MicrosoftDocs
diff --git a/‎articles/azure-arc/servers/agent-overview.md
Lines changed: 227 additions & 0 deletions b/‎articles/azure-arc/servers/agent-overview.md
Lines changed: 227 additions & 0 deletions
diff --git a/‎articles/azure-arc/servers/manage-agent.md
Lines changed: 16 additions & 6 deletions b/‎articles/azure-arc/servers/manage-agent.md
Lines changed: 16 additions & 6 deletions
@@ -0,0 +1,227 @@
+---
+title:  Overview of the Connected Machine Windows agent
+description: This article provides a detailed overview of the Azure Arc for servers agent available which support monitoring virtual machines hosted in hybrid environments.
+services: azure-arc
+ms.service: azure-arc
+ms.subservice: azure-arc-servers
+author: mgoedtel
+ms.author: magoedte
+ms.date: 05/18/2020
+ms.topic: conceptual
+---
+
+# Overview of Azure Arc for servers agent
+
+The Azure Arc for servers Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud provider. This article provides a detailed overview of the agent, system and network requirements, and the different deployment methods.
+
+## Download agents
+
+You can download the Azure Connected Machine agent package for Windows and Linux from the locations listed below.
+
+- [Windows agent Windows Installer package](https://aka.ms/AzureConnectedMachineAgent) from the Microsoft Download Center.
+- Linux agent package is distributed from Microsoft's [package repository](https://packages.microsoft.com/) using the preferred package format for the distribution (.RPM or .DEB).
+
+>[!NOTE]
+>During this preview, only one package has been released, which is suitable for Ubuntu 16.04 or 18.04.
+
+The Azure Connected Machine agent for Windows and Linux can be upgraded to the latest release manually or automatically depending on your requirements. For more information, see [here](manage-agent.md).
+
+## Windows agent installation details
+
+The Connected Machine agent for Windows can be installed by using one of the following three methods:
+
+* Double-click the file `AzureConnectedMachineAgent.msi`.
+* Manually by running the Windows Installer package `AzureConnectedMachineAgent.msi` from the Command shell.
+* From a PowerShell session using a scripted method.
+
+After installing the Connected Machine agent for Windows, the following additional system-wide configuration changes are applied.
+
+* The following installation folders are created during setup.
+
+    |Folder |Description |
+    |-------|------------|
+    |C:\Program Files\AzureConnectedMachineAgent |Default installation path containing the agent support files.|
+    |%ProgramData%\AzureConnectedMachineAgent |Contains the agent configuration files.|
+    |%ProgramData%\AzureConnectedMachineAgent\Tokens |Contains the acquired tokens.|
+    |%ProgramData%\AzureConnectedMachineAgent\Config |Contains the agent configuration file `agentconfig.json` recording its registration information with the service.|
+    |%ProgramData%\GuestConfig |Contains the (applied) Azure policies related files.|
+
+* The following Windows services are created on the target machine during installation of the agent.
+
+    |Service name |Display name |Process name |Description |
+    |-------------|-------------|-------------|------------|
+    |himds |Azure Hybrid Instance Metadata Service |himds.exe |This service implements the Azure Instance Metadata service (IMDS) to track the machine.|
+    |DscService |Guest Configuration Service |dsc_service.exe |This is the Desired State Configuration (DSC v2) codebase used inside Azure to implement In-Guest Policy.|
+
+* The following environmental variables are created during agent installation.
+
+    |Name |Default value |Description |
+    |-----|--------------|------------|
+    |IDENTITY_ENDPOINT |http://localhost:40342/metadata/identity/oauth2/token ||
+    |IMDS_ENDPOINT |http://localhost:40342 ||
+    
+* There are four log files available for troubleshooting. They are described in the following table.
+
+    |Log |Description |
+    |----|------------|
+    |%ProgramData%\AzureConnectedMachineAgent\Log\himds.log |Records details of the agents (himds) service and interaction with Azure.|
+    |%ProgramData%\AzureConnectedMachineAgent\Log\azcmagent.log |Contains the output of the azcmagent tool commands, when the verbose (-v) argument is used.|
+    |%ProgramData%\GuestConfig\gc_agent_logs\gc_agent.log |Records details of the DSC service activity,<br> in particular the connectivity between the himds service and Azure Policy.|
+    |%ProgramData%\GuestConfig\gc_agent_logs\gc_agent_telemetry.txt |Records details about DSC service telemetry and verbose logging.|
+
+* The local security group **Hybrid agent extension applications** is created. 
+
+* During uninstall of the agent, the following artifacts are not removed.
+
+    * C:\Program Files\AzureConnectedMachineAgent\Logs
+    * %ProgramData%\AzureConnectedMachineAgent and subdirectories
+    * %ProgramData%\GuestConfig
+
+## Linux agent installation details
+
+The Connected Machine agent for Linux is provided in the preferred package format for the distribution (.RPM or .DEB) that's hosted in the Microsoft [package repository](https://packages.microsoft.com/). The agent is installed and configured with the shell script bundle [Install_linux_azcmagent.sh](https://aka.ms/azcmagent). 
+
+After installing the Connected Machine agent for Linux, the following additional system-wide configuration changes are applied.
+
+* The following installation folders are created during setup.
+
+    |Folder |Description |
+    |-------|------------|
+    |/var/opt/azcmagent/ |Default installation path containing the agent support files.|
+    |/opt/azcmagent/ |
+    |/opt/DSC/ |
+    |/var/opt/azcmagent/tokens |Contains the acquired tokens.|
+    |/var/lib/GuestConfig |Contains the (applied) Azure policies related files.|
+
+* The following daemons are created on the target machine during installation of the agent.
+
+    |Service name |Display name |Process name |Description |
+    |-------------|-------------|-------------|------------|
+    |himdsd.service |Azure Hybrid Instance Metadata Service |/opt/azcmagent/bin/himds |This service implements the Azure Instance Metadata service (IMDS) to track the machine.|
+    |dscd.service |Guest Configuration Service |/opt/DSC/dsc_linux_service |This is the Desired State Configuration (DSC v2) codebase used inside Azure to implement In-Guest Policy.|
+
+* There are four log files available for troubleshooting. They are described in the following table.
+
+    |Log |Description |
+    |----|------------|
+    |/var/opt/azcmagent/log/himds.log |Records details of the agents (himds) service and interaction with Azure.|
+    |/var/opt/azcmagent/log/azcmagent.log |Contains the output of the azcmagent tool commands, when the verbose (-v) argument is used.|
+    |/opt/logs/dsc.log |Records details of the DSC service activity,<br> in particular the connectivity between the himds service and Azure Policy.|
+    |/opt/logs/dsc.telemetry.txt |Records details about DSC service telemetry and verbose logging.|
+
+* The following environmental variables are created during agent installation. These variables are set in `/lib/systemd/system.conf.d/azcmagent.conf`.
+
+    |Name |Default value |Description |
+    |-----|--------------|------------|
+    |IDENTITY_ENDPOINT |http://localhost:40342/metadata/identity/oauth2/token ||
+    |IMDS_ENDPOINT |http://localhost:40342 ||
+
+* During uninstall of the agent, the following artifacts are not removed.
+
+    * /var/opt/azcmagent
+    * /opt/logs
+
+## Prerequisites
+
+### Supported operating systems
+
+The following versions of the Windows and Linux operating system are officially supported for the Azure Connected Machine agent: 
+
+- Windows Server 2012 R2 and higher (including Windows Server Core)
+- Ubuntu 16.04 and 18.04
+- CentOS Linux 7
+- SUSE Linux Enterprise Server (SLES) 15
+- Red Hat Enterprise Linux (RHEL) 7
+- Amazon Linux 2
+
+>[!NOTE]
+>This preview release of the Connected Machine agent for Windows only supports Windows Server configured to use the English language.
+>
+
+### Required permissions
+
+- To onboard machines, you are a member of the **Azure Connected Machine Onboarding** role.
+
+- To read, modify, re-onboard, and delete a machine, you are a member of the **Azure Connected Machine Resource Administrator** role. 
+
+### Azure subscription and service limits
+
+Before configuring your machines with Azure Arc for servers (preview), you should review the Azure Resource Manager [subscription limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#subscription-limits) and [resource group limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#resource-group-limits) to plan for the number of machines to be connected.
+
+## TLS 1.2 protocol
+
+To ensure the security of data in transit to Azure, we strongly encourage you to configure machine to use Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and while they still currently work to allow backwards compatibility, they are **not recommended**. 
+
+|Platform/Language | Support | More Information |
+| --- | --- | --- |
+|Linux | Linux distributions tend to rely on [OpenSSL](https://www.openssl.org) for TLS 1.2 support. | Check the [OpenSSL Changelog](https://www.openssl.org/news/changelog.html) to confirm your version of OpenSSL is supported.|
+| Windows Server 2012 R2 and higher | Supported, and enabled by default. | To confirm that you are still using the [default settings](https://docs.microsoft.com/windows-server/security/tls/tls-registry-settings).|
+
+### Networking configuration
+
+The Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. If the machine connects through a firewall or proxy server to communicate over the Internet, review requirements below to understand the network configuration requirements.
+
+If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs listed below are not blocked. If you only allow the IP ranges or domain names required for the agent to communicate with the service, you must also allow access to the following Service Tags and URLs.
+
+Service Tags:
+
+- AzureActiveDirectory
+- AzureTrafficManager
+
+URLs:
+
+| Agent resource | Description |
+|---------|---------|
+|management.azure.com|Azure Resource Manager|
+|login.windows.net|Azure Active Directory|
+|dc.services.visualstudio.com|Application Insights|
+|agentserviceapi.azure-automation.net|Guest Configuration|
+|*-agentservice-prod-1.azure-automation.net|Guest Configuration|
+|*.his.arc.azure.com|Hybrid Identity Service|
+
+For a list of IP addresses for each service tag/region, see the JSON file - [Azure IP Ranges and Service Tags – Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). Microsoft publishes weekly updates containing each Azure Service and the IP ranges it uses. For more information, review [Service tags](https://docs.microsoft.com/azure/virtual-network/security-overview#service-tags).
+
+The URLs in the previous table are required in addition to the Service Tag IP address range information because the majority of services do not currently have a Service Tag registration. As such, the IP addresses are subject to change. If IP address ranges are required for your firewall configuration, then the **AzureCloud** Service Tag should be used to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs, allow them as you would other Internet traffic.
+
+### Register Azure resource providers
+
+Azure Arc for servers (preview) depends on the following Azure resource providers in your subscription in order to use this service:
+
+- **Microsoft.HybridCompute**
+- **Microsoft.GuestConfiguration**
+
+If they are not registered, you can register them using the following commands:
+
+Azure PowerShell:
+
+```azurepowershell-interactive
+Login-AzAccount
+Set-AzContext -SubscriptionId [subscription you want to onboard]
+Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
+Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration
+```
+
+Azure CLI:
+
+```azurecli-interactive
+az account set --subscription "{Your Subscription Name}"
+az provider register --namespace 'Microsoft.HybridCompute'
+az provider register --namespace 'Microsoft.GuestConfiguration'
+```
+
+You can also register the resource providers in the Azure portal by following the steps under [Azure portal](../../azure-resource-manager/management/resource-providers-and-types.md#azure-portal).
+
+
+## Installation and configuration
+
+Connecting machines in your hybrid environment directly with Azure can be accomplished using different methods depending on your requirements. The following table highlights each method to determine which works best for your organization.
+
+| Method | Description |
+|--------|-------------|
+| Interactively | Manually install the agent on a single or small number of machines following the steps in [Connect machines from Azure portal](onboard-portal.md).<br> From the Azure portal, you can generate a script and execute it on the machine to automate the install and configuration steps of the agent.|
+| At scale | Install and configure the agent for multiple machines following the [Connect machines using a Service Principal](onboard-service-principal.md).<br> This method creates a service principal to connect machines non-interactively.|
+| At scale | Install and configure the agent for multiple machines following the method [Using Windows PowerShell DSC](onboard-dsc.md).<br> This method uses a service principal to connect machines non-interactively with PowerShell DSC. |
+
+## Next steps
+
+To begin evaluating Azure Arc for servers (preview), follow the article [Connect hybrid machines to Azure from the Azure portal](onboard-portal.md).
@@ -6,7 +6,7 @@ ms.service: azure-arc
 ms.subservice: azure-arc-servers
 author: mgoedtel
 ms.author: magoedte
-ms.date: 04/29/2020
+ms.date: 05/18/2020
 ms.topic: conceptual
 ---
 
@@ -23,11 +23,19 @@ The Azure Connected Machine agent for Windows and Linux can be upgraded to the l
 | Windows | Manually<br> Windows Update |
 | Ubuntu | [Apt](https://help.ubuntu.com/lts/serverguide/apt.html) |
 | SUSE Linux Enterprise Server | [zypper](https://en.opensuse.org/SDB:Zypper_usage_11.3) |
-| RedHat Enterprise, Amazon, CentOS Linux | [yum](https://wiki.centos.org/PackageManagement/Yum) | 
+| RedHat Enterprise, Amazon, CentOS Linux | [yum](https://wiki.centos.org/PackageManagement/Yum) |
 
 ### Windows agent
 
-To update the agent on a Windows machine to the latest version, the agent is available from Microsoft Update and can be deployed using your existing software update management process. It can also be run manually from the Command Prompt, from a script or other automation solution, or from the UI wizard by executing `AzureConnectedMachine.msi`. 
+Update package for the Connected Machine agent for Windows is available from:
+
+* Microsoft Update
+
+* [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx)
+
+* [Windows agent Windows Installer package](https://aka.ms/AzureConnectedMachineAgent) from the Microsoft Download Center.
+
+The agent can be upgraded following a variety of methods to support your software update management process. Outside of obtaining from Microsoft Update, you can download and run manually from the Command Prompt, from a script or other automation solution, or from the UI wizard by executing `AzureConnectedMachine.msi`.
 
 > [!NOTE]
 > * To upgrade the agent, you must have *Administrator* permissions.
@@ -55,7 +63,9 @@ The Setup Wizard discovers if a previous version exists, and then it automatical
 
 ### Linux agent
 
-To update the agent on a Linux machine to the latest version, it involves two commands. One command to update the local package index with the list of latest available packages from the repositories, and one command to upgrade the local package. 
+To update the agent on a Linux machine to the latest version, it involves two commands. One command to update the local package index with the list of latest available packages from the repositories, and one command to upgrade the local package.
+
+You can download the latest agent package from Microsoft's [package repository](https://packages.microsoft.com/).
 
 > [!NOTE]
 > To upgrade the agent, you must have *root* access permissions or with an account that has elevated rights using Sudo.
@@ -166,7 +176,7 @@ To disconnect with your elevated logged-on credentials (interactive), run the fo
 
 This parameter reconnects the already registered or connected machine with Azure Arc for servers (preview). This may be necessary if the machine has been turned off, at least 45 days, for its certificate to expire. This parameter uses the authentication options provided to retrieve new credentials corresponding to the Azure Resource Manager resource representing this machine.
 
-This command requires higher privileges than the [Azure Connected Machine Onboarding](overview.md#required-permissions) role.
+This command requires higher privileges than the [Azure Connected Machine Onboarding](agent-overview.md#required-permissions) role.
 
 To reconnect using a service principal, run the following command:
 
@@ -202,7 +212,7 @@ Both of the following methods remove the agent, but they do not remove the *C:\P
 #### Uninstall from the command line
 
 To uninstall the agent manually from the Command Prompt or to use an automated method, such as a script, you can use the following example. First you need to retrieve the product code, which is a GUID that is the principal identifier of the application package, from the operating system. The uninstall is performed by using the Msiexec.exe command line - `msiexec /x {Product Code}`.
-    
+
 1. Open the Registry Editor.
 
 2. Under registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall`, look for and copy the product code GUID.