Security Center is in active development and receives improvements on an ongoing basis. To stay up to date with the most recent developments, this page provides you with information about new features, bug fixes, and deprecated functionality.
Azure Security Center’s features cover the two broad pillars of cloud security:
Cloud security posture management (CSPM) – Security Center is available for free to all Azure users. The free experience includes CSPM features such as secure score, detection of security misconfigurations in your Azure machines, asset inventory, and more. Use these CSPM features to strengthen your hybrid cloud posture and track compliance with the built-in policies.
Cloud workload protection (CWP) – Security Center’s integrated cloud workload protection platform (CWPP), Azure Defender, brings advanced, intelligent, protection of your Azure and hybrid resources and workloads. Enabling Azure Defender brings a range of additional security features as described on this page. In addition to the built-in policies, when you’ve enabled any Azure Defender plan, you can add custom policies and initiatives. You can add regulatory standards – such as NIST and Azure CIS – as well as the Azure Security Benchmark for a truly customized view of your compliance.
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
Microsoft Azure Arc enables you to manage your entire environment, with a single pane of glass, by projecting your existing resources into Azure Resource Manager. You can now manage virtual machines, Kubernetes clusters, and databases as if they are running in Azure. Regardless of where they live, you can use familiar Azure services and management capabilities. Azure Arc enables you to continue using traditional ITOps, while introducing DevOps practices to support new cloud native patterns in your environment.
IT Management with Azure ARC
With Microsoft Windows Admin Center I Build a Microsoft Azure Stack HCI Clusterand the Nodes are connected with Azure Arc Services. In the following steps you will see a security feature of Microsoft Azure Arc Services with remediation of the Risks on the Azure Stack HCI Cluster On-premises.
Azure Arc Security Remediation
Here you see the Azure Arc Servers with Azure Stack HCI
On Skywalker01 Node we have two Security Risks
When you click on the risk, you see the description and the remediation steps to solve this risk issue. Here you can also see the remediation script:
Automatic Remediation Script.
Select the Azure workspace ID and when you don’t have one you can Create new Workspace in Azure.
Select the resource, in my case Skywalker01
Click on remediate resource.
Remediation in progress
The Microsoft Azure Monitor Agent extension in Azure Arc is successfully installed.
Done.
I did the same for Skywalker02 Azure Stack HCI Cluster Node.
The Next Medium Risk is a Vulnerability assessment on the Azure Stack HCI Cluster nodes. Just follow the steps of the wizard.
Azure Arc Security Vulnerability Assessment with Azure Defender
Click on remediate.
This one will use Qualys in Azure Defender.
Click on remediate resource.
The vulnerability scanner included with Azure Security Center is powered by Qualys. Qualys’ scanner is one of the leading tools for real-time identification of vulnerabilities. It’s only available with Azure Defender for servers. You don’t need a Qualys license or even a Qualys account – everything’s handled seamlessly inside Security Center.
Azure Arc Insights of the Azure Stack HCI Cluster Node
Because we have installed the Microsoft Azure Monitor extension in Azure Arc on this Azure Stack HCI Node Server, telemetry and analytics will do his job for Monitoring in Azure and data will be collected. In Azure maps you see the connectivity of the Server.
Here you can see the Fired Alerts by severity and Investigate 🙂
Here you see the power of Hybrid IT management via Microsoft Azure Arc services and get Azure Cloud services for your On-premises Servers. You have the Free Microsoft Windows Admin Center Tool and integration with Azure Arc for all the innovative tools like Azure Monitor, Azure Security Center, Azure Defender, Update management and more. I hope you see the benefits too, Get started Today !
Azure Stack HCI is a Hyper-Converged Infrastructure (HCI) cluster solution that hosts virtualized Windows and Linux workloads and their storage in a hybrid on-premises environment. Azure hybrid services enhance the cluster with capabilities such as cloud-based monitoring, Site Recovery, and VM backups, as well as a central view of all of your Azure Stack HCI deployments in the Azure portal. You can manage the cluster with your existing tools including Windows Admin Center, System Center, and PowerShell.
Azure Stack HCI, version 20H2 is a new operating system now in Public Preview and available for download. It’s intended for on-premises clusters running virtualized workloads, with hybrid-cloud connections built-in. As such, Azure Stack HCI is delivered as an Azure service and billed on an Azure subscription. Azure Stack HCI also now includes the ability to host the Azure Kubernetes Service; for details, see Azure Kubernetes Service on Azure Stack HCI.
Get Started with Azure Stack HCI and Windows Admin Center
Windows Admin Center is a locally deployed, browser-based app for managing Azure Stack HCI. The simplest way to install Windows Admin Center is on a local management PC (desktop mode), although you can also install it on a server (service mode).
If you install Windows Admin Center on a server, tasks that require CredSSP, such as cluster creation and installing updates and extensions, require using an account that’s a member of the Gateway Administrators group on the Windows Admin Center server. For more information, see the first two sections of Configure User Access Control and Permissions.
Before you begin, you have to know that Azure Stack HCI is still in Preview and not for Production usage ready. But I’m installing it in my MVPLAB for testing purpose only and learn all the New Features.
What’s New in Azure Stack HCI
Clusters running Azure Stack HCI, version 20H2 have the following new features as compared to Windows Server 2019-based solutions:
New capabilities in Windows Admin Center: With the ability to create and update hyper-converged clusters via an intuitive UI, Azure Stack HCI is easier than ever to use.
Stretched clusters for automatic failover: Multi-site clustering with Storage Replica replication and automatic VM failover provides native disaster recovery and business continuity to clusters that use Storage Spaces Direct.
Affinity and anti-affinity rules: These can be used similarly to how Azure uses Availability Zones to keep VMs and storage together or apart in clusters with multiple fault domains, such as stretched clusters.
Azure portal integration: The Azure portal experience for Azure Stack HCI is designed to view all of your Azure Stack HCI clusters across the globe, with new features in development.
GPU acceleration for high-performance workloads: AI/ML applications can benefit from boosting performance with GPUs.
BitLocker encryption: You can now use BitLocker to encrypt the contents of data volumes on Azure Stack HCI, helping government and other customers stay compliant with standards such as FIPS 140-2 and HIPAA.
Improved Storage Spaces Direct volume repair speed: Repair volumes quickly and seamlessly.
In the Following Step-by-Step guide we install Azure Stack HCI Cluster with Windows Admin Center.
Click on Add and then Create New Server Cluster.
Choose for Azure Stack HCI.
Here you can also choose for both Azure Stack HCI nodes are in the same Site or you have more Azure Stack HCI Nodes in Two Sites for disaster Recovery and Business Continuity.
In my MVPLAB I have all Azure Stack HCI nodes in One Site. More information about Microsoft Azure Stack HCI Stretching Clusters can be found here.
This is what I like about Windows Admin Center, supporting you in all steps and choices for making an Azure Stack HCI Cluster with Storage Spaces Direct.
Specify your administrator Account and password and add the Azure Stack HCI Node Servers
Add the Nodes to the Domain.
Install Required Features on the Azure Stack HCI Node Servers
Install Updates on the Azure Stack HCI Node Servers
Here you get options from your hardware vendor
I don’t get this because it’s virtual.
Restart the Azure Stack HCI Node Servers and Click Next Networking
Networking adapters are UP and Running.
When you have Enough Nics in your Azure Stack HCI Node Server, you can choose here for a Teamed Management NIC.
I choose for a single management NIC. Plan your Azure Stack HCI Node network
Configure your Production and Storage network
Here you can configure different Switches for your workloads. Windows Admin Center will work with Software Defined Networking (SDN) I Skipped this in my MVPLAB.
Before creating the Azure Stack HCI Cluster, we have to Validate the Cluster first.
When the Cluster Validation is done, you can download the Cluster Validation report.
Here we give the Cluster a Name and a static IP.
Click Create Cluster.
Microsoft Azure Stack HCI Cluster is created 😉
Click Next for Storage.
Click Next
I Got some small disks Click Next.
Storage is validated and suitable for Storage Spaces Direct.
Storage Spaces Direct is enabled on your Azure Stack HCI Cluster.
Click Next for SDN
Here you can configure the Network Controller for the Azure Stack HCI Cluster
Done your Azure Stack HCI Cluster is made 🙂
Here we have the Dashboard in Windows Admin Center of my Azure Stack HCI Cluster
Management of your Azure Stack HCI Cluster
Managing your Azure Stack HCI Cluster with Windows Admin Center is important, because I have connected WAC with my Azure Subscription I can use Azure Monitor.
From here the Cluster is also connected with my Analytics workspace of Azure Monitor.
Azure Stack HCI Cluster Nodes connected with Azure Monitor.
With Windows Admin Center you can manage the Azure Stack HCI updates with Cluster Aware Updating (CAU) without any downtime for your workloads.
Start Cluster Aware Updating
Click on Install
One Azure Stack HCI Node is waiting and the other is Installing.
Now the other Azure Stack HCI Node is Installing the Update.
Updates Succeeded on both Azure Stack HCI Nodes.
Microsoft Azure Stack HCI Cluster is Running
Create your Virtual Machine on Azure Stack HCI Cluster.
Conclusion
Windows Admin Center supports you all the way for making your Microsoft Azure Stack HCI Cluster in easy steps deployment wizard. Of course you can make also your own PowerShell deployment scripts when you have to make more Azure Stack HCI Clusters for different platforms like Deploying virtual machines or AKS Kubernetes Clusters for Container Applications or a SQL environment. Here you find more information about PowerShell commands
After deploying Azure Stack HCI Clusters with your own PowerShell Script, you can add the Cluster into Windows Admin Center for IT Management.
The Installation time of the Cluster is really fast. I hope this will give you more inside information about the Preview of Microsoft Azure Stack HCI Cluster and Windows Admin Center better Together!
Next Step is AKS Kubernetes on Azure Stack HCI 😉
I Love being the first to see what’s next for Windows in the Windows Insider Program. For me It’s a way of Life to support Microsoft by giving feedback, suggestions and ideas for Windows 10 New innovations and improvements. I feel I’m building together with the Microsoft Product Team and Community to make a better product every week. It’s awesome too see that Microsoft is solving your feedback issue or your idea is coming in the next Windows Insider Build Release 🙂 I’m a Windows Insider MVP but also a Cloud and Datacenter Management MVP for the Community sharing New Microsoft Technologies.
You can join the Microsoft Windows Insider Programtoo and work with the newest Windows Insider Preview Builds of Microsoft.
Windows Insider Feedback Hub
Windows Insider Program
When you joined the Windows Insider program, you only have to activate the right Windows Insider Channel in your Windows10 Operating system. Go to Settings and Click on Windows Insider Program.
Windows Insider Program
First you login with your Windows Insiders Registration email address to get connection with the Windows Insiders Preview Build version. Then you have to select in which Windows Insiders Channel you want :
Here you see the Windows Insiders Channels.
I’m using all the Channels on different Machines as a MVP
When you select your Windows Insiders Channel, then you go to Windows Updates and get the latest Windows Insiders Preview Build of your Channel to download and Install.
Downloading Windows Insider Preview Build 20251 in the Dev Channel.
After downloading, rebooting, installing the new Windows Insiders Preview Build, you can test Windows 10 with the newest features of Microsoft and give your feedback and ideas in the Feedback Hub on your Machine.
Here you find the Microsoft Windows Insider Blogpost about this Preview Build 20251
When you found a new Issue in Windows Insider Preview Build or you want to give your idea to Microsoft, open the Windows Insiders Feedback Hub on your local machine here:
Click here on Give Feedback.
Summarize your feedback and Explain in more details
Select at Category if it’s a problem or Suggestion
and the category recommendations.
Click on Next
Find Similar Feedback Click Next
Add More Details.
For the Microsoft Windows Insider Engineers It’s important to get Screenshots and the data. Start recording and show Microsoft your issue in this Windows Insider Preview Build. Save the recordings ! and Send your feedback to Microsoft.
You can support Microsoft by giving feedback when something is fixed for you.
Here I report that the File Explorer issue is solved in Build 20251.
In the Feedback Hub you find more like Quests, Achievements, and Announcements from Microsoft Windows Insider Program.
Windows Insider Achievements
For the work you do free because you like to test the newest Microsoft Windows features, you can earn Microsoft Badges.
Microsoft Windows Insider Quests
With Microsoft Windows Insider Quests, Microsoft ask you to test new features and give your feedback about it.
They explain the feature and the steps so you can try it yourself. I love these quests, because then you learn about the new features and innovation you try out.
here you see the Microsoft Windows Insider Announcements to keep you Up-to-Date
Windows Insider Community
Being a Windows Insider in the Community is Awesome, you make friends on social media who share the same technology interest, asking questions and keep each other posted on new updates. Microsoft Windows Insiders program is really active on Twitter with handler @windowsinsider
We use Hashtag’s : #WindowsInsiders #WIMVP #Windows10
When you like to work with the Newest Microsoft Windows Insider Preview Build versions to test and explore New innovated features in Windows 10 or Windows Server, then JOIN the Windows Insider Program.
I really like this program and being connected with Microsoft Product Group, giving feedback and working Together with the Community to make a better product every time. For me It’s a way of life, It’s a Great Hobby for me but also my Work 😉
Have Fun with the Windows Insider Program, and Learn on the Job !
As an Administrator, I like to work with Microsoft Windows Admin Center, It’s a locally deployed, browser-based app for managing Windows servers, clusters, hyper-converged infrastructure, as well as Windows 10 PCs. You can download Windows Admin Center hereand use it for Free in your Production environment. What is Windows Admin Center? What are my benefits? Here you see Windows Admin Center Architecture how it works.
Windows Admin Center Architecture.
So you can use Windows Admin Center everywhere, you can Install it on a Server on-premises without any internet connections, or in a hybrid way with a internet connection for Cloud
services integrations like Azure Backup, Azure Security Center, Azure Monitor or Azure File Sync and to manage your Virtual Machines in the Cloud.
Microsoft is now busy with Windows Admin Center in the Azure Portal in Preview to manage your Hybrid Datacenter. Here you find a blogpost about it in the Microsoft Tech Community.
Manage Internet Access in Windows Admin Center.
Datacenter Administrators want to manage Windows Servers in an Easy way but it must be secure. Microsoft has some user access options for using Windows Admin Center.
The one I like most is Microsoft Azure MFA (Two-Factor-Authentication) on your Windows Admin Center environment. Here you find more information about User Access WAC.
Choose the right Windows Admin Center installation for your environment:
Windows Admin Center Installation types.
These are Production Ready.
But don’t forget the Microsoft Windows Admin Center in the Azure Portal Preview :
Windows Admin Center in the Azure Portal Preview.
Windows Admin Center | Management | Azure Security Center Integration.
The Power of a Modern Management tool like Windows Admin Center is the Extensions feature to integrate with external Services like Azure Cloud Services, or third party vendors like Dell EMC or HP, Fujitsu, Data-On with great management solutions. An other example of a Windows Admin Center Extension are Containers.
In the following steps you will see how easy it is to manage and integrate Azure Security Center into Windows Admin Center for your Servers.
When you have installed Windows Admin Center, you have to add your Microsoft Azure Subscription into WAC.
Azure Registration in Windows Admin Center.
In the upper right you have the settings icon of Windows Admin Center, from there you can select Azure and do the registration. What it will do is making a API with your Microsoft Azure subscription:
Here you see the Registration in Microsoft Azure.
When that is completed successfully, you can add the Microsoft Azure Services via Extensions in Settings. We are going to Select Azure Security Center.
Install the Microsoft Azure Security Center Extension.
From here you have installed the basics for your Servers, now the Microsoft Azure Security Center feature is added in the left management bar at each Server in Windows Admin Center.
Now we only have to register the Servers into Azure Security Center with Windows Admin Center.
Here you see my MVPLAB Machines.
I have two Azure Stack HCI virtual Machines and I like to know if they are secure. ( Skywalker01 and Skywalker02) I start with the Azure Security Center Installation on Skywalker01 VM.
Azure Stack HCI VM called Skywalker01.mvplab.cloud
Sign into Azure.
Select your Azure Subscription, Create or Use existing workspace.
Select Region, and Create or use existing Resource Group.
Click on Setup.
The Virtual Machine will be added to Azure Security Center.
From here it need some time to do the job with doing assessments, getting the metadata of the server with log analytics. Microsoft Azure Security Center will come with security recommendations like:
Here you can do a Quick Fix and do Remediation.
After a view minutes the Security issues are also coming into Windows Admin Center.
Here I get some Security advice in Windows Admin Center for Skywalker01 VM
Here you see the Power of the Azure Cloud with Log Analytics and the
Azure Security Center baselines for Skywalker01 Azure Stack HCI VM.
I forgot Skywalker02 VM to do the monthly security updates and that is a Security Risk too of course :
Skywalker02 Azure Stack HCI VM at High Security Risk.
(No updates)
Of course we have Windows Updates in Windows Admin Center, Just have to select and approve the updates for Skywalker02 to solve this high Risk issue.
Skywalker02 Azure Stack HCI VM Security Risk Solved 😉
Conclusion
In a Hybrid IT world today is Better Together my motto with Windows Admin Center and Microsoft Azure Security Center you have a Great solution. You can make your own Azure Security Center Baseline policy to deploy on your Windows Servers to make them more Secure. Get a High Security Score ! And don’t worry you can add all your Windows Servers into Windows Admin Center if they are on-premises or in the Cloud.
With Azure MFA Two-Factor access authentication, you make your Management tool Windows Admin Center more Secure for your environment. If you don’t use Windows Admin Center yet, start Today !
Learn about the latest Windows Server features and capabilities—directly from the Microsoft product team. Watch demos and discover best practices to modernize your workloads, whether you’re running Windows Server on-premises, in a hybrid environment, or on Azure.
Windows Admin Center is a locally deployed, browser-based app for managing Windows servers, clusters, hyper-converged infrastructure, as well as Windows 10 PCs. It comes at no additional cost beyond Windows and is ready to use in production. If you want to work more secure with Windows Server Core images without the GUI or with Microsoft Azure Stack HCI operating system then Windows Admin Center is the tool for the Administrator to manage your workloads on-premises or in the Cloud. You have one web based interface for all your Server consoles (MMC) to manage your Hybrid Datacenter.
Here you can read more about Microsoft Windows Admin Center and download the free software.
Get the best with Windows Admin Center Extensions
Windows Admin Center and the Container Extension
When you have installed Microsoft Windows Admin Center you can configure the settings and extensions for your environment. When you want the benefits of the Microsoft azure Cloud Services you can configure your Azure subscription and add the extensions to your Windows Admin Center. There are also Third Party extensions like Dell, DataOn, Fujitsu and more. Here you find more information about how extensions work.
Container Extension
In the following step-by-step guide we will work with the Container Extension of Windows Admin Center on a Windows Server 2019. You have already added the server in WAC and installed the Container extension. In my MVPLAB.CLOUD is that Windows Server 2019 datacenter Starship01.mvplab.cloud. When you open the server you will come in the Overview of the Windows Server:
Click on Containers.
Click on Install for the Docker installation on Starship01.mvplab.cloud.
This will install Docker on the Windows Server 2019 and reboot when it’s ready to use for Containers. From this moment you can work with Windows Containers on the host via Windows Admin Center.
Remote Desktop in Windows Admin Center, the docker host is installed with the Windows Filter by default.
When you want to use Docker Linux Containers with Windows Server 2019 host, you have to configure the Linux kit LCOW with a distro on the host. More info here
Containers on Starship01.mvplab.cloud
To start with containers you can create your own, or pull an image from Docker Hub with Windows Admin Center. In my case I pull Windows Server 2019 ltsc with IIS image.
mcr.microsoft.com/windows/servercore/iis (Image)
windowsservercore-ltsc2019 (Tag)
Click then on Pull.
Select your image and click on Run.
Give your Container a name and set your settings.
Click on Run.
Click on Containers tab and you will see your running Container
More details you see the IP-Address of the Container.
IIS is running on Windows Server 2019 ltsc in a Docker Windows Container.
That was easy right 😉
Making your Own Docker file with Windows Admin Center Container Extension
When you have your own Github repository with your software, you can make your own docker file and make a docker image on your host for deployment. To show this I have used this sample on Microsoft docs, but you can clone also a github repository and copy the dockerfile on the host.
I copied the dockerfile on the host C:\BuildImage.
—————
# Sample Dockerfile
# Indicates that the windowsservercore image will be used as the base image. FROM mcr.microsoft.com/windows/servercore:ltsc2019
# Metadata indicating an image maintainer. LABEL maintainer=”jshelton@contoso.com”
# Uses dism.exe to install the IIS role. RUN dism.exe /online /enable-feature /all /featurename:iis-webserver /NoRestart
# Creates an HTML file and adds content to this file. RUN echo “Hello World – Dockerfile” > c:\inetpub\wwwroot\index.html
# Sets a command or process that will run each time a container is run from the new image. CMD [ “cmd” ]
In Windows Admin Center comes ITpro world and DevOps world Together in One web based console like with the Container extension. Microsoft is developing really fast in Windows Admin Center to get all the right Feature for ITPro, DevOps and SecOps Administrators in one place. Awesome are the Windows Admin Center Extensions, developers makes these better and better to do the job for Administrators 🚀
Windows Server 2019 Core and Azure Stack HCI are Operating systems without a GUI, and with Windows Admin Center they are really good to manage, update and keeping in control of security.
I like Windows Admin Center a lot and it Rocks for managing your hybrid Datacenter 😉
Send your comments and feedback via Microsoft GitHub repoby opening a new issue for the Container Extension. Follow @vrapolinario on Twitter
You can Follow Windows Admin Center here on Twitter : @servermgmt
People, Process, and Technology to continually provide value to customers.
While adopting DevOps practices automates and optimizes processes through technology, it all starts with the culture inside the organization—and the people who play a part in it. The challenge of cultivating a DevOps culture requires deep changes in the way people work and collaborate. But when organizations commit to a DevOps culture, they can create the environment for high-performing teams to develop.
My name is James van den Berg and I’m a MVP in Cloud and Datacenter Management on my DevOps journey as an IT Infrastructure Guy managing datacenters on-prem and in the Microsoft Azure Cloud. Today It’s not only a Virtual Machine or a Website to deploy for your customers, it’s much more then that like :
Time to market, deploy your solution fast without waiting on dependencies because you automated your process with a CI CD Pipeline.
Security and Monitoring to keep you in Controle.
Working together with different Teams who are each responsible for a part of the solution.
Now is the time. Join your global partner community for the Microsoft Inspire digital event experience. Register today and get ready to extend your partner network as we explore what’s coming in the year ahead and work together to find shared solutions for our customers. Join Microsoft Inspire 2020 Global Event on July 21-22 Now at no Cost!
You will be Inspired by Microsoft New Technologies and Innovations !
