Enable Azure ARC Machines with Windows Admin Center

Azure ARC is a new service from Microsoft announced at Ignite 2019. The service promises the ability to use the same Azure management tools to manage and monitor your on-prem workloads or even in another cloud. At present Azure ARC Machines is in preview and limited to Guest Configuration and Monitoring. That said, if you’ve ever read my blog before you already know you don’t need Azure ARC to use Azure Monitor for your on-prem workloads. Still I wanted to on board my VMs to Azure ARC and more specifically with Windows Admin Center. If you’re not using Windows Admin Center, you really should be, its amazing and completely free.

Enabling Azure ARC Preview

Because the service is in preview, you need to explicitly enable the service on your Azure subscription(s). You can do this in the Azure Portal and with PowerShell.

In Azure Portal

First, find “Machines – Azure Arc” in the portal. Then select Create Machine – Azure Arc.

Azure ARC Windows Admin Center

Next, click Generate script

Azure ARC Windows Admin Center

Now click on Register.

Azure ARC Windows Admin Center

This will enable Hyrbid Compute and GuestConfiguration resource providers.

Enable via Powershell

If the Azure Portal isn’t your thing, here’s the Powershell way:

Connect-AzAccount

Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration

If you miss this step, when you try to on board a machine to ARC, you will get this nice error.

Azure ARC Windows Admin Center

Connect Windows Admin Center and Azure

In your Windows Admin Center(WAC), if you haven’t already registered Windows Admin Center with Azure you’ll be asked to do that, or you can do it separately under the Azure tab within WAC.

 Azure ARC Windows Admin Center

Follow the steps outlined here. Essentially you are creating a new Azure AD application for WAC to have permissions to your Azure environment.

Azure ARC Windows Admin Center

Next you need to find the app in Azure AD, and grant the permissions.

Azure ARC Windows Admin Center

Once done if you connect to any VM, under the Azure Hybrid Services tab, you’ll now see a bunch of Azure services available to you.

Azure ARC Windows Admin Center

Setup Azure ARC with Windows Admin Center

For the purposes of this blog I created a brand new VM, arctest, and joined it to my lab domain. Once connected to a VM you can see the services available in this case we’re doing Arc for Servers.

Azure ARC Windows Admin Center

 

Because these machines are going to be treated like Azure Resources, it will ask you what subscription and resource group you want to put the machines in.

Azure ARC Windows Admin Center

 

In my experience it will take around 5 minutes per machine to setup. Once setup you get this screen here.

 

Azure ARC Windows Admin Center

and the Azure Connected Machine Agent will be installed.

Azure ARC Windows Admin Center

The reason I created a brand new VM in my lab is because all my other machines have already been using Azure Monitor. I wanted to see what would happen on a fresh machine. And if it would install the Microsoft Monitoring Agent, aka Log Analytics Agent. It did not. The Query and Analyze logs section above should be modified to make it clear that you haven’t connected the machine to Azure Monitor. Or that should be added as an optional step. Right now it implies that the machine is connected.

You can read about all the changes made to VMs that are on-boarded here.

Azure Management with Azure Arc

Once you’ve on-boarded all your machines. They’ll be in the Resource Group that was specified when joining them.

You can treat them as regular resources in Azure. They’re given a ResourceId, location, Resource Group, just like all your Azure native resources.

Which will also show up in Log Analytics Heartbeat table, once you’ve connected them to a Log Analytics workspace.

Management with Policy

Right now the most useful policies are in the Guest Configuration category.

Looking through them, I immediately found one I had to try out, which was the Initiative “Audit Windows VMs that are not set to the specified time zone” which contains two policies. I set it to Central time and sure enough it worked on my Arctest machine. I can’t tell you how many times thats thrown me off. “How is it only 10am, I already had lunch?”

At some point I would expect to see deployIfNotExist work as part of Azure Policy against Azure Arc servers. That would be really cool to be able to set an Azure Backup policy that automatically on boards your on-prem machines to Azure Recovery Services vaults for Azure Backup.

 

Improvements for Windows Admin Center and Azure Arc Machines

For me, Windows Admin Center exists because Microsoft recognizes that having every admin know PowerShell is unfeasible. *Gasp* I know, I know, I’m supposed to say “learn powershell or learn to ask if you want fries.” But its simply not true, which is part of the reason WAC exists in my opinion. It allows Admins to manage servers remotely without RDP, using more secure WinRM with Powershell behind the scenes. With all that said I would like to see a Select All or multi-select option to enable multiple machines for Azure Arc at once, instead of having to do it singularly. Yes I know there is a bulk add script, but again see above about Admins and Powershell. Its likely going to take someone not familiar with Powershell longer to get setup and figure that out than just “select all, add” would.

As mentioned above I would like to see the Log Analytics portion clarified and potentially add an optional step to on-board the machines to Log Analytics as well.

 

Other Azure Arc Content

Interested in other Azure Arc content? Check out Thomas Mauer’s blog. He has an Azure Advent Calendar video, and an interview with the a member of the Azure Arc team.

Leave a Comment