Merge pull request #261177 from rpsqrd/arc-server-updates

denrea · web-flow · commit 073a032a2bb0 · 2023-12-14T11:14:43.000-08:00
Arc server updates
diff --git a/articles/azure-arc/servers/agent-release-notes.md b/articles/azure-arc/servers/agent-release-notes.md
@@ -27,6 +27,7 @@ Download for [Windows](https://download.microsoft.com/download/f/6/4/f64c574f-d3
 
 ### Fixed
 
+- Restored access to servers with Windows Admin Center in Azure
 - Improved detection logic for Microsoft SQL Server
 - Agents connected to sovereign clouds should now see the correct cloud and portal URL in [azcmagent show](azcmagent-show.md)
 - The installation script for Linux now automatically approves the request to import the packages.microsoft.com signing key to ensure a silent installation experience
@@ -38,6 +39,10 @@ Download for [Windows](https://download.microsoft.com/download/f/6/4/f64c574f-d3
 
 Download for [Windows](https://download.microsoft.com/download/5/e/9/5e9081ed-2ee2-4b3a-afca-a8d81425bcce/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
 
+### Known issues
+
+The Windows Admin Center in Azure feature is incompatible with Azure Connected Machine agent version 1.36. Upgrade to version 1.37 or later to use this feature.
+
 ### New features
 
 - [azcmagent show](azcmagent-show.md) now reports extended security license status on Windows Server 2012 server machines.
@@ -57,6 +62,10 @@ Download for [Windows](https://download.microsoft.com/download/5/e/9/5e9081ed-2e
 
 Download for [Windows](https://download.microsoft.com/download/e/7/0/e70b1753-646e-4aea-bac4-40187b5128b0/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
 
+### Known issues
+
+The Windows Admin Center in Azure feature is incompatible with Azure Connected Machine agent version 1.35. Upgrade to version 1.37 or later to use this feature.
+
 ### New features
 
 - The Linux installation script now downloads supporting assets with either wget or curl, depending on which tool is available on the system
diff --git a/articles/azure-arc/servers/license-extended-security-updates.md b/articles/azure-arc/servers/license-extended-security-updates.md
@@ -39,7 +39,7 @@ An additional scenario (scenario 1, below) is a candidate for VM/Virtual core li
 
 ### License limits
 
-Each WS2012 ESU license can cover up to and including 10,000 cores. If you need ESUs for more than 10,000 cores, split the total number of cores across multiple licenses.
+Each WS2012 ESU license can cover up to and including 10,000 cores. If you need ESUs for more than 10,000 cores, split the total number of cores across multiple licenses. Additionally, only 800 licenses can be created in a single resource group. Use additional resource groups if you need to create more than 800 license resources.
 
 ### SA/SPLA conformance
 
diff --git a/articles/azure-arc/servers/media/prerequisites/arc-server-user-rights-assignment.png b/articles/azure-arc/servers/media/prerequisites/arc-server-user-rights-assignment.png
diff --git a/articles/azure-arc/servers/prerequisites.md b/articles/azure-arc/servers/prerequisites.md
@@ -82,6 +82,18 @@ Linux operating systems:
 * openssl
 * gnupg (Debian-based systems, only)
 
+## Local user logon right for Windows systems
+
+The Azure Hybrid Instance Metadata Service runs under a low-privileged virtual account, `NT SERVICE\himds`. This account needs the "log on as a service" right in Windows to run. In most cases, there's nothing you need to do because this right is granted to virtual accounts by default. However, if your organization uses Group Policy to customize this setting, you will need to add `NT SERVICE\himds` to the list of accounts allowed to log on as a service.
+
+You can check the current policy on your machine by opening the Local Group Policy Editor (`gpedit.msc`) from the Start menu and navigating to the following policy item:
+
+Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service
+
+Check if any of `NT SERVICE\ALL SERVICES`, `NT SERVICE\himds`, or `S-1-5-80-4215458991-2034252225-2287069555-1155419622-2701885083` (the static security identifier for NT SERVICE\\himds) are in the list. If none are in the list, you'll need to work with your Group Policy administrator to add `NT SERVICE\himds` to any policies that configure user rights assignments on your servers. The Group Policy administrator will need to make the change on a computer with the Azure Connected Machine agent installed so the object picker resolves the identity correctly. The agent doesn't need to be configured or connected to Azure to make this change.
+
+:::image type="content" source="media/prerequisites/arc-server-user-rights-assignment.png" alt-text="Screen capture of the Local Group Policy Editor showing which users have permissions to log on as a service." border="true":::
+
 ## Required permissions
 
 You'll need the following Azure built-in roles for different aspects of managing connected machines:
@@ -104,6 +116,7 @@ To use Azure Arc-enabled servers, the following [Azure resource providers](../..
 * **Microsoft.GuestConfiguration**
 * **Microsoft.HybridConnectivity**
 * **Microsoft.AzureArcData** (if you plan to Arc-enable SQL Servers)
+* **Microsoft.Compute** (for Azure Update Manager and automatic extension upgrades)
 
 You can register the resource providers using the following commands:
 
