Previously I asked a question on this, and Microsoft gave me the answer to open ports 5985/5986. I have done this, and I even allowed all traffic, but the issue is not resolved. You can also see the security group rules of my appliance and migration VM.
Azure Migrate
-
Vinod Pittala • 2,320 Reputation points • Microsoft External Staff • Moderator
2025-05-07T21:15:42.31+00:00 Hello SHAILENDRA PRASAD SHUKLA,
If the Azure Migrate appliance is failing validation even though ports 5985/5986 are open on the VM side, here are the most common causes:
The appliance communicates with Windows servers over WinRM port 5986 (HTTPS) by default. If the HTTPS prerequisites aren't configured on the target servers, the appliance communication will fall back to WinRM port 5985 (HTTP). To enforce HTTPS communication without fallback, enable the HTTPS protocol toggle in the Appliance Config Manager.
After enabling the checkbox, ensure that the prerequisites are configured on the target servers:
- If certificates aren't configured on the target servers, discovery will fail on the currently discovered servers and on newly added servers.
- WinRM HTTPS requires a local computer Server Authentication certificate with a CN matching the hostname to be installed. The certificate must not be expired, revoked, or self-signed. Refer to the article on configuring WinRM for HTTPS for more information.
- To confirm WinRM is listening on HTTPS, type the following command:
winrm enumerate winrm/config/listener
- To confirm a computer certificate has been installed, use the Certificates MMC add-in or type the following command:
winrm get http://schemas.microsoft.com/wbem/wsman/1/config
- If you get the following error message: Error number: -2144108267 0x80338115 ProviderFault WSManFault Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate.
To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.
Open the certificates MMC add-in and confirm the following attributes are correct:
- The date of the computer falls between the Valid from: to the To: date on the General tab.
- Host name matches the Issued to: on the General tab, or it matches one of the Subject Alternative Name exactly as displayed on the Details tab.
- That the Enhanced Key Usage on the Details tab contains Server authentication.
- On the Certification Path tab that the Current Status is This certificate is OK.
- If you have more than one local computer account server certificate installed, confirm the Certificate Thumbprint displayed by
Winrm enumerate winrm/config/listener
is the same Thumbprint on the Details tab of the certificate.
Steps to Troubleshoot:
- Check that WinRM is properly configured on the VM. Run this command on the target VM:
winrm quickconfig
If it says WinRM is not configured, it will prompt to enable it — say yes. Also check:
winrm e winrm/config/listener
Ensure there's a listener on port 5985 (HTTP) or 5986 (HTTPS).
- Verify WinRM Service is Running. It should be in a Running state.
Get-Service winrm
- From the Azure Migrate appliance, Test Connectivity from the Appliance to the VM.
Test-NetConnection <VM-IP-or-hostname> -Port 5985
(or 5986 if you're using HTTPS). This confirms network reachability.
- Check Firewall Rules on the VM, make sure inbound firewall rules allow traffic on:
TCP 5985 (for HTTP WinRM)
TCP 5986 (for HTTPS WinRM)
Use:
New-NetFirewallRule -Name "WinRM HTTP" -DisplayName "WinRM over HTTP" -Protocol TCP -LocalPort 5985 -Action Allow
(or replace with 5986 and HTTPS if needed)
If the issue still persists, check the Azure Migrate appliance logs for more detailed error messages. The logs are typically located under C:\ProgramData\Microsoft Azure\Logs and may provide additional clues.
If the provided solution works for your query, please do not forget to click the Upvote button. This can be beneficial to other community members. It would be greatly appreciated and helpful to others.
Thanks
-
Vinod Pittala • 2,320 Reputation points • Microsoft External Staff • Moderator
2025-05-09T20:42:24.9033333+00:00 Hello SHAILENDRA PRASAD SHUKLA,
Just want to check if the above answer worked for you, or else please let us know if any help is needed. We are always here to help whenever you need us.
Please do not forget to "Accept the answer" and "upvote it" wherever the information provided helps you. This can be beneficial to other community members. It would be greatly appreciated and helpful to others.
Thanks
-
SHAILENDRA PRASAD SHUKLA • 40 Reputation points
2025-05-12T04:33:28+00:00 I don't understand how to find the certificate and use it, please explain step by step. If I use port 5985, do we need a certificate in this case also?
-
Vinod Pittala • 2,320 Reputation points • Microsoft External Staff • Moderator
2025-05-15T23:37:45.4966667+00:00 Hello SHAILENDRA PRASAD SHUKLA,
Apologies for the delay in my response. Here is the explanation for your queries.
1. How to find the certificate?
You can follow the steps outlined in this Microsoft guide to find the certificate: https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https#summary
Additionally, here are the clear steps for your ease of reference.
i> Open MMC:
Press Win + R to open the Run dialog, type mmc, and hit Enter.
ii> Add Certificates Snap-in:
In the MMC window, go to File > Add/Remove Snap-in....
Select Certificates and click Add.
Choose Computer Account and click Next, then Finish.
iii> Navigate to the Certificate:
In the left pane, expand Certificates and then select Trusted Root Certification Authorities or Personal.
Look for the certificate that matches your hostname.
Check the Common Name (CN):
Right-click on the certificate and select Properties.
In the Details tab, find the Common Name (CN) field. This should match the hostname you are looking for.
2. How to use Certificates
i> Verify the CN of the SSL Certificate:
ii> Create a New SSL Certificate (if needed):
If you need to create a new certificate, you can use PowerShell or a certificate management tool.
The commands might look like this:
New-SelfSignedCertificate -DnsName "yourhostname" -CertStoreLocation "cert:\LocalMachine\My"
This command creates a new self-signed certificate with the specified hostname as the CN.
iii> Install the Certificate:
Use the Microsoft Management Console (MMC) to install the certificate. Open the MMC by typing mmc in the Run dialog, add the Certificates snap-in, and import the new certificate under 'Local Computer' > 'Personal' > 'Certificates'.
iv> Configure WinRM for HTTPS:
Ensure that the WinRM listener is configured to use the new certificate. Check the current listeners by running the following command in PowerShell:
winrm e winrm/config/listener
Update the listener configuration to use the new certificate if it does not match:
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="yourhostname"; CertificateThumbprint="thumbprint"}
Update Deployment Scripts and Settings:
Ensure all scripts and Azure configurations reference the hostname that matches the CN in the certificate.
3. If I use 5985 port, do we need certificate in this case also?
Yes, certificates are still required under certain conditions. According to Microsoft’s documentation, if certificates aren't configured on the target servers, discovery would fail on the current discovered servers and on the newly added servers.
Also, as per https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https#more-information, WinRM over HTTPS requires a Server Authentication certificate with a CN matching the hostname. The certificate must not be expired, revoked, or self-signed.
As per this doc, the purpose of configuring WinRM for HTTPS is to encrypt the data being sent across the wire. WinRM HTTPS requires a local computer Server Authentication certificate with a CN matching the hostname to be installed, and the certificate mustn't be expired, revoked, or self-signed.
If the provided solution works for your query, please do not forget to click the Upvote button. This can be beneficial to other community members. It would be greatly appreciated and helpful to others.
Thanks
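The certificate checklist from the first answer (validity dates, name match, Server Authentication EKU, certification path, listener thumbprint) and the "find the certificate" steps above can be run as one audit on the target server. This is an added example, not part of the original posts or Microsoft's documentation; the `$HostName` parameter and its default are assumptions, and it should be run from an elevated PowerShell prompt.

```powershell
# Added example: audit LocalMachine\My certificates against the WinRM HTTPS
# requirements quoted in the thread. Run elevated on the target server.
param(
    # Assumption: the name the appliance uses to reach this server (pass the FQDN if it uses one).
    [string]$HostName = $env:COMPUTERNAME
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the "Server Authentication" enhanced key usage
$now = Get-Date

# Thumbprint bound to the WinRM HTTPS listener, if one exists
$listener = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } | Select-Object -First 1
$bound = if ($listener) { ($listener.CertificateThumbprint -replace '\s', '').ToUpper() } else { $null }

$report = foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    # Collect the EKU OIDs carried by the certificate (empty if it has no EKU extension)
    $eku = $c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
    # Subject CN plus the DNS names PowerShell exposes for the certificate
    $cn    = $c.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $names = @($cn) + @($c.DnsNameList | ForEach-Object { $_.Unicode })

    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        NameMatches   = $names -contains $HostName                   # exact, case-insensitive match
        InValidity    = ($c.NotBefore -le $now) -and ($now -le $c.NotAfter)
        ServerAuthEku = $eku -contains $serverAuthOid
        SelfSigned    = $c.Subject -eq $c.Issuer
        ChainOk       = $c.Verify()                                  # builds the chain with the default policy
        HasPrivateKey = $c.HasPrivateKey
        BoundToHttps  = $c.Thumbprint -eq $bound
    }
}

$report | Format-Table -AutoSize

if (-not $bound) {
    Write-Warning 'No WinRM HTTPS listener found; only HTTP (5985) is available.'
} elseif (-not ($report | Where-Object { $_.BoundToHttps })) {
    Write-Warning "Listener thumbprint $bound was not found in LocalMachine\My."
}
```

A certificate meets the requirements quoted in the thread only when `NameMatches`, `InValidity`, `ServerAuthEku`, `ChainOk` and `HasPrivateKey` are all True and `SelfSigned` is False; the `BoundToHttps` row shows which certificate the listener actually presents.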
-
Vinod Pittala • 2,320 Reputation points • Microsoft External Staff • Moderator
2025-05-17T00:54:40.1333333+00:00 Hello SHAILENDRA PRASAD SHUKLA,
We haven't heard back from you regarding the advice we provided earlier. Could you please let us know if it was helpful? If you have any questions or encounter any issues, please don't hesitate to reach out. We are committed to resolving your concerns as a priority.
Thanks
-
Vinod Pittala • 2,320 Reputation points • Microsoft External Staff • Moderator
2025-05-19T23:44:10.7333333+00:00 Hello SHAILENDRA PRASAD SHUKLA,
We haven't heard back from you regarding the advice we provided earlier. Could you please let us know if it was helpful? If you have any questions or encounter any issues, please don't hesitate to reach out. We are committed to resolving your concerns as a priority.
Thanks