Remediate noncompliant servers
When you onboard servers with Azure Automation State Configuration, you set the configuration mode to one of the following modes:
- ApplyOnly
- ApplyandMonitor
- ApplyAndAutoCorrect
If you don't choose ApplyAndAutoCorrect, servers that drift from a compliant state for any reason remain noncompliant until you manually correct them. To force an Azure Automation State Configuration node to download the latest configuration and apply it, you must use the Update-DscConfiguration cmdlet, as in the following code example:
Update-DscConfiguration -Wait -Verbose
However, to run this cmdlet against your noncompliant server, you must use an Azure compute feature Run Command.
What is the Run Command?
The Run Command feature enables you to run scripts inside VMs. You can use this feature when manually correcting configuration drift. Run Command uses the VM agent to run PowerShell scripts within an Azure Windows VM. You can use these scripts for a general machine or application management. They can help you to quickly diagnose and remediate VM access and network issues, and get the VM back to a good state.
Tip
Run Command enables VM and application management, and troubleshooting by using scripts. It's available even when the machine is not reachable—for example, if the guest firewall doesn't have the Remote Desktop Protocol (RDP) or the Secure Shell (SSH) port open.
Restrictions
There are some restrictions to using Run Command. Because it's designed to quickly remedy issues affecting VMs, its software features have been kept to a minimum. The following restrictions apply when using Run Command:
- Output is limited to the last 4,096 bytes.
- The minimum time to run a script is about 20 seconds.
- Scripts run as the System account on Windows.
- Only one script can run at a time.
- Scripts that prompt for information (interactive mode) are not supported.
- You can't cancel a running script.
- The maximum time a script can run is 90 minutes. After that, it will time out.
- Outbound connectivity from the VM is required to return the results of the script.
Note
To function correctly, Run Command requires connectivity (port 443) to Azure public IP addresses. If the extension doesn't have access to these endpoints, the scripts might run successfully but not return the results. If you're blocking traffic on the VM, you can use service tags to allow traffic to Azure public IP addresses by using the AzureCloud tag.
Available PowerShell commands
You can launch a number of PowerShell commands against your Windows VMs. The following table describes the list of commands available for Windows VMs.
| Name | Description |
|---|---|
| RunPowerShellScript | Runs a PowerShell script. You can use the RunPowerShellScript command to run any custom script that you want. |
| DisableNLA | Disables Network Level Authentication (NLA). |
| DisableWindowsUpdate | Disables Automatic Updates through Windows Update. |
| EnableAdminAccount | Checks if the local administrator account is disabled, and if so enables it. |
| EnableEMS | Enables Emergency Management Services (EMS) to allow for serial console connection in troubleshooting scenarios. |
| EnableRemotePS | Configures the machine to enable PowerShell remoting. |
| EnableWindowsUpdate | Enables Automatic Updates through Windows Update. |
| IPConfig | Provides detailed information for the IP address, subnet mask, and default gateway for each adapter bound to Transmission Control Protocol (TCP)/IP. |
| RDPSettings | Checks registry settings and domain policy settings. Suggests policy actions if the machine is part of a domain, or modifies the settings to default values. |
| ResetRDPCert | Removes the Transport Layer Security (TLS)/SSL certificate tied to the RDP listener and restores the RDP listener security to default. Use this script if you find any issues with the certificate. |
| SetRDPPort | Sets the default or user-specified port number for Microsoft Remote Desktop connections. Enables firewall rules for inbound access to the port. |
Limiting access to the Run Command feature
Because Run Command can overrule some firewall port restrictions, it's important to ensure only authorized personnel can use it. Listing the run commands or displaying the details of a command requires the Microsoft.Compute/locations/runCommand/read permission.
Note
The built-in Reader role and higher levels have this permission.
Running a command requires the Microsoft.Compute/virtualMachines/runCommand/action permission.
Note
The Virtual Machine Contributor role and higher levels have this permission.
You can use one of the built-in roles or create a custom role to use Run Command.
Additional reading
You can learn more by reviewing the following documents:
Note
Azure Machine Configuration is a replacement service combines features of the DSC extension handler, Azure Automation State Configuration, and incorporates commonly requested features based on customer feedback. Azure Machine Configuration is currently in preview. Azure Automation State Configuration is still available and will be retired on September 30, 2027.