Enabling WinRM Using Custom Script Extensions in Azure ARM

When provisioning vanilla Windows marketplace templates via CloudBolt, WinRM and the firewall policy prevent remote execution by default. This presents a 'chicken and the egg' scenario where in order to enable remote scripting against the VM, it must first be accessed via RDP and manually configured. When automating the deployment of VMs, this solution becomes untenable.

To help with this situation, a Cloudbolt plugin can be used to install Azure's CustomScripting VM extension, which runs a PowerShell script on the provisioned Azure VM using the Azure VM Agent. More info about VM extensions can be found here.

In order to enable WinRM on a newly provisioned VM in CloudBolt, we can use a Post Provision hook to install the CustomScripting VM Extension which permits the execution one one or more PowerShell scripts upon provisioning.

In this case, we'll be using a popular script from Ansible that is perfect for configuring WinRM for secure remote command execution. This script is downloaded from GitHub and ensures that WinRM is enabled in secure mode, it's started automatically, and port 5986 is opened in Windows firewall.

The attached python script should be uploaded as a CloudBolt plugin under Server Actions and tested (as a Server Action) before including it as a Post Provisioning (trigger point 10) Orchestration Action. If deployed as a Post Provisioning Orchestration action, it should occur first in the list if any subsequent scripts require remote execution.

Once imported into your environment, ensure that all Action Input types are set to 'String', except the 'Settings' Action Input which should be set to type: 'Code'. Also ensure that its Resource Technology is set specifically to Azure ARM and that is it Shared:


To verify that the plugin properly installs the VM extension, check the 'Extensions + applications' section in the Azure portal for the target VM. The Status column should say 'Provisioning succeeded':


You can get more details by double-clicking the Extension:


Note that the installation process is asynchronous. The plugin will poll for (240 seconds) waiting for the installation to complete. 

By default, CloudBolt is setup to run WinRM commands on port 5985/tcp. To tell CloudBolt to use the secure channel going forward, add the following line to /var/opt/cloudbolt/customer_settings.py:




If the VM extension is installed successfully via the plugin, Ad-Hoc scripts as well as Remote Execution via CloudBolt will be enabled on the VM.


Have more questions? Submit a request


  • 1
    Thomas Mukunnemkeril

    The python script didn't work for me initially.  I'd get an error about 1 positional parameter expected, but 2 positional found and 5 additional keyword (not sure exact wording anymore)

    Changing the script at line 43, instead of location, I specified location=location and the script started working:

    on line 43:
     extension_parameters = VirtualMachineExtension(                                         
  • 0
    Aaron Jablonowski

    Thanks for that feedback, Thomas- I've updated the uploaded plugin. 

Please sign in to leave a comment.