I recently had to deploy some new VMs and wanted to use PowerShell and also join them to a domain and get the anti-malware extension used. Below is the PowerShell I used. You would need to modify the variables in the below to match your own domains.
$Region = "EastUS"
$VNetName = "savilltech-vnet-east"
$VNetRG = "savilltech-vnets_rg"
$VNetSubnetName = "savilltech-vnet-east-savhybridinfra-vms"
$VNetSubnetCIDR = "10.244.3.64/26"
$NSGName = "savNSGLockdownEastUS"
$VMRG = "savilltech-savhybridinfra_rg"
$SQLVMName = "AZUUSESQL01"
$SQLVMSize = "Standard_DS3_v2" #4vcpu 16GB memory
$SQLVMIP = "10.244.3.68"
$VMDiagName = "savhybridinfradiag"
#Domain Join Strings
$string1 = '{
"Name": "savilltech.net",
"User": "savilltech.net\adminname",
"OUPath": "OU=Servers,OU=Hybrid,OU=Environments,DC=savilltech,DC=net",
"Restart": "true",
"Options": "3"
}'
$string2 = '{ "Password": "rawpasswordhere" }'
#Get the network subnet
$NSG = Get-AzureRmNetworkSecurityGroup -Name $NSGName -ResourceGroupName $VNetRG
$VNet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $VNetRG
$VNetSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $VNetSubnetName -VirtualNetwork $VNet
#Local Credential
$user = "localadmin"
$password = 'localadminpasshere'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword)
# Antimalware extension
$SettingsString = '{ "AntimalwareEnabled": true,"RealtimeProtectionEnabled": true}';
$allVersions= (Get-AzureRmVMExtensionImage -Location $Region -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version
$typeHandlerVer = $allVersions[($allVersions.count)-1]
$typeHandlerVerMjandMn = $typeHandlerVer.split(".")
$typeHandlerVerMjandMn = $typeHandlerVerMjandMn[0] + "." + $typeHandlerVerMjandMn[1]
#Create the resource group
New-AzureRmResourceGroup -Name $VMRG -Location $Region
#Create the diagnostics storage account
New-AzureRmStorageAccount -ResourceGroupName $VMRG -Name $VMDiagName -SkuName Standard_LRS -Location $Region
# Create VM Object
$vm = New-AzureRmVMConfig -VMName $SQLVMName -VMSize $SQLVMSize
$nic = New-AzureRmNetworkInterface -Name ('nic-' + $SQLVMName) -ResourceGroupName $VMRG -Location $Region `
-SubnetId $VNetSubnet.Id -PrivateIpAddress $SQLVMIP
# Add NIC to VM
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id
# VM Storage
$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer `
-Skus 2016-Datacenter -Version latest
$vm = Set-AzureRmVMOSDisk -VM $vm -StorageAccountType PremiumLRS -DiskSizeInGB 512 `
-CreateOption FromImage -Caching ReadWrite -Name "$SQLVMName-OS"
$vm = Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName $SQLVMName `
-Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$diskConfig = New-AzureRmDiskConfig -AccountType PremiumLRS -Location $Region -CreateOption Empty `
-DiskSizeGB 2048
$dataDisk1 = New-AzureRmDisk -DiskName "$SQLVMName-data1" -Disk $diskConfig -ResourceGroupName $VMRG
$vm = Add-AzureRmVMDataDisk -VM $vm -Name "$SQLVMName-data1" -CreateOption Attach `
-ManagedDiskId $dataDisk1.Id -Lun 1
$vm = Set-AzureRmVMBootDiagnostics -VM $vm -Enable -ResourceGroupName $VMRG -StorageAccountName $VMDiagName
# Create Virtual Machine
New-AzureRmVM -ResourceGroupName $VMRG -Location $Region -VM $vm
Set-AzureRmVMExtension -ResourceGroupName $VMRG -VMName $SQLVMName -Name "IaaSAntimalware" `
-Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" `
-TypeHandlerVersion $typeHandlerVerMjandMn -SettingString $SettingsString -Location $Region
Set-AzureRmVMExtension -ResourceGroupName $VMRG -VMName $SQLVMName -ExtensionType "JsonADDomainExtension" `
-Name "joindomain" -Publisher "Microsoft.Compute" -TypeHandlerVersion "1.0" -Location $Region `
-SettingString $string1 -ProtectedSettingString $string2
Note the TypeHandlerVersion to join the domain now needs to be 1.3. Also the account type for storage should now be Premium_LRS.
LikeLike