Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: ✔️ Windows VMs
Note
Was this article helpful? Your input is important to us. Please use the Feedback button on this page to let us know how well this article worked for you or how we can improve it.
Note
The steps in this article don't apply to Windows domain controllers.
If you can't connect to a Windows virtual machine (VM), you can reset Remote Desktop Services and credentials by using the VMAccess extension. Here are the available methods to do this:
If you're using PowerShell, make sure that you have the latest PowerShell module installed and configured and are signed in to your Azure subscription. You can also perform these steps for VMs created with the classic deployment model.
First, sign in to the Azure portal and then select Virtual machines on the left menu.
Select your Windows VM and then select Reset password under Help. The Reset password window is displayed.
Select Reset password, enter a username and a password, and then select Update.
Tip
If you enter a different name than the current local administrator account on your VM, the VMAccess extension will add a local administrator account with that name, and assign your specified password to that account. If the local administrator account on your VM exists, the VMAccess extension will reset the password. If the account is disabled, the VMAccess extension will enable it.
Try connecting to your VM again.
This process will enable Remote Desktop service in the VM, and create a firewall rule for the default RDP port 3389.
Select your Windows VM and then select Reset password under Help. The Reset password window is displayed.
Select Reset configuration only and then select Update.
Try connecting to your VM again.
First, make sure that you have the latest PowerShell module installed and configured and are signed in to your Azure subscription by using the Connect-AzAccount cmdlet.
Reset the administrator password or user name with the Set-AzVMAccessExtension PowerShell cmdlet. The
typeHandlerVersionsetting must be 2.0 or greater, because version 1 is deprecated.$SubID = "<SUBSCRIPTION ID>" $RgName = "<RESOURCE GROUP NAME>" $VmName = "<VM NAME>" Connect-AzAccount Select-AzSubscription -SubscriptionId $SubID Set-AzVMAccessExtension -ResourceGroupName $RgName -VMName $VmName -Credential (get-credential) -typeHandlerVersion "2.0" -Name VMAccessAgent
Reset remote access to your VM with the Set-AzVMAccessExtension PowerShell cmdlet. The following example resets the access extension named
VMAccessAgenton a VM in the resource group:$SubID = "<SUBSCRIPTION ID>" $RgName = "<RESOURCE GROUP NAME>" $VmName = "<VM NAME>" Connect-AzAccount Select-AzSubscription -SubscriptionId $SubID Set-AzVMAccessExtension -ResourceGroupName $RgName -VMName $VmName -Name VMAccessAgent -typeHandlerVersion "2.0" -ForceRerun $trueTip
At any point, a VM can have only a single VM access agent. To set the VM access agent properties, use the
-ForceRerunoption. When you use-ForceRerun, ensure you use the same name for the VM access agent that you might have used in any previous commands.If you still can't connect remotely to your virtual machine, see Troubleshoot Remote Desktop connections to a Windows-based Azure virtual machine. If you lose the connection to the Windows domain controller, you will need to restore it from a domain controller backup.
| Error | Description |
|---|---|
| {"innererror": {"internalErrorCode": "CannotModifyExtensionsWhenVMNotRunning"}, "code": "OperationNotAllowed","message": "Cannot modify extensions in the VM when the VM is not running."} | This error indicates that the operation to modify extensions in the VM isn't allowed because the VM isn't running. To resolve this issue, ensure that the VM is running before attempting to modify extensions. |
| VM has reported a failure when processing extension 'enablevmAccess' (publisher 'Microsoft.Compute' and type 'VMAccessAgent'). Error message: 'VMAccess Extension does not support Domain Controller.'. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot . | This error indicates that the VM extension "enablevmAccess" failed because it doesn't support a domain controller. To resolve this issue, ensure that the VM isn't configured as a domain controller when using this extension. For more information, see Reset Remote Desktop Services or its administrator password in a Windows VM. |
| VM 'vmname' has not reported status for VM agent or extensions. Verify that the OS is up and healthy, the VM has a running VM agent, and that it can establish outbound connections to Azure storage. Please refer to https://aka.ms/vmextensionwindowstroubleshoot for additional VM agent troubleshooting information. | To troubleshoot this error, see Troubleshooting checklist. |
| VM has reported a failure when processing extension 'enablevmAccess' (publisher 'Microsoft.Compute' and type 'VMAccessAgent'). Error message: 'Cannot update Remote Desktop Connection settings for Administrator account. Error: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements. --- End of inner exception stack trace --- at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args) at Microsoft.WindowsAzure.GuestAgent.Plugins.WindowsUser.SetPassword(SecureString password, Boolean expirePassword) at Microsoft.WindowsAzure.GuestAgent.Plugins.RemoteAccessAccountManager.AddOrUpdateRemoteUserAccount(String userName, SecureString password, Boolean expirePassword) at Microsoft.WindowsAzure.GuestAgent.Plugins.JsonExtensions.VMAccess.VMAccessExtension.OnEnable()'. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot. | This error indicates that the VM extension "enablevmAccess" failed to update the Remote Desktop Connection settings for the Administrator account due to a password policy violation. To resolve this issue, ensure that the password meets Windows password policy requirements, including minimum length, complexity, and history. For more information, see Troubleshoot VM extensions. |
| VM has reported a failure when processing extension 'enablevmAccess' (publisher 'Microsoft.Compute' and type 'VMAccessAgent'). Error message: 'The Admin User Account password cannot be null or empty if provided the username.'. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot . | This error indicates that the VM extension "enablevmAccess" failed because the Admin User Account password wasn't provided. To resolve this issue, ensure that a non-null and non-empty password is specified for the Admin User Account. |
| Provisioning of VM extension enablevmaccess has timed out. Extension provisioning has taken too long to complete. The extension did not report a message. | This error message indicates that the provisioning of the VM extension "enablevmaccess" has timed out because it took too long to complete. Additionally, the extension didn't provide any status message during the process. To resolve this issue, consider checking the VM's performance and network conditions, and then retry the provisioning operation. For more information, see Troubleshooting Azure Windows VM extension failures. |
| VM has reported a failure when processing extension 'enablevmAccess' (publisher 'Microsoft.Compute' and type 'VMAccessAgent'). Error message: 'Cannot update Remote Desktop Connection settings for Administrator account. Error: System.Exception: User account scsadmin already exists but cannot be updated because it is not in the Administrators group. at Microsoft.WindowsAzure.GuestAgent.Plugins.RemoteAccessAccountManager.AddOrUpdateRemoteUserAccount(String userName, SecureString password, Boolean expirePassword) at Microsoft.WindowsAzure.GuestAgent.Plugins.JsonExtensions.VMAccess.VMAccessExtension.OnEnable()'. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot . | This error indicates that the VM extension "enablevmAccess" failed because the user account "scsadmin" already exists but isn't in the Administrators group. To resolve this issue, ensure that the user account is added to the Administrators group. |
| VM has reported a failure when processing extension 'enablevmaccess' (publisher 'Microsoft.Compute' and type 'VMAccessAgent'). Error message: 'Cannot update Remote Desktop Connection settings for Administrator account. Error: System.Runtime.InteropServices.COMException (0x800708C5): The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements. at System.DirectoryServices.DirectoryEntry.CommitChanges() at Microsoft.WindowsAzure.GuestAgent.Plugins.WindowsUser.SetPassword(SecureString password, Boolean expirePassword) at Microsoft.WindowsAzure.GuestAgent.Plugins.WindowsUserManager.CreateUserInGroup(String userName, SecureString password, Boolean expirePassword, String[] groups) at Microsoft.WindowsAzure.GuestAgent.Plugins.RemoteAccessAccountManager.AddOrUpdateRemoteUserAccount(String userName, SecureString password, Boolean expirePassword) at Microsoft.WindowsAzure.GuestAgent.Plugins.JsonExtensions.VMAccess.VMAccessExtension.OnEnable()'. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot . | This error message indicates that the VM failed to process the "enablevmaccess" extension due to an issue with updating the Remote Desktop Connection settings for the Administrator account. The specific error is related to the password not meeting the policy requirements, such as minimum length, complexity, and history. To resolve this issue, ensure that the password complies with the required policy standards. For more information, see Troubleshoot VM extensions. |
| {"innererror": {"internalErrorCode": "MultipleExtensionsPerHandlerNotAllowed"}, "code": "BadRequest","message": "Multiple VMExtensions per handler not supported for OS type 'Windows'. VMExtension 'enablevmaccess' with handler 'Microsoft.Compute.VMAccessAgent' already added or specified in input."} | This error message indicates that the OS type "Windows" doesn't support multiple VM extensions per handler. The "enablevmaccess" extension with the handler "Microsoft.Compute.VMAccessAgent" has already been added or specified in the input. To resolve this issue, ensure that only one extension per handler is configured for the VM. You can manually remove an extension by using the following PowerShell cmdlet and retry the operation: Remove-AzVMExtension -ResourceGroupName "ResourceGroup11" -Name "ExtensionName" -VMName "VirtualMachineName" |
If the Azure VM access extension fails to install you can troubleshoot VM extension issues.
If you're unable to reset the password using the VM access extension then you can reset the local Windows password offline. This method is more advanced and requires you to connect the virtual hard disk of the problematic VM to another VM. Follow the steps documented in this article first, and attempt the offline password reset method only if those steps don't work.
Troubleshoot Remote Desktop connections to a Windows-based Azure virtual machine.
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.