Manage Azure Stack HCI-based virtualized workloads with Azure Arc


As described in the previous unit of this module, Azure Arc expands the scope of a number of the Azure Resource Manager features to non-Azure servers running Windows or Linux, including Azure Stack HCI VMs. In some cases, it also enhances the capabilities of some of the hybrid Azure services that do not depend directly on Azure Arc. In this unit, you will learn how you can benefit from these features and capabilities when managing Azure Stack HCI VMs.

What are the capabilities of Arc enabled Azure Stack HCI VMs?

For any Arc enabled server running Windows or Linux, including Azure Stack HCI VMs, you have access to the following settings directly from the Azure portal:

Setting Explanation
Overview Provides basic information about the Azure resource and the corresponding Arc enabled server, including status, location, subscription, computer name, operating system, and tags.
Activity log Lists Azure Resource Manager-based changes affecting the state of the Azure resource representing the Arc enabled server, including information identifying the initiator of that change.
Access control Enables you to view, grant, and revoke permissions to perform management tasks on the Azure resource representing the Arc enabled server.
Tags Allow you to view, assign, and remove tags consisting of name/value pairs, which provide you with a mechanism to label and categorize the Azure resource representing the Arc enabled server in an arbitrary manner. You can also use them to facilitate consolidated billing by applying tags that map to cost centers reflecting your charge-back policies.
Extensions Allow you to automate configuration of the operating system and applications running within the Arc enabled server by using VM extensions.
Locks Allow you to prevent accidental changes or deletions of the Azure resource corresponding to the Arc enabled server.
Policies Allow you to audit operating system and application settings of the Arc enabled server.
Update management Allows you to implement automatic deployment and reporting of operating system updates on the Arc enabled server.
Inventory Allows you to implement inventory of the Arc enabled server.
Change tracking Allows you to implement change tracking the Arc enabled server.
Insights Allows you to use Azure Monitor to review the host central processing unit (CPU), disks, and the operating system state of the Arc enabled server.
Logs Allows you to collect and analyze logs generated by the operating system and applications on the Arc enabled server.

screenshot of the Identity and Access Management (IAM) page in the Azure portal for the selected VM: ContosoVM1. The details pane displays a number of tabs: Check access (selected), Role assignments, Deny assignments, Classic administrators, and Roles.

What are VM extensions?

VM extensions are lightweight software components that automate post-operating system deployment configuration and automation tasks. Traditionally, VM extensions were available only on Azure VMs, but now it is possible to use selected ones on Azure Arc enabled servers. The following table describes the Windows Server extensions that you can add to Azure Arc enabled servers.

Extension Additional information
CustomScriptExtension Executes a script on the target Arc enabled server.
Desired State Configuration (DSC) Applies a PowerShell DSC configuration on the target Arc enabled server.
Log Analytics agent Installs the Log Analytics agent on the target Arc enabled server and configures it for log forwarding to a Log Analytics workspace.
Microsoft Dependency agent Installs the Dependency agent on the target Arc enabled server to facilitate identifying internal and external dependencies of server workloads.


The equivalent VM extensions are available for Arc enabled servers running Linux.

What is the role of Azure Policy in managing Arc enabled Azure Stack HCI VMs?

Azure Policy is a service that can help organizations to manage and evaluate the internal and regulatory compliance of their Arc enabled servers, in addition to a wide range of Azure services. Azure Policy uses declarative rules based on properties of target resource types, including Windows and Linux operating systems. These rules form policy definitions, which administrators can apply through policy assignment to resource groups, subscriptions, or management groups that host Azure Arc enabled servers. To simplify management of policy definitions, it is possible to combine multiple policies into initiatives, and then create a few initiative assignments in lieu of multiple policy assignments.

Azure Policy supports auditing the state of Arc enabled server with Guest Configuration policies. Guest Configuration policies do not apply configurations, but they audit settings within the target operating system and evaluate their compliance. You can, however, use Azure Policy to apply configuration of the Azure resource representing an Arc enabled server. You can also use Azure Policy to deploy configurations by leveraging VM extensions.

For example, Contoso could use Azure Policy to implement the following rules:

  • Assigning a specific tag to resources representing Arc enabled servers during their registration.
  • Identify Arc enabled servers running Windows with Windows Defender Exploit Guard disabled.
  • Identify Arc enabled servers running Windows that are not joined to a specific Active Directory Domain Services (AD DS) domain.
  • Identify Arc enabled servers running Windows or Linux without Log Analytics agent installed.
  • Identify Arc enabled servers running Linux that are not using SSH keys for authentication.

The screenshot depicts the Assign policy page in the Azure portal. The administrator is selecting from a list of available policies.

The screenshot depicts the applied policies on ContosoVM1. Two policies are applied, and the VM is compliant with one but not the other.

Additional reading

You can learn more by visiting the following webpages:

Choose the best response for each of the following questions. Then select "Check your answers".

Check your knowledge


Which VM extension can an administrator add to Azure Arc enabled servers running Windows Server?


Which software component allows an administrator to use Azure Policy to audit settings within the operating system of Arc enabled servers to evaluate their compliance?