MAY 2020 SERVICE ALERT - Existing users, please ensure you are compliant this Service Alert by 26th May!!!
This article is to show you how you can create a basic customized image using the Azure VM Image Builder, and distribute to a region.
This covers using mutliple customizations to illustrate some high level functionality:
- PowerShell (ScriptUri) - Downloading a bash script and executing it
- PowerShell (inline) - Execute an array of commands
- File - Copy a html file from github to a specified, pre-created directory
- buildTimeoutInMinutes - Increase a build time to allow for longer running builds
- vmProfile - specifying a vmSize and Network properties
- osDiskSizeGB - you can increase the size of image
- WindowsRestart - this will allow for restarts between software installs
- WindowsUpdate - update the image with the latest Windows Updates, note this will handle its own required reboots.
To use this Quick Quickstarts, this can all be done using the Azure Cloudshell from the Portal. Simply copy and paste the code from here, at a miniumum, just update the subscriptionID variable below.
Happy Image Building!!!
Note! Azure Image Builder automatically runs sysprep to generalize the image, this is a generic sysprep command, which you can overide if you are aware of more favorable settings. However, for Windows there are limits on how many times (8), an image can be sysprep'd, see here for more details. Therefore exercise caution on how many times you layer customizations.
You must have the latest Azure PowerShell CmdLets installed, see here for install details.
# Register for Azure Image Builder Feature
Register-AzProviderFeature -FeatureName VirtualMachineTemplatePreview -ProviderNamespace Microsoft.VirtualMachineImages
Get-AzProviderFeature -FeatureName VirtualMachineTemplatePreview -ProviderNamespace Microsoft.VirtualMachineImages
# wait until RegistrationState is set to 'Registered'
# check you are registered for the providers, ensure RegistrationState is set to 'Registered'.
Get-AzResourceProvider -ProviderNamespace Microsoft.VirtualMachineImages
Get-AzResourceProvider -ProviderNamespace Microsoft.Storage
Get-AzResourceProvider -ProviderNamespace Microsoft.Compute
Get-AzResourceProvider -ProviderNamespace Microsoft.KeyVault
# If they do not saw registered, run the commented out code below.
## Register-AzResourceProvider -ProviderNamespace Microsoft.VirtualMachineImages
## Register-AzResourceProvider -ProviderNamespace Microsoft.Storage
## Register-AzResourceProvider -ProviderNamespace Microsoft.Compute
## Register-AzResourceProvider -ProviderNamespace Microsoft.KeyVault
# Step 1: Import module
Import-Module Az.Accounts
# Step 2: get existing context
$currentAzContext = Get-AzContext
# destination image resource group
$imageResourceGroup="aibWinImg01"
# location (see possible locations in main docs)
$location="westus2"
## if you need to change your subscription: Get-AzSubscription / Select-AzSubscription -SubscriptionName
# get subscription, this will get your current subscription
$subscriptionID=$currentAzContext.Subscription.Id
# name of the image to be created
$imageName="win2019image1"
# image distribution metadata reference name
$runOutputName="win2019ManImg01ro"
# image template name
$imageTemplateName="window2019Template01"
# distribution properties object name (runOutput), i.e. this gives you the properties of the managed image on completion
$runOutputName="winSvrSigR01"
# create resource group for image and image template resource
New-AzResourceGroup -Name $imageResourceGroup -Location $location
# setup role def names, these need to be unique
$timeInt=$(get-date -UFormat "%s")
$imageRoleDefName="Azure Image Builder Image Def"+$timeInt
$idenityName="aibIdentity"+$timeInt
## Add AZ PS module to support AzUserAssignedIdentity
Install-Module -Name Az.ManagedServiceIdentity
# create identity
New-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $idenityName
$idenityNameResourceId=$(Get-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $idenityName).Id
$idenityNamePrincipalId=$(Get-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $idenityName).PrincipalId
This command will download and update the template with the parameters specified earlier.
$aibRoleImageCreationUrl="https://raw.githubusercontent.com/danielsollondon/azvmimagebuilder/master/solutions/12_Creating_AIB_Security_Roles/aibRoleImageCreation.json"
$aibRoleImageCreationPath = "aibRoleImageCreation.json"
# download config
Invoke-WebRequest -Uri $aibRoleImageCreationUrl -OutFile $aibRoleImageCreationPath -UseBasicParsing
((Get-Content -path $aibRoleImageCreationPath -Raw) -replace '<subscriptionID>',$subscriptionID) | Set-Content -Path $aibRoleImageCreationPath
((Get-Content -path $aibRoleImageCreationPath -Raw) -replace '<rgName>', $imageResourceGroup) | Set-Content -Path $aibRoleImageCreationPath
((Get-Content -path $aibRoleImageCreationPath -Raw) -replace 'Azure Image Builder Service Image Creation Role', $imageRoleDefName) | Set-Content -Path $aibRoleImageCreationPath
# create role definition
New-AzRoleDefinition -InputFile ./aibRoleImageCreation.json
# grant role definition to image builder service principal
New-AzRoleAssignment -ObjectId $idenityNamePrincipalId -RoleDefinitionName $imageRoleDefName -Scope "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup"
### NOTE: If you see this error: 'New-AzRoleDefinition: Role definition limit exceeded. No more role definitions can be created.' See this article to resolve:
https://docs.microsoft.com/en-us/azure/role-based-access-control/troubleshooting
For more information on image builder permissions, please review this document.
# update AIB image config template
$templateUrl="https://raw.githubusercontent.com/danielsollondon/azvmimagebuilder/master/quickquickstarts/0_Creating_a_Custom_Windows_Managed_Image/helloImageTemplateWin01.json"
$templateFilePath = "helloImageTemplateWin01.json"
# download configs
Invoke-WebRequest -Uri $templateUrl -OutFile $templateFilePath -UseBasicParsing
((Get-Content -path $templateFilePath -Raw) -replace '<subscriptionID>',$subscriptionID) | Set-Content -Path $templateFilePath
((Get-Content -path $templateFilePath -Raw) -replace '<rgName>',$imageResourceGroup) | Set-Content -Path $templateFilePath
((Get-Content -path $templateFilePath -Raw) -replace '<region>',$location) | Set-Content -Path $templateFilePath
((Get-Content -path $templateFilePath -Raw) -replace '<runOutputName>',$runOutputName) | Set-Content -Path $templateFilePath
((Get-Content -path $templateFilePath -Raw) -replace '<imageName>',$imageName) | Set-Content -Path $templateFilePath
((Get-Content -path $templateFilePath -Raw) -replace '<imgBuilderId>',$idenityNameResourceId) | Set-Content -Path $templateFilePath
Your template must be submitted to the service, this will download any dependent artifacts (scripts etc), and store them in the staging Resource Group, prefixed, IT_.
New-AzResourceGroupDeployment -ResourceGroupName $imageResourceGroup -TemplateFile $templateFilePath -api-version "2019-05-01-preview" -imageTemplateName $imageTemplateName -svclocation $location
# note this will take minute, as validation is run (security / dependencies etc.)
To build the image you need to invoke 'Run'.
Invoke-AzResourceAction -ResourceName $imageTemplateName -ResourceGroupName $imageResourceGroup -ResourceType Microsoft.VirtualMachineImages/imageTemplates -ApiVersion "2019-05-01-preview" -Action Run -Force
Note, the command will not wait for the image builder service to complete the image build, you can query the status below.
As there are currently no specific Azure PowerShell cmdlets for image builder, we need to construct API calls, with the authentication, this is just an example, note, you can use existing alternatives you may have.
We need to start, by getting the Bearer Token from your existing session.
References A big thanks to brettmillerb, for this simple method.
### Step 1: Update context
$currentAzureContext = Get-AzContext
### Step 2: Get instance profile
$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$profileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile)
Write-Verbose ("Tenant: {0}" -f $currentAzureContext.Subscription.Name)
### Step 4: Get token
$token = $profileClient.AcquireAccessToken($currentAzureContext.Tenant.TenantId)
$accessToken=$token.AccessToken
$managementEp = $currentAzureContext.Environment.ResourceManagerUrl
$urlBuildStatus = [System.String]::Format("{0}subscriptions/{1}/resourceGroups/$imageResourceGroup/providers/Microsoft.VirtualMachineImages/imageTemplates/{2}?api-version=2019-05-01-preview", $managementEp, $currentAzureContext.Subscription.Id,$imageTemplateName)
$buildStatusResult = Invoke-RestMethod -Method Get -Uri $urlBuildStatus -Headers @{"Authorization" = ("Bearer " + $accessToken) } -ContentType application/json
$buildStatusResult.properties.lastRunStatus
The image build for this example will take approximately 50mins (multiple reboots, windows update installs/reboot), when you query the status, you need to look for lastRunStatus, below shows the build is still running, if it had completed successfully, it would show 'suceeded'.
"lastRunStatus": {
"startTime": "2019-08-21T00:39:40.61322415Z",
"endTime": "0001-01-01T00:00:00Z",
"runState": "Running",
"runSubState": "Building",
"message": ""
},
$imageResourceGroup = "myResourceGroup"
$vmName = "aibVm1"
# Create user object
$cred = Get-Credential -Message "Enter a username and password for the virtual machine."
# Create a resource group
New-AzResourceGroup -Name $imageResourceGroup -Location $location
# Network pieces
$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name mySubnet -AddressPrefix 192.168.1.0/24
$vnet = New-AzVirtualNetwork -ResourceGroupName $imageResourceGroup -Location $location `
-Name MYvNET -AddressPrefix 192.168.0.0/16 -Subnet $subnetConfig
$pip = New-AzPublicIpAddress -ResourceGroupName $imageResourceGroup -Location $location `
-Name "mypublicdns$(Get-Random)" -AllocationMethod Static -IdleTimeoutInMinutes 4
$nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name myNetworkSecurityGroupRuleRDP -Protocol Tcp `
-Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange 3389 -Access Allow
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $imageResourceGroup -Location $location `
-Name myNetworkSecurityGroup -SecurityRules $nsgRuleRDP
$nic = New-AzNetworkInterface -Name myNic -ResourceGroupName $imageResourceGroup -Location $location `
-SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id
# Create a virtual machine configuration using $imageVersion.Id to specify the shared image
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize Standard_D1_v2 | `
Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | `
Set-AzVMSourceImage -Id $imageVersion.Id | `
Add-AzVMNetworkInterface -Id $nic.Id
# Create a virtual machine
New-AzVM -ResourceGroupName $imageResourceGroup -Location $location -VM $vmConfig
Remote Desktop to the VM, using the Portal, or typing MSTSC at the Command Prompt (CMD).
Then, Go to the Command Prompt, then run:
dir c:\
You should see these two directories created during image customization:
- buildActions
- buildArtifacts
# Get ResourceID of the Image Template
$resTemplateId = Get-AzResource -ResourceName $imageTemplateName -ResourceGroupName $imageResourceGroup -ResourceType Microsoft.VirtualMachineImages/imageTemplates -ApiVersion "2019-05-01-preview"
### Delete Image Template Artifact
Remove-AzResource -ResourceId $resTemplateId.ResourceId -Force
Remove-AzRoleAssignment -ObjectId $idenityNamePrincipalId -RoleDefinitionName $imageRoleDefName -Scope "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup"
## remove definitions
Remove-AzRoleDefinition -Name "$idenityNamePrincipalId" -Force -Scope "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup"
## delete identity
Remove-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $idenityName -Force
Remove-AzResourceGroup $imageResourceGroup -Force
If you loved or hated Image Builder, please go to next steps to leave feedback, contact dev team, more documentation, or try more examples here]