Managing Azure Arc-enabled servers with Machine Configuration – Wim Matthyssen


In my blog post contribution for this year’s Azure Spring Clean, we’ll explore how Azure Arc-enabled servers and Azure Machine Configuration (formerly known as Azure Policy Guest Configuration) simplify management and ensure compliance across your hybrid environment.

Spring is here once again! Joe Carlyle and Thomas Thornton are continuing their tradition by leading Azure Spring Clean, a community-driven initiative focused on promoting well-managed Azure tenants.

You can stay updated by following the hashtag #AzureSpringClean on X for the latest tips. To dive deeper, visit https://www.azurespringclean.com to explore additional blog posts and videos offering best practices, lessons learned, and advice on managing Azure.

But let’s now focus on managing Azure Arc-enabled servers with Machine Configuration.

As some of you will probably know, Machine Configuration in Azure is a feature that allows you to enforce and manage the configuration of Azure virtual machines (VMs). What’s even better is that you can now extend this to physical machines or VMs running on-premises or in other public cloud environments using Azure Arc.

With Machine Configuration, which is simply a PowerShell Desired State Configuration-based compliance reporting and configuration tool, you can now define and enforce specific settings on an individual machine or at scale in your hybrid environment. This enables you to manage and audit operating system settings as code on these Arc-enabled machines, such as:

  • Application presence (e.g., ensuring required applications are installed)
  • Environment settings (e.g., configuring network and storage settings)
  • OS configurations (e.g., enforcing system settings like time zone configurations)

In addition, by applying policies through Machine Configuration to these machines, you can also:

  • Enforce configurations: Ensure machines are configured according to your security, compliance, and operational standards.
  • Audit configurations: Verify compliance with predefined settings.
  • Consistent security: Maintain uniform security configurations across hybrid and multi-cloud environments.

Machine Configurations differ from policy definitions. Machine Configuration leverages Azure Policy to dynamically apply configurations to machines, or you can manually assign configurations to machines as needed.

Behind the scenes, this all works via a guest assignment, which is an Azure resource that acts as a link between a machine, whether an Azure VM or an Azure Arc-enabled server, and a machine configuration.

The machine configuration itself contains all the necessary details about the desired settings and policies to be applied to the machine, and these are stored in a .mof (Managed Object Format) file.

💡A .mof file, based on the WMI schema, stores desired configurations for operating systems or applications on VMs or Azure Arc-enabled servers. These files are essential for enforcing settings, rules, and policies, and are often used with DSC to maintain compliance and the desired state across environments.

For example, you might have a policy that ensures all machines in scope have a specific configuration, such as the “AuditSecureProtocol” guest assignment (policy definition). The guest assignment would link this policy to the machines, ensuring they are in compliance with the defined settings.

The guest assignment resource type is Microsoft.GuestConfiguration/guestConfigurationAssignments, and it uses the complianceStatus property to report the compliance status.

⚠️ Machine Configuration policies run with full access to system settings or resources (Local System context on Windows or root on Linux). Ensure that only trusted accounts in your organization have permission to assign Azure Policies or Azure Guest Assignments.

In this blog post, we’ll explore how you can achieve many of these tasks using Machine Configuration on your Azure Arc-enabled servers.

Azure prerequisites

  • An Azure subscription, preferably more than one if you plan to follow the Cloud Adoption Framework (CAF) enterprise-scale architecture. This includes a connectivity and/or management subscription, with at least one ARC subscription (landing zone) for deploying your Arc-related resources.
  • At least one machine, whether physical or virtual, running Windows Server 2016 or later, part of your hybrid environment and already onboarded into Azure Arc.

Register the required resource provider

To use Machine Configuration with your Azure Arc-enabled servers, the “Microsoft.GuestConfiguration” resource provider must be registered on the Azure subscription where your machines are onboarded.

This registration happens automatically when you assign a machine configuration policy through the Azure Portal or if your subscription is enrolled in Microsoft Defender for Cloud. Alternatively, you can manually register it using the Azure Portal, Azure PowerShell, or Azure CLI.

If you’d like to deploy this resource provider using an Azure PowerShell script, simply save the script below as a .ps1 file and run it via Windows Terminal or Azure Cloud Shell, after specifying the correct Azure subscription.

## -------------------------------------------------------------------------
 
## Variables

$providerNameSpace = "Microsoft.GuestConfiguration"

## Re-evaluate $currentTime each time the variable is read, so every message carries the current timestamp
Set-PSBreakpoint -Variable currenttime -Mode Read -Action {$global:currenttime = Get-Date -Format "dddd MM/dd/yyyy HH:mm"} | Out-Null
$foregroundColor1 = "Green"
$foregroundColor2 = "Yellow"
$foregroundColor3 = "Red"
$writeEmptyLine = "`n"
$writeSeperatorSpaces = " - "
 
## --------------------------------------------------------------------------

## Register the required Azure resource provider (Microsoft.GuestConfiguration) in the current subscription context, if not yet registered

Register-AzResourceProvider -ProviderNamespace $providerNameSpace | Out-Null

Write-Host ($writeEmptyLine + "# The " + $providerNameSpace + " resource provider is currently registering or has already been registered" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor2 $writeEmptyLine

## -------------------------------------------------------------------------

Use the built-in Machine Configuration policies

First, to use machine configuration packages that apply configurations to Azure Arc-enabled Windows servers, the Azure Connected Machine agent version 1.10.0 or later is required. Be sure to check the agent version on your servers locally or via the Azure Portal.

Using the built-in Machine Configurations is quite straightforward, as the audit policy definitions available for machine configuration include the Microsoft.HybridCompute/machines resource type.

This means that any of your machines onboarded to Azure Arc-enabled servers that fall within the scope of the policy assignment are automatically included.

Currently, there are three built-in Machine Configurations (Policy definitions) that are automatically used in combination with your Azure Arc-enabled Windows Servers, all of which are in AuditIfNotExists mode:

  • AuditSecureProtocol: Windows machines should be configured to use secure communication protocols (.mof file)
  • AzureWindowsBaseline: Windows machines should meet requirements of the Azure compute security baseline (.mof file)
  • WindowsDefenderExploitGuard: Windows Defender Exploit Guard should be enabled on your machines (.mof file)

To check the compliance of any of your Arc-enabled servers against one of these built-in Machine Configurations, simply go to the Azure Arc page by typing “Arc” in the Global Search bar and selecting Azure Arc.

Then, go to Machines and select the server you want to check compliance for. After that, scroll down to the Operations section and click on Machine Configuration.

On the Machine Configuration page, then simply click on the Machine Configuration for which you want to check the machine’s compliance.

It is good to know that if something isn’t working as expected, you can check the client log files on the local server.

The machine configuration writes the log files to the following location: C:\ProgramData\GuestConfig\arc_policy_logs\

View machine configuration assignment details at scale

You can easily view the guest configuration compliance states for each machine individually via the Azure Arc page, as shown in the previous section.

However, to see all guest configuration assignments across your tenant at once, open the Guest Assignments page in the Azure Portal. To do so, type “guest” in the global search bar and select Guest Assignments.

To view detailed compliance information, click on each assignment using the link in the Name column.
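The Azure Portal pages above show one machine or one assignment at a time. As an added example (not code from the original post), the following Azure PowerShell script uses Azure Resource Graph to pull the same guest assignment data for all Arc-enabled Windows servers in one go, and at the same time flags machines whose Connected Machine agent is older than the 1.10.0 minimum mentioned earlier. It assumes the Az.Accounts and Az.ResourceGraph modules are installed, that Connect-AzAccount has already been run, and that the Resource Graph property names used (agentVersion, osName, complianceStatus, lastComplianceStatusChecked) match your environment.

```powershell
# Added example (not from the original post): query Azure Resource Graph for the
# Machine Configuration compliance of all Azure Arc-enabled Windows servers and
# flag machines whose Connected Machine agent is older than 1.10.0.
# Assumes Az.Accounts and Az.ResourceGraph are installed and Connect-AzAccount has run.

$minimumAgentVersion = [version]"1.10.0"

# One row per (Arc machine, guest configuration assignment); machines without
# any assignment still appear thanks to the left outer join.
$query = @"
resources
| where type =~ 'microsoft.hybridcompute/machines'
| where tostring(properties.osName) =~ 'windows'
| project machineId = tolower(id), machineName = name,
          agentVersion = tostring(properties.agentVersion),
          agentStatus = tostring(properties.status)
| join kind=leftouter (
    guestconfigurationresources
    | where type =~ 'microsoft.guestconfiguration/guestconfigurationassignments'
    | project machineId = tolower(tostring(properties.targetResourceId)),
              assignmentName = name,
              complianceStatus = tostring(properties.complianceStatus),
              lastChecked = todatetime(properties.lastComplianceStatusChecked)
  ) on machineId
| project-away machineId1
"@

# Search-AzGraph returns at most 1000 rows per call; SkipToken fetches the rest
# (assumes the response object exposes a SkipToken property, as documented).
$rows = @()
$skipToken = $null
do {
    $page = Search-AzGraph -Query $query -First 1000 -SkipToken $skipToken
    $rows += @($page)
    $skipToken = $page.SkipToken
} while ($skipToken)

# Machines that cannot run machine configuration packages yet (agent too old).
Write-Host "Arc machines with an agent older than $minimumAgentVersion" -ForegroundColor Yellow
$rows | Where-Object { $_.agentVersion -and [version]$_.agentVersion -lt $minimumAgentVersion } |
    Select-Object machineName, agentVersion, agentStatus -Unique |
    Format-Table -AutoSize

# Non-compliant assignments, e.g. AuditSecureProtocol or AzureWindowsBaseline.
Write-Host "Non-compliant guest configuration assignments" -ForegroundColor Yellow
$rows | Where-Object { $_.complianceStatus -eq 'NonCompliant' } |
    Sort-Object machineName, assignmentName |
    Select-Object machineName, assignmentName, complianceStatus, lastChecked |
    Format-Table -AutoSize
```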

Disable Machine Configuration

For Tier 0 servers, such as Domain Controllers or Certificate Servers, it is crucial to implement strong security measures, especially when they are Azure Arc-enabled.

As a best practice, it is recommended to apply local agent security controls to lock down the Azure Connected Machine agent, ensuring that only local server administrators can modify its configuration.

One key recommendation is to disable Machine Configuration to prevent the use of custom Guest Configuration policies that could alter the agent configuration.

💡 It is also advisable to disable remote access capabilities and either set an extension allowlist or completely disable the extension manager on these servers.

To do this, run the following commands locally on each of these servers: the first disables remote access, the second disables Machine Configuration, and the third sets your preferred extension allowlist:

azcmagent config set incomingconnections.enabled false
 
azcmagent config set guestconfiguration.enabled false
 
azcmagent config set extensions.allowlist "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent,Microsoft.Azure.AzureDefenderForServers/MDE.Windows"

As you can see, this will disable the “Guest Configuration Arc Service” on your server, meaning the desired state of this machine can no longer be monitored.

If these features that rely on an extension were already installed before you modified the allowlist, you will need to manually remove the extensions from the server. This can be done in several ways, such as using the Azure Portal.

💡 Disabling specific capabilities, such as Machine Configuration, can also be useful when you are connecting servers to Azure with Azure Arc for a single purpose, such as collecting event logs, without allowing other management features to be used on the server.
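Because extensions installed before the allowlist was set stay in place, it helps to know which ones are affected before removing them. As an added example (not code from the original post), the following Azure PowerShell script queries Azure Resource Graph for the extensions installed on Arc-enabled servers in a given resource group and reports the ones that are not on the allowlist used in this section. It assumes the Az.Accounts and Az.ResourceGraph modules are installed, that Connect-AzAccount has already been run, and the resource group name is a placeholder you replace.

```powershell
# Added example (not from the original post): list extensions already installed on
# Azure Arc-enabled servers that are NOT on the extension allowlist, so they can be
# removed manually as described in this section.
# Assumes Az.Accounts and Az.ResourceGraph are installed and Connect-AzAccount has run.

# Same allowlist as in the azcmagent command above ("Publisher/Type" entries).
$allowlist = @(
    "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent",
    "Microsoft.Azure.AzureDefenderForServers/MDE.Windows"
)

# Placeholder: the resource group that holds your Tier 0 Arc-enabled servers.
$tier0ResourceGroup = "<rg-arc-tier0>"

# Extensions are child resources of the machine; publisher and type live in properties.
# The machine name is the 9th segment of the extension resource ID.
$query = @"
resources
| where type =~ 'microsoft.hybridcompute/machines/extensions'
| where resourceGroup =~ '$tier0ResourceGroup'
| project machineName = tostring(split(id, '/')[8]),
          extensionName = name,
          publisher = tostring(properties.publisher),
          extensionType = tostring(properties.type),
          provisioningState = tostring(properties.provisioningState)
"@

$extensions = Search-AzGraph -Query $query -First 1000

# -notcontains compares case-insensitively, so publisher/type casing does not matter.
$notAllowed = $extensions | Where-Object {
    $allowlist -notcontains "$($_.publisher)/$($_.extensionType)"
}

if ($notAllowed) {
    Write-Host "Extensions to remove manually (not on the allowlist):" -ForegroundColor Yellow
    $notAllowed | Sort-Object machineName, extensionName |
        Select-Object machineName, extensionName, publisher, extensionType, provisioningState |
        Format-Table -AutoSize
} else {
    Write-Host "All installed extensions are on the allowlist." -ForegroundColor Green
}
```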

Conclusion

By leveraging the capabilities of Azure Arc and Machine Configuration, organizations can efficiently enforce and manage the configuration of Azure Arc-enabled VMs within their hybrid environments, ensuring compliance and security across their entire infrastructure. I hope the steps explained in this blog post help you keep your Arc deployments secure and well-managed.

Before concluding, I want to express my gratitude for being part of this online event. I hope you find value in the other blog posts and videos as well. A special thanks to Thomas Thornton and Joe Carlyle for organizing this event!

If you have any questions or suggestions regarding this blog post, feel free to reach out to me via my X handle (@wmatthyssen) or leave a comment below. I’m happy to help!

Happy reading 📖 and managing 💻!
