Azure Migrate
A central hub of Azure cloud migration services and tools to discover, assess, and migrate workloads to the cloud.
Azure Migrate Hyper-V guest discovery fails (Error 60001 / WinRM Negotiate 0x8009030d “Failed to open runspace”) even though manual remoting works
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 59%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Michael S
0
Reputation points
I’m evaluating whether migrating to Azure makes sense and I’m using Azure Migrate to assess our Hyper-V environment. I created a Migrate project, deployed/connected the Hyper-V appliance, and hosts/VMs are discovered. However, software/performance discovery for guest VMs fails.
Symptoms
- Azure Migrate shows Error ID 60001 for one or more discovered guest VMs.
Error details include:
“Failed to open runspace (state: Broken)”
“WinRM cannot process the request… using **Negotiate** authentication… **0x8009030d** (A specified logon session does not exist…)”
The failure is reported across multiple addresses for the same VM (hostname/FQDN/IP), depending on what the appliance tries.
What I’ve verified (high level)
On the Hyper-V hosts and guest VMs:
WinRM service running, WSMan listener present, TCP 5985 listening, Windows Firewall rules allow WinRM
Basic WMI/CIM queries succeed locally
Time is in sync across systems (to avoid Kerberos/NTLM issues).
The credential I configured in the appliance is a **domain account** and is in the **Remote Management Users** group (and I also tested with elevated permissions).
From the **appliance VM itself**, I can successfully remote to the same target systems with the same credential, for example:
`Invoke-Command -ComputerName <host-or-vm> -Authentication Negotiate -Credential <domaincred> -ScriptBlock { hostname; whoami }`
This succeeds against my Hyper-V hosts (and I can also reach target VMs manually).
What I’ve tried
Removed/re-added the credentials in the appliance.
Refreshed/revalidated in the portal multiple times.
Rebuilt the appliance / created a brand new Migrate project and repeated setup.
Disabled IPv6 on the appliance to rule out v6 selection issues (no change).
Question Given that manual WinRM / PowerShell remoting from the appliance to the target works, what specific Azure Migrate guest discovery dependency or authentication requirement commonly causes 0x8009030d / “Failed to open runspace” errors?
In particular:
Are there known cases where Azure Migrate uses a different authentication path than a normal Invoke-Command test (e.g., SPN/hostname requirements, constrained delegation, UAC remote token behavior, WinRM auth settings such as CredSSP/Basic/AllowUnencrypted, etc.)?
What logs on the appliance or target should I look at to pinpoint why Azure Migrate fails to create the runspace despite WinRM being reachable?
Sanitized error excerpt Error ID: 60001 Error details: Unable to connect… Failed to open runspace (state: Broken)… WinRM Negotiate… 0x8009030d “A specified logon session does not exist…”I’m evaluating whether migrating to Azure makes sense and I’m using Azure Migrate to assess our Hyper-V environment. I created a Migrate project, deployed/connected the Hyper-V appliance, and hosts/VMs are discovered. However, software/performance discovery for guest VMs fails.
Symptoms
Azure Migrate shows Error ID 60001 for one or more discovered guest VMs.
Error details include:
“Failed to open runspace (state: Broken)”
“WinRM cannot process the request… using **Negotiate** authentication… **0x8009030d** (A specified logon session does not exist…)”
The failure is reported across multiple addresses for the same VM (hostname/FQDN/IP), depending on what the appliance tries.
What I’ve verified (high level)
On the Hyper-V hosts and guest VMs:
WinRM service running, WSMan listener present, TCP 5985 listening, Windows Firewall rules allow WinRM
Basic WMI/CIM queries succeed locally
Time is in sync across systems (to avoid Kerberos/NTLM issues).
The credential I configured in the appliance is a **domain account** and is in the **Remote Management Users** group (and I also tested with elevated permissions).
From the **appliance VM itself**, I can successfully remote to the same target systems with the same credential, for example:
`Invoke-Command -ComputerName <host-or-vm> -Authentication Negotiate -Credential <domaincred> -ScriptBlock { hostname; whoami }`
This succeeds against my Hyper-V hosts (and I can also reach target VMs manually).
What I’ve tried
Removed/re-added the credentials in the appliance.
Refreshed/revalidated in the portal multiple times.
Rebuilt the appliance / created a brand new Migrate project and repeated setup.
Disabled IPv6 on the appliance to rule out v6 selection issues (no change).
Question
Given that manual WinRM / PowerShell remoting from the appliance to the target works, what specific Azure Migrate guest discovery dependency or authentication requirement commonly causes 0x8009030d / “Failed to open runspace” errors?
In particular:
Are there known cases where Azure Migrate uses a different authentication path than a normal Invoke-Command test (e.g., SPN/hostname requirements, constrained delegation, UAC remote token behavior, WinRM auth settings such as CredSSP/Basic/AllowUnencrypted, etc.)?
What logs on the appliance or target should I look at to pinpoint why Azure Migrate fails to create the runspace despite WinRM being reachable?
Sanitized error excerpt
Error ID: 60001
Error details: Unable to connect… Failed to open runspace (state: Broken)… WinRM Negotiate… 0x8009030d “A specified logon session does not exist…”
Azure Migrate
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 68%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBY%3C/text%3E%3C/svg%3E)
Bharath Y P 2,560 Reputation points Microsoft External Staff Moderator2025-12-02T21:49:10.09+00:00 Hello Michael S,
It sounds like you're having a tough time with Azure Migrate while assessing your Hyper-V environment. The Error ID 60001, along with the specifics regarding "Failed to open runspace" and "0x8009030d," indicates an authentication issue, even though you’ve confirmed manual remoting works.
- Azure Migrate uses WinRM with Negotiate (Kerberos first, NTLM if Kerberos fails). It’s stricter about matching the server’s identity than a simple PowerShell test. If the appliance connects using an IP address or a name that doesn’t match the server’s registered identity, Kerberos can fail and Negotiate may not recover, causing error 0x8009030d. Use the server’s full DNS name (FQDN) instead of IP. Add those names (and IPs if needed) to the appliance’s TrustedHosts list, and make sure the appliance can reach the domain. Windows Admin Center known issues | Microsoft Learn
- For Hyper‑V discovery, the appliance prefers WinRM over HTTPS (port 5986). If HTTPS is enforced but the target VM/host doesn’t have a valid certificate with the hostname in the CN field, the connection fails. Either set up proper WinRM HTTPS certificates on your targets, or temporarily disable HTTPS enforcement in the appliance until certificates are fixed.Windows Admin Center known issues | Microsoft Learn
- To collect software and performance data, Azure Migrate needs access to WMI/CIM and performance counters. Just being in the Remote Management Users group may not be enough because UAC filtering can block access. Add the discovery account to Remote Management Users, Performance Monitor Users, and Performance Log Users. For quick testing, you can add it to Administrators. If UAC still blocks access, grant explicit permissions to the CIMV2 namespace. Support for physical discovery and assessment in Azure Migrate and Modernize - Azure Migrate | Microsoft Learn
- Azure Migrate may try connecting to a VM using different addresses (FQDN, hostname, IP). If the WinRM listener is not set to Address=* or TrustedHosts doesn’t include the address being used, Negotiate can fail. Check that WinRM listeners on your targets are bound to Address=*. Add all possible names the appliance might use to TrustedHosts.
- Hyper‑V discovery uses HTTPS (5986) by default and falls back to HTTP (5985) if HTTPS isn’t available. If you enforce HTTPS without proper certificates, discovery fails. If you rely on HTTP fallback, make sure port 5985 is open. Set up an Azure Migrate appliance for physical servers - Azure Migrate | Microsoft Learn
To resolve this you can try below steps:
- Check WinRM listeners on each VM/host: run the below command
`winrm e winrm/config/listener`- Make sure you see Address=*.
- Confirm ports are open: Ensure TCP 5985 (HTTP) and 5986 (HTTPS) are open from the appliance to each VM. If HTTPS is enforced, verify the TLS handshake works (valid cert chain, CN matches hostname).
- **Validate authentication path:**Prefer connecting by FQDN instead of IP. On the appliance, run:
Add the VM hostnames (and IPs if needed) to TrustedHosts`winrm get winrm/config/client` - Fix HTTPS certificate issues (if enforced)
- Each VM/host must have a Server Authentication certificate with CN = hostname.
- If you don’t have proper certs yet, disable HTTPS enforcement in the appliance until they’re fixed.
- Adjust permissions for discovery account Add the account to:
- Remote Management Users
- Performance Monitor Users
- Performance Log Users
For quick validation, add it to Administrators. If UAC still blocks access, grant explicit permissions to the CIMV2 namespace.
Check logs for failure
- On the Azure Migrate Appliance:
- Appliance Diagnostic Logs: Use the Configuration Manager UI > Support > Download Logs.
- Windows Event Viewer (Appliance VM):
- Application Log: Errors from the Azure Migrate agent or PowerShell remoting.
- System Log: Network or service-level issues.
- Windows Remote Management Operational Log: Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Remote Management > Operational
- On Target VMs / Hosts
- Security Log: Check for Kerberos or NTLM logon failures (Event IDs 4625, 4776). These indicate authentication handshake issues.
- WinRM Operational Log: Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Remote Management > Operational. Look for errors related to session creation or authentication.
- WMI-Activity Log: Event Viewer > Applications and Services Logs > Microsoft >Windows > WMI-Activity > Operational. Shows if CIM/WMI queries fail due to permissions or UAC filtering.
Hope this helps. if you still encounter any issue, please do let us know, thanks.
-
Michael S 0 Reputation points
2025-12-02T23:19:31.7566667+00:00 - I have already configured the appliance with the FQDN. The appliance's trusted host is set to *. This should allow access to all servers.
- We don't have certificates on the VMs, so I have allowed it to connect through HTTP (this was done prior to posting). Same errors.
- I've granted CIMV2 permissions (all) to my account. (this was added new at your suggestion). After a refresh of the appliance in the portal, I still get the same errors.
- I have verified that the WinRM listener is set to Address=*
- I rely on fallback. Port 5985 is open and accessible.
As a sanity check, I switched the discovery account to a domain admin account. I am still receiving the same error.
However, I just noticed the "Troubleshoot" button at the top of the appliance webpage. When I run that, there are 2 tests that are failing. They are:
The first item references "azcmagent" service. That service does not exist on the appliance virtual machine. These are the closest matches:
Regarding the second error "400 Bad Request", from the appliance VM I ran a
Test-NetConnection discoverysrv.wus2.prod.migration.windowsazure.com -Port 443And it succeeded. So it is not getting blocked by our firewalls.
Any guidance on why that service doesn't exist on the downloaded appliance VM? Or why it's getting a bad request?
I am hoping this is related to the issue of discovery. I assume it is.
-
Bharath Y P 2,560 Reputation points Microsoft External Staff Moderator
2025-12-03T11:06:38.4666667+00:00 Hello Michael S, Thaks for the update. If the appliance is registered with a project key from a different Azure Migrate project/region, the request can hit the wrong discovery endpoint and be rejected.
Example: key created in East US while the appliance calls West US 2 (wus2). From Azure Migrate > Servers > Discover get a fresh project key for the exact project/region you intend, then re-register the appliance using Appliance Configuration Manager.
Also note that we cannot use Hyper-v host as the physical appliance and it should be dedicated windows server without hyper-v installed. to resolve this you recreating it with hyper-v host option.
-
Michael S 0 Reputation points
2025-12-03T19:52:15.76+00:00 I have completely removed and restarted a new migrate project, downloaded the appliance VM again, and configured everything with a new key (for the third time now). and I still have the diagnostic problems. There is something wrong with the Azure Migrate VM that is getting downloaded. Your suggestion of:
Also note that we cannot use Hyper-v host as the physical appliance and it should be dedicated windows server without hyper-v installed. to resolve this you recreating it with hyper-v host option.
relates to installing the migrate services on a separate machine. I am downloading the VM...not running the install script.
Can this be escalated to someone. I'm about to give up and just put everything on AWS.
-
Bharath Y P 2,560 Reputation points Microsoft External Staff Moderator
2025-12-04T18:22:46.6266667+00:00 Hello Michael S, Thank you for the update. We are currently reviewing this issue and will keep you informed at the earliest.
Sign in to comment
Sign in to answer