Last active
January 21, 2026 06:26
Bypass DSC and install AVD agents directly via MSI to work around WDAC/script enforcement settings. First option - run command, second option - custom script extension. Done for illustration, not tested, feedback welcome!
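# Option 1: register the session host with the AVD host pool by running a
# PowerShell script through a VM run command. The script downloads the RD Agent
# and RD Agent Boot Loader MSIs and installs them with msiexec, passing the
# host pool registration token to the agent installer.
#
# NOTE(review): the registration token is interpolated into the script text, so
# it is stored wherever the script text is stored (Terraform state, and the run
# command resource). The resource also offers a protected_parameter block meant
# for secret values; moving the token there needs a matching param() block in
# the script. Not changed here because it is untested -- confirm before use.
resource "azurerm_virtual_machine_run_command" "register_avd" {
  name               = "register-avd-host"
  location           = azurerm_windows_virtual_machine.session_host.location
  virtual_machine_id = azurerm_windows_virtual_machine.session_host.id

  source {
    script = <<-EOT
      $ErrorActionPreference = 'Stop'

      $tempDir = 'C:\temp'
      if (-not (Test-Path $tempDir)) { New-Item -ItemType Directory -Path $tempDir -Force | Out-Null }

      $registrationToken = '${azurerm_virtual_desktop_host_pool_registration_info.registration.token}'

      # Download an MSI, refuse to install it unless it carries a valid
      # Microsoft Authenticode signature, then install it silently and stop the
      # script on a failing msiexec exit code.
      function Install-VerifiedMsi {
        param([string]$Url, [string]$Path, [string]$ExtraArgs)

        Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing

        # The download URL is a redirector, so the file content is not pinned;
        # check the signature before handing the file to msiexec.
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
          throw "Signature check failed for $Path (status: $($sig.Status))"
        }

        # -PassThru returns the process object so the exit code can be checked;
        # without it a failed install would still be reported as completed.
        $proc = Start-Process msiexec.exe -ArgumentList "/i `"$Path`" /quiet $ExtraArgs" -Wait -NoNewWindow -PassThru
        # 0 = success, 3010 = success but a reboot is required.
        if ($proc.ExitCode -notin 0, 3010) {
          throw "msiexec failed for $Path with exit code $($proc.ExitCode)"
        }
      }

      # Download RD Agent and install it with the registration token
      $agentUrl = 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWrmXv'
      Install-VerifiedMsi -Url $agentUrl -Path "$tempDir\RDAgent.msi" -ExtraArgs "REGISTRATIONTOKEN=$registrationToken"

      # Download and install Bootloader
      $bootloaderUrl = 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWrxrH'
      Install-VerifiedMsi -Url $bootloaderUrl -Path "$tempDir\RDBootLoader.msi" -ExtraArgs ''

      Write-Output "AVD Agent registration completed"
    EOT
  }
}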
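# Option 2: run the registration script through the Custom Script Extension.
#
# The script is passed with -EncodedCommand (base64 of the UTF-16LE text)
# instead of being pasted inside a double-quoted -Command argument: the script
# is multi-line and contains quotes and comments, which do not survive
# command-line quoting reliably.
#
# The command line carries the host pool registration token, so it is placed in
# protected_settings rather than settings. The token is still written to
# Terraform state; treat the state file as a secret.
#
# NOTE(review): the encoded script is roughly 2.7x the size of the plain text;
# confirm the resulting command line stays within the extension's limits.
resource "azurerm_virtual_machine_extension" "register_avd_host" {
  name                       = "register-avd"
  virtual_machine_id         = azurerm_windows_virtual_machine.session_host.id
  publisher                  = "Microsoft.Compute"
  type                       = "CustomScriptExtension"
  type_handler_version       = "1.10"
  auto_upgrade_minor_version = true

  protected_settings = jsonencode({
    commandToExecute = "powershell.exe -ExecutionPolicy Bypass -EncodedCommand ${textencodebase64(local.avd_registration_script, "UTF-16LE")}"
  })

  # The script local already references the registration info; the explicit
  # dependency is kept so the ordering is visible at the resource.
  depends_on = [
    azurerm_virtual_desktop_host_pool_registration_info.registration
  ]
}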
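# PowerShell script that downloads and installs the RD Agent (with the host
# pool registration token) and the RD Agent Boot Loader.
#
# Fixes over the first draft:
#   - the token was inside a single-quoted PowerShell string, which does not
#     expand variables, so msiexec received the literal text
#     "$registrationToken"; the argument is now built by concatenation;
#   - C:\temp is created before downloading into it;
#   - each MSI's Authenticode signature and each msiexec exit code is checked;
#   - backslashes are single: heredocs do not process backslash escapes.
#
# The script deliberately uses only single-quoted strings, so it stays intact
# if it is embedded inside a double-quoted -Command argument.
#
# The interpolated token makes this local sensitive; it ends up in Terraform
# state with whatever resource consumes it.
locals {
  avd_registration_script = <<-EOT
    $ErrorActionPreference = 'Stop'

    $registrationToken = '${azurerm_virtual_desktop_host_pool_registration_info.registration.token}'
    $agentUrl = 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWrmXv'
    $bootloaderUrl = 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWrxrH'

    $tempDir = 'C:\temp'
    $agentMsi = $tempDir + '\Microsoft.RDInfra.RDAgent.Installer.msi'
    $bootloaderMsi = $tempDir + '\Microsoft.RDInfra.RDAgentBootLoader.Installer.msi'
    if (-not (Test-Path $tempDir)) { $null = New-Item -ItemType Directory -Path $tempDir -Force }

    # Stop unless the downloaded file carries a valid Microsoft signature.
    function Assert-MicrosoftSigned {
      param([string]$Path)
      $sig = Get-AuthenticodeSignature -FilePath $Path
      if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
        throw ('Signature check failed for ' + $Path + ' (status: ' + $sig.Status + ')')
      }
    }

    # Download and install RD Agent
    Invoke-WebRequest -Uri $agentUrl -OutFile $agentMsi -UseBasicParsing
    Assert-MicrosoftSigned -Path $agentMsi
    $agent = Start-Process msiexec.exe -ArgumentList ('/i ' + $agentMsi + ' /quiet REGISTRATIONTOKEN=' + $registrationToken) -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required.
    if ($agent.ExitCode -notin 0, 3010) { throw ('RD Agent install failed, exit code ' + $agent.ExitCode) }

    # Download and install RD Agent Bootloader
    Invoke-WebRequest -Uri $bootloaderUrl -OutFile $bootloaderMsi -UseBasicParsing
    Assert-MicrosoftSigned -Path $bootloaderMsi
    $bootloader = Start-Process msiexec.exe -ArgumentList ('/i ' + $bootloaderMsi + ' /quiet') -Wait -PassThru
    if ($bootloader.ExitCode -notin 0, 3010) { throw ('RD Agent Bootloader install failed, exit code ' + $bootloader.ExitCode) }
  EOT
}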