Cloud and Datacenter Management Blog

Microsoft Hybrid Cloud blogsite about Management



Happy Holidays

I wish you all a Merry Christmas and a Happy & Healthy New Year 2024!
Thank you for all your support in the Community.

Join these Free LinkedIn Community Groups during the Holidays and keep up-to-date 😉

Microsoft Azure Monitor & Security for Hybrid IT

Azure Hybrid Community

Windows Admin Center Community

Azure DevOps Community

Containers in the Cloud

Azure Copilot and Security Copilot (NEW)



Adding Windows Server 2022 to Azure Arc Services #AzureHybrid #HybridIT #Azure

Azure Arc Enabled Server

With the Microsoft Azure Arc Machine agent you can connect your Windows Server 2022 to Microsoft Azure Arc Services.
Microsoft Azure Arc-enabled servers lets you manage Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or at another cloud provider. In October 2023 Microsoft released the setup of the Azure Arc Machine agent via Windows Update Center. In the following steps I will install Azure Arc via the Windows Server Manager:

Click on Disabled

Click on Next

Azure Connected Machine Agent is installing.

Click on Configure

Click on Next

Sign into your Azure Subscription

Click on Next

Select your Azure Active Directory Tenant.
Select Subscription
Select the Resource Group
Select the Azure Region
Select Network Connectivity.
Click on Next

 

You're done; your Windows Server is now connected with Azure Arc.
Click on Finish

Here is our Azure Arc enabled Windows Server 2022 in the Microsoft Azure Portal.

 

From here you have all the Azure Arc Services available for your on-prem Server.

When you connect your machine to Azure Arc-enabled servers, you can perform many operational functions, just as you would with native Azure virtual machines. Below are some of the key supported actions for connected machines.

  • Govern:
  • Protect:
    • Protect non-Azure servers with Microsoft Defender for Endpoint, included through Microsoft Defender for Cloud, for threat detection, for vulnerability management, and to proactively monitor for potential security threats. Microsoft Defender for Cloud presents the alerts and remediation suggestions from the threats detected.
    • Use Microsoft Sentinel to collect security-related events and correlate them with other data sources.
  • Configure:
  • Monitor:
    • Monitor operating system performance and discover application components to monitor processes and dependencies with other resources using VM insights.
    • Collect other log data, such as performance data and events, from the operating system or workloads running on the machine with the Log Analytics agent. This data is stored in a Log Analytics workspace.

This is handy for installing a couple of servers manually, but when you have to do more, you can generate a script for installation on multiple servers:

From the Azure Portal
Click on Generate Script

Here you can generate a Basic script, a script for Configuration Manager, a script for Group Policy, or a script for Ansible.

Important:

Before you begin making your Windows Server Azure Hybrid with the Arc Connected Machine Agent, you have to think about Security by Design. With Identity and Access Management (IAM) you can manage who gets access to your Arc enabled Servers.
Who may use Windows Admin Center in the Azure portal, for example?

Access Control on Azure Arc enabled Server.

With Microsoft Azure policy you can set your governance and policies for the organization. There are a lot of pre-defined policies, but you can also make your own Azure policies for your Arc enabled Servers.

Conclusion

Making your datacenter(s) securely Hybrid with Microsoft Azure Arc Services is easy to do and gives you a lot of Azure Hybrid benefits.
Start with your test environment and make your own Azure Arc enabled solutions, and when the experience is good you can do it in production 😉

 Here you find more about Azure Arc enabled Services:

Join the Azure Hybrid Community on LinkedIn for Free



What's new with Azure Connected Machine agent and More CLI #AzureArc #AzureHybrid

Azure Connected Machine Agent

Microsoft is continuously improving and fixing issues on the Azure Connected Machine agent for Azure Arc Enabled Servers.

Before you make the servers in your datacenter Hybrid with the Azure Arc Connected Machine Agent, look at security first so that you stay in control of the Azure Arc extensions. For example: who can install Azure Arc extensions, and which extensions should be installed and which not? Or, as of the latest Azure Connected Machine Agent version 1.35 of October 2023: no extensions allowed to install on this server.

With Azure Arc Connected Machine Agent version 1.35 you can configure the extension manager to run, without allowing any extensions to be installed, by configuring the allowlist to “Allow/None”.  This supports Windows Server 2012 ESU scenarios where the extension manager is required for billing purposes but doesn’t need to allow any extensions to be installed.

Users and applications granted contributor or administrator role access to the resource can make changes to the resource, including deploying or deleting extensions on the machine. Extensions can include arbitrary scripts that run in a privileged context, so consider any contributor on the Azure resource to be an indirect administrator of the server.

The Azure Connected Machine Onboarding role is available for at-scale onboarding and is only able to read or create new Azure Arc-enabled servers in Azure. It cannot be used to delete servers already registered or manage extensions. As a best practice, we recommend only assigning this role to the Microsoft Entra service principal used to onboard machines at scale.

Users who are members of the Azure Connected Machine Resource Administrator role can read, modify, re-onboard, and delete a machine. This role is designed to support management of Azure Arc-enabled servers, but not other resources in the resource group or subscription.
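The role guidance above can be checked against an export of your role assignments. The following is an added example, not code from this blog or from Microsoft: it assumes JSON shaped like the output of `az role assignment list --all`, and the subscription ID, principals and machine name in the sample are constructed placeholders.

```python
import json

# Constructed sample shaped like `az role assignment list --all -o json`.
# Subscription ID, principals and resource names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-arc"
MACHINE_ID = RG + "/providers/Microsoft.HybridCompute/machines/srv2022-01"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "arc-onboarding-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Azure Connected Machine Onboarding", "scope": RG},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Azure Connected Machine Onboarding", "scope": RG},
    {"principalName": "ops-team", "principalType": "Group", "scope": MACHINE_ID,
     "roleDefinitionName": "Azure Connected Machine Resource Administrator"},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/rg-arc2"},
    {"principalName": "dave@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": MACHINE_ID},
])

# Roles treated here as able to change the machine resource (assumption for
# this example; custom roles with equivalent permissions are not detected).
MACHINE_WRITE_ROLES = {"owner", "contributor",
                       "azure connected machine resource administrator"}
ONBOARDING_ROLE = "azure connected machine onboarding"


def scope_covers(scope, resource_id):
    """True if an assignment at `scope` is inherited by `resource_id`."""
    scope, resource_id = scope.rstrip("/").lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def audit(assignments_json, machine_id):
    """Return sorted (finding, principal, role) tuples for one Arc machine."""
    findings = []
    for a in json.loads(assignments_json):
        if not scope_covers(a["scope"], machine_id):
            continue
        role = a["roleDefinitionName"].lower()
        if role in MACHINE_WRITE_ROLES:
            findings.append(("machine-write-access", a["principalName"],
                             a["roleDefinitionName"]))
        elif role == ONBOARDING_ROLE and a["principalType"] != "ServicePrincipal":
            findings.append(("onboarding-role-on-non-service-principal",
                             a["principalName"], a["roleDefinitionName"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_ASSIGNMENTS, MACHINE_ID):
        print(*finding, sep=" | ")
```

Assignments made at subscription or resource group level are inherited by the machine, which is why the subscription-wide Contributor shows up in the findings for a single server.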

Identity and Access Management (IAM) in Azure to Configure Roles.

Azure Arc Portal Agent version.

With the azcmagent CLI command you can see more information about the Arc enabled Server, which is handy for the Administrator to know:

azcmagent check

azcmagent config get config.mode

azcmagent show

azcmagent logs

In ProgramData you will find the Azure Arc Connected Machine Agent logs.

Guest config logs of Azure Arc extensions

The Azure Connected Machine agent command line tool, azcmagent, helps you configure, manage, and troubleshoot a server’s connection with Azure Arc. I just showed you some azcmagent commands I use for troubleshooting or to just get the right information.
Here you find the complete Azure Connected Machine Agent Command line reference

Hope this information is useful for you, and keep your azcmagent up-to-date for fixes and new innovative features!

Join the Azure Hybrid Community on LinkedIn Group

 



Windows Server Insider Preview Build 25967 with Azure Arc in Taskbar

You can Download Windows Server Insider Preview Build 25967 here

New in Windows Server Insider Preview Build 25967 is the Microsoft Azure Arc icon in your taskbar system tray.

Currently, Azure Arc allows you to manage the following resource types hosted outside of Azure:

  • Servers: Manage Windows and Linux physical servers and virtual machines hosted outside of Azure.
  • Kubernetes clusters: Attach and configure Kubernetes clusters running anywhere, with multiple supported distributions.
  • Azure data services: Run Azure data services on-premises, at the edge, and in public clouds using Kubernetes and the infrastructure of your choice. SQL Managed Instance and PostgreSQL (preview) services are currently available.
  • SQL Server: Extend Azure services to SQL Server instances hosted outside of Azure.
  • Virtual machines (preview): Provision, resize, delete and manage virtual machines based on VMware vSphere or Azure Stack HCI and enable VM self-service through role-based access.

Here you find the Azure Arc system tray icon.

Here you can see the Microsoft Azure Arc status, and you can connect to the Azure Arc enabled virtual machine in the Cloud.

Azure Arc enabled virtual machine in the Cloud.

Windows Admin Center via Azure Arc enabled Server.

Azure Arc Management in Server Manager!

Here you find more information about Windows Server Insider Preview Build 25967 on Microsoft Tech Community.

JOIN Microsoft Azure Arc Hybrid Community on LinkedIn



Azure Update Management for Windows and Linux in Multi Cloud #Azure #Winserv #Linux

Microsoft Azure Update Management Center

Microsoft Azure Update Manager (preview) is a unified service to help manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on other cloud platforms from a single dashboard. Important: it's still in Preview, but GA is coming soon.

To support management of your Azure VM or non-Azure machine, Update Manager (preview) relies on a new Azure extension designed to provide all the functionality required to interact with the operating system to manage the assessment and application of updates. This extension is automatically installed when you initiate any Update manager (preview) operations such as check for updates, install one time update, periodic assessment on your machine. The extension supports deployment to Azure VMs or Arc-enabled servers using the extension framework. The Update Manager (preview) extension is installed and managed using the following:

The extension agent installation and configuration are managed by the Update Manager (preview). There’s no manual intervention required as long as the Azure VM agent or Azure Arc-enabled server agent is functional. The Update Manager (preview) extension runs code locally on the machine to interact with the operating system, and it includes:

  • Retrieving the assessment information about the status of system updates, as specified by the Windows Update client or Linux package manager.
  • Initiating the download and installation of approved updates with Windows Update client or Linux package manager.

In my case I’m updating a Windows Server Insider version, which is Azure Arc enabled, in the following steps:


Here you see my Azure Arc enabled Domain Controller with Windows Server Insider.
Here you Click on Check for Updates
Go to Update Management Center

When you Click on Machines you will get a Nice Overview of your Servers

When you click on History, you will see the assessments; it keeps all activity history in one place.

Update reports are important, and you can make your own reports or download public templates.

In the following steps we are going to install the three updates on the Azure Arc Enabled Server:

Select the machine(s) for the One-time updates.
Click on Next

Here you see the updates.

You can select your reboot Options and the Maintenance Window in Minutes.

If everything is correct you can click on Install.

In History you see your job in progress

Update Management Overview
In Progress

This is what I like most: when you have to manage more than 100 servers, and they are in your own on-premises datacenter but also at multi-cloud vendors like Azure, AWS and Google Cloud, or are not domain-joined servers, then here you can see your update compliance in a single dashboard overview in the Microsoft Azure Cloud.

Create your Own Maintenance Configuration.

Click on Next DynamicScopes

Add a Dynamic Scope

Select the Filter(s)

Filter for Arc Servers and OS type Windows.

Then you see the Azure Arc Servers by your Filter.

Dynamic Scope is set.

select.

Machines.

Include Update Classification

Azure Update Management Center Overview with Updates Completed 🙂

Updates completed on Windows Server Insider Domain Controller.

Conclusion

Microsoft Azure Update Management Center is still in Preview, but it is a great single dashboard overview for managing your updates on Windows Servers and Linux at any place. It gives you a great overview and you can see the status in one view. GA is coming soon, but you can already test and experience it before you go into production with this awesome product.
Follow Microsoft Azure Update Manager here on X

More information on Microsoft Azure Update Management Center (Preview) here

 



Windows Terminal with #AzureCLI Cloud Shell and #AI Knowledge Base

Windows Terminal with Azure Cloud Shell CLI

Microsoft Azure Artificial Intelligence (AI) is moving fast in the Cloud. It can support you with the tools you use, like Azure CLI for managing Azure resources. But AI can support you in security too, like Microsoft Security Copilot.

Microsoft Security Copilot: create a visual to explain.

But I was busy with Windows Terminal in Windows 11 Insider Preview Build and Azure Cloud Shell.
First, getting the latest build of Azure CLI in my Windows Terminal:

az upgrade

Installing Azure CLI 2.48.1

Click on Install

Click on Finish

For the Changes you need to Restart your machine.

After the reboot we have the Newest Azure CLI Version 2.48.1

Login Azure with Windows Terminal.

I’m connected with Azure via Windows Terminal Azure Cloud Shell.

Here I’m checking if I have a Connection with Azure AI-examples :

az ai-examples check-connection

Connection was successful.

The Azure AI knowledge base made me find examples 🙂

When a command is incomplete or wrong, the AI knowledge base makes a suggestion and gives a link to Microsoft docs.

Conclusion

This is where I like Microsoft Azure Artificial Intelligence (AI) to make my IT Management easier and faster to do the job.
It’s supporting me in my work and not doing things I don’t like. It’s going fast with AI, and it’s important to keep it in control for doing IT Management tasks.



Microsoft Azure Arc Extensions Updates #AzureHybrid #AzureArc #AzOps

Azure Arc Extensions

Keep your Azure Arc extensions up-to-date



AKS Edge Essentials Architecture and Use Cases #Azure #AKS #AzureHybrid

Watch AKS Edge Essentials Architecture with @liorkamrat

The following Jumpstart scenario will show how to create an AKS Edge Essentials cluster in Azure Windows Server VM and connect the Azure VM and AKS Edge Essentials cluster to Azure Arc using Azure ARM Template. The provided ARM template is responsible for creating the Azure resources as well as executing the LogonScript (AKS Edge Essentials cluster creation and Azure Arc onboarding (Azure VM and AKS Edge Essentials cluster)) on the Azure VM.

 

AKS Edge Essentials



Keep your Azure Arc Server extensions up-to-date #AzureHybrid #HybridIT #Azure

Microsoft Azure Arc enabled Servers

When you have your servers Azure Arc enabled, you will use Azure Arc extensions to work with Azure hybrid features like Defender for Cloud, Azure Monitor, Windows Admin Center and more. For each Azure Arc extension you can get updates, and it’s important to keep them up-to-date for new functionality and security. There are Azure Arc extensions for Windows Servers but also for Linux Servers.
Some of the Azure Arc extensions will upgrade automatically when you have enabled it, and some must be upgraded manually from the Azure Portal.
You can find more information about Azure Arc extensions here

In the next steps you will see the update management of the Azure Arc enabled extensions:

Here I update one extension.

Inside the WindowsOsUpdateExtension

Here you can see that the WindowsOsUpdateExtension is up-to-date
and Status Succeeded

On the right of this screenshot you see Automatic Upgrade and some extensions are enabled, but some are not supported.
That’s why it’s important to check these updates.

Here you can see in the Status that two Azure Arc extensions are updating

And sometimes an update fails.
But you can see what is best to do with this failed status.

Here you see the error message and the Tips.
And when you can’t fix it yourself you can make a Support ticket right away.

Here you can see that all the Azure Arc extensions are updated successfully

So I selected all my Azure Arc enabled Servers and updated them all.

Conclusion

With Microsoft Azure Arc enabled Servers you have to do some IT management to keep your Azure Arc extensions up-to-date.
I did this without rebooting Servers, just from the Azure Portal update Azure Arc extension.
Here you find more information about Microsoft Azure Arc for Azure Hybrid IT

Join Azure Hybrid Community Group on LinkedIn



#MVPLABSerie Azure Defender for Cloud with #AzureArc enabled SQL Server #AzureHybrid #Security

Azure Arc enabled SQL Servers Architecture

To keep your business running, it’s important to secure and monitor your data. One of the security measures is doing vulnerability assessments in your datacenter(s) to see the status and results for remediation. With Microsoft Azure Arc Defender for Cloud you can do a SQL Server vulnerability assessment in your on-premises datacenter, or anywhere the Azure Arc agent is running.
Here you find more information about Azure Arc enabled SQL Server

Microsoft Defender for Cloud on Azure Arc enabled SQL Server

Here I activated Microsoft Defender for Cloud on Azure Arc enabled SQL Server, and Azure Defender for Cloud is doing a SQL vulnerability assessment to get the security status and results for remediation.

On this same Azure portal page you will see the Vulnerability assessment findings.

When you Open a Vulnerability finding, you get more information and the remediation for the issue.

Here you see the complete Resource Health of the Azure Arc enabled SQL Server.
Look at the Status of each severity.

Here you see all the vulnerability findings on these four databases.

When you do the remediation you will see the healthy status on the Passed tab.

Here I open only the OperationsManager database.
Now you see only the Vulnerability findings on this database.

Here you see a vulnerability finding on the SCOM database with the Remediation 🙂

You can make your Own Workbooks or use them from the Gallery.

Workbook example of Vulnerability Assessment findings.

Conclusion

With Azure Defender for Cloud vulnerability assessment and management you will learn a lot about setting your Security Baseline on a higher level in your datacenter(s). Getting the right remediation from Microsoft to solve security issues is great! You can do your assessments frequently to show your current status on demand. I really like these Azure Hybrid Tools to make my work easier and the data more secure for the business.


Please join the Azure Hybrid Community Group on LinkedIn for free ( Sharing is Caring together )