Alvaromon

Reputation: 220

Setting up Target Machines for TFS Build and Release Remoting

Spent a lot of time trying to figure out how to set up some VMs to allow a TFS Build Agent to remote into them and run PowerShell scripts.

You might run into error messages such as:

Connecting to remote server (IP Address here) failed with the following error message : 
WinRM cannot complete the operation. Verify that the specified computer name is valid, 
that the computer is accessible over the network, and that a firewall exception for the 
WinRM service is enabled and allows access from this computer. By default, 
the WinRM firewall exception for public profiles limits access to remote computers within 
the same local subnet. For more information, see the about_Remote_Troubleshooting Help 
topic.

Connecting to remote server (IP Address here) failed with the following error message : 
Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. 
 ---> System.Management.Automation.RuntimeException: Connecting to remote server 
(IP Address here) failed with the following error message : Access is denied. For more 
information, see the about_Remote_Troubleshooting Help topic.

Upvotes: 1

Views: 229

Answers (1)

Alvaromon

Reputation: 220

These are the steps to take to configure the Build Agent:

  • A shared folder

    param
    (
      [string]$sharePath = $(Read-Host "Please enter the path that you want to create the share"),
      [string]$username = $(Read-Host "Please enter the username of the account to share the folder with")
    )

    # Major OS version: 6 covers Windows 7 / 8.x, 10 covers Windows 10
    $majorVersion = [Environment]::OSVersion.Version.Major;

    if(!(Test-Path $sharePath)){
      New-Item $sharePath -type directory;

      if($majorVersion -eq 6){
        # Share the folder that was just created rather than a hard-coded path
        net share "SharedData=$sharePath" "/grant:${env:COMPUTERNAME}\${username},full"
        Write-Host "Share created."
      }
      elseif($majorVersion -eq 10){
        New-SMBShare -Name "SharedData" -Path $sharePath -FullAccess $username;
        Write-Host "Share created."
      }
    }
    else{
      Write-Host "Share already existed."
    }

  • WinRM must be configured

    Winrm quickconfig -quiet

  • The Target Machine is on the list of Trusted Hosts of the Build Agent

    winrm s winrm/config/client '@{TrustedHosts="xx.xx.xx.xx"}'

    xx.xx.xx.xx is the Target Machine’s IP address


These are the steps to take to configure the Target Machine:

  • A shared folder - same as above so won't add code here
  • The connected network must be Private

    $RegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles";

    # Category 1 marks a network profile as Private
    $ValName = "Category";
    $Value = "1";
    $ValName2 = "CategoryType"
    $Value2 = "0";

    # Apply both values to every stored network profile
    foreach($RegObj in Get-ChildItem $RegPath)
    {
        $RegKeyName = $RegObj.PSChildName;
        New-ItemProperty -Path "$RegPath\$RegKeyName" -Name $ValName -Value $Value -PropertyType DWORD -Force | Out-Null;
        New-ItemProperty -Path "$RegPath\$RegKeyName" -Name $ValName2 -Value $Value2 -PropertyType DWORD -Force | Out-Null
    }

    $majorVersion = [Environment]::OSVersion.Version.Major;

    # Collect the name of each "Dedicated" interface, one per line of netsh output
    $NetAdapters = netsh interface show interface | ForEach-Object {
        if($_ -match "(?<=Dedicated).*") { $matches[0].Trim() }
    }

    # Restart each adapter so the new network category is picked up
    foreach($Adapter in $NetAdapters)
    {
      if($majorVersion -eq 6)
      {
        netsh interface set interface "name=$Adapter" admin="disable";
        Start-Sleep 3
        netsh interface set interface "name=$Adapter" admin="enable";
      }
      elseif($majorVersion -eq 10)
      {
        Restart-NetAdapter -Name $Adapter;
      }
    }

  • WinRM must be configured - same as above so won't add code here

  • PowerShell Remoting must be enabled

    Enable-PSRemoting -Force

  • The Build Agent is on the list of Trusted Hosts - same as above so won't add code here

  • For Windows 7, add a rule in the Firewall local group policies to allow TCP connection over a specified port

    To get you started on this, select the Windows button, type in policy, and select 'Edit group policy'. Traverse to Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules. Right-click and select New Rule.... Follow these selections: select Port, click Next, select TCP, enter 5985 (HTTP) or 5986 (HTTPS) in Specific local ports, select 'Allow the connection', choose the network type (I selected all 3), enter a name, and click Finish.

Upvotes: 1
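
A read-only preflight check for the prerequisites listed in the answer above, as an added example that is not part of the original post. It assumes Windows 8.1 / Server 2012 R2 or later (for `Get-NetConnectionProfile` and `Test-NetConnection`) and an elevated prompt; the `New-Check` helper and the default address are constructed for illustration.

```powershell
# Added example: read-only preflight check; it changes no settings.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated prompt.
param(
    [string]$RemoteHost = '192.0.2.10'   # constructed placeholder, not from the post
)

# Hypothetical helper: one row of the result table
function New-Check($Name, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Name; Ok = [bool]$Ok; Detail = "$Detail" }
}

$results = @()

# WinRM service state on this machine
$svc = Get-Service -Name WinRM
$results += New-Check 'WinRM service running' ($svc.Status -eq 'Running') $svc.Status

# Connected networks that are still in the Public category
$public = @(Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' })
$aliases = ($public | ForEach-Object { $_.InterfaceAlias }) -join ', '
$results += New-Check 'No Public network profile' ($public.Count -eq 0) $aliases

# TrustedHosts: exact entry for the remote host; wildcard entries reported separately
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$entries = @("$trusted" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$results += New-Check 'Remote host in TrustedHosts' ($entries -contains $RemoteHost) $trusted
$wild = @($entries | Where-Object { $_.Contains('*') })
$results += New-Check 'TrustedHosts has no wildcard entry' ($wild.Count -eq 0) ($wild -join ', ')

# WinRM ports named in the answer: 5985 (HTTP) and 5986 (HTTPS)
foreach ($port in 5985, 5986) {
    $open = Test-NetConnection -ComputerName $RemoteHost -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    $results += New-Check "TCP $port reachable on $RemoteHost" $open ''
}

# WS-Management identify request; succeeds only if a WinRM listener answers
$wsman = Test-WSMan -ComputerName $RemoteHost -ErrorAction SilentlyContinue
$results += New-Check 'Test-WSMan answers' ($null -ne $wsman) $wsman.ProductVersion

$results | Format-Table -AutoSize
```

Run it on the Build Agent with the Target Machine's address, and on the Target Machine with the Build Agent's address.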
