Document Details

Automation Hrw Run Runbooks
Home / Scan #41 / Automation Hrw Run Runbooks
Sad Tux - Windows bias detected
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Detected Bias Types
windows_first
powershell_heavy
windows_tools
missing_linux_example
Summary
The documentation demonstrates a Windows-first bias in several areas. Windows instructions, tools, and examples are often presented before their Linux equivalents, and some sections (such as credential usage and runbook authentication) provide only PowerShell/Windows-centric examples or omit Linux-specific guidance. Windows tools and patterns (e.g., Control Panel, Windows environment variable setup, Windows file paths, Windows event logs) are described in detail, while Linux instructions are more concise or missing in some cases. PowerShell is the primary language for code samples, with limited or no Bash or Python examples for Linux users.
Recommendations
  • Ensure that Linux instructions are presented alongside Windows instructions, not after them, and with equal detail.
  • Provide Linux-specific code examples (e.g., Bash, Python) wherever PowerShell examples are given for Windows.
  • Include Linux equivalents for all Windows tools and patterns mentioned (e.g., environment variable setup, logging locations, credential management).
  • Where Windows file paths or UI navigation are described, provide the corresponding Linux paths or commands.
  • Add explicit Linux authentication/runbook examples (e.g., using managed identities, credential assets) where only PowerShell/Windows examples are currently shown.
  • Balance the use of PowerShell with examples in Bash or Python, especially for common automation tasks.
  • Clarify any features or limitations that are Windows-only or Linux-only, and provide workarounds or alternatives where possible.
GitHub Create Pull Request

Scan History

Date Scan Status Result
2025-07-12 23:44 #41 cancelled Biased Biased
2025-07-12 00:58 #8 cancelled Clean Clean
2025-07-10 05:06 #7 processing Clean Clean
2025-07-09 23:22 #6 cancelled Clean Clean

Flagged Code Snippets

$Cred = Get-AutomationPSCredential -Name "MyCredential"
$Computer = Get-AutomationVariable -Name "ComputerName"

Restart-Computer -ComputerName $Computer -Credential $Cred

        # Ensures you do not inherit an AzContext in your runbook
        Disable-AzContextAutosave -Scope Process

        # Connect to Azure with user-managed-assigned managed identity. Replace <ClientId> below with the Client Id of the User Managed Identity
        $AzureContext = (Connect-AzAccount -Identity -AccountId <ClientId>).context

        # set and store context
        $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile
        $AzureContext

        # Get all VM names from the subscription
        Get-AzVM -DefaultProfile $AzureContext | Select Name
    
### Sign your runbooks using the certificate

With the Hybrid Runbook Workers configured to use only signed runbooks, you must sign runbooks that are to be used on the Hybrid Runbook Worker. Use the following sample PowerShell code to sign these runbooks.


        # Ensures you do not inherit an AzContext in your runbook
        Disable-AzContextAutosave -Scope Process

        # Connect to Azure with system-assigned managed identity
        $AzureContext = (Connect-AzAccount -Identity).context

        # set and store context
        $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile
        $AzureContext

        # Get all VM names from the subscription
        Get-AzVM -DefaultProfile $AzureContext | Select Name
        
        # Ensures you do not inherit an AzContext in your runbook
        Disable-AzContextAutosave -Scope Process

        # Connect to Azure with system-assigned managed identity
        $AzureContext = (Connect-AzAccount -Identity).context

        # set and store context
        $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile
        $AzureContext

        # Get all VM names from the subscription
        Get-AzVM -DefaultProfile $AzureContext | Select Name
    
## Work with signed runbooks on a Windows Hybrid Runbook Worker

You can configure a Windows Hybrid Runbook Worker to run only signed runbooks.

> [!IMPORTANT]
> Once you've configured a Hybrid Runbook Worker to run only signed runbooks, unsigned runbooks fail to execute on the worker.

> [!NOTE]
> PowerShell 7.x does not support signed runbooks for Windows and Linux Hybrid Runbook Worker.


### Create signing certificate

The following example creates a self-signed certificate that can be used for signing runbooks. This code creates the certificate and exports it so that the Hybrid Runbook Worker can import it later. The thumbprint is also returned for later use in referencing the certificate.


### Import certificate and configure workers for signature validation

Copy the certificate that you've created to each Hybrid Runbook Worker in a group. Run the following script to import the certificate and configure the workers to use signature validation on runbooks.