With Windows Admin Center in the Azure portal you can manage the Windows Server operating system of your Arc-enabled servers, known as hybrid machines. You can securely manage hybrid machines from anywhere–without needing a VPN, public IP address, or other inbound connectivity to your machine.
With Windows Admin Center extension in Azure, you get the management, configuration, troubleshooting, and maintenance functionality for managing your Arc-enabled servers in the Azure portal. Windows Server infrastructure and workload management no longer requires you to establish line-of-sight or Remote Desktop Protocol (RDP)–it can all be done natively from the Azure portal. Windows Admin Center provides tools that you’d normally find in Server Manager, Device Manager, Task Manager, Hyper-V Manager, and most other Microsoft Management Console (MMC) tools.
In the following steps we will install Azure Windows Admin Center (Preview) on a Microsoft Azure Arc enabled Server from the Azure Portal.
Click on Windows Admin Center (Preview) on the Left side.
Then click op Setup
Set the port.
Click on Install
Installing extension Windows Admin Center
At the Activity log you can follow the installation.
and See the Quick Insights
No Problems here 😉
Let’s Connect
Sign in with your Username and Password
Running Windows Admin Center from the Azure Portal.
Azure Windows Admin Center of the Azure Arc enabled Server.
PowerShell session remote on the Azure Arc enabled Server.
Events of the Azure Arc enabled Server.
Conclusion
With Microsoft Azure Windows Admin Center and Azure Arc enabled Servers you can manage your servers from anywhere.
You got all the benefits of Microsoft Azure Hybrid features. Try it yourself, Windows Admin Center is still in preview and for testing only.
You can experience this awesome Azure Hybrid solution before it goes in production 😉
Azure Arc-enabled servers lets you manage Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud providers. VM insights monitors the performance and health of your virtual machines and virtual machine scale sets, including their running processes and dependencies on other resources. It can help deliver predictable performance and availability of vital applications by identifying performance bottlenecks and network issues.
In the following steps you see more Azure Arc Insights of this On-premises domain controller.
Azure Arc Insights Performance monitor
Here you see by default performance counters in a dashboard of the Azure Arc enabled Server :
CPU Utilization
Available Memory
Logical Disk IOPS
Logical Disk MB/s
Max Logical Disk Used %
Bytes sent rate
Bytes received rate
In the right corner you can show your own workbooks.
Azure Arc Insights Map dependencies
I really like this feature to see more Insights of your dependencies with this map. See if there are any communication issues
in your solution is great!
Here you see connections of the Azure Arc enabled domain controller from on-premises.
You even can see if you have Malicious Connections in your process, here they are all green 🙂
Azure Arc Insights Map Changes
You can Investigate Changes
Azure Arc Insights Map Alerts
Here you can Investigate the Alerts.
Azure Arc Insights Overview
Make your own Data Collection Rule.
Here is the Data Source MSVMI-HybridIT
Here you can configure your resources with the Data Sources.
Create your own Data Collection endpoint for your Azure Arc enabled Server
Create your endpoint and select your Tag
with Tags you can set the Owner or cost number on the data collection endpoint.
When It’s ready you can here select the Data collection endpoint for your Server.
We only have Performance Counters, so we will add more Data Sources.
Here you can see some default Data sources.
I select Windows Event Logs.
Here you can configure the event logs and levels to Collect.
I selected only these.
Click on Next : Destination>
Select the right destination.
Then Click on Add Data Source
When you have your Servers Azure Arc enabled, you will work with Azure Arc extensions to work with Azure hybrid features like Defender for Cloud, Azure Monitor, Windows Admin Center and more. For each Azure Arc extension you can get updates, and it’s important to keep them up-to-date for new functionality and security. You have Azure Arc extensions for Windows Servers but also for Linux Servers.
Some of the Azure Arc extensions will automatic upgrade when you have enabled it and some must go manually from the Azure Portal.
More information about Azure Arc extensions you can find them here
In the next steps you will see the Update management of the Azure Arc enabled extensions :
Here I update one extension.
Inside the WindowsOsUpdateExtension
Here you can see that the WindowsOsUpdateExtension is up-to-date
and Status Succeeded
On the right of this screenshot you see Automatic Upgrade and some extensions are enabled, but some are not supported.
That’s why it’s important to check these updates.
Here you can see in the Status that two Azure Arc extensions are updating
And sometimes it failed to update.
But you can see what you can do best with this failed Status.
Here you see the error message and the Tips.
And when you can’t fix it yourself you can make a Support ticket right away.
Here you can see that all the Azure Arc extensions are updated successfully
So I selected all my Azure Arc enabled Servers and updated them all.
Conclusion
With Microsoft Azure Arc enabled Servers you have do some IT management to keep your Azure Arc extensions up-to-date.
I did this without rebooting Servers, just from the Azure Portal update Azure Arc extension.
Here you find more information about Microsoft Azure Arc for Azure Hybrid IT
I like to thank you Community for Supporting, Sharing and Reading New Microsoft technologies on my Blog, Twitter, Facebook and
LinkedIn Community Groups 💗 I wish you all happy Holidays, Merry Christmas and a Healthy New Year 2023 may the Best Wishes comes true ! 🎄🥂
I’m very proud and Honored on the Microsoft Global MVP Awards 2022-2023 !
MVP Award for Cloud and Datacenter Management
MVP Award for Windows Insiders
MVP Award for Azure Hybrid
Thank you Microsoft Product Groups, MVP Award Program, Windows Insider Team, Azure Hybrid Team, Windows Server and Azure Stack HCI Team for all your support, NDA PGI sessions, and for the Awesome software, Features, solutions you are building 🙂
Wish you all Happy Holidays, Merry Christmas and a Healthy New Year 2023 may the Best Wishes comes true ! 🎄🥂
Here are some Great links for Reading and Sharing :
JOIN these LinkedIn Community Groups for free and Share New Microsoft Technologies Together:
To keep your Business running, It’s important to secure and monitor your data. One of the security measures is doing Vulnerability assessments in your datacenter(s) to see the status and results for remediation. With Microsoft Azure Arc Defender for Cloud you can do a SQL Server vulnerability assessment in your on-premises datacenter or anywhere with the Azure Arc agent running. Here you find more information about Azure Arc enabled SQL Server
Microsoft Defender for Cloud on Azure Arc enabled SQL Server
Here I activated Microsoft Defender for Cloud on Azure Arc enabled SQL Server, and Azure Defender for Cloud is doing a SQL vulnerability assessment to get the security status and results for remediation.
On this same Azure portal page you will see the Vulnerability assessment findings.
When you Open a Vulnerability finding, you get more information and the remediation for the issue.
Here you see the complete Resource Health of the Azure Arc enabled SQL Server.
Look at the Status of each severity.
Here you see all the vulnerability findings on these four databases.
When you do the remediation you will see the healthy status.
on the Passed tab.
Here I open only the OperationsManager database.
Now you see only the Vulnerability findings on this database.
Here you see a vulnerability finding on the SCOM database with the Remediation 🙂
You can make your Own Workbooks or use them from the Gallery.
Workbook example of Vulnerability Assessment findings.
Conclusion
With Azure Defender for Cloud vulnerability assessment and management you will learn a lot to set your Security Baseline on a higher level in your datacenter(s). Getting the right remediation of Microsoft to solve security issues is Great! You can do your assessments frequently to show your current status on demand. I Really like these Azure Hybrid Tools to make my work easier and the data more secure for the business.
Microsoft Azure Update Management Center (Preview)
Update management center (preview) is a unified service to help manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on the other cloud platforms from a single dashboard. Using Update management center (preview), you can make updates in real-time or schedule them within a defined maintenance window. Here you can find more information about Azure Update Management Center
In the following step-by-step guide, we will start with Azure Update Management Center (Preview) and Microsoft Azure Arc enabled Windows Servers running on-premises in my mvplab.local domain.
With getting started you can configure the environment.
I start here with my Azure Arc enabled Storage Server.
Updates installed on the Azure Arc Enabled Windows Server.
In Azure Update Management Center Overview Dashboard
you can see that one machine is completed.
For Monitoring you can make your own workbooks.
I like this History, to see if updates are successful or not.
Conclusion
Microsoft Azure Update Management Center is still in Preview but it’s a new way to manage all of your updates on your Servers on-premises with Azure Arc enabled, or on Azure Cloud, but also in other Clouds if you want. One Update Management Center from the Azure Portal is Awesome to work with and gives you control and overview of your update compliance in your datacenter(s). Important: This Great tool is still in preview and not for production environments yet until it’s made GA by Microsoft and you have the full support on this awesome management tool.
In the last blogpost of MVPLABSerie we learned how to add Servers from anywhere to Microsoft Azure Arc services to get the Azure Hybrid benefit with awesome features and Management tools. you can find that blogpost over here:
With Windows Admin Center in the Azure Portal you can manage the Windows Server operating system of your Arc-enabled servers, known as hybrid machines. You can securely manage hybrid machines from anywhere–without needing a VPN, public IP address, or other inbound connectivity to your machine.
Open Servers and open your Azure Arc Enabled Server.
First of all we have to add the right Role assignment.
Click on Access Control on the Left.
Click on Add => Add Role Assignment.
Here you have to add the following Role Assignment. Windows Admin Center Administrator Login. Add this to your account
When the account is done, then go to Windows Admin Center (Preview)
on the left panel. Click then on Setup.
Click on Install
Setup Successfully!
Now you can Connect your Azure Arc Enabled Windows Server.
Here we have my Storage Windows Insider Server in mvplab.local domain.
From here you can do your IT Management with WAC.
Remote PowerShell on Azure Arc enabled Server.
Microsoft Azure Arc Insights Monitoring and Log Analytics
For IT Management and troubleshooting, monitoring and getting Insights is important to act quickly to keep the business and IT solutions running. With Azure Arc Insights you can see with Maps the connections of the Windows Server.
Azure Arc Insights with Map.
See also the Quick Link to Connection details
This is a really cool overview of your connections.
Here you can see if you have a Malicious connection!
Here I do a Query on the Arc Enabled Server mvpstore01 Update Summary.
There are a lot of Log Analytics queries to play with and mark them as your favorite for your Arc enabled Windows Server 😉
In the following blogpost we will have a closer look at Microsoft Azure Auto Manage and Update Management Center for
Microsoft Azure Arc enabled Windows Servers. We will not forget Security with Azure Defender for Cloud coming in the next blogposts.
Conclusion
With Microsoft Azure Arcenabled Servers you get a Microsoft Azure Hybrid environment with Great features and solutions.
Some features are still in preview and not supported for production workloads, but you can test them now like I do with my mvplab.local
This new innovative technology is going fast forward for Azure Hybrid Services to Manage your Windows Servers, Azure Stack HCI Clusters or your Linux virtual Machines. Azure Arc rocks and you can connect Microsoft Azure Anywhere 🙂
The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol. The set of message packets that defines a particular version of the protocol is called a dialect. The Common Internet File System (CIFS) Protocol is a dialect of SMB. Both SMB and CIFS are also available on VMS, several versions of Unix, and other operating systems. Here you can see the versions of MS-CIFS and download free white papers
Today SMBv1 is a not save protocol and will be used by hackers for man in the middle attacks to compromise your data and systems. SMBv1 is a weak protocol and should not be used in your environment. There are still a lot of Windows Servers 2012 R2 in the world running in datacenters with SMBv1 by Default enabled. To make your Windows Server more secure, you can disable SMBv1 protocol via a Group Policy Object (GPO).
In the following steps we will disable SMBv1 on Windows Servers via GPO.
Open Group Policy Management in your Domain.
Click on Group Policy Object with your right mouse button.
Click on New.
Give your policy a Name.
I made also an temporary Exception policy.
Right click on your new Policy Object.
Click on Edit.
Go to Computer Configuration => Preferences => Windows Settings
Click on Registry.
Click on New and then on Registry Item.
Here you have to add the following Registry Properties:
Set these settings.
Set Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Click on Apply for these Registry settings.
SMBv1 Disable setting is set in the Policy Object.
This is the path where we push the policy via GPO.
Here we Link the Existing GPO to the OU with the Windows Server 2012 R2
to disable SMBv1 Protocol.
Select your new Policy to disable SMBv1 Protocol.
We have now Linked the new GPO to Disable SMBv1
GPUpdate /force on your Server to disable SMBv1
To get the new GPO active on your Server.
When the Server gets a reboot, SMBv1 will be disabled by GPO again.
When you have maintenance window for updates for example, you can un-install the SMBv1 Feature in Server Manager. This procedure needs a restart of the Windows Server.
Go to Server Manager remove features.
Click on Remove Roles and Features.
Remove the mark at SMB 1.0/CIFS File Sharing Support Feature.
Click on Remove.
Click on Close and Reboot the Server
Now SMBv1 protocol on the Windows Server is disabled and will use a higher version of SMB like version 2.x or 3.x.
SMB over QUIC introduces an alternative to the TCP network transport, providing secure, reliable connectivity to edge file servers over untrusted networks like the Internet. QUIC is an IETF-standardized protocol with many benefits when compared with TCP:
All packets are always encrypted and handshake is authenticated with TLS 1.3
Parallel streams of reliable and unreliable application data
Exchanges application data in the first round trip (0-RTT)
Improved congestion control and loss recovery
Survives a change in the clients IP address or port
SMB over QUIC offers an “SMB VPN” for telecommuters, mobile device users, and high security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443 instead of the legacy TCP port 445. All SMB traffic, including authentication and authorization within the tunnel is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn’t change. SMB features like multichannel, signing, compression, continuous availability, directory leasing, and so on, work normally.
Client Server Handshake and Data transfer differences.
When you still have Windows Servers running with SMBv1 by default enabled, for security you should disable SMBv1 protocol as soon as possible! Otherwise you make it easy for hackers to compromise your data with man in the middle attacks. In Windows Server 2019 and higher SMBv1 is disabled by default. Have a look at SMB over QUIC in your test environment and learn how secure it is and how it works for your security and data.
I’m working with Windows Admin Center every day to manage our datacenter and to mange my MVP LAB. When you have to install Windows Server Core
or Microsoft Azure Stack HCI Operating system, then Windows Admin Center is the right tool for you as an Administrator. You can use all the Server Manager tools via WAC
and you don’t have to work with Command-line tools only like CMD and PowerShell.
In my MVP LAB I have a Microsoft Windows Server 2022 Datacenter Edition Hyper-V Host, and I like to make a Docker Host Server for my Containers.
With Windows Admin Center it’s easy to roll out a Docker host Server for your Containers.
In the following steps I will Install a Docker Host Server on Windows Server 2022.
Open Windows Admin Center and connect to your Server.
I Have Container Extension installed version 1.150.0
Click on Containers and Click on Install Windows Admin Center will Restart your Server for the Docker Installation!
Hang on while Docker Host will be Installed on Windows Server 2022.
Docker Host Installed Successfully.
Docker Host Container Overview Screen on Windows Server 2022.
From here you can Pull containers images to the Docker Host.
This is what I did but…..
Instead of pulling a Container Image you can also Create your Own Container Image.
Here I’m Pulling a ASP.NET Container Image from Microsoft.
Pulled Container Image Successfully.
The ASP.NET Container Image is now Available on the Docker Host.
Select the Container Image and Click on Run.
Give the Docker Container a name.
You can Manage the ports,
Hyper-V Isolation,
Memory,
CPU
And add addition Docker Run options,
Click on Run.
The ASP.NET Docker Container is running on Windows Server 2022.
When you Click on the running Container you will get options like :
Stats, Details, Logs, Console and Events.
When you Click on Console you will go remote by PowerShell to the Docker Host.
Here you got all the Docker commands 😉
And of course when you want to develop Containers as a developer you can use Microsoft Visual Studio Code as well.
(I’m using Visual Studio Code Insiders version in my MVP LAB)
Microsoft Azure Container Instances
Containers are becoming the preferred way to package, deploy, and manage cloud applications. Azure Container Instances offers the fastest and simplest way to run a container in Azure, without having to manage any virtual machines and without having to adopt a higher-level service.
Azure Container Instances is a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. For scenarios where you need full container orchestration, including service discovery across multiple containers, automatic scaling, and coordinated application upgrades, we recommend Azure Kubernetes Service (AKS).
For my MVP LAB Azure Container Instances (ACI) is a great way to run Containers fast in the Cloud and have a overview with Windows Admin Center for :
Here you have a overview of your Azure Container Instances in Windows Admin Center.
In the following steps I will create an Azure Container Instance via the Microsoft Azure Portal and show it in Windows Admin Center. For this you need to integrate Windows Admin Center with your Microsoft Azure Subscription. This you can do in settings of WAC:
When you have your Azure Account active in Windows Admin Center, go to the Microsoft Azure Portal and search for Container instances.
Click on Create Container Instances
Here you set the basics of your Azure Container Instance
Here you set the following items for your Azure Container Instance (ACI) :
Select your Azure Subscription which is integrated with your Microsoft Windows Admin Center.
Select or Create the Resource Group for your Azure Container Instance.
Give your Container a name.
Select the Region in Microsoft Azure where you want your Azure Container Instance to run.
Availability zones to select.
Select your Image Source, I selected Quickstart images of Microsoft, but you can also select your own Container image.
Then select the size for vcpu, memory, gpus for your Azure Container Instance application.
Click on Next for Networking.
I Selected Public for testing but here you can select private too
with your own DNS name Label with the
right ports and protocols.
At Advanced settings you can configure additional container properties and variables
here you can TAG the Owner of the Azure Container Instance.
Click on Review + Create.
Now you can Click Create or Download the template for Automation.
Have a look at the Options here what you can do with the Template from here.
Microsoft Azure Container Instance is Deployed and running.
Nginx Container Instance is running on Azure.
Now we have the Microsoft Azure Container Instance with Nginx running in the Cloud, we can see that in Windows Admin Center.
Azure Container Instance in Windows Admin Center in running state.
When you don’t need it anymore you can end it here or in the Azure Portal.
Azure Container Instance is stopped by Windows Admin Center.
Run your Own Azure Container Instances from the ACR via
Windows Admin Center.
Manage Kubernetes Clusters and Containers with Windows Admin Center
Azure Kubernetes Service (AKS) on Azure Stack HCI is an on-premises implementation of Azure Kubernetes Service, which automates running containerized applications at scale. Azure Kubernetes Service is available on Azure Stack HCI, Windows Server 2019 Datacenter, and Windows Server 2022 Datacenter, making it quicker to get started hosting Linux and Windows containers in your datacenter. This is the High Available Container Solution on-premises from Microsoft, where you can run Containers and microservices in a isolated way in your datacenter with your DevOps Team. But you can also make your Azure Stack HCI Cluster hybrid with Azure integration and Azure Arc Services to benefit of Azure Hybrid Services.
Create your Own locally Azure Stack HCI Cluster with Azure Kubernetes Services
Conclusion
Microsoft product team of Windows Admin Center | Windows Server | Azure Stack HCI are working hard to make the Windows Admin Center Tool better and better to install and manage Container / microservices solutions. With Microsoft Azure extensions in Windows Admin Center and Azure Arc Services, Microsoft features from the Azure Cloud becomes available for your Containers like Azure Defender for Cloud with Container Insights, Azure Monitor, Azure App Services and much more.
Windows Admin Center is a Great Server Manager tool for your Windows Servers in your Datacenter. Especially when you use Windows Server Core or Azure Stack HCI.
Hope you started year 2022 in Good Health in a difficult pandemic time.
Starting 2022 by asking yourself, how is your Security by Design doing in 2022
Your Security is one of the most important aspects of any architecture for your Business.
It provides confidentiality, integrity, and availability assurances against attacks and abuse of your valuable data and systems. Losing these assurances can negatively impact your business operations and revenue, and your organization’s reputation.
Here you find Awesome information about Applying security principles to your architecture to protect against attacks on your data and systems:
Security recommendations that are in private preview
Programmatic remediation tools for security recommendations
PowerShell scripts for programmatic management
Azure Policy custom definitions for at-scale management of Microsoft Defender for Cloud
Logic App templates that work with Defender for Cloud’s Logic App connectors (to automate response to Security alerts and recommendations)
Logic App templates that help you run regular tasks or reports within the scope of Microsoft Defender for Cloud
Custom workbooks to visualize Defender for Cloud data
Become a Microsoft Defender for Cloud Ninja
Security and Learning is a ongoing process, I always say Learning on the Job 😉 is important to keep Up-to-Date every day of the week. Microsoft Tech Community platform and Microsoft Learning can support you to get the knowledge.
Microsoft and the community has a lot of good security information to start with for your Data and Systems to keep your business solution as save as possible. Here they write New blogposts for the community about Defender for Cloud
Keep in Mind “Security is only as strong as the weakest component in the Chain”
So keep your Security up-to-date and do assessments on vulnerabilities to keep your data and systems secure. Monitoring => Alerting => Remediation is 24/7/365 Process with Security people in the business.
Cloud and Datacenter Management Blog 