Let’s check the blades on a machine resource

Overview
When you select an Arc-enabled machine in the Azure portal, the Overview page is the first thing you see. It provides a snapshot of the machine’s current state and configuration. This high-level dashboard includes:
- Status: Whether the machine is connected, disconnected, or in an error state.
- Operating System: Displays OS type and version.
- Resource Group and Subscription: Contextual placement in Azure.
- Location: Azure region to which the Arc machine is logically connected.
- Tags: Any metadata tags applied for categorization.
- Activity Log Access: Shortcut to view recent operations.
- Monitoring Summary: Overview of performance metrics, alerts, and security recommendations.
- License type: pay-as-you-go, retail, and so on.
- Azure benefits: help you reduce costs, e.g. Windows and SQL licensing, Update Manager, and so on.
The Overview page acts as a command center, allowing you to assess the machine’s health and quickly jump to more detailed sections such as monitoring, security, and configuration. It’s especially valuable in large environments to prioritize troubleshooting and action.

The next tabs are very common in Azure, as you know: the Activity log, Access control (IAM), Tags, Diagnose and solve problems, and Resource visualizer. Anyone starting with Azure Arc should have this knowledge, or at least know what each one is and what can be found there.
Settings
Connect
You can connect to your machine through SSH.
- No public IP needed
- No open SSH ports needed
- Log in with a local user or an Azure user; the latter is only available on Linux.
- Windows or Linux machines

Security
The Security blade integrates with Microsoft Defender for Cloud. You can:
- View security recommendations
- Identify vulnerable configurations
- Monitor threat protection status
- Enable Just-in-Time VM access
Security posture management is enhanced with real-time alerts and compliance scoring.

Extensions
VM Extensions are lightweight agents that provide post-deployment configuration and automation. Common extensions include:
- Azure Monitor Agent (AMA) for telemetry
- Custom Script Extension to execute scripts
- Dependency Agent for Service Map and Change Tracking
These are crucial for centralized monitoring and configuration enforcement.

As I don’t allow the SQL Server agent extension, you get this; the reason can be found if you click on View Details:

Extension updates:

Extension up to date and working properly:

Properties
Displays metadata including:
- OS type and version
- Azure resource ID
- Resource group and subscription
- Connected location and region
This blade helps admins quickly assess configuration and placement of each machine.

Locks
Azure Locks protect resources from accidental changes. Two types:
- Read-only: Users can read but not modify or delete
- Delete: Prevents deletion of the resource

Operations
Policies
Enforce compliance with Azure Policy. For Arc machines, you can assign:
- Allowed locations
- Required tags
- OS version enforcement
- Guest configuration policies
- And much much more
This standardizes environments across cloud and on-prem infrastructures.

I’m still working on the policies, so don’t judge :’]
Machine configuration
This feature lets you manage:
- Operating system settings
- Application configuration or presence
- Environment settings
- DSC
This helps maintain a secure and predictable configuration state.
Wim Matthyssen has a nice blog about this subject:
Run command
Run Command uses the Connected Machine agent to let you remotely and securely run a script inside this Azure Arc-enabled server.
The agent must be at least version 1.33.

As you see, you cannot do much in the portal itself, but you can do it through PowerShell or Azure CLI.
Check John Savill's video on YouTube: Arc-Enabled Server Run Command

SQL Server configuration
If the machine is Arc-enabled with SQL Server, this section offers:
- Licensing management (pay-as-you-go, License or License with SA)
- SQL assessment reports
- Transparent patching and backup configuration
This provides SQL-specific governance within Arc’s broader management model.


Updates
Manage updates using Azure Update Manager:
- Schedule patch deployments
- View update compliance
- Target groups using dynamic queries
Update automation ensures critical patches are deployed consistently across environments.
Check my other posts:
Azure update manager: https://blog.enter-consult.be/azure-update-manager-the-basics/
Hotpatching: https://blog.enter-consult.be/enable-hotpatching-preview-in-azure-arc/
Inventory
This tool queries and displays:
- Installed software
- Windows features
- System roles
Inventory data is collected via the Log Analytics agent or AMA. It supports filtering and exporting.
Change tracking
Detects configuration drift and tracks changes to:
- Files
- Registry keys
- Services and software
Supports alerting and integrates with automation runbooks for remediation.
Licenses
Windows Server
Manage Windows Server licensing with Azure Hybrid Benefit. This allows you to:
- Use existing on-prem licenses
- Save costs by applying Azure Hybrid Benefit to eligible machines
Validation is automatic if connected to Azure; otherwise, manual tagging may be required.
Windows management
Windows Admin Center
WAC provides GUI-based administration via browser. Features include:
- Disk management
- Certificate store access
- Remote PowerShell
- Event viewer
- RDP through SSH
- And much more
Integrated into Azure, WAC bridges the gap between GUI admin and cloud-native operations.
You MUST be assigned the Windows Admin Center Administrator Login RBAC role.
The incomingconnections.enabled setting must be set to true; otherwise WAC will not be able to contact the agent.
If you plan to use WAC, rather use a Chromium-based browser. Firefox didn’t do it for me and for a lot of others too.

Check out my app for troubleshooting the agent: https://github.com/enderalci/AACMAToolkit
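
The two agent prerequisites mentioned on this page (agent version 1.33 or later for Run command, and incomingconnections.enabled set to true for Windows Admin Center) can be checked locally on the server. This is an added example, not code from this post or from the AACMAToolkit; the function names are hypothetical and the "Agent Version" line layout read from `azcmagent show` is an assumption.

```shell
#!/bin/sh
# Added example: local preflight for two agent prerequisites named on this page.
# Function names are hypothetical; the `azcmagent show` line layout is assumed.

MIN_RUN_COMMAND_AGENT="1.33"   # minimum agent version for Run command (from the page)

# version_ge A B: succeed when dotted version A >= B, comparing each field as a
# number. A plain string compare would wrongly rank 1.4 above 1.33.
version_ge() {
  for vg_v in "$1" "$2"; do
    case "$vg_v" in ""|*[!0-9.]*) return 2 ;; esac   # dotted decimal only
  done
  vg_a=$1; vg_b=$2
  while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
    vg_x=${vg_a%%.*}; vg_y=${vg_b%%.*}
    case "$vg_a" in *.*) vg_a=${vg_a#*.} ;; *) vg_a= ;; esac
    case "$vg_b" in *.*) vg_b=${vg_b#*.} ;; *) vg_b= ;; esac
    # Strip leading zeros (fields such as 02399) and treat a missing field as 0.
    vg_x=${vg_x#"${vg_x%%[!0]*}"}; vg_y=${vg_y#"${vg_y%%[!0]*}"}
    [ "${vg_x:-0}" -gt "${vg_y:-0}" ] && return 0
    [ "${vg_x:-0}" -lt "${vg_y:-0}" ] && return 1
  done
  return 0
}

# Read `azcmagent show` text on stdin and print the agent version field.
agent_version_from_show() {
  sed -n 's/^Agent Version[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# preflight VERSION INCOMING_ENABLED: report both checks, non-zero if any fails.
preflight() {
  pf_rc=0
  if version_ge "$1" "$MIN_RUN_COMMAND_AGENT"; then
    echo "run-command: ok (agent $1)"
  else
    echo "run-command: blocked (agent '$1' is below $MIN_RUN_COMMAND_AGENT)"; pf_rc=1
  fi
  if [ "$2" = "true" ]; then
    echo "wac: ok (incomingconnections.enabled=true)"
  else
    echo "wac: blocked (incomingconnections.enabled=$2)"; pf_rc=1
  fi
  return $pf_rc
}

# Live use on an Arc-enabled server; skipped where azcmagent is not installed.
if command -v azcmagent >/dev/null 2>&1; then
  preflight "$(azcmagent show | agent_version_from_show)" \
            "$(azcmagent config get incomingconnections.enabled)"
fi
```

preflight returns non-zero when either prerequisite is missing, so it can gate a rollout script.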
Azure Site Recovery configuration
Protect workloads using Azure Site Recovery. Arc machines can be replicated to Azure, supporting:
- Disaster recovery
- Failover testing
- Recovery plan automation
Azure Site Recovery integration ensures business continuity and data resilience.
Only eligible with pay-as-you-go or SA license type.

More detailed info and how to set it up:
https://learn.microsoft.com/en-us/windows-server/manage/azure-arc/azure-site-recovery-for-windows-server
Best practices assessment
Provides assessments based on Microsoft’s guidance. Evaluates:
- Security configuration
- Update status
- Backup settings
- Resource tagging
Helpful for audits and aligning with industry standards.
And again only eligible with pay-as-you-go or SA license type.

Monitoring
Insights
Visual dashboards powered by Azure Monitor show:
- CPU and memory usage
- Disk I/O
- Network throughput
Insights can be tailored to specific performance thresholds and historical trends.
Logs
All diagnostics and telemetry are forwarded to Log Analytics Workspace. This enables:
- KQL-based querying
- Alert rule creation
- Custom dashboards
Logs provide a central, scalable way to collect operational data.

Workbooks
Workbooks are interactive dashboards that visualize data from:
- Azure Monitor Logs
- Metrics
- External sources (via APIs)
They support sharing, customization, and templating for repeated use across machines.
