When you have your Servers Azure Arc enabled, you will work with Azure Arc extensions to work with Azure hybrid features like Defender for Cloud, Azure Monitor, Windows Admin Center and more. For each Azure Arc extension you can get updates, and it’s important to keep them up-to-date for new functionality and security. You have Azure Arc extensions for Windows Servers but also for Linux Servers.
Some of the Azure Arc extensions will automatic upgrade when you have enabled it and some must go manually from the Azure Portal.
More information about Azure Arc extensions you can find them here
In the next steps you will see the Update management of the Azure Arc enabled extensions :
Here I update one extension.
Inside the WindowsOsUpdateExtension
Here you can see that the WindowsOsUpdateExtension is up-to-date
and Status Succeeded
On the right of this screenshot you see Automatic Upgrade and some extensions are enabled, but some are not supported.
That’s why it’s important to check these updates.
Here you can see in the Status that two Azure Arc extensions are updating
And sometimes it failed to update.
But you can see what you can do best with this failed Status.
Here you see the error message and the Tips.
And when you can’t fix it yourself you can make a Support ticket right away.
Here you can see that all the Azure Arc extensions are updated successfully
So I selected all my Azure Arc enabled Servers and updated them all.
Conclusion
With Microsoft Azure Arc enabled Servers you have do some IT management to keep your Azure Arc extensions up-to-date.
I did this without rebooting Servers, just from the Azure Portal update Azure Arc extension.
Here you find more information about Microsoft Azure Arc for Azure Hybrid IT
I like to thank you Community for Supporting, Sharing and Reading New Microsoft technologies on my Blog, Twitter, Facebook and
LinkedIn Community Groups 💗 I wish you all happy Holidays, Merry Christmas and a Healthy New Year 2023 may the Best Wishes comes true ! 🎄🥂
I’m very proud and Honored on the Microsoft Global MVP Awards 2022-2023 !
MVP Award for Cloud and Datacenter Management
MVP Award for Windows Insiders
MVP Award for Azure Hybrid
Thank you Microsoft Product Groups, MVP Award Program, Windows Insider Team, Azure Hybrid Team, Windows Server and Azure Stack HCI Team for all your support, NDA PGI sessions, and for the Awesome software, Features, solutions you are building 🙂
Wish you all Happy Holidays, Merry Christmas and a Healthy New Year 2023 may the Best Wishes comes true ! 🎄🥂
Here are some Great links for Reading and Sharing :
JOIN these LinkedIn Community Groups for free and Share New Microsoft Technologies Together:
To keep your Business running, It’s important to secure and monitor your data. One of the security measures is doing Vulnerability assessments in your datacenter(s) to see the status and results for remediation. With Microsoft Azure Arc Defender for Cloud you can do a SQL Server vulnerability assessment in your on-premises datacenter or anywhere with the Azure Arc agent running. Here you find more information about Azure Arc enabled SQL Server
Microsoft Defender for Cloud on Azure Arc enabled SQL Server
Here I activated Microsoft Defender for Cloud on Azure Arc enabled SQL Server, and Azure Defender for Cloud is doing a SQL vulnerability assessment to get the security status and results for remediation.
On this same Azure portal page you will see the Vulnerability assessment findings.
When you Open a Vulnerability finding, you get more information and the remediation for the issue.
Here you see the complete Resource Health of the Azure Arc enabled SQL Server.
Look at the Status of each severity.
Here you see all the vulnerability findings on these four databases.
When you do the remediation you will see the healthy status.
on the Passed tab.
Here I open only the OperationsManager database.
Now you see only the Vulnerability findings on this database.
Here you see a vulnerability finding on the SCOM database with the Remediation 🙂
You can make your Own Workbooks or use them from the Gallery.
Workbook example of Vulnerability Assessment findings.
Conclusion
With Azure Defender for Cloud vulnerability assessment and management you will learn a lot to set your Security Baseline on a higher level in your datacenter(s). Getting the right remediation of Microsoft to solve security issues is Great! You can do your assessments frequently to show your current status on demand. I Really like these Azure Hybrid Tools to make my work easier and the data more secure for the business.
In earlier MVPLABSerie blogpost I wrote about making your on-premises Servers hybrid with Azure Arc enabled Servers.
In my mvplab.local domain, there is a SQL 2022 Cluster running which also has the Azure Connected Machine Agent version 1.24.
One of the benefits of Azure Arc enabled Servers for SQL is that you can do on-demand SQL Health assessments on your SQL Environment in your On-premises Datacenter. In the following step-by-step guide we will prepare the SQL Cluster nodes.
Here you see that the Azure Connected Machine Agent already is installed.
But it will now add the SQL Extension.
Installation Completed Successfully.
Now we have two Azure Arc enabled SQL Servers connected.
Overview of SQL 2022 Node in Azure Arc.
You can see the Databases running.
Here you can set your Admin from Azure Active Directory.
But we want to do a SQL Assessment, but the Azure Monitoring Agent is still missing.
Here you see that the SQL extension is installed.
Now we will add the Azure Monitor Agent to my existing Log Analytics Workspace.
Click on Add
Select Log Analytics Agent – Azure Arc.
Add your Workspace ID
Add your Workspace Kay
Click on Review + Create
Validation Passed.
Azure Monitoring Agent is Installed.
From here you can do the On-Demand SQL Assessments via
Microsoft Azure Arc enabled SQL Servers.
The SQL Server Assessment focuses on several key pillars, including:
SQL Server configuration
Database design
Security
Performance
Always On
Cluster
Upgrade readiness
Error log analysis
Operational Excellence
Example of SQL Server Assessment results.
On each assessment result you get a recommendation from Microsoft so you can make your SQL environment Health and Secure!
Conclusion
To get these health results of your SQL environment is Awesome 🙂 You are in control of your Azure Hybrid Arc enabled SQL Servers to keep them Healthy and Secure. The following Azure Arc enabled SQL Server blogpost is about Azure Defender for Cloud for your SQL Servers. With these two Azure Arc for SQL Server features you get the best Insights to keep your data as save as possible.
Microsoft Azure Update Management Center (Preview)
Update management center (preview) is a unified service to help manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on the other cloud platforms from a single dashboard. Using Update management center (preview), you can make updates in real-time or schedule them within a defined maintenance window. Here you can find more information about Azure Update Management Center
In the following step-by-step guide, we will start with Azure Update Management Center (Preview) and Microsoft Azure Arc enabled Windows Servers running on-premises in my mvplab.local domain.
With getting started you can configure the environment.
I start here with my Azure Arc enabled Storage Server.
Updates installed on the Azure Arc Enabled Windows Server.
In Azure Update Management Center Overview Dashboard
you can see that one machine is completed.
For Monitoring you can make your own workbooks.
I like this History, to see if updates are successful or not.
Conclusion
Microsoft Azure Update Management Center is still in Preview but it’s a new way to manage all of your updates on your Servers on-premises with Azure Arc enabled, or on Azure Cloud, but also in other Clouds if you want. One Update Management Center from the Azure Portal is Awesome to work with and gives you control and overview of your update compliance in your datacenter(s). Important: This Great tool is still in preview and not for production environments yet until it’s made GA by Microsoft and you have the full support on this awesome management tool.
Baseline security is very important to have that in place to keep your Servers more secure in your datacenter. You want Hybrid Servers like Azure Arc enabled servers for example to be secure running in your datacenter. This begins to secure and have up-to-date Server hardware running in your datacenter. Monitor for security updates and install Server hardware based on best practices from the vendor.
Then the Operating System like Windows Server 2022 standard needs the OS Baseline security. This is called:
When your Windows Servers are security compliant by the rules of the company and/or Security Officer, then we can have a look at the Well Architected Framework (WAF) for Azure Arc Enabled Servers. Here you find an
This security baseline applies guidance from the Microsoft cloud security benchmark version 1.0 to Azure Arc-enabled servers. The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Microsoft cloud security benchmark and the related guidance applicable to Azure Arc-enabled servers.
When you have read about Azure Arc Well Architected Framework (WAF) and you have your security in place, we can start with Microsoft Azure Arc.
Before you start implementing Azure Arc, you must have seen this Awesome website of Azure Arc Jumpstart!
The Azure Arc Jumpstart is designed to provide a “zero to hero” experience so you can start working with Azure Arc right away!
The Jumpstart provides step-by-step guides for independent Azure Arc scenarios that incorporate as much automation as possible, detailed screenshots and code samples, and a rich and comprehensive experience while getting started with the Azure Arc platform.
Our goal is for you to have a working Azure Arc environment spun-up in no time so you can focus on the core values of the platform, regardless of where your infrastructure may be, either on-premises or in the cloud.
You can manage your compliance and security policies with Azure Arc enabled Servers, Kubernetes, or SQL Managed instances to make your hybrid solutions with
the Microsoft Azure Cloud in a secure environment. When you work with security by design based on OSI model with 7 security layers and use Microsoft Arc enabled servers, you get also more Azure Hybrid security features like Azure Defender for Cloud, and much more.
Don’t forget the Microsoft Azure Arc Community Monthly Meetup
In the last blogpost of MVPLABSerie we learned how to add Servers from anywhere to Microsoft Azure Arc services to get the Azure Hybrid benefit with awesome features and Management tools. you can find that blogpost over here:
With Windows Admin Center in the Azure Portal you can manage the Windows Server operating system of your Arc-enabled servers, known as hybrid machines. You can securely manage hybrid machines from anywhere–without needing a VPN, public IP address, or other inbound connectivity to your machine.
Open Servers and open your Azure Arc Enabled Server.
First of all we have to add the right Role assignment.
Click on Access Control on the Left.
Click on Add => Add Role Assignment.
Here you have to add the following Role Assignment. Windows Admin Center Administrator Login. Add this to your account
When the account is done, then go to Windows Admin Center (Preview)
on the left panel. Click then on Setup.
Click on Install
Setup Successfully!
Now you can Connect your Azure Arc Enabled Windows Server.
Here we have my Storage Windows Insider Server in mvplab.local domain.
From here you can do your IT Management with WAC.
Remote PowerShell on Azure Arc enabled Server.
Microsoft Azure Arc Insights Monitoring and Log Analytics
For IT Management and troubleshooting, monitoring and getting Insights is important to act quickly to keep the business and IT solutions running. With Azure Arc Insights you can see with Maps the connections of the Windows Server.
Azure Arc Insights with Map.
See also the Quick Link to Connection details
This is a really cool overview of your connections.
Here you can see if you have a Malicious connection!
Here I do a Query on the Arc Enabled Server mvpstore01 Update Summary.
There are a lot of Log Analytics queries to play with and mark them as your favorite for your Arc enabled Windows Server 😉
In the following blogpost we will have a closer look at Microsoft Azure Auto Manage and Update Management Center for
Microsoft Azure Arc enabled Windows Servers. We will not forget Security with Azure Defender for Cloud coming in the next blogposts.
Conclusion
With Microsoft Azure Arcenabled Servers you get a Microsoft Azure Hybrid environment with Great features and solutions.
Some features are still in preview and not supported for production workloads, but you can test them now like I do with my mvplab.local
This new innovative technology is going fast forward for Azure Hybrid Services to Manage your Windows Servers, Azure Stack HCI Clusters or your Linux virtual Machines. Azure Arc rocks and you can connect Microsoft Azure Anywhere 🙂
Today every company wants to benefit from Cloud to achieve more for the business. Microsoft made Azure Arc to simplify governance and management by delivering a consistent multi-cloud and on-premises management platform.
In the following steps we are going to onboard the Windows Insider Servers and Windows 11 Insider Beta Virtual Machine which are running in mvplab.local domain into the Microsoft Azure Cloud. We will install the Azure Connected Machine Agent via a PowerShell Script in the next steps :
Here you can Choose for the right script.
I choose for Add Multiple Servers with a Service Principle.
Click on Generate Script.
Read the prerequisites access to port 443.
view Outbound URLs link.
Click Next
Select the right Azure Subscription and Resource Group.
Select your Azure Region.
Select Operating System
Select the Connectivity method.
Click on Next
If you don’t have a Azure Service principal, you can create one here.
Click on Create Service principal.
Create your Service Principal
Copy your Client ID and Client Secret !
You need this later.
Choose the Deployment method :
Basic Script or Configuration Manager ( I choose for Basic) Download the Script
I have copied the script to my Domain Controller On-premises here.
Open with PowerShell ISE the OnboardingScript.ps1
and Copy / Paste your
Service Principal Client ID and Secret here in the Script.
Click on save and run the script.
Start PowerShell in Admin modus
Run Script .\OnboardingScript.ps1
Server is connected with Azure 🙂
Here is the Azure Arc Enabled Server, my Domain Controller.
Here I have all the Azure Arc Capabilities available for my Domain Controller.
Azure Hybrid
With the Same Script I added the mvplab.local Windows Insider Servers to Azure
They are all Azure Arc Enabled Servers.
On all Azure Arc enabled Servers is the Azure Connected Machine Agent installed.
Conclusion
In a simple way you can deploy Azure Arc agent on your on-premises Servers to make them Azure Arc Enabled so you can enjoy the Azure Hybrid features from the Cloud. IT management and Security from Azure becomes available for your on-premises Servers.
It’s not only Infrastructure but also Data Services and Application Services what you can use for your Azure Hybrid Solution.
In the next Blogpost we will have a look at the Microsoft Azure Arc Features in my mvplab.local domain.
Microsoft System Center 2022 Operations Manager Web Console
In the Last Blogpost MVPLAB Serie we installed Microsoft System Center 2022 Operations Manager on a Windows Insider SQL Cluster for testing and monitoring. You can find that blogpost here
Before we install Microsoft System Center 2022 Operations Manager Web Console, you should have a look at the requirements of SCOM 2022 Web Console for the IIS settings and features.
In the following steps we will install SCOM 2022 Web Console
First of all you have to install the IIS Features.
See the Microsoft Docs.
Don’t worry if you missed a setting, Microsoft did make a requirements check in the installation procedure before you can move on with the installation of SCOM 2022 Web Console. You will see later.
Run the setup as Administrator of the SCOM 2022 software ISO.
Select Web Console.
Click on Next.
This is what I mean by forgetting a feature Role.
Install the feature Role.
Verify prerequisites again.
Then Click Next.
Check if the Installation Summary is good.
Click on Install
Setup is Completed
SCOM 2022 Web Console is running
Now you can configure your Microsoft System Center 2022 Operations Manager monitoring with the right Management Packs installed via your Edge web browser to get monitoring and alerts in place. Here you find more information about SCOM Management Packs
Now we have in our MVPLAB On-premises Datacenter everything running, we will have a look at Microsoft Azure Hybrid benefit in the following MVPLAB Series. Think about Microsoft Azure Arc Services, Security and more.
Installing Operations Manager creates a management group. The management group is the basic unit of functionality. At a minimum, a management group consists of a management server, the operational database, and the reporting data warehouse database.
The management server is the focal point for administering the management group and communicating with the database. When you open the Operations console and connect to a management group, you connect to a management server for that management group. Depending on the size of your computing environment, a management group can contain a single management server or multiple management servers.
The operational database is a SQL Server database that contains all configuration data for the management group and stores all monitoring data that is collected and processed for the management group. The operational database retains short-term data, by default 7 days.
The data warehouse database is a SQL Server database that stores monitoring and alerting data for historical purposes. Data that is written to the Operations Manager database is also written to the data warehouse database, so reports always contain current data. The data warehouse database retains long-term data.
When Operations Manager reporting functionality is installed, the management group also contains a Reporting server which builds and presents reports from data in the data warehouse database.
These core components of a management group can exist on a single server, or they can be distributed across multiple servers, as shown in the following image.
In my Test LAB mvplab.local I will install the Management Server on a Windows Server Insider member Server and the Operational Database with the Data Warehouse Database on the SQL Cluster Instance. Here you find more Microsoft Information about System Center 2022 Operations Manager
Architecture SCOM 2022
IMPORTANT : In my MVPLAB I’m working with Windows Server Insider Preview Builds and with SQL Server 2022 CTP2.1 Preview version on a Cluster and is not supported yet for Production workloads, then you have to wait for Microsoft to make it General Available!
Now we have a SQL Cluster Instance running in my mvplab.local domain, I’m going to install Microsoft System Center 2022 Operations Manager (SCOM) for monitoring in the following step-by-step guide :
Run SCOM_2022 as Administrator
Click on Next
Click on Accept the Agreement.
Click on Next
Extract the files to your location.
Click on Next
Click on Extract
Completed Click on Finish
Run Setup
Click on Install
I’m installing only the Management Server and Operations Console.
When this was Production I would install every feature on separated Servers with
two Management Servers.
Click on Next
Select installation location
Click on Next
Click on Next
Give your Management Group a Name.
Click on Next
Agree with the License Terms.
Click on Next
Select de SQL Instance and Port.
Set Database Size.
and Data File Folders.
Click on Next
Here you can select de Instance for data warehouse database.
Click Next
Select the Service accounts
Click on Next
Click on Next
Check the Summary.
Click on Install
SCOM 2022 Installation in Progress.
Processing
SCOM License we set later.
I have installed both databases in one SQL Instance for in my MVPLAB.
System Center 2022 Operations Manager (SCOM)
Now you can Configure the Management Packs in SCOM for your environment and set the Alerts. More information about System Center 2022 Operations Manager can you find here :
Cloud and Datacenter Management Blog 