Deploying Software via Custom Script Extensions in Azure

I started messing around with Custom Script Extensions today. After deploying a VM in Azure, I wanted to see if I could use a custom script extension to add MalwareBytes to the VM instead of logging into the server, downloading the MalwareBytes installer, and manually running the installer. Since I already have an Azure storage account that I know how to connect to, why not try deploying a custom script extension to the VM via PowerShell and letting the script install MalwareBytes? If nothing else, I'd learn something new.

Now, creating and deploying a custom script extension requires some stuff. I was going to need the following:

  • A resource group in Azure
  • A storage account in Azure
  • A virtual machine in Azure to deploy to
  • MalwareBytes Installer File (housed in my Azure storage account)
  • A .ps1 script to call the MalwareBytes installer (also housed in my Azure storage account)
  • Connection info for my storage account

So, before doing anything, I deployed a resource group in Azure and called it MyResourceGroup.  I also deployed a storage account, called it "mystorageaccount", and documented my access keys.  Inside the storage account, I deployed a file share called "fileshare" and a blob container called "myscripts".  I then deployed a virtual machine called Server03 (01 and 02 were already in use).

Once I had my environment in place, I downloaded the MalwareBytes installer from the MalwareBytes website, and uploaded it to my "fileshare" file share in my Azure storage account. I planned to configure the custom extension script to connect to my Azure file share and install MalwareBytes from there.

With my MalwareBytes installer uploaded to my Azure file share, I got to work on my custom script extension. I fired up Notepad and added the following two lines:

    cmdkey /add:mystorageaccount.file.core.windows.net /user:AZURE\mystorageaccount /pass:mystorageaccountaccesskey
    \\mystorageaccount.file.core.windows.net\fileshare\mb3-setup-consumer- /SP- /SILENT /NOCANCEL

The first line in my script was used to persist my storage account credentials so the VM could connect to my storage account without intervention from me. In that line, mystorageaccount is the name of my storage account and mystorageaccountaccesskey stands in for one of my storage account access keys. It didn't matter which one I used. MS gives you two in case you have to change one. Line two of my script was used to launch the MalwareBytes installer file via a UNC path. Notice the "/SP- /SILENT /NOCANCEL" switches on the end. These switches are recommended by MalwareBytes to perform a "silent" install with no user intervention.
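The two-line script keeps the account key in plaintext inside the uploaded .ps1 and persists it on the VM through cmdkey, and it runs whatever file sits in the share. The variant below is an added example, not the author's script: it maps the share for the session only and checks the installer's SHA-256 and Authenticode signature before running it. The parameter names, the drive name MWBShare and the expected hash are assumptions; how the key is handed to the script is left to the caller.

```powershell
# Added example (not the post's script). Parameter names, the MWBShare drive name
# and the expected hash are assumptions; share layout and switches follow the post.
param(
    [Parameter(Mandatory = $true)] [string] $StorageAccount,  # e.g. mystorageaccount
    [Parameter(Mandatory = $true)] [string] $StorageKey,      # storage account access key
    [Parameter(Mandatory = $true)] [string] $InstallerName,   # installer file name in the share
    [Parameter(Mandatory = $true)] [string] $ExpectedSha256,  # hash recorded when the file was downloaded
    [string] $ShareName = 'fileshare'
)
$ErrorActionPreference = 'Stop'

$root   = "\\${StorageAccount}.file.core.windows.net\${ShareName}"
$secure = ConvertTo-SecureString $StorageKey -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential("AZURE\${StorageAccount}", $secure)
$local  = Join-Path $env:TEMP $InstallerName

# Session-scoped mapping: unlike cmdkey, no credential is saved on the VM.
New-PSDrive -Name MWBShare -PSProvider FileSystem -Root $root -Credential $cred | Out-Null
try {
    # Copy locally so the file that is verified is the file that is executed.
    Copy-Item -Path "MWBShare:\${InstallerName}" -Destination $local -Force
}
finally {
    Remove-PSDrive -Name MWBShare
}

# Refuse to run a file that was swapped or tampered with in the share.
$hash = (Get-FileHash -Path $local -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -FilePath $local
if ($hash -ne $ExpectedSha256 -or $sig.Status -ne 'Valid') {
    Remove-Item $local -Force
    throw "Installer rejected: sha256=$hash signature=$($sig.Status)"
}

# Same silent-install switches as the original script.
$proc = Start-Process -FilePath $local -ArgumentList '/SP-', '/SILENT', '/NOCANCEL' -Wait -PassThru
Remove-Item $local -Force
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)"
}
```

A non-zero exit or a rejected file makes the script throw, so the extension run reports a failure instead of "OK".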

I saved my script extension as "InstallMWB.ps1" and uploaded it to my "myscripts" container in my Azure storage account.

At this point, I had my custom script extension and MalwareBytes installer file both uploaded to my storage account so it was time to add the custom extension to my running VM (Server03). I opted to do it via PowerShell because, well, it's just more fun that way!

Next, I opened PowerShell on my workstation, logged into Azure (Login-AzureRmAccount), and got to work.

To assign my new custom MalwareBytes extension to my server, I ran the following command from PowerShell on my workstation:

    Set-AzureRmVMCustomScriptExtension -ResourceGroupName "MyResourceGroup" -Location "SouthCentralUS" -VMName "Server03" -Name "MyMWBInstall" -TypeHandlerVersion "1.1" -StorageAccountName "mystorageaccount" -StorageAccountKey "mystorageaccountaccesskey" -FileName "InstallMWB.ps1" -ContainerName "myscripts" -Run "InstallMWB.ps1"

I know - that's quite a bit of jargon. Let's break it down.

To run the Set-AzureRmVMCustomScriptExtension command, I had to specify the following parameters:

  • ResourceGroupName: The resource group where my virtual machine lived
  • Location: The Azure location of the VM
  • VMName: The name of the VM that I wanted to assign the extension to
  • Name: The name that I wanted to give my extension
  • TypeHandlerVersion: Sets the type version of the extension handler
  • StorageAccountName: The storage account where my InstallMWB.ps1 script and MalwareBytes installer were located
  • StorageAccountKey: The access key for authenticating to my storage account
  • FileName: The filename of my script
  • ContainerName: The name of the storage account blob container where my script was stored
  • Run: The command that ran my script

The italic parameters above are MANDATORY while the others are optional.

After running the command, PowerShell just sat there, looking at me, until it completed. Upon completion, PowerShell told me that the status was "OK". During deployment, I was able to watch things as they happened in the Azure portal. The deployment process itself took about 5 minutes or so. When I logged into my server, I could see MalwareBytes was installed and running. It was actually a pretty cool experiment.

Your turn....

Want to try this yourself? If so, follow the steps below.

Prepare the Environment:

  • Deploy a Resource Group in Azure called MyResourceGroup and assign it to SouthCentralUS
  • Deploy a Windows 2012 R2 virtual machine in Azure and call it MyServer01 (use a D1_V2 Standard size)
  • Provision a storage account in Azure if you don't have one
  • Deploy a file share called "fileshare" in your storage account
  • Deploy a blob container called "myscripts" in your storage account
  • Install Azure PowerShell on your workstation if you don't have it

Obtain the Installer:

  • Visit the MalwareBytes website and download a trial version
  • Upload the MalwareBytes installer to your "fileshare" share in Azure

Create Your Custom Extension Script:

  • Create a text file and add the following lines to it:
      cmdkey /add:mystorageaccount.file.core.windows.net /user:AZURE\mystorageaccount /pass:mystorageaccountaccesskey
      \\mystorageaccount.file.core.windows.net\fileshare\malwarebytesinstaller.exe /SP- /SILENT /NOCANCEL
  • Replace all instances of mystorageaccount with the name of your storage account
  • Replace mystorageaccountaccesskey with your own storage account access key
  • Replace malwarebytesinstaller.exe with the filename of the installer you downloaded (versions often change)
  • Save the text file as InstallMWB.ps1 and upload it to your "myscripts" blob container

Make it Happen:

  • Launch PowerShell on your workstation and log in to Azure
  • Type the following command:
      Set-AzureRmVMCustomScriptExtension -ResourceGroupName "MyResourceGroup" -Location "SouthCentralUS" -VMName "MyServer01" -Name "MyMWBInstall" -TypeHandlerVersion "1.1" -StorageAccountName "mystorageaccount" -StorageAccountKey "mystorageaccountaccesskey" -FileName "InstallMWB.ps1" -ContainerName "myscripts" -Run "InstallMWB.ps1"
  • Be sure to replace all instances of mystorageaccount with the name of your storage account
  • Be sure to replace all instances of mystorageaccountaccesskey with your own storage account access key
  • Hit Enter

Give it about 10 minutes and then log in to your virtual machine. You should see MalwareBytes installed and running.


Thomas Mitchell

Tom is a 20+ year veteran of the IT industry and carries numerous Microsoft certifications, including the MCSE: Cloud Platform and Infrastructure certification. A Subject Matter Expert in Active Directory and Microsoft Exchange, Tom also possesses expert-level knowledge in several other IT disciplines, including Azure, Storage, and O365/Exchange Online. You can find Tom at his website, on LinkedIn, or on Facebook. Need to reach him by phone? Call 484-334-2790.