Onboard on-prem servers directly to Defender for Servers

  1. General Introduction
  2. Must Know
  3. How to enable Direct Onboarding
  4. How to onboard servers
  5. Notes

General Introduction

If you want to onboard on-prem servers directly to Defender for Servers, you can now do so with the Defender for Endpoint agent. The advantage is that you can license and activate Microsoft Defender for Endpoint on servers without having to use Azure Arc. Arc has plenty of useful functionality, but among other things it gives you remote management of your servers and must therefore be treated carefully.

If you enable direct onboarding (a tenant-level feature) and onboard your servers to MDE, they’ll show up in Defender for Cloud and be enabled for Defender for Servers. Still, you’ll have to onboard your servers with Arc to get the most out of Defender for Servers, such as the features in Plan 2.
Defender for Servers Plan 1 includes the following functionalities:

Image credits to m365maps.com

Direct onboarding is a seamless integration between Defender for Endpoint and Defender for Cloud that doesn’t require extra software deployment on your servers. Once enabled, it also shows your non-Azure server devices onboarded to Defender for Endpoint in Defender for Cloud.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint

Must Know

  • The feature is enabled at the tenant level.
  • Both new and existing servers will be onboarded to Defender for Servers.
  • It’s fully supported by Defender for Servers Plan 1. Plan 2 features are not supported.

How to enable Direct Onboarding

  • Head into portal.azure.com
  • Search for Defender for Cloud and open it.
  • Click on Environment Settings 
  • Select Direct Onboarding in the middle of the screen.
  • Set Direct onboarding to On and select the billing subscription. In this subscription you’ll get a “Servers – Defender for Endpoint” object which references the on-prem server enabled for Defender for Servers.
  • Save
  • Check if Direct onboarding enabled Defender for Servers Plan 1 on that subscription.
  • To check, go into Environment settings, select the subscription you have used for enabling Direct onboarding
  • From Defender plans, look for Servers, then make sure it’s enabled and Plan 1 is selected
  • Wait for the servers to show up.

How to onboard servers

Notes

Here are the Microsoft Docs:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint


To onboard using Azure Arc, follow this documentation:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines

A vulnerability assessment solution should be enabled on your virtual machines – Azure

  1. General introduction
  2. Step-by-step guide
  3. Sources

General introduction

This is one of the more common alerts that may come up when you activate Defender for Cloud. This message comes up when a vulnerability assessment solution is not found in at least one virtual machine in your environment.

What happens behind the curtains? Azure virtual machine servers are constantly checked for infrastructure security misconfigurations by Defender for Cloud, which offers advice on how to fix them. Through integrated Vulnerability Assessment solutions or via agents and extensions, Defender for Cloud can also report on vulnerabilities found at the OS or application level. Since these “agents” must be configured for the process to work, you should configure the automatic provisioning of vulnerability assessment solutions on your virtual machines.

A valid VA solution is one of the following:

  • Microsoft threat and vulnerability management, included in both the Defender for Servers plans (P1 and P2). This is now the suggested solution, especially if you already use Microsoft Defender for Endpoint. You should not confuse this with the Microsoft Defender Vulnerability Management Add-on, which has a very similar name but is a different feature included with Defender for Servers Plan 2.
  • The Qualys agent, also included in Defender for Servers, but only in Defender for Servers Plan 2. This used to be the default choice in the past.
  • A Bring Your Own License Qualys or Rapid7 agent configured to integrate with Defender for Cloud. If you are looking at ways to incorporate them, follow this article: Integrate security solutions in Microsoft Defender for Cloud | Microsoft Docs

As we said, Microsoft threat and vulnerability management is the default solution to fix this recommendation. The only case where I would use something else is if you already have Qualys or Rapid7 in your environment and want to manage everything from a single pane. Defender for Endpoint will be onboarded in the VM through the MDE.Windows extension.

Step-by-step guide

To automatically enable a vulnerability assessment solution and resolve the alert:

  • Search Defender for Cloud from the Azure Portal (portal.azure.com)
  • From Defender for Cloud’s menu, click on Environment settings from the left bar.
  • Click on the subscription the resource is in.
  • In the top bar, click on Settings & Monitoring.
  • Turn on (if it’s not already enabled) the vulnerability assessment for machines and select the solution you wish to use. I’ll enable Microsoft Defender vulnerability management.

Once you are done, wait for the check to be triggered again. The alert should go away automatically after 24 hours.

Sources

https://learn.microsoft.com/en-us/azure/defender-for-cloud/auto-deploy-vulnerability-assessment

Scale AKS HCI control plane and worker nodes



  1. Notes
  2. Scale the Control Plane
  3. Scale worker nodes

In Azure Kubernetes Service (AKS) on Azure Stack HCI, you can increase the resources available to your node pool by changing the size of virtual machines in a node pool or expanding the node count. The node count can also be increased with autoscaling methods.

The worker nodes can be scaled using the command Set-AksHciNodePool, while the Set-AksHciCluster scales the control plane.

I’ll be going over scaling both using PowerShell in the following guide. You’ll need to open a PowerShell session on one of the Azure Stack HCI nodes to follow along. Replace the parameter values as needed. 

Notes

  • As of January 2023, the scaling of the management cluster (the one created by AKS HCI automatically) is currently not supported.
  • At the time of writing, the “-vmsize” argument used with Set-AksHciNodePool is not documented in the command docs (Set-AksHciNodePool | Microsoft Docs) but is only referenced in this article: Scale up a worker node | AKS HCI Docs



Scale the Control Plane

Now we’ll scale up the current cluster. You’ll see the control plane VM size under ControlPlaneVmSize.

Get-AksHciCluster -name akshci01

Status                : {ProvisioningState, Details}
ProvisioningState     : Deployed
KubernetesVersion     : v1.23.8
PackageVersion        : v1.23.8
NodePools             : linuxnodepool
WindowsNodeCount      : 0
LinuxNodeCount        : 4
ControlPlaneNodeCount : 1
ControlPlaneVmSize    : Standard_D2s_v3
AutoScalerEnabled     : False
AutoScalerProfile     :
LoadBalancer          : {VMSize, Count, Sku}
Name                  : akshci01

You’ll only be allowed to scale up the control plane to the available VM sizes. To see which sizes are available, use Get-AksHciVmSize.

Get-AksHciVmSize

VmSize           CPU MemoryGB
------           --- --------
Default          4   4
Standard_A2_v2   2   4
Standard_A4_v2   4   8
Standard_D2s_v3  2   8
Standard_D4s_v3  4   16
Standard_D8s_v3  8   32
Standard_D16s_v3 16  64
Standard_D32s_v3 32  128
Standard_DS2_v2  2   7
Standard_DS3_v2  2   14
Standard_DS4_v2  8   28
Standard_DS5_v2  16  56
Standard_DS13_v2 8   56
Standard_K8S_v1  4   2
Standard_K8S2_v1 2   2
Standard_K8S3_v1 4   6

In this example we’ll scale up to a D4s_v3.

Set-AksHciCluster -name akshci01 -controlPlaneVmSize Standard_D4s_v3

Status                : {ProvisioningState, Details}
ProvisioningState     : Deployed
KubernetesVersion     : v1.23.8
PackageVersion        : v1.23.8
NodePools             : linuxnodepool
WindowsNodeCount      : 0
LinuxNodeCount        : 4
ControlPlaneNodeCount : 1
ControlPlaneVmSize    : Standard_D4s_v3
AutoScalerEnabled     : False
AutoScalerProfile     :
LoadBalancer          : {VMSize, Count, Sku}
Name                  : akshci01

Now that we have scaled up the control plane, we can scale the control plane node count. The default is 1. If you increase the control plane node count, the control plane becomes highly available and will not accept scaling back down to 1 node ⚠️

Set-AksHciCluster -name akshci01 -controlPlaneNodeCount 3

Status                : {ProvisioningState, Details}
ProvisioningState     : Deployed
KubernetesVersion     : v1.23.8
PackageVersion        : v1.23.8
NodePools             : linuxnodepool
WindowsNodeCount      : 0
LinuxNodeCount        : 4
ControlPlaneNodeCount : 3
ControlPlaneVmSize    : Standard_D4s_v3
AutoScalerEnabled     : False
AutoScalerProfile     :
LoadBalancer          : {VMSize, Count, Sku}
Name                  : akshci01



Scale worker nodes

Now we’ll do the same thing we did for the control plane with the worker nodes. Here we’ll get the default VM size for the cluster.

Get-AksHciNodePool -clusterName "akshci01"

Status            : {Phase, Details}
ClusterName       : akshci01
NodePoolName      : linuxnodepool
Version           : v1.23.8
OsType            : Linux
NodeCount         : 2
VmSize            : Standard_K8S3_v1
Phase             : Deployed
AutoScalerEnabled : False

You’ll only be allowed to scale up the worker nodes to the available VM sizes. To see which sizes are available, use Get-AksHciVmSize.

Get-AksHciVmSize

VmSize           CPU MemoryGB
------           --- --------
Default          4   4
Standard_A2_v2   2   4
Standard_A4_v2   4   8
Standard_D2s_v3  2   8
Standard_D4s_v3  4   16
Standard_D8s_v3  8   32
Standard_D16s_v3 16  64
Standard_D32s_v3 32  128
Standard_DS2_v2  2   7
Standard_DS3_v2  2   14
Standard_DS4_v2  8   28
Standard_DS5_v2  16  56
Standard_DS13_v2 8   56
Standard_K8S_v1  4   2
Standard_K8S2_v1 2   2
Standard_K8S3_v1 4   6

Now that we know which sizes are supported, we can scale up the cluster nodes. All existing nodes will be scaled up ⚠️

Set-AksHciNodePool -ClusterName "akshci01" -name "linuxnodepool" -vmsize "Standard_DS13_v2"

Status            : {Phase, Details}
ClusterName       : akshci01
NodePoolName      : linuxnodepool
Version           : v1.23.8
OsType            : Linux
NodeCount         : 2
VmSize            : Standard_DS13_v2
Phase             : Deployed
AutoScalerEnabled : False

Now that we have scaled up, we can scale the workload node count. The current node count depends on what you have set during setup.

Set-AksHciNodePool -clusterName "akshci01" -name linuxnodepool -count 4


Status            : {Phase, Details}
ClusterName       : akshci01
NodePoolName      : linuxnodepool
Version           : v1.23.8
OsType            : Linux
NodeCount         : 4
VmSize            : Standard_DS13_v2
Phase             : Deployed
AutoScalerEnabled : False

Delete a user profile in Azure Virtual Desktop – AVD

To remove a user profile in Azure Virtual Desktop, you must first be sure that the user is logged off. If you are unsure how to do it, follow the guide below.

After you’ve checked this, you have two options based on the type of profile architecture you chose to implement.

  • If the profiles are stored locally, you can proceed to remove them as you would on a standard Windows 10 machine.
  • If you are using FSLogix, which is the recommended way to handle them, you can proceed to remove the user folder from the Azure File Share.

If you are unsure about which type of user profile solution you use, you can log in to a standard user account (preferably the one you wish to remove) and follow the guide below.

If you fall under the first option, log into the AVD instance(s) with an admin user account, open “Run”, then type netplwiz.exe and press Enter. This will open the Advanced User Accounts Control Panel. From there, you’ll get a list of all the users. Next, click on the user profile you’d like to delete and click “Remove”. You’ll have to repeat this procedure for all the AVD hosts in your environment.

If you are running FSLogix, log into the Azure File Share hosting your profiles, then locate the user folder you wish to delete. Usually, the format is either %username%%sid% or %sid%%username%, depending on whether you have added the FlipFlopProfileDirectoryName registry setting in the FSLogix configuration (FlipFlopDirectoryName | AVD). Once you have found it, open it, and delete the VHD/VHDX stored inside, as per the screenshot below. After the VHD deletion has been completed, delete the user profile folder.

How to download the disk of an Azure VM – Azure

Since Azure introduced the option to download the OS disk of a VM directly, you no longer need workarounds such as downloading the unmanaged disk (or going the snapshot route).
Here are some easy steps to directly download the disk of your Windows / Linux VM.
Please note that a Sysprep is advised if you need to use the disk as a template to create new VMs.

  • Go to the VM, and stop it.
  • Click on “Disks”, then on the OS Disk.
  • Click on “Disk Export”, then enter a higher number in the field (e.g. 30600) so that you have plenty of time to download the disk. Once done, click “Generate URL”.
  • Click on “Download the VHD file”

ResourceNotTopLevel error when trying to move resources – Azure

When you transfer Azure resources between subscriptions, you might get the following error: “ResourceNotTopLevel”.

This happens because only top-level resources should be selected for the move; their dependencies are moved automatically.

For example, say you selected both a Network Watcher Extension and the related VM you want to move. You only need to move the VM object, and the extension will come with the server.

Example of an error code:


{
    "code": "ResourceNotTopLevel",
    "message": "Identifier '/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved/extensions/AzureNetworkWatcherExtension' is not a top level resource. Please include only the top-level resource for this child resource in the move request. A child resource would be moved along with its associated top-level resource.\""
}

From the error code, you can see that you only have to move the following resource, which is the top-level one:

/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved

It’s good to remember that if dependent resources are distributed across different resource groups, you’ll first have to move them into one resource group and then attempt the migration.
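
An added example, not part of the original post: a shell filter that reduces a selection of resource IDs to the top-level resources a move request should contain, and lists the resource groups involved. The function names and all sample IDs except the first are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).

# top_level_ids: read ARM resource IDs on stdin (one per line) and print each
# distinct top-level resource ID once, in first-seen order.
top_level_ids() {
  awk -F'/' '
    NF == 0 { next }                      # skip blank lines
    {
      # Shape: /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>[/<childType>/<childName>...]
      # The leading "/" makes field 1 empty, so the top-level ID is fields 1-9.
      if (NF < 9 || tolower($2) != "subscriptions" ||
          tolower($4) != "resourcegroups" || tolower($6) != "providers") {
        print "skipping unrecognised ID: " $0 > "/dev/stderr"
        next
      }
      top = ""
      for (i = 2; i <= 9; i++) top = top "/" $i
      key = tolower(top)                  # resource IDs compare case-insensitively
      if (!(key in seen)) { seen[key] = 1; print top }
    }'
}

# source_resource_groups: print the distinct resource groups the IDs live in.
# More than one line of output means the resources first have to be brought
# into a single resource group before the move is attempted.
source_resource_groups() {
  awk -F'/' 'NF >= 5 && tolower($4) == "resourcegroups" {
    key = tolower($5)
    if (!(key in seen)) { seen[key] = 1; print $5 }
  }'
}

# Constructed selection: a VM, two of its extensions (one with different
# casing) and a disk that lives in another resource group.
SAMPLE_IDS='/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved/extensions/AzureNetworkWatcherExtension
/subscriptions/0000000000000000000/resourceGroups/MoveResource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved
/subscriptions/0000000000000000000/resourcegroups/moveresource/providers/Microsoft.Compute/virtualMachines/VMtobeMoved/extensions/ExampleExtension
/subscriptions/0000000000000000000/resourceGroups/OtherGroup/providers/Microsoft.Compute/disks/ExampleDataDisk'

echo "Top-level resources to include in the move request:"
printf '%s\n' "$SAMPLE_IDS" | top_level_ids
echo "Resource groups involved:"
printf '%s\n' "$SAMPLE_IDS" | source_resource_groups
```

On the sample, the three VM-related IDs collapse into the single VM ID shown above, and the two resource groups in the output flag that the disk has to be consolidated first.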

Force Azure File Sync tiering

If you are encountering issues with Azure File Sync, or you just want to force the process so that you can free some space now, follow the commands shown below:

#Import the commands
Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"

#Force cloud tiering on the folder you have specified in the sync group
Invoke-StorageSyncCloudTiering -Path <sync_group_path>

If you want to get some logs out of the operation for troubleshooting, run these commands in a separate PowerShell window before launching the script above:

cd C:\
New-Item -ItemType directory -Path C:\AZfslogs
cd "C:\Program Files\Azure\StorageSyncAgent"
Import-Module .\AFSDiag.ps1
Debug-AFS -OutputDirectory C:\AZfslogs -KernelModeTraceLevel verbose -UserModeTraceLevel verbose

You can terminate the command once the sync is concluded and get the logs in the C:\AZfslogs folder.

Disconnect a user session in Azure Virtual Desktop (AVD) – PowerShell

Prerequisites: The Microsoft.RDInfra.RDPowerShell module, the Az PS module

First, install the RDInfra module:

Install-Module -Name Microsoft.RDInfra.RDPowerShell; Import-Module -Name Microsoft.RDInfra.RDPowerShell

Then proceed by installing the Az module and logging in:

Connect-AzAccount

Once you are logged in you can run the following script to disconnect a specific user session:

Get-RdsUserSession -TenantName "tenantname.onmicrosoft.com" -HostPoolName "HostPoolName" | where { $_.UserPrincipalName -eq "azvise\demouser" } | Invoke-RdsUserSessionLogoff -NoUserPrompt

Repair / troubleshoot a Linux VM – Azure

If you encounter a boot or disk error with a VM, you need to get the OS disk into another VM to troubleshoot the issue.

The command we will run in Azure Cloud Shell is az vm repair create. To create a troubleshooting VM, follow these steps:

  • Open Azure Cloud Shell in bash or install Azure CLI in your bash environment.
  • Run the following command: az vm repair create -g "resourcegroupname" -n "VMname" --verbose
  • Insert admin credentials for the newly created VM into the bash shell
  • Connect to the newly created server and start analyzing the problem

Configure a SLES VM for Azure Site Recovery

To configure a VM for Azure Site Recovery we’ll need to configure the Microsoft Azure Linux Agent and enable the console. The VM will automatically get the DHCP network settings that it will need to get an IP from Azure.

First, add the repository and install the agent:

SLES 12 SP3:

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_12_SP3/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

SLES 12 SP4

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_12_SP4/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

SLES 15

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_15/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

SLES 15 SP1

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_15_SP1/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

SLES 15 SP2

zypper addrepo https://download.opensuse.org/repositories/Cloud:Tools/SLE_15_SP2/Cloud:Tools.repo
zypper refresh
zypper install python-azure-agent

Then enable automatic updates for the agent:

vi /etc/waagent.conf

Go to AutoUpdate.Enabled and enable it. It should look like this:

# AutoUpdate.Enabled=y
AutoUpdate.Enabled=y

Restart waagent and enable it:

systemctl restart waagent.service
systemctl enable waagent.service

Enable the serial console, to be able to access the VM even without connection from Azure:

systemctl start serial-getty@ttyS0.service
systemctl enable serial-getty@ttyS0.service
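
The agent steps above as a script, added here as an example and not part of the original post: it picks the repository URL for the releases listed above and enables AutoUpdate.Enabled idempotently, leaving commented-out lines alone. The function names and the VERSION_ID-to-release mapping are assumptions, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original post).

# cloud_tools_repo_url: map a VERSION_ID value from /etc/os-release to the
# Cloud:Tools repository URL. Only the releases listed above are accepted.
# Assumption: VERSION_ID reads "12.3", "12.4", "15", "15.1" or "15.2" on them.
cloud_tools_repo_url() {
  case "$1" in
    12.3) dir=SLE_12_SP3 ;;
    12.4) dir=SLE_12_SP4 ;;
    15)   dir=SLE_15 ;;
    15.1) dir=SLE_15_SP1 ;;
    15.2) dir=SLE_15_SP2 ;;
    *) echo "unsupported SLES version: $1" >&2; return 1 ;;
  esac
  echo "https://download.opensuse.org/repositories/Cloud:Tools/${dir}/Cloud:Tools.repo"
}

# autoupdate_state: print the value of the last uncommented AutoUpdate.Enabled
# assignment in the given file, or "unset" if there is none.
autoupdate_state() {
  val=$(sed -n -E 's/^[[:space:]]*AutoUpdate\.Enabled[[:space:]]*=[[:space:]]*([^[:space:]#]*).*/\1/p' "$1" | tail -n 1)
  echo "${val:-unset}"
}

# enable_autoupdate: set AutoUpdate.Enabled=y in the given file. Safe to run
# repeatedly; commented-out lines are never touched.
enable_autoupdate() {
  conf=$1
  if grep -Eq '^[[:space:]]*AutoUpdate\.Enabled[[:space:]]*=' "$conf"; then
    new=$(mktemp)
    sed -E 's/^[[:space:]]*AutoUpdate\.Enabled[[:space:]]*=.*/AutoUpdate.Enabled=y/' "$conf" > "$new"
    cat "$new" > "$conf"    # overwrite in place so owner and mode are kept
    rm -f "$new"
  else
    # No active assignment: make sure the file ends with a newline, then append.
    [ -z "$(tail -c 1 "$conf")" ] || echo >> "$conf"
    echo 'AutoUpdate.Enabled=y' >> "$conf"
  fi
}

# demo: run the edit against a constructed config in a temp file and print
# the state before and after.
demo() {
  sample=$(mktemp)
  printf '%s\n' '# AutoUpdate.Enabled=y' 'AutoUpdate.Enabled=n' 'Logs.Verbose=n' > "$sample"
  before=$(autoupdate_state "$sample")
  enable_autoupdate "$sample"
  after=$(autoupdate_state "$sample")
  rm -f "$sample"
  echo "$before -> $after"
}

demo
cloud_tools_repo_url 15.2

# On a real host (as root), the same functions would be used like this:
#   . /etc/os-release
#   zypper addrepo "$(cloud_tools_repo_url "$VERSION_ID")"
#   zypper refresh && zypper install python-azure-agent
#   enable_autoupdate /etc/waagent.conf
#   systemctl restart waagent.service
```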

ASR Kernel modules fail to load while installing the Mobility Service (VMware) – Azure

If some kernel modules fail to load (such as in the example below) while installing the Mobility Service agent, please check:

  • If the kernel is supported in your Configuration Server version
  • If secure boot is enabled

#EXAMPLE using SUSE 15 SP2
exampleserver0:/tmp/ASR # sudo ./install -d /usr/local/ASR/ -r MS -v VmWare -q
All product pre-requisties are met.
Generating the certificate.
[...]

Filter driver kernel module is not loaded. Attempting to load it, please wait...
insmod /lib/modules/[kernelversion]-default/kernel/drivers/char/involflt.ko 
Filter driver could not be loaded successfully.
Check the log file /var/log/ua_install.log for detailed diagnostic messages or installation success/failures...
Vx agent installation exit code : 208.
Check the log file /var/log/ua_install.log for detailed diagnostic messages or installation success/failures...
Installer exiting with code: 208

Check the following page to see if the kernel version is supported:

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix#ubuntu-kernel-versions

If it’s supported, run the following command:

mokutil --sb-state

If it’s enabled you should get something along the lines of:

SecureBoot enabled

Please note that SecureBoot is not supported at the moment with VMware DR in ASR:

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix#storage

To disable SecureBoot, proceed as follows:

  • Click on the virtual machine in vSphere (or vCenter)
  • Shut down the VM
  • Click on Edit Settings
  • Go in VM Options, then Boot Options
  • Deselect the Secure Boot check box
  • Click on OK
  • Start the VM



ASR Data change rate is beyond supported limits

If you see the event “Data change rate beyond supported limits” in the ASR replicated items logs, you probably need to change the disk type of your managed disks for that Virtual Machine.

I would advise waiting a bit to check if the error disappears or remains consistent.

To change the disk type, go to:

  • Disks
  • Select the disk specified in the error message above
  • Click on Configuration
  • Under Account type switch from “Standard HDD” to “Premium SSD” (or “Standard SSD”)
  • Save

Cannot enable protection for a VM in ASR “This operating system isn’t supported in Azure”

If you get this error, please check if the OS and kernel versions are supported:

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix

If they are supported, you can install the agent manually on the VM. If it doesn’t work, check whether the VM in VMware is configured as “Other (64-bit)” in the guest OS version. If it is, you should change the version to the specific Linux distribution you have installed. Mind that the VM must be shut off to change the Guest OS version.

To install the agent manually, follow these steps:

  • Go under %ProgramData%\ASR\home\svsystems\pushinstallsvc\repository in your ASR server and copy the “Microsoft-ASR_UA*_GA*.tar.gz” file specific to your distribution.
  • Copy the file to the VM. I would recommend creating a specific folder for the file under /tmp
  • Copy the Conf server passphrase to the server
  • Unpack the file: tar -xvf Microsoft-ASR_UA_yourfile.tar.gz
  • Run the following command as root: ./install -d /usr/local/ASR -r MS -v VmWare -q
  • Register the mobility service to the Conf server: /usr/local/ASR/Vx/bin/UnifiedAgentConfigurator.sh -i ConfserverIP -P /var/passphrase.txt

Recover ASR Configuration server passphrase

To recover your passphrase, sign in to the configuration server, then open a command line.

Change directory using:

cd %ProgramData%\ASR\home\svsystems\bin

Then export your passphrase using the following command:

genpassphrase.exe -v > connection.passphrase

Open the file with notepad to get the key:

Notepad "connection.passphrase"

Remove UDR from a subnet with a private endpoint associated – Azure

If you try to remove a UDR from a subnet that contains private endpoints, you may get the following error:

Failed to dissociate subnet 'SubnetName'. Error: Private endpoint network policies cannot be enabled on private endpoint subnet 'FullPathSubnet' .

To resolve this, run the following command using Azure CLI. Keep the route table parameter blank.

az network vnet subnet update -g MyResourceGroup -n MySubnet --vnet-name MyVNet --route-table ""

Enable Azure Serial Console for replicated Linux VMs – Azure

If you replicate a Linux VM right away, you might end up with the serial console not working. This can be a particular issue if your network interfaces are set as static and you have to change the IP addresses.

To enable the Serial Console, log into your on-premises Linux VM and run the following:

systemctl start serial-getty@ttyS0.service
systemctl enable serial-getty@ttyS0.service

Wait until the changes are replicated, then connect directly from the Azure Console.

Change Outlook profiles from one month cache to online in AVD/WVD

Unfortunately, at this time, there is no way to change Outlook profiles from cached mode (1 month retention) to online mode in the Outlook settings.

To configure the cache settings in Outlook (2016/365) in a WVD session you need to use Active Directory GPOs or local Group Policies.

To use local group policies follow these steps:

  • Download the following ADMX in your environment: https://www.microsoft.com/en-us/download/details.aspx?id=49030
  • Extract the files
  • Copy the outlk16.admx file to %systemroot%\PolicyDefinitions\
  • Based on the language folders you see in your WVD host, copy the outlk16.adml file from the admx\xx-xx folder to the corresponding folder in %systemroot%\PolicyDefinitions\
  • Open gpedit.msc
  • Go to User Configuration > Administrative Templates > Microsoft Outlook 2016 > Account Settings > Exchange > Cached Exchange Mode.
  • Set “Use Cached Exchange Mode for new and existing Outlook profiles” to Disabled

Check whether you are using an FSLogix profile in Azure Virtual Desktop – AVD

To check whether you are using an FSLogix profile in an AVD session, enter the AVD instance, then browse to the following folder:

C:\Program Files\FSLogix\Apps

Open frxtray.exe and open the System Tray as shown in the following picture:

Right-click on the frxtray icon and click open:

From here you can see that we get “Profile status: Active”, which indicates that we are using an FSLogix profile. If you are using a local profile you will get a yellow light on the traffic light and a warning message.

Sysprep fails due to an app that was installed for a user, but not provisioned for all users

Example errors:

1. Package Microsoft.LanguageExperiencePackit-IT_19041.3.7.0_neutral__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.

2. SYSPRP Failed to remove staged package Microsoft.LanguageExperiencePackit-IT_19041.49.150.0_neutral__8wekyb3d8bbwe. Failed to remove apps for the current user.

To fix this kind of error, mainly found in Azure Virtual Desktop implementations with custom languages, you must manually delete the app that was provisioned just for your current user and that is crashing your sysprep attempts.

To fix the issue, take a snapshot of the client, then remove the provisioned app package:

Remove-AppxProvisionedPackage -Online -PackageName Microsoft.LanguageExperiencePackit-IT_19041.3.7.0_neutral__8wekyb3d8bbwe

Whatever output you get, complete the removal of the app using the following command:

Remove-AppxPackage -AllUsers Microsoft.LanguageExperiencePackit-IT_19041.3.7.0_neutral__8wekyb3d8bbwe

You should now be able to sysprep the VM without issues.

Error 53 when mounting Azure File Share – Azure

If you get an error 53 when trying to mount an Azure File Share, there are two main issues that might be causing it.

Port 445 is blocked

To check the effective connectivity and start troubleshooting, run the following:


login-azaccount

$ResourceGroupName = "ba-weu-wvd-rg"
$StorageAccountName = "baweufslogixsa"

$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
Test-NetConnection -ComputerName ([System.Uri]::new($storageAccount.Context.FileEndPoint).Host) -Port 445

If, on the other hand, the error is that NTLMv2 is not enabled, note that Azure Files only supports NTLMv2 (not v1). Set the value of the following key to 3 on your local PC/Server:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa > LmCompatibilityLevel

How to cancel a reservation – Azure

To cancel a reservation you need specific permissions on the reservation order. The permissions are not inherited from the subscription, so… contact whoever created the reservation (or just open a ticket with the Azure Engineers).

Once you have the right account (or you’ve been given the permissions), go to the reservations tab in the Azure Portal. It’s best to have at least a couple of people who have permissions on the resource. To get to the reservations tab follow the link below:

https://portal.azure.com/#blade/Microsoft_Azure_Reservations/ReservationsBrowseBlade

Select the reservation you want to cancel and click on the name of the resource.

From the top click on “Refund”

Click on return reserved instances once you see the “Refund subtotal” pop up

Please refer to the following docs for additional information:

https://docs.microsoft.com/en-us/azure/cost-management-billing/reservations/exchange-and-refund-azure-reservations

https://docs.microsoft.com/en-us/azure/cost-management-billing/reservations/manage-reserved-vm-instance#add-or-change-users-who-can-manage-a-reservation

Move resources request is blocked by an Azure Backup job.

Error message:

The move resources request contains resources like “*OsDisk*” that are being backed up as part of a Azure Backup job. Browse the link https://aka.ms/vmbackupmove for information

If you encounter this error, check whether the VM’s backup is stopped. If it’s stopped, you need to remove the instant snapshot that has been created by the system:

  1. Find the location of your virtual machine.
  2. Find a resource group with the following naming pattern: AzureBackupRG_<location of your VM>_1. For example, AzureBackupRG_westus2_1
  3. In the Azure portal, check Show hidden types.
  4. Find the resource with type Microsoft.Compute/restorePointCollections that has the naming pattern AzureBackup_<name of your VM that you're trying to move>_###########.
  5. Delete this resource. This operation deletes only the instant recovery points, not the backed-up data in the vault.
  6. After the delete operation is complete, you can move your virtual machine.

List source: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/virtual-machines-move-limitations#portal

VM has reported a failure when processing extension ‘joindomain’ – AVD

If you encounter this error while creating a new VM from the host pool wizard, try following these suggestions to solve the issue, or at least drill down on the problem:

  • Check whether you can resolve your domain from your VNET
  • Check what DNS Servers are configured on your VNET, correct accordingly (follow this guide: Change VNet DNS Servers)
  • Check if you have permissions to join the domain using the credentials you provided
  • Check if the specified credentials are correct
  • Check if the domain to join (and the OU), specified in the wizard, is correct (parameters in the JSON: domainToJoin, ouPath, existingDomainUPN, existingDomainPassword).
  • Try to join a VM to the domain from the same network and subnet

If all the above are met, you should be able to join the VM successfully to the domain. If not, at least you should have more context to further troubleshoot the issue.

Activate Azure Update Management for on premise servers using Log Analytics

Requirements:
i. Log Analytics workspace
ii. Azure Automation Account

From the Log Analytics Workspace, click Connect a data source
Save the Workspace ID and Workspace key
Install the agent on the server, providing the Workspace ID and Key found in the workspace

Go into the Automation Account, then open Update management from the left menu
Enable update management on the VM by clicking on “Click to manage machines”

You can then see the missing updates and create an update deployment

Please allow up to 24hrs for all the servers to show up (it usually takes about an hour)