DevOps team and community are active and answering questions on https://developercommunity.visualstudio.com/spaces/21/index.html Please post your question there and experts will guide you. You can also ask for help on Stack overflow: https://stackoverflow.com/questions/tagged/azure-devops
or request for support here : https://azure.microsoft.com/en-us/support/devops/
-
Jithin Joy 21 Reputation points
2024-02-01T09:16:14.71+00:00 Thank you @Prrudram-MSFT
I've posted my question in developercommunity.visualstudio.com -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 27%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENM%3C/text%3E%3C/svg%3E)
Nick Michels 0 Reputation points Microsoft Employee2024-03-14T02:05:48.9433333+00:00 Packer uses WinRM as its connection method (it doesn't yet support using SSH or other methods for windows). Unfortunately, the images provided by CIS (both level1 and level2) disable WinRM as a standard in their hardening specs. CIS specifically disables all network services that allow remote execution and management functions. About 2 years ago I was messing with using azure's remote-execution to essentially modify the image before packer ran, but it was a rats nest of modifications and would hit timing problems galore so I eventually abandoned the experiment.
Sign in to comment