Manage Windows Servers and workloads in a hybrid environment
- By Orin Thomas
- 11/5/2022
- Skill 2.1: Manage Windows Servers in a hybrid environment
- Skill 2.2: Manage Windows Servers and workloads by using Azure Services
- Chapter summary
- Thought experiment
- Thought experiment answers
Skill 2.2: Manage Windows Servers and workloads by using Azure Services
This objective deals with managing Windows Server instances in hybrid environments using Azure services, including Azure Arc, Microsoft Defender for Cloud, Microsoft Update, and Desired State Configuration.
Manage Windows Servers by using Azure Arc
Azure Arc allows you to manage Windows Server instances in hybrid and multicloud environments. A Windows Server instance enrolled through Azure Arc has an Azure resource ID, which allows you to include those instances in an Azure resource group.
Connecting a Windows Server instance to Azure Arc involves deploying and configuring the Azure Connected Machine Agent on each instance. The Azure Connected Machine Agent is separate from the Log Analytics Agent. You will need both agents installed to perform tasks requiring the Log Analytics Agent. These tasks include OS and workload monitoring as well as management of Azure Automation runbooks, updates, and services such as Microsoft Defender for Cloud.
Azure Arc functionality
Much of the functionality that Azure Arc provides can be achieved by deploying individual elements that are covered in more detail in the rest of this chapter. An advantage of Azure Arc is that rather than deploying this functionality on a per-service basis, Azure Arc allows everything to be configured and maintained from the moment you enroll the connected Windows Server instance. Azure Arc can leverage the following services:
Assign Azure Policy guest configuration Allows you to audit settings inside the Windows Server instance to determine compliance against baselines.
Manage security Allows you to manage Microsoft Defender for Endpoint, which is included with Microsoft Defender for Cloud. Microsoft Defender for Endpoint also provides threat detection, vulnerability management, security threat monitoring, and remediation suggestions.
Configuration management Allows you to deploy Azure Automation runbooks based on PowerShell and Python to connected instances to set instance configuration. VM extensions allow further automation and management tasks to be performed.
Monitoring Azure Arc configures change tracking and inventory and allows you to monitor processes and dependencies through VM insights. Performance data and events are siphoned to a Log Analytics workspace.
Update Management Onboards connected Windows Server instances to Update Management.
Azure Arc also supports Azure Automanage, an umbrella services that automatically onboards and configures a connected Windows Server instance according to Microsoft best practices.
Deploy Azure Arc
You can use a variety of methods to obtain the agent software, deploy that software on a Windows Server instance, and configure the software to communicate with Azure Arc. The method that you use depends on the technologies you have available and the number of Windows Server instances you wish to connect to Azure Arc. Connecting a Windows Server instance to Azure Arc requires access to an account that holds the Azure Connected Machine Onboarding role.
You can use the following techniques to connect Windows Server instances to Azure Arc interactively:
Create an installation script through the Azure portal that automates agent download and installation and the Azure Arc connection.
Use Windows Admin Center to connect a Windows Server instance to Azure Arc by specifying appropriate subscription properties, including resource group, Azure region, and any proxy configuration. The agent will be retrieved, installed, and configured.
Use PowerShell to connect a Windows Server instance to Azure Arc. The script uses the Connect-AzConnectedMachine PowerShell cmdlet to obtain the Connected Machine agent, install that agent, and register the Windows Server instance with Azure Arc. This technique requires Azure PowerShell to be available on an administrative computer, but the process can be performed remotely so it is not necessary to install Azure PowerShell on each Windows Server instance that you wish to configure with Azure Arc.
Use PowerShell Desired State Configuration to connect the Windows Server instance to Azure Arc. Requires the AzureConnectedMachineDsc desired state configuration module. Also requires that an Azure Active Directory service principal be created to connect Windows Server instances to Azure Arc noninteractively.
Creating and configuring an Azure Active Directory service principal allows you to automate the deployment and configuration of Azure Arc because this allows you to bypass the need to log into Azure with an Azure AD account that has been delegated appropriate permissions. This Azure AD service principal must be assigned the Azure Connected Machine Onboarding role to be used for this task. You can use the New-AzADServicePrincipal Azure PowerShell cmdlet to create this principal by specifying the role as Azure Connected Machine Onboarding. For example, to create an Azure AD service principal named WinServArc to be used in the process of automating the onboarding of a large number of on-premises Windows Server instances to Azure Arc, use the following Azure PowerShell command:
New-AzADServicePrincipal -DisplayName WinServArc -Role 'Azure Connected Machine Onboarding'
After you have created and configured the Azure AD service principal, you can use the following techniques to deploy and connect the Connected Machine Agent to Azure Arc:
Use the Azure AD service principal with an installation script generated through the Azure portal. Once the script has installed the agent, the azcmagent command included with the agent is used to connect to Azure Arc.
Use a Configuration Manager script or task sequence to deploy the agent and then connect the Windows Server instance to Azure Arc.
Use Azure Automation Update Management to launch a runbook that downloads, installs, and configures the Connected Machine Agent using Azure PowerShell.
Assign Azure Policy guest configuration
Azure Policy guest configuration allows you to audit or configure Windows Server operating system settings. You can deploy Azure Policy guest configuration on a per-instance basis or apply it to a large number of systems using Azure Policy. Azure Policy guest configuration can be deployed to Windows Server IaaS instances or to Azure Arc–enabled Windows Server instances. To be able to use the Azure Policy guest configuration feature with an Azure virtual machine, the virtual machine must have a system-managed identity.
When using Azure Policy guest configuration for configuration management, you specify which properties the Windows Server should have—for example, to ensure that the server has specific roles installed or services configured in a specific manner. When using Azure Policy guest configuration for compliance auditing, you are checking the configuration of settings on a server and determining which settings are not configured in the manner defined in the configuration baseline. Sometimes it is necessary to audit and then resolve misconfigurations manually since there might be no way to automate remediation actions.
Guest configuration checks for new or altered guest assignments every 300 seconds. Once a guest assignment is obtained, settings related to that configuration will be checked every 15 minutes. When multiple configurations are assigned to a Windows Server instance, each configuration will be checked in sequence. A new configuration will not be checked until the previous configuration has completed validation.
Azure Policy guest configuration uses PowerShell Desired State Configuration v3. This instance is side-loaded to a separate folder and will only be used by Azure Policy. If the server already uses Windows PowerShell DSC, no conflict will occur since the DSC instances are partitioned from each other.
Deploy Azure services using the Azure VM extensions on non-Azure machines
VM extensions are special software that performs configuration and automation tasks on hybrid Windows Server instances. When a hybrid Windows Server instance is Arc-enabled, you can deploy, remove, and update Azure VM extensions through the Azure portal or the Azure CLI. You can also add and remove extensions using Azure PowerShell and ARM templates, but you can’t use these management technologies to update existing extensions in a Windows Server instance.
You can use Azure Arc–enabled VM extensions to configure the following functionality on hybrid Windows Server instances:
Enable and manage the Log Analytics Agent to collect log and performance data and to transmit that data to a Log Analytics Workspace for later analysis.
Enable and manage VM insights to analyze the performance of Windows Server instances as well as workload processes and dependencies.
Download and run scripts using the Custom Script Extension.
Update and refresh certificates stored in Azure Key Vault.
The specific extensions you can deploy and manage with Azure Arc–enabled Windows Server instances include the following:
Microsoft Defender for Cloud Integrated vulnerability scanner
Microsoft Antimalware extension
Custom Script extension
Log Analytics Agent
Azure Monitor for VMs (insights)
Azure Key Vault Certificate Sync
Azure Monitor Agent
Azure Automation Hybrid Runbook Worker extension
Manage updates for Windows machines
Azure Update Management allows you to automate the deployment of updates to computers running both the Windows and the Linux operating systems. You can configure on-premises Windows Servers to use Azure Update Management using Windows Admin Center. You can also manage the deployment of updates to those servers using Windows Admin Center. Update Management also enables you to view update compliance across the Windows Server instances that you are managing with the service, allowing you to quickly determine which instances aren’t patched, something that can be challenging with existing tools such as Windows Server Update Services (WSUS).
Update Management is integrated with Azure Monitor Logs, allowing you to record update assessments and update deployment results as log data. The automation account used for Update Management and the Log Analytics workspaces are linked together. It’s also necessary for the Log Analytics Agent to be configured to communicate with the Log Analytics workspaces.
You can configure a Windows Server instance to use Update Management through Windows Admin Center or by automatically enrolling the instance using Azure Arc or PowerShell.
Update Deployment
To deploy updates, select Schedule Update Deployment in the Update Management blade of the Azure console. When configuring a scheduled update, you need to provide the following information:
Name of the update deployment This is especially useful if you configure a recurring schedule.
Operating system Azure Update Management allows you to deploy updates to computers running either Windows or Linux in a single update deployment, but not to both operating systems in the one deployment.
Groups You can configure query-based groups so that the update deployment targets computers that meet the criteria specified in the query.
Machines to update Allows you to select specific computers to which the update deployment applies.
Update classifications Rather than select specific updates, you configure an update deployment so that all updates that meet a specific update classification will be deployed (though you do have the option of excluding specific updates by Update ID). For Windows computers, the update classifications are Critical Updates, Security Updates, Update Rollups, Feature Packs, Service Packs, Definition Updates, Tools, and Updates.
Include/Exclude Updates Allows you to choose specific updates based on KB identifiers (KBIDs). You can find relevant KBIDS in the list of missing updates in the Azure Update Management console.
Schedule Settings Allows you to specify when updates will be deployed. You can configure a schedule to recur. When you do this, all updates that meet the classification characteristics specified in the update deployment will be deployed.
Maintenance window The amount of time that can be taken to install updates, with the final 20 minutes of the assigned maintenance window reserved for restart operations. For example, if you set a maintenance window of 120 minutes, update installation will be halted after 100 minutes have elapsed so that restart operations can occur.
Reboot options Allow you to specify whether the server can restart automatically after update deployment or whether this step must be performed manually.
Assess update compliance
You can view an update assessment for a Windows Server instance by selecting the instance in the Update Management dashboard. The update assessment will provide information about the Windows Server instance, missing updates, scheduled update deployments, and a list of completed update deployments.
Update Management permissions
The permissions listed in Table 2-4 are required to manage update deployments.
TABLE 2-4 Update Management permissions
Resource |
Role |
Scope |
---|---|---|
Automation account |
Virtual Machine Contributor |
Resource Group |
Log Analytics workspace |
Log Analytics Contributor |
Log Analytics workspace |
Log Analytics workspace |
Log Analytics Reader |
Subscription |
Solution |
Log Analytics Contributor |
Solution |
Virtual Machine |
Virtual Machine Contributor |
Virtual Machine |
Update schedule execution history |
Reader |
Automation account |
Create update schedule |
Microsoft.Compute/virtualMachines/write |
Virtual machine or resource group |
Create update schedule |
Microsoft.OperationalInsights/workspaces/analytics/query/action |
Workspace resource ID |
Integrate Windows Servers with Log Analytics
Azure Monitor is the umbrella solution for collecting, analyzing, and responding to telemetry from workloads in a hybrid environment. You can use Azure Monitor to perform the following tasks:
Detect and diagnose problems with workloads and workload dependencies with application insights.
Correlate infrastructure problems with VM insights and container insights.
Explore monitoring data with Log Analytics.
Perform automated operations tasks with smart alerts and automated actions.
Create visualizations derived from collected data using dashboards and workbooks.
Ingest data from monitored resources using Azure Monitor Metrics.
Azure Monitor data collection fits into one of two distinct categories, metrics and logs. A metric is a point-in-time numerical value that describes a property of the system, such as the amount of disk space used at 10.30 p.m. on November 3. Logs are records, each of which has its own properties. It includes everything recorded by the Windows Server event logs as well as any other application running on a Windows Server instance that generates event log data in an ingestible format. Specifically, Azure Monitor collects the following data:
Application monitoring data Data related to performance and functionality of workloads
Guest OS monitoring data Data about the Windows Server instance on which the application is hosted
Azure resource monitoring data Data generated by Azure resources such as storage, networks, database instances, or any other Azure service that can generate log data (which is almost all of them)
Azure subscription monitoring data Data generated about the operation and management of an Azure subscription
Azure tenant monitoring data Data generated about the operation and management of tenant-level Azure services (Azure Active Directory)
To prepare an Azure subscription for Azure Monitor, you need to deploy at least one Log Analytics workspace. A single Log Analytics workspace can support multiple Azure services, including Microsoft Sentinel and Microsoft Defender for Cloud, though there might be governance reasons why you need different teams to have different levels of access to log data and it may be simpler to store different log information in a separate Log Analytics workspace.
To install Azure Monitor on a Windows Server instance, connect to the server using Windows Admin Center and perform the following steps:
In Windows Admin Center, select Azure Hybrid Services and then select Discover Azure Services. If you haven’t connected the Windows Admin Center instance to an Azure subscription, you’ll be prompted to do so.
On the list of Azure Resources, select Set Up in the section on Azure Monitor.
If an appropriate resource group and Log Analytics workspace already exists within the subscription, the Azure Monitor setup process will detect them automatically. If these workspaces are not present, you will be prompted to create them.
Once the connection is configured, you can review analytics information in the appropriate Log Analytics workspace in the Azure portal.
An alternative to using Windows Admin Center is to download the Azure Monitor Agent (also called the Log Analytics Agent) from your Log Analytics workspace. When installing the agent, you will need to provide the Log Analytics workspace ID and the workspace’s primary key.
Integrate Windows Servers with Microsoft Defender for Cloud
Microsoft Defender for Cloud is the current name for what was Azure Security Center. Microsoft Defender for Servers is an element of Microsoft Defender for Cloud that allows you to add threat detection and defense functionality to Windows Server instances located in Azure or hybrid environments. You have to enable Microsoft Defender for Cloud on a subscription before you can connect Windows Server instances.
You can connect hybrid Windows Server instances to Microsoft Defender for Cloud using the following methods:
Configure the Windows Server as an Arc-enabled instance.
Use Defender for Cloud’s Getting Started and Inventory page.
Deployment of Azure Arc was covered earlier in this chapter. To connect a hybrid Windows Server instance to Microsoft Defender for Cloud to enable Microsoft Defender for Servers, you first need to install and configure the Microsoft Monitoring agent (also called the Log Analytics Agent) on the instance. If the agent is installed, you are able to configure the instance for Microsoft Defender for Cloud by selecting the Windows Server instance on the Asset Inventory page of Microsoft Defender for Cloud.
Manage IaaS VMs in Azure that run Windows Server
Windows Server IaaS VMs are only visible to users in the Azure portal if they have a role that grants them that right. The default Azure IaaS VM role-based access control (RBAC) roles are as follows:
Virtual Machine Contributor Users who hold this role can manage virtual machines through the Azure console and perform operations such as starting, stopping, restarting, and deleting the virtual machine. Membership in this role does not provide the user with access to the VM itself. It also does not provide access to the virtual network or storage account to which the VM is connected.
Virtual Machine Administrator Login If the VM is configured to allow login using Azure AD accounts, assigning this role grants the user local administrator privileges in the virtual machine. Users who hold this role can view the details of a VM in the portal but not change its properties.
Virtual Machine User Login Users who hold this role are able to view the details of a virtual machine in the Azure portal and can log in using their Azure AD account with user permissions. Users who hold this role cannot change the properties of the VM.
As long as a local account with the appropriate permissions is present on a Windows Server IaaS VM instance, you can use that account to make a connection to perform administrative tasks. For example, if you want to allow someone to connect to a Windows Server IaaS VM instance using Remote Desktop, they need to be a member of the Remote Desktop Users group or have local administrative privileges.
You can use the following tools to make connections to a properly configured Windows Server IaaS VM instance to perform management tasks on that VM:
Cloud Shell Cloud Shell is a web app command-line environment that you can use to manage your Azure subscription. You can also initiate a remote PowerShell session from Cloud Shell to a properly configured Windows Server IaaS VM instance.
Remote PowerShell You can establish a remote PowerShell session to a properly configured Windows Server IaaS VM instance.
Azure Bastion Creates a managed temporary jump server through which you can make connections.
Just in Time VM Access Configures temporary firewall rules to allow authorized users to establish remote access connections.
Windows Admin Center in the Azure portal Allows you to make Windows Admin Center connections to specially configured IaaS VMs without deploying a separate Windows Admin Center gateway server.
Azure Serial Console Connect to an IaaS VM through virtual serial console instead of a network connection.
As with any tool that allows you to perform management of a remote computer, you should use the appropriate firewall and network security group tools to allow connections only from approved hosts. You will learn more about these tools and managing Windows Server IaaS VMs in Chapter 3, “Manage virtual machines and containers.”
Create runbooks to automate tasks on target VMs
Process Automation in Azure Automation allows you to create and deploy runbooks. A runbook is a set of executable tasks that run on the target Windows Server instance. Process Automation supports the following types of runbooks:
Graphical A graphical runbook is a set of automation steps that you create and edit in a graphical editor that is then translated into PowerShell code that executes on the target instance.
Graphical PowerShell workflow A graphical PowerShell workflow is a special type of PowerShell script that uses Windows Workflow Foundation. Windows Workflow Foundation is suited to scripts that need to run against multiple instances simultaneously while also being able to automatically recover from failures. Without using Windows Workflow Foundation, this resiliency would need to be built into the script.
PowerShell A text-edited PowerShell script that executes on the target instance.
PowerShell Workflow A PowerShell script that leverages Windows Workflow Foundation to scale to many instances and to be more resilient to failures.
Python A Python script for environments where automation occurs using Python rather than PowerShell.
Automation executes runbooks as jobs. A special process called a worker runs each job during runbook execution. Azure Automation runbooks run either in an Azure sandbox or as a Hybrid Runbook Worker. The Azure sandbox is appropriate for workloads that exist entirely within Azure. Hybrid Runbook Worker is appropriate for automation tasks that will enact on an instance that needs to access local resources in the environment that may not be connected to Azure.
Implement Azure Automation for hybrid workloads
Azure Automation’s Hybrid Runbook Worker feature allows you to enact runbooks on Windows Server instances running as IaaS VMs or registered as an Azure Arc–enabled server. The Hybrid Runbook Worker role is integrated into a connected instance through the Azure virtual machine extension framework. Hybrid Runbook Workers can be deployed in the following manner:
Extension based (V2) This is installed as a VM extension and has no dependency on the Azure Monitor Agent (also known as Log Analytics Agent).
Agent based (V1) This agent is deployed after the Azure Monitor Agent and reports to a Log Analytics workspace.
The two different types of Hybrid Runbook Workers are as follows:
System Used by the Update Management feature and designed to install software updates on Windows Server instances. It’s not a member of a Runbook Worker group and cannot enact runbooks targeted to Runbook Worker groups.
User Used with user-defined runbooks that enact directly on a Windows Server instance that are members of one or more Runbook Worker groups.
Installing the Hybrid Runbook Worker requires enrollment through Azure Arc or that you enable Azure Automation in a Log Analytics workspace and then deploy the Azure Monitor Agent.
Implement Desired State Configuration to prevent configuration drift in IaaS machines
State Configuration in Azure Automation is the current version of the functionality provided by Desired State Configuration (DSC). State Configuration uses DSC version 3 with PowerShell version 7. DSC version 3 can coexist with older versions of DSC since implementations are separate. It is important to note that no conflict detection exists if you are running DSC version 3 with prior implementations.
State Configuration allows you to write, manage, and compile DSC configuration for Windows Server instances running as IaaS VMs or hybrid instances connected to Azure. State Configuration hosts a DSC pull server that functions in a manner similar to the Windows Feature DSC-Service. State Configuration target nodes receive configurations, converge with the desired state, and report on compliance status to the State Configuration service. Data returned to State Configuration is forwarded to a Log Analytics workspace.