Azure arc servers rework (#236)
* changed create_vms.sh: added win2012r2 vm and updated OS of others

* updated folder structure to reflect new challenges

* updated walkthrough challenge 1 - reverted to use ubuntu 20.04 due to problems with newer versions

* Az Arc Server - Changed standard SKU for VM script

* Arc ESU Challenge 6

* Fix Arc Srv Challenge 2

Renamed Policy, missing word

* Add BPA Challenge 5

* Added challenge 5 to readme

* added script to onboard vms to Azure

* removed password

* removed passwords

* typos

* added VBS activation as Hotpatch prerequisite

* added comments

* Arc - removal of NEU and WEU - Update create_vms.sh

* Arc - Update README.md to remove password suggestion & regions

* Update template-linux.json - remove whitespace

* Delete 03-Azure/01-03-Infrastructure/07_Azure_Monitor/resources/terraform/providers.tf

does not belong to this rework branch. File was added accidentally.

* Arc - Update solution.md

Fixed directly named RG

---------

Co-authored-by: skiddder <[email protected]>
Co-authored-by: Christoph Suesser <[email protected]>
Co-authored-by: TheFitzZZ <[email protected]>
4 people authored Feb 28, 2025
1 parent 8f1757c commit cc6b81a
Showing 50 changed files with 960 additions and 203 deletions.
3 changes: 2 additions & 1 deletion .gitignore
@@ -159,6 +159,7 @@ local.settings.json
*.tfstate
tfstate
*.tfstate.*
*tfplan

# Crash log files
crash.log
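Review bot: `*tfplan` matches any path ending in `tfplan` (for example `mytfplan`), not only a file named `tfplan` or `*.tfplan`; if the goal is to keep Terraform plan output out of the repository, list the two explicit patterns, mirroring the `tfstate` / `*.tfstate` pair a few lines above.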
@@ -201,4 +202,4 @@ id_rsa.pub
*.private.pub

# Ignore ARM Parameter files
*.parameters.json
*.parameters.json
116 changes: 86 additions & 30 deletions 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/Readme.md
@@ -12,7 +12,10 @@
- [Challenge 2 - Azure Monitor integration](#challenge-2---azure-monitor-integration)
- [Challenge 3 - Access Azure resources using Managed Identities from your on-premises servers](#challenge-3---access-azure-resources-using-managed-identities-from-your-on-premises-servers)
- [Challenge 4 - Microsoft Defender for Cloud integration with Azure Arc](#challenge-4---microsoft-defender-for-cloud-integration-with-azure-arc)
- [Challenge 5 - Azure Automanage Machine Configuration](#challenge-5---azure-automanage-machine-configuration)
- [Challenge 5 - Best Practices assessment for Windows Server](#challenge-5---best-practices-assessment-for-windows-server)
- [Challenge 6 - Activate ESU for Windows Server 2012 R2 via Arc (optional)](#challenge-6---activate-esu-for-windows-server-2012-r2-via-arc---optional)
- [Challenge 7 - Azure Automanage Machine Configuration (optional)](#challenge-7---azure-automanage-machine-configuration---optional)

- [**Contributors**](#contributors)

## MicroHack introduction
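Review bot: the new TOC entries for challenges 6 and 7 say "(optional)" while their anchors (`---optional`) and the headings added later in this file use "- optional"; the anchors resolve either way, but the entry text and the heading text should use the same wording.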
@@ -67,9 +70,9 @@ This MicroHack has a few but important prerequisites to be understood before sta

* Your own Azure subscription with Owner RBAC rights at the subscription level
* [Azure Evaluation free account](https://azure.microsoft.com/en-us/free/search/?OCID=AIDcmmzzaokddl_SEM_0fa7acb99db91c1fb85fcfd489e5ca6e:G:s&ef_id=0fa7acb99db91c1fb85fcfd489e5ca6e:G:s&msclkid=0fa7acb99db91c1fb85fcfd489e5ca6e)
* You need to have 2 Virtual Machines ready and updated. One with a Linux Operating System (tested with Ubuntu Server 22.04) and one with Windows Server Operating System (tested with Windows Server 2022). You can use Machines in Azure for this following this Guide: [Azure Arc Jumpstart Servers](https://azurearcjumpstart.io/azure_arc_jumpstart/azure_arc_servers/azure/)
* You need to have 3 virtual machines ready and updated. One with a Linux operating system (tested with Ubuntu Server 24.04), one with Windows Server 2025 and one with Windows Server 2012 R2 (optional). You can use machines in Azure for this following this guide: [Azure Arc Jumpstart Servers](https://azurearcjumpstart.io/azure_arc_jumpstart/azure_arc_servers/azure/)
> **Note**
> When using the Jumpstart the Virtual Machines will already be onboarded to Azure Arc and therefore "Challenge 1 - Azure Arc prerequisites & onboarding" is not needed.
> When using the Jumpstart the virtual machines will already be onboarded to Azure Arc and therefore "Challenge 1 - Azure Arc prerequisites & onboarding" is not needed.
* [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) (Hint: Make sure to use the lastest version)
* [Azure PowerShell Guest Configuration Cmdlets](https://learn.microsoft.com/en-us/azure/governance/machine-configuration/machine-configuration-create-setup#install-the-module-from-the-powershell-gallery)
* It is not possible to run those commands from Azure Cloud Shell
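Review bot: the tested versions in the new prerequisite line (Ubuntu Server 24.04, Windows Server 2025) conflict with the commit message, which says the challenge 1 walkthrough was reverted to Ubuntu 20.04 "due to problems with newer versions"; state the version the walkthrough was actually validated on. While this list is being touched, the unchanged `lastest` on the Azure CLI line could be corrected to `latest`.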
@@ -81,23 +84,23 @@ This MicroHack has a few but important prerequisites to be understood before sta

### Goal

In challenge 1 you will prepare your Azure Environemnt for onboarding of existing Windows- and Linux Servers and onboard them to Azure Arc.
In challenge 1 you will prepare your Azure environemnt for onboarding of existing Windows- and Linux servers and onboard them to Azure Arc.

### Actions

* Create all necessary Azure Resources
* Create all necessary Azure resources
* Resource Group (Name: mh-arc-servers-rg)
* Service Principal (Name: mh-arc-servers-sp)
* Enable required Resource Provider
* Prep existing Server Operating System on-prem
* Onboard existing Server to Azure Arc
* Enable required Resource Providers
* Prep existing server operating system on-prem
* Onboard existing server to Azure Arc

### Success criteria

* You created an Azure Resource Group
* You created an Service Principal with the required role membership
* You created an Azure resource group
* You created an service principal with the required role membership
* Prepared successfully an existing Server OS
* Onboarded Server OS is visible in the Azure Arc plane in the Azure Portal
* Onboarded server is visible in the Azure Arc plane in the Azure Portal

### Learning resources

@@ -114,14 +117,14 @@ In challenge 1 you will prepare your Azure Environemnt for onboarding of existin

### Goal

In challenge 2 you will successfully onboard your Windows and Linux Virtual Machines to Azure Monitor using the Azure Monitoring Agent to leverage Azure Update Management, Change Tracking, Inventory and more. Be aware that Microsoft curently shifts from the retiering Log Analytics Agent to Azure Monitoring Agent. By that some of the features used in challange 2 are currently in preview.
In challenge 2 you will onboard your Windows and Linux virtual machines to Azure Monitor using the Azure Monitoring Agent (AMA) to leverage Azure Update Management, Change Tracking, Inventory and more. Be aware that Microsoft curently shifts from the retiring Log Analytics Agent to Azure Monitoring Agent. By that some of the features used in challange 2 are currently in preview.

### Actions

* Create all necessary Azure Resources
* Log Analytics Workspace (Name: mh-arc-servers-kv-law)
* Create all necessary Azure resources
* Log Analytics workspace (Name: mh-arc-servers-kv-law)
* Configure Data Collection Rules in Log Analytics to collect Windows event logs and Linux syslog
* Enable Azure Monitor for Azure Arc enabled Servers with Azure Policy initiative
* Enable Azure Monitor for Azure Arc enabled servers with Azure Policy initiative
* Enable and configure Update Management
* Enable Change Tracking and Inventory
* Enable VM Insights
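Review bot: the new goal sentence still contains `curently` and `challange`, and "By that some of the features" is awkward; suggest "Because of that, some of the features used in challenge 2 are currently in preview." The workspace name `mh-arc-servers-kv-law` contains `kv`, which reads like a Key Vault name rather than a Log Analytics workspace; confirm it is intended.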
@@ -131,10 +134,10 @@ In challenge 2 you will successfully onboard your Windows and Linux Virtual Mach

* You have a Log Analytics Workspace
* You successfully linked the necessary Azure Policy initiative to the Azure resource group
* You can query the Log Analytics Workspace for events of your Virtual Machines
* All Virtual Machines have the latest Windows and Linux updates installed
* You can browse through the software inventory of your Virtual Machines
* You can use VM Insights to get a detailed view of your Virtual Machines
* You can query the Log Analytics Workspace for events of your virtual machines
* All virtual machines have the latest Windows and Linux updates installed
* You can browse through the software inventory of your virtual machines
* You can use VM Insights to get a detailed view of your virtual machines

### Learning resources

@@ -155,13 +158,13 @@ In challenge 2 you will successfully onboard your Windows and Linux Virtual Mach

### Goal

Managing secrets, credentials or certificates to secure communication between different services is a main challenge for developers and administrators. Managed Identities is Azure's answer to all these challenges and eliminates the need to manage and securely store secrets, credentials or certificates on the Virtual Machine. In challenge 3 you will leverage Managed Identities via Azure Arc to securely access an Azure Key Vault secret from your Azure Arc enabled servers without the need of managing any credential.
Managing secrets, credentials or certificates to secure communication between different services is a main challenge for developers and administrators. Managed Identities is Azure's answer to all these challenges and eliminates the need to manage and securely store secrets, credentials or certificates on the virtual machine. In challenge 3 you will leverage Managed Identities via Azure Arc to securely access an Azure Key Vault secret from your Azure Arc enabled servers without the need of managing any credential.

### Actions

* Create an Azure Key Vault in your Azure resource group
* Create a secret in the Azure Key Vault and assign permissions to your Virtual Machine microhack-arc-servers-lin01
* Access the secret via Bash script
* Create a secret in the Azure Key Vault and assign permissions to your virtual machine vm-linux-mh0
* Access the secret via bash script

### Success Criteria

@@ -182,15 +185,15 @@ Managing secrets, credentials or certificates to secure communication between di

### Goal

* In this challenge, we will integrate your Azure Arc connected machines with Azure Security Center (ASC). After completing the previous challenges, you should now have an Azure subscription with one or more Azure Arc managed servers. You should also have an available Log Analytics workspace and have deployed the Log Analytics agent to your server(s).
* In this challenge, we will integrate your Azure Arc connected machines with Azure Defender for Cloud. After completing the previous challenges, you should now have an Azure subscription with one or more Azure Arc-enabled servers. You should also have an available Log Analytics workspace and have deployed the Log Analytics agent to your server(s).

### Actions

* Enable Microsoft Defender for Cloud with Azure Security Center on your Azure Arc connected machines.
* Enable Microsoft Defender for Cloud on your Azure Arc-enabled machines.

### Success criteria

* Open Microsoft Defender for Cloud with Azure Security Center and view the Secure Score for your Azure Arc connected machine.
* Open Microsoft Defender for Cloud and view the Secure Score for your Azure Arc-enabled machine(s).

### Learning resources

@@ -205,16 +208,68 @@ Managing secrets, credentials or certificates to secure communication between di

[Solution Steps](./walkthrough/challenge-4/solution.md)

## Challenge 5 - Azure Automanage Machine Configuration
## Challenge 5 - Best Practices assessment for Windows Server

### Goal

Challenge 5 is all about interacting with the Client Operating System. We will have a look at Machine Configurations as the final step of this journey.
In this challenge, you will configure and deploy the Best Practices Assessment for Windows Servers onboarded to Azure Arc. The assessment will evaluate the server’s configuration against Windows best practices, generate actionable remediation steps for identified issues, and help you enhance your server infrastructure's performance, security, and stability.

### Actions

* Create all necessary Azure Resources
* Azure Storage Account
* Set Up Best Practices Assessment for one machine
* Run the Best Practices Assessment
* Analyze Results

### Success criteria

* Best Practices Assessment is enabled and installed on your Arc-enabled Windows Server
* The Assessment Platform, Windows Server Assessment, and Azure Monitor Agent (AMA) extensions are installed successfully
* The first Best Practices Assessment is run successfully

### Learning resources

* [Configure Best Practices Assessment for Arc-enabled Windows servers](https://learn.microsoft.com/en-us/windows-server/manage/azure-arc/best-practices-assessment-for-windows-server)


### Solution - Spoilerwarning

[Solution Steps](./walkthrough/challenge-5/solution.md)

## Challenge 6 - Activate ESU for Windows Server 2012 R2 via Arc - optional

### Goal

In this challenge, you will activate Extended Security Updates (ESU) for Windows Server 2012 R2 via Azure Arc. This will ensure that your server continues to receive critical security updates beyond the end of support date and allows you to stop paying for updates once the server gets decommissioned or upgraded.

### Actions

* Purchase and activate the ESU license for your Windows Server 2012 R2.
* Apply the ESU license to your server.

### Success criteria

* The ESU license is purchased and activated.
* The server has an attached ESU license and its ESU status shows as "Enabled"

### Learning resources

* [Extended Security Updates for Windows Server 2012 and 2012 R2](https://learn.microsoft.com/en-us/lifecycle/faq/extended-security-updates)
* [Deploy Extended Security Updates using Azure Arc](https://learn.microsoft.com/en-us/azure/azure-arc/servers/prepare-extended-security-updates?tabs=azure-cloud)

### Solution - Spoilerwarning

[Solution Steps](./walkthrough/challenge-6/solution.md)

## Challenge 7 - Azure Automanage Machine Configuration - optional

### Goal

This challenge is about interacting with the client operating system. We will have a look at Machine Configurations as the final step of this journey.

### Actions

* Create all necessary Azure resources
* Azure Storage account
* Setup a Policy that checks if the user "FrodoBaggins" is part of the local administrators group
* Setup a Custom Machine Configuration, for the Windows Server, that creates a registry key in ``` HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ ```

@@ -233,7 +288,7 @@ Challenge 5 is all about interacting with the Client Operating System. We will h

### Solution - Spoilerwarning

[Solution Steps](./walkthrough/challenge-5/solution.md)
[Solution Steps](./walkthrough/challenge-7/solution.md)

## Finish

@@ -248,3 +303,4 @@ Thank you for investing the time and see you next time!
* Christian Thönes [Github](https://github.com/cthoenes); [LinkedIn](https://www.linkedin.com/in/christian-t-510b7522/)
* Nils Bankert [GitHub](https://github.com/nilsbankert); [LinkedIn](https://www.linkedin.com/in/nilsbankert/)
* Alexander Ortha [GitHub](https://github.com/alexor-ms/); [LinkedIn](https://www.linkedin.com/in/alexanderortha/)
* Christoph Süßer (Schmidt) [GitHub](https://github.com/TheFitzZZ); [LinkedIn](https://www.linkedin.com/in/suesser/)
@@ -1,7 +1,7 @@
# Overview
As a coach (or participant) you might need to have some VMs available which you can use in this microhack to onboard via Arc to Azure. This folder provides scripts and templates to quickly create such VMs. As deployment platform Azure IaaS will be used. Azure VMs need to be [reconfigured](https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-evaluate-on-azure-virtual-machine) in order to simulate on-prem VMs, so that the Azure Guest agent does not interfere with the Azure Arc agent. The scripts to reconfigure this are included in the ```create_vms.sh```.

For each partipant, you will need one Windows and one Linux VM. You can provide the number of participants in the script. The script will then create 1 Windows 2019-datacenter-gensecond and 1 Ubuntu 20_04-lts-gen2 VM for each participant.
For each participant, you will need one Windows 2012 R2, one Windows 2025 and one Linux VM. You can provide the number of participants in the script. The script will then create 1 Windows 2012 R2, 1 Windows 2025 and 1 Ubuntu 24_04-lts-gen2 VM for each participant.

## Deployment instructions
Open a bash shell and login to Azure:
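Review bot: the rewritten sentence names the Windows images as just "Windows 2012 R2" and "Windows 2025", while Ubuntu keeps its SKU form `24_04-lts-gen2` and the removed line used `2019-datacenter-gensecond`; give the Windows SKUs in the same form so a coach can match them to what `create_vms.sh` deploys. As in the main Readme, Ubuntu 24.04 here conflicts with the commit message's reversion of the challenge 1 walkthrough to 20.04.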
@@ -16,10 +16,10 @@ Open the file ```create_vms.sh``` in an editor and adjust the parameters as need
|----------------- |---------------|------------|
|resourceGroupName |The name of the resource group the VMs willl get deployed to. Will be created if not existing|rg-on-prem-vms|
|resourceGroupLocation |Azure region where your resource group will be created in|germanywestcentral|
|adminUsername |local admin/root account in your VMs (will be the same for all machines)|MHAdmin|
|adminPassword |local admin/root password (will be the same for all machines). Use a password which honors complexity rules for Windows & Ubuntu|SecretP@$$W0rd|
|adminUsername |local admin/root account in your VMs (will be the same for all machines)|mhadmin|
|adminPassword |local admin/root password (will be the same for all machines). Use a password which honors complexity rules for Windows & Ubuntu|Pick a safe one|
|number_of_participants |Adjust this to the number of participants in your cohort. For each particpants 2 VMs are created|10|
|regions |An array of regions to which you want to deploy. If using a Sponsored subscription, you might have core limits per region. If providing more than one region in the array, the script will iterate through the regions and distribute the VMs evenly to the named regions. 1 Win and 1 Linux VM will be deployed to a region before moving on in the iteration|("germanywestcentral" "northeurope" "swedencentral" "francecentral" "westeurope")|
|regions |An array of regions to which you want to deploy. If using a Sponsored subscription, you might have core limits per region. If providing more than one region in the array, the script will iterate through the regions and distribute the VMs evenly to the named regions. 2 Win and 1 Linux VM will be deployed to a region before moving on in the iteration|("germanywestcentral" "swedencentral" "francecentral")|
|virtualMachineSize |You can adjust the VM size if needed|Standard_D2ads_v5|

Save the file. Make sure the shell script has execution permission in your directory (if not add it: ```chmod +x create_vms.sh```). Now, execute the shell script
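Review bot: the unchanged `number_of_participants` row still says "For each particpants 2 VMs are created", which is now wrong (the updated `regions` row in this hunk deploys 2 Win and 1 Linux VM per iteration, i.e. 3 VMs per participant) and has a typo; the `resourceGroupName` row has `willl`. Replacing the sample password with "Pick a safe one" is the right move; since the value is set in `create_vms.sh`, consider reading it from an environment variable or an interactive prompt rather than a literal in a file that may be committed.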