Azure VM: can't install Qualys extension

2.9k views Asked by At

I run the same code snippet as for other extensions:

az vm extension set \
  --resource-group "azure-vm-arm-rg" \
  --vm-name "azure-vm" \
  --name "WindowsAgent.AzureSecurityCenter" \
  --publisher "Qualys"

..and I'm getting:

The handler for VM extension type 'Qualys.WindowsAgent.AzureSecurityCenter' 
has reported terminal failure for VM extension 'WindowsAgent.AzureSecurityCenter' 
with error message: 'Enable failed for plugin (name: Qualys.WindowsAgent.AzureSecurityCenter,
 version 1.0.0.10) with exception Command 
C:\Packages\Plugins\Qualys.WindowsAgent.AzureSecurityCenter\1.0.0.10\enableCommandHndlr.cmd 
of Qualys.WindowsAgent.AzureSecurityCenter has exited with Exit code: 4306'. 

I have no issues installing this extension via Azure UI in Security Center

I suspect license to be the root cause but I don't have any dedicated licenses, I believe Security center manages them automatically

Any ideas how to install Qualys extension automatically?

3

There are 3 answers

0
Mathias Neerup On

I did also encounter this issue. In my case it helped to start the Qualys service manually. The extension then changes status to "Provisioning succeeded".

0
user1 On

I encountered the same issue. It was because the extension was added too soon after the vm had started. The pre-req is that the Azure Virtual Machine agent should be running on the vm before the extension is added.

for my solution, I added dependencies on other extensions before running this extension. That gave enough time for the machine to start and have the Azure Virtual Machine agent running before qualys extension is added.

{
        "type": "microsoft.compute/virtualmachines/providers/serverVulnerabilityAssessments",
        "apiVersion": "2015-06-01-preview",
        "name": "[concat(parameters('virtualMachineName'), '/Microsoft.Security/Default')]",
        "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/', parameters('virtualMachineName'))]",
            "[concat('Microsoft.Compute/virtualMachines/', parameters('virtualMachineName'), '/extensions/AzurePolicyforWindows')]",
            "[concat('Microsoft.Compute/virtualMachines/', parameters('virtualMachineName'), '/extensions/Microsoft.Insights.VMDiagnosticsSettings')]",
            "[concat('Microsoft.Compute/virtualMachines/', parameters('virtualMachineName'), '/extensions/AzureNetworkWatcherExtension')]"
        ]
        
    }
0
codaamok On

Make sure you have no Azure Policies configured which do things like require tags, as this can block the extension installation and only give the error message The resource operation completed with terminal provisioning state 'Failed'..