The Arc GPO Deployment project contains the files needed to onboard non-Azure machines to Azure Arc automatically, using a Group Policy Object (GPO).
The project also contains Azure Workbooks to keep track of the onboarding process.
- DeployGPO.ps1: PowerShell script to deploy the GPO in a given AD domain.
- EnableAzureArc.ps1: PowerShell script that has to be placed in the network share and executes the onboarding process.
- RenewSPSecretDPAPI.ps1: PowerShell script that securely stores the renewed Service Principal secret in an encrypted file within the Arc Onboarding share.
- ParseArcOnboardingPrerequisites.ps1: PowerShell script that parses the information of the machines that did not meet the onboarding requirements.
- ArcGPO: folder structure that contains the GPO settings to be imported in AD.
- ARMTemplates: folder with the Azure Function template to monitor Azure Arc Agent version updates.
- Workbooks: folder with Azure Workbooks to monitor your Azure Arc onboarding status and your Azure Arc servers.
- ScheduledTask: folder with a scheduled task that programmatically uploads on-prem XML report files to Azure Log Analytics.
- Create a Service Principal and give it Azure Arc onboarding permissions, following this article: Create a Service Principal for onboarding at scale.
- Register Microsoft.HybridCompute, Microsoft.GuestConfiguration and Microsoft.HybridConnectivity as resource providers in your subscription, following this article: Register Resource Provider.
- Create a network share, e.g. AzureArcOnboard, that will be used for deployment and reporting files, with the following permissions:
  - Domain Controllers, Domain Computers and Domain Admins: Change permissions.
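The following script is an added example (it is not part of the Arc GPO Deployment project) that carries out the second and third prerequisites from an elevated PowerShell session on the file server: it registers the three resource providers and waits for each to reach the Registered state, then creates the share with Change access for exactly the three groups listed above and mirrors that on the NTFS ACL. It assumes the Az.Resources module is installed and Connect-AzAccount has already been run; the subscription ID, share path and domain NetBIOS name are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not project code. Placeholders below must be replaced.
$SubscriptionId = '<subscription-id>'
$ShareName      = 'AzureArcOnboard'
$SharePath      = 'D:\AzureArcOnboard'   # local folder backing the share
$Domain         = 'CONTOSO'              # NetBIOS name of the AD domain
$Providers      = 'Microsoft.HybridCompute', 'Microsoft.GuestConfiguration', 'Microsoft.HybridConnectivity'

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Register the resource providers and block until each one reports 'Registered'.
foreach ($ns in $Providers) {
    $state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -First 1
    if ($state -ne 'Registered') {
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
    while ($state -ne 'Registered') {
        Start-Sleep -Seconds 10
        $state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -First 1
    }
    Write-Host "$ns : $state"
}

# 2. Create the folder and the SMB share. Passing -ChangeAccess means only these
#    three groups are granted share access (no default 'Everyone: Read' entry is added).
$Principals = "$Domain\Domain Controllers", "$Domain\Domain Computers", "$Domain\Domain Admins"
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess $Principals | Out-Null
}

# 3. Mirror the share permissions on NTFS: Modify is the NTFS counterpart of Change.
$acl = Get-Acl -Path $SharePath
foreach ($p in $Principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $p, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# 4. Show the effective share ACL so the result can be reviewed before deployment.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

Domain Computers need Change rather than Read because, as described later on this page, every onboarded machine writes its XML report files (and its 'NotConnected' error logs) back into this share.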
- Copy the project structure to a local folder of a Domain Controller.
- Copy the 'AzureConnectedMachineAgent.msi' file to the ArcRemoteShare. You can download it from https://aka.ms/AzureConnectedMachineAgent
- Modify the EnableAzureArc.ps1 onboarding file to customize the Azure tags for onboarded servers:

```powershell
$tags = @{ # Tags to be added to the Arc servers
    Department  = "Department"
    deployedBY  = "GPO"
    Responsible = "Responsible"
}
```
- Execute the deployment script DeployGPO.ps1 with the following syntax:

```powershell
.\DeployGPO.ps1 -DomainFQDN contoso.com -ReportServerFQDN Server.contoso.com -ArcRemoteShare AzureArcOnBoard -ServicePrincipalSecret $ServicePrincipalSecret -ServicePrincipalClientId $ServicePrincipalClientId -SubscriptionId $SubscriptionId -ResourceGroup $ResourceGroup -Location $Location -TenantId $TenantId [-AgentProxy $AgentProxy] [-PrivateLinkScopeId $PrivateLinkScopeId]
```

Where:
- ServicePrincipalClientId is the ID of the Service Principal created previously.
- ServicePrincipalSecret is the secret of the Service Principal created previously.
- ReportServerFQDN is the Fully Qualified Domain Name of the host where the network share resides.
- SubscriptionId is the subscription ID for your new Arc resources.
- Location is the location (like "westus") of your new Arc resources.
- ResourceGroup is the resource group that will contain your new Arc resources.
- TenantId is the tenant ID used to onboard new Arc resources.
- ArcRemoteShare is the name of the network share you created.
- AssessOnly [optional] makes the GPO work in Assess mode; no onboarding is done.
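As an added example (not part of the project), here is a wrapper around the invocation above that a practitioner would typically use instead of typing the command by hand: it first confirms the agent MSI is actually in the share, then prompts for the Service Principal secret as a SecureString so the value never lands in the console or in PSReadLine history, and passes everything to DeployGPO.ps1 by splatting. It assumes DeployGPO.ps1 accepts the secret as a plain string, as the $ServicePrincipalSecret variable in the example suggests; all other values are placeholders.

```powershell
# Added example, not project code. Run from the folder that contains DeployGPO.ps1.
$ReportServerFQDN = 'Server.contoso.com'   # placeholder
$ArcRemoteShare   = 'AzureArcOnBoard'      # placeholder

# Fail early if the agent installer has not been copied to the share yet,
# so the GPO is never deployed pointing at a missing MSI.
$msi = "\\$ReportServerFQDN\$ArcRemoteShare\AzureConnectedMachineAgent.msi"
if (-not (Test-Path -Path $msi)) {
    throw "AzureConnectedMachineAgent.msi not found at $msi; download it from https://aka.ms/AzureConnectedMachineAgent first."
}

# Read the secret masked; convert it to plain text only in memory, right before the call.
$secureSecret = Read-Host -Prompt 'Service Principal secret' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureSecret)
try {
    $plainSecret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# Splatting keeps the long parameter list readable and reviewable.
$deployParams = @{
    DomainFQDN               = 'contoso.com'          # placeholder
    ReportServerFQDN         = $ReportServerFQDN
    ArcRemoteShare           = $ArcRemoteShare
    ServicePrincipalClientId = '<app-id>'             # placeholder
    ServicePrincipalSecret   = $plainSecret
    SubscriptionId           = '<subscription-id>'    # placeholder
    ResourceGroup            = 'rg-arc-servers'       # placeholder
    Location                 = 'westus'
    TenantId                 = '<tenant-id>'          # placeholder
    # Optional parameters documented on this page; uncomment as needed.
    # AgentProxy             = 'http://proxy.contoso.com:8080'
    # AssessOnly             = $true
}
.\DeployGPO.ps1 @deployParams

# Drop the in-memory copies once the script has consumed them.
Remove-Variable -Name plainSecret, secureSecret, deployParams
```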
- Deploy the Azure Function that checks for Arc Agent releases, using this guide: Azure Function Deployment. This function creates the AzureARCAgentLatestVersion_CL log in Log Analytics.
- Create a new Workbook and copy the content from this source json file: ArcServers.json.
- Use either of these methods to upload data from the XML files to Log Analytics programmatically. This will populate the ArcOnboardingStatus_CL log.
- Create a new Workbook and copy the content from this source json file: ArcOnboardingStatus.json.
- Deploy the workbook AzureArcServers&VMsExtensionsMonitor, creating a new workbook in the portal using the json information as content. Once created, choose up to 4 extensions for Windows and Linux machines to monitor their status.
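The script below is an added example (it is not the project's ScheduledTask code) of what "uploading the XML files to Log Analytics programmatically" involves: it parses report files from the share, batches them as JSON and posts them to the Log Analytics HTTP Data Collector API with the SharedKey HMAC-SHA256 signature that API requires, using the Log-Type ArcOnboardingStatus so the records land in ArcOnboardingStatus_CL. The XML layout in $sampleXml is constructed for this example because the page does not show the real report schema; workspace ID, key and report path are placeholders, and the workspace key must be handled as a secret (it grants write access to the workspace).

```powershell
# Added example, not project code. Placeholders and the constructed XML must be adapted.
$WorkspaceId = '<workspace-id>'
$SharedKey   = '<workspace-primary-key-base64>'
$ReportPath  = '\\Server.contoso.com\AzureArcOnboard\Reports'   # placeholder
$LogType     = 'ArcOnboardingStatus'   # Log Analytics appends _CL to this name

# Constructed sample report so the parsing path can be exercised without the share.
$sampleXml = @'
<ArcOnboarding>
  <Computer>srv01.contoso.com</Computer>
  <Status>NotConnected</Status>
  <ErrorCode>AZCM0044</ErrorCode>
  <Timestamp>2024-01-15T10:12:00Z</Timestamp>
</ArcOnboarding>
'@

function ConvertFrom-ArcReportXml {
    # Flatten one report file into the record shape that will become a table row.
    param([string]$XmlText, [string]$SourceFile)
    [xml]$doc = $XmlText
    [pscustomobject]@{
        Computer   = $doc.ArcOnboarding.Computer
        Status     = $doc.ArcOnboarding.Status
        ErrorCode  = $doc.ArcOnboarding.ErrorCode
        ReportTime = $doc.ArcOnboarding.Timestamp
        SourceFile = $SourceFile
    }
}

function Send-LogAnalyticsData {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$LogType, [string]$JsonBody)
    $bodyBytes = [Text.Encoding]::UTF8.GetBytes($JsonBody)   # send bytes so Content-Length matches the signature
    $date      = [DateTime]::UtcNow.ToString('r')
    # Canonical string the Data Collector API expects to be signed with the workspace key.
    $toSign = "POST`n$($bodyBytes.Length)`napplication/json`nx-ms-date:$date`n/api/logs"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $sig = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))
    $headers = @{
        Authorization          = "SharedKey ${WorkspaceId}:${sig}"
        'Log-Type'             = $LogType
        'x-ms-date'            = $date
        'time-generated-field' = 'ReportTime'   # use the report's own timestamp as TimeGenerated
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-RestMethod -Uri $uri -Method Post -ContentType 'application/json' -Headers $headers -Body $bodyBytes
}

$records = @()
$records += ConvertFrom-ArcReportXml -XmlText $sampleXml -SourceFile 'constructed-sample.xml'
if (Test-Path -Path $ReportPath) {
    Get-ChildItem -Path $ReportPath -Filter '*.xml' -Recurse | ForEach-Object {
        $records += ConvertFrom-ArcReportXml -XmlText (Get-Content -Path $_.FullName -Raw) -SourceFile $_.FullName
    }
}
# -InputObject keeps a single record as a JSON array rather than a bare object.
$body = ConvertTo-Json -InputObject @($records) -Depth 3
Send-LogAnalyticsData -WorkspaceId $WorkspaceId -SharedKey $SharedKey -LogType $LogType -JsonBody $body
```

When this runs from the scheduled task on the report server, the task's account only needs read access to the share and the workspace key; the key should be stored for that account rather than embedded in the script.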
This is the full picture of the solution:
- Added Azure Arc Private Link support.
- New version of workbook AzureArcServers&VMsExtensionsMonitor, now with extension version control and a dynamic extension parameter filter.
- New workbook added in the Workbooks folder, AzureArcServers&VMsExtensionsMonitor, to monitor the installation of extensions in Azure Arc and Azure VM machines. The workbook must be deployed as an ARM template, selecting the extensions to be monitored.
- Streamlined the whole process by adding parameters to the Deploy script instead of the Enable script.
- Changed the encryption method to DPAPI. No keys are stored on target servers.
- New PowerShell script RenewSPSecretDPAPI.ps1 to renew the Service Principal secret.
- Added script RenewSPSecret.ps1, to renew the secret of the Service Principal used to onboard servers.
- Moved deployment files from the Netlogon folder to a generic shared folder.
- Added Service Principal monitoring to the Azure Arc Servers main Workbook.
- Minor changes: updated Help and workbook filters.
- Added the -AssessOnly switch parameter to make the GPO work in Assess mode (without onboarding machines).
- FIXES: automatic update of local agents improved. Added a new pre-task to clean up the scheduled task that sometimes remained active.
- Added Active Directory Site information to Azure Arc Servers tags, as follows: Site:ADSiteName
- New Azure Workbooks to monitor your Azure Arc onboarding status and your Azure Arc servers.
- New Azure Function to track new Azure Arc Agent version releases.
- A scheduled task was created to programmatically upload all XML files to the Log Analytics Workspace.
- Proxy functionality was added to the GPO with a new parameter -AgentProxy.
- New mandatory parameter NetlogonSubfolder. The folder structure is now created automatically and assigned the proper permissions.
- Removed the service principal secret from the netlogon script. The secret is encrypted automatically at runtime and stored in a remote registry key.
- Machines automatically update their Arc Agent when there is a new version in the netlogon folder.
- Machines that are not connected log their connection errors to the 'NotConnected' subfolder.
- Improved local logging with the Agent error code.
- Local log maintenance (circular logging).
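The DPAPI change in the release notes is worth seeing concretely. The following is an added example (not the project's RenewSPSecretDPAPI.ps1) of the pattern: the secret is passed through the Windows Data Protection API and written to the share as an opaque blob, so the script never has to store or distribute an encryption key, and the blob is only useful in the protection scope it was created in. The LocalMachine scope, the optional entropy value and the file name are assumptions for the illustration; which scope the project uses is not stated on this page.

```powershell
# Added example, not project code. Scope, entropy and path are assumptions.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.ProtectedData on Windows PowerShell 5.1

function Protect-SecretToFile {
    param([string]$Secret, [string]$Path, [byte[]]$Entropy)
    $plain = [Text.Encoding]::UTF8.GetBytes($Secret)
    # LocalMachine scope: any process on this machine that can read the file can unprotect it,
    # so the file ACL is the access control. CurrentUser scope would bind it to the protecting
    # account instead, which is stricter but breaks if a different account must read it.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, 'LocalMachine')
    [Array]::Clear($plain, 0, $plain.Length)   # do not leave the plaintext bytes around
    [IO.File]::WriteAllBytes($Path, $blob)
}

function Unprotect-SecretFromFile {
    param([string]$Path, [byte[]]$Entropy)
    $blob = [IO.File]::ReadAllBytes($Path)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, 'LocalMachine')
        [Text.Encoding]::UTF8.GetString($plain)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Raised when the blob was protected on another machine, in another scope,
        # or with different entropy: the expected failure mode, not a corrupt file.
        throw "DPAPI unprotect failed: $($_.Exception.Message)"
    }
}

$entropy = [Text.Encoding]::UTF8.GetBytes('ArcOnboarding')   # assumed optional extra entropy
$file    = Join-Path -Path $env:TEMP -ChildPath 'sp-secret.dpapi'   # placeholder; the project uses the share
Protect-SecretToFile -Secret 'constructed-sample-secret' -Path $file -Entropy $entropy
$roundTrip = Unprotect-SecretFromFile -Path $file -Entropy $entropy
Write-Host "Round trip on the protecting machine succeeded: $($roundTrip -eq 'constructed-sample-secret')"
```

The detection-side corollary is that a DPAPI blob copied off the file server is inert elsewhere; the assets to protect are the server itself and the ACL on the share, which is why the share permissions earlier on this page matter.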
- Azure Workbooks:
  - Azure Arc Onboarded Servers
  - Azure Arc Onboarding Status
  - Extensions Workbook
- Local logging: a process where the machine already exists in Arc and throws error AZCM0044.
- Remote Share: permissions needed in the shared folder for installation and reporting purposes.