Commit 107b9f8

Merge pull request #192131 from MicrosoftDocs/main
3/18 AM Publish
2 parents 7199793 + 9322b3f commit 107b9f8

42 files changed

+328
-136
lines changed


articles/active-directory-b2c/troubleshoot-with-application-insights.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -173,7 +173,7 @@ After you save the settings the Application insights logs appear on the **Azure
173173

174174
## Configure Application Insights in Production
175175

176-
To improve your production environment performance and better user experience, it's important to configure your policy to ignore messages that are unimportant. Use the following configuration in production environments.
176+
To improve your production environment performance and better user experience, it's important to configure your policy to ignore messages that are unimportant. Use the following configuration in production environments and no logs will be sent to your application insights.
177177

178178
1. Set the `DeploymentMode` attribute of the [TrustFrameworkPolicy](trustframeworkpolicy.md) to `Production`.
179179

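Review bot: the clause appended to line 176 turns the sentence into a run-on and contradicts its first half: "ignore messages that are unimportant" describes selective filtering, while "no logs will be sent to your application insights" describes logging being switched off entirely. Suggest ending the sentence at "production environments." and stating the actual effect in a separate sentence, for example "With this configuration, no telemetry is sent to Application Insights." Also capitalize the product name ("Application Insights") as the heading on line 174 does.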
@@ -202,4 +202,4 @@ To improve your production environment performance and better user experience, i
202202

203203
- Learn how to [troubleshoot Azure AD B2C custom policies](troubleshoot.md)
204204

205-
::: zone-end
205+
::: zone-end

articles/api-management/how-to-server-sent-events.md

Lines changed: 1 addition & 1 deletion
@@ -46,5 +46,5 @@ Follow these guidelines when using API Management to reach a backend API that im
4646

4747
## Next steps
4848

49-
* Learn more about [configuring policies](/api-management-howto-policies.md) in API Management.
49+
* Learn more about [configuring policies](/azure/api-management/api-management-howto-policies) in API Management.
5050
* Learn about API Management [capacity](api-management-capacity.md).
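Review bot: the corrected link on line 49 uses an absolute site path (`/azure/api-management/api-management-howto-policies`) while the adjacent bullet on line 50 uses a relative file link (`api-management-capacity.md`). Since the target lives in the same `articles/api-management/` folder, `api-management-howto-policies.md` would fix the broken link, keep the file's own convention, and let the docs build validate that the target exists.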

articles/app-service/includes/tutorial-dotnetcore-sqldb-app/azure-portal-sql-db-create-03.md

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ ms.date: 02/03/2022
66
---
77

88
On the Create Server page, fill out the form as follows.
9-
1. **Resource Group** - choose the **ms-docs-core-sql-tutorial** group you created.
9+
1. **Resource Group** - choose the **msdocs-core-sql** group you created.
1010

1111
1. **Server name** - enter a globally unique name such as *coredbserverXYZ* where XYZ are random numbers.
1212

articles/azure-arc/servers/agent-release-notes-archive.md

Lines changed: 9 additions & 1 deletion
@@ -2,7 +2,7 @@
22
title: Archive for What's new with Azure Arc-enabled servers agent
33
description: The What's new release notes in the Overview section for Azure Arc-enabled servers agent contains six months of activity. Thereafter, the items are removed from the main article and put into this article.
44
ms.topic: overview
5-
ms.date: 02/28/2022
5+
ms.date: 03/17/2022
66
ms.custom: references_regions
77
---
88

@@ -16,6 +16,14 @@ The Azure Connected Machine agent receives improvements on an ongoing basis. Thi
1616
- Known issues
1717
- Bug fixes
1818

19+
## Version 1.11 - September 2021
20+
21+
### Fixed
22+
23+
- The agent can now be installed on Windows systems with the [System objects: Require case insensitivity for non-Windows subsystems](/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems) policy set to Disabled.
24+
- The guest configuration policy agent will now automatically retry if an error is encountered during service start or restart events.
25+
- Fixed an issue that prevented guest configuration audit policies from successfully executing on Linux machines.
26+
1927
## Version 1.10 - August 2021
2028

2129
### Fixed

articles/azure-arc/servers/agent-release-notes.md

Lines changed: 13 additions & 9 deletions
@@ -2,7 +2,7 @@
22
title: What's new with Azure Arc-enabled servers agent
33
description: This article has release notes for Azure Arc-enabled servers agent. For many of the summarized issues, there are links to more details.
44
ms.topic: overview
5-
ms.date: 03/02/2022
5+
ms.date: 03/17/2022
66
ms.custom: references_regions
77
---
88

@@ -16,9 +16,20 @@ The Azure Connected Machine agent receives improvements on an ongoing basis. To
1616

1717
This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [archive for What's new with Azure Arc-enabled servers agent](agent-release-notes-archive.md).
1818

19+
## Version 1.16 - March 2022
20+
21+
### New features
22+
23+
- You can now granularly control which extensions are allowed to be deployed to your server and whether or not Guest Configuration should be enabled. See [local agent controls to enable or disable capabilities](security-overview.md#local-agent-security-controls) for more information.
24+
25+
### Fixed
26+
27+
- The "Arc" proxy bypass keyword no longer includes Azure Active Directory endpoints on Linux. Azure Storage endpoints for extension downloads are now included with the "Arc" keyword.
28+
1929
## Version 1.15 - February 2022
2030

2131
### Known issues
32+
2233
- The "Arc" proxy bypass feature on Linux includes some endpoints that belong to Azure Active Directory. As a result, if you only specify the "Arc" bypass rule, traffic destined for Azure Active Directory endpoints will not use the proxy server as expected. This issue will be fixed in an upcoming release.
2334

2435
### New features
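Review bot: the 1.15 known issue on line 33 still says the "Arc" proxy bypass problem "will be fixed in an upcoming release", but the new 1.16 entry on line 27 records that fix; update the known-issue text to say it was fixed in 1.16 so readers on 1.15 know which version to move to. Separately, the 1.16 note that Azure Storage endpoints for extension downloads are now covered by the "Arc" keyword is a behaviour change for anyone using the bypass with private endpoints (line 42): extension package downloads that previously went through the proxy will now skip it, so those endpoints must be reachable directly from the server. That deserves a sentence here and a matching update in manage-agent.md#proxy-bypass-for-private-endpoints.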
@@ -27,6 +38,7 @@ This page is updated monthly, so revisit it regularly. If you're looking for ite
2738
- Added TLS 1.2 check
2839
- Azure Arc network endpoints are now required, onboarding will abort if they are not accessible
2940
- New `--skip-network-check` flag to override the new network check behavior
41+
- On-demand network check now available using `azcmagent check`
3042
- [Proxy bypass](manage-agent.md#proxy-bypass-for-private-endpoints) is now available for customers using private endpoints. This allows you to send Azure Active Directory and Azure Resource Manager traffic through a proxy server, but skip the proxy server for traffic that should stay on the local network to reach private endpoints.
3143
- Oracle Linux 8 is now supported
3244

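Review bot: the new bullet on line 41 names `azcmagent check` but does not link to its documentation, unlike the proxy bypass bullet on line 42, which links to manage-agent.md. Link it to the Check section this same commit adds to manage-agent.md, and say that `check` is the on-demand counterpart of the onboarding network check described on line 39, so readers see how the two relate.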
@@ -68,14 +80,6 @@ This page is updated monthly, so revisit it regularly. If you're looking for ite
6880
- `azcmagent_proxy remove` command on Linux now correctly removes environment variables on Red Hat Enterprise Linux and related distributions.
6981
- `azcmagent logs` now includes the computer name and timestamp to help disambiguate log files.
7082

71-
## Version 1.11 - September 2021
72-
73-
### Fixed
74-
75-
- The agent can now be installed on Windows systems with the [System objects: Require case insensitivity for non-Windows subsystems](/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems) policy set to Disabled.
76-
- The guest configuration policy agent will now automatically retry if an error is encountered during service start or restart events.
77-
- Fixed an issue that prevented guest configuration audit policies from successfully executing on Linux machines.
78-
7983
## Next steps
8084

8185
- Before evaluating or enabling Azure Arc-enabled servers across multiple hybrid machines, review [Connected Machine agent overview](agent-overview.md) to understand requirements, technical details about the agent, and deployment methods.

articles/azure-arc/servers/manage-agent.md

Lines changed: 11 additions & 1 deletion
@@ -1,7 +1,7 @@
11
---
22
title: Managing the Azure Arc-enabled servers agent
33
description: This article describes the different management tasks that you will typically perform during the lifecycle of the Azure Connected Machine agent.
4-
ms.date: 02/28/2022
4+
ms.date: 03/17/2022
55
ms.topic: conceptual
66
---
77

@@ -13,6 +13,8 @@ After initial deployment of the Azure Connected Machine agent, you may need to r
1313

1414
The azcmagent tool is used to configure the Azure Connected Machine agent during installation, or modify the initial configuration of the agent after installation. azcmagent.exe provides command-line parameters to customize the agent and view its status:
1515

16+
* **check** - To troubleshoot network connectivity issues
17+
1618
* **connect** - To connect the machine to Azure Arc
1719

1820
* **disconnect** - To disconnect the machine from Azure Arc
@@ -38,6 +40,14 @@ You can perform a **Connect** and **Disconnect** manually while logged on intera
3840
>[!NOTE]
3941
>You must have *Administrator* permissions on Windows or *root* access permissions on Linux machines to run **azcmagent**.
4042
43+
### Check
44+
45+
This parameter allows you to run the network connectivity tests to troubleshoot networking issues between the agent and Azure services. The network connectivity check includes all [required Azure Arc network endpoints](network-requirements.md#urls), but does not include endpoints accessed by extensions you install.
46+
47+
When running a network connectivity check, you must provide the name of the Azure region (for example, eastus) that you want to test. It's also recommended to use the `--verbose` parameter to see the results of both successful and unsuccessful tests.
48+
49+
`azcmagent check --location <regionName> --verbose`
50+
4151
### Connect
4252

4353
This parameter specifies a resource in Azure Resource Manager representing the machine is created in Azure. The resource is in the subscription and resource group specified, and data about the machine is stored in the Azure region specified by the `--location` setting. The default resource name is the hostname of the machine if not specified.
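Review bot: the Check section (lines 43-49) should connect to the onboarding behaviour this same commit documents in agent-release-notes.md: `connect` aborts when the required Arc endpoints are unreachable, and `--skip-network-check` overrides that. Mention here that `check` runs the same endpoint tests on demand so an operator can diagnose before connecting, and that `--skip-network-check` only suppresses the check rather than making the endpoints reachable. A sentence on what to do when an endpoint fails, for example pointing at the proxy configuration and proxy bypass sections of this file, would also help, since an admin running this command is usually mid-troubleshooting.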

articles/azure-arc/servers/security-overview.md

Lines changed: 111 additions & 1 deletion
@@ -2,7 +2,7 @@
22
title: Security overview
33
description: Security information about Azure Arc-enabled servers.
44
ms.topic: conceptual
5-
ms.date: 08/30/2021
5+
ms.date: 03/17/2022
66
---
77

88
# Azure Arc-enabled servers security overview
@@ -38,6 +38,116 @@ The Azure Connected Machine agent is composed of three services, which run on yo
3838

3939
The guest configuration and extension services run as Local System on Windows, and as root on Linux.
4040

41+
## Local agent security controls
42+
43+
Starting with agent version 1.16, you can optionally limit the extensions that can be installed on your server and disable Guest Configuration. These controls can be useful when connecting servers to Azure that need to be monitored or secured by Azure, but should not allow arbitrary management capabilities like running scripts with Custom Script Extension or configuring settings on the server with Guest Configuration.
44+
45+
These security controls can only be configured by running a command on the server itself and cannot be modified from Azure. This approach preserves the server admin's intent when enabling remote management scenarios with Azure Arc, but also means that changing the setting is more difficult if you later decide to change them. This feature is intended for particularly sensitive servers (for example, Active Directory Domain Controllers, servers that handle payment data, and servers subject to strict change control measures). In most other cases, it is not necessary to modify these settings.
46+
47+
### Extension allowlists and blocklists
48+
49+
To limit which [extensions](manage-vm-extensions.md) can be installed on your server, you can configure lists of the extensions you wish to allow and block on the server. The extension manager will evaluate all requests to install, update, or upgrade extensions against the allowlist and blocklist to determine if the extension can be installed on the server. Delete requests are always allowed.
50+
51+
The most secure option is to explicitly allow the extensions you expect to be installed. Any extension not in the allowlist is automatically blocked. To configure the Azure Connected Machine agent to allow only the Log Analytics Agent for Linux and the Dependency Agent for Linux, run the following command on each server:
52+
53+
```bash
54+
azcmagent config set extensions.allowlist "Microsoft.EnterpriseCloud.Monitoring/OMSAgentForLinux,Microsoft.Azure.Monitoring.DependencyAgent/DependencyAgentLinux"
55+
```
56+
57+
You can block one or more extensions by adding them to the blocklist. If an extension is present in both the allowlist and blocklist, it will be blocked. To block the Custom Script extension for Linux, run the following command:
58+
59+
```bash
60+
azcmagent config set extensions.blocklist "Microsoft.Azure.Extensions/CustomScript"
61+
```
62+
63+
Extensions are specified by their publisher and type, separated by a forward slash. See the list of the [most common extensions](manage-vm-extensions.md) in the docs or list the VM extensions already installed on your server in the [portal](manage-vm-extensions-portal.md#list-extensions-installed), [Azure PowerShell](manage-vm-extensions-powershell.md#list-extensions-installed), or [Azure CLI](manage-vm-extensions-cli.md#list-extensions-installed).
64+
65+
The table below describes the behavior when performing an extension operation against an agent that has the allowlist or blocklist configured.
66+
67+
| Operation | In the allowlist | In the blocklist | In both the allowlist and blocklist | Not in any list, but an allowlist is configured |
68+
|--|--|--|--|
69+
| Install extension | Allowed | Blocked | Blocked | Blocked |
70+
| Update (reconfigure) extension | Allowed | Blocked | Blocked | Blocked |
71+
| Upgrade extension | Allowed | Blocked | Blocked | Blocked |
72+
| Delete extension | Allowed | Allowed | Allowed | Allowed |
73+
74+
> [!IMPORTANT]
75+
> If an extension is already installed on your server before you configure an allowlist or blocklist, it will not automatically be removed. It is your responsibility to delete the extension from Azure to fully remove it from the machine. Delete requests are always accepted to accommodate this scenario. Once deleted, the allowlist and blocklist will determine whether or not to allow future install attempts.
76+
77+
### Enable or disable Guest Configuration
78+
79+
Azure Policy's Guest Configuration feature enables you to audit and configure settings on your server from Azure. You can disable Guest Configuration from running on your server if you don't want to allow this functionality by running the following command:
80+
81+
```bash
82+
azcmagent config set guestconfiguration.enabled false
83+
```
84+
85+
When Guest Configuration is disabled, any Guest Configuration policies assigned to the machine in Azure will report as non-compliant. Consider [creating an exemption](../../governance/policy/concepts/exemption-structure.md) for these machines or [changing the scope](../../governance/policy/concepts/assignment-structure.md#excluded-scopes) of your policy assignments if you don't want to see these machines reported as non-compliant.
86+
87+
### Locked down machine best practices
88+
89+
When configuring the Azure Connected Machine agent with a reduced set of capabilities, it is important to consider the mechanisms that someone could use to remove those restrictions and implement appropriate controls. Anybody capable of running commands as an administrator or root user on the server can change the Azure Connected Machine agent configuration. Extensions and guest configuration policies execute in privileged contexts on your server, and as such may be able to change the agent configuration. If you apply these security controls to lock down the agent, Microsoft recommends the following best practices to ensure only local server admins can update the agent configuration:
90+
91+
* Use allowlists for extensions instead of blocklists whenever possible.
92+
* Don't include the Custom Script Extension in the extension allowlist to prevent execution of arbitrary scripts that could change the agent configuration.
93+
* Disable Guest Configuration to prevent the use of custom Guest Configuration policies that could change the agent configuration.
94+
95+
### Example configuration for monitoring and security scenarios
96+
97+
It's common to use Azure Arc to monitor your servers with Azure Monitor and Microsoft Sentinel and secure them with Microsoft Defender for Cloud. The following configuration samples can help you configure the Azure Arc agent to only allow these scenarios.
98+
99+
#### Azure Monitor Agent only
100+
101+
On your Windows servers, run the following commands in an elevated command console:
102+
103+
```powershell
104+
azcmagent config set extensions.allowlist "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent"
105+
azcmagent config set guestconfiguration.enabled false
106+
```
107+
108+
On your Linux servers, run the following commands:
109+
110+
```bash
111+
sudo azcmagent config set extensions.allowlist "Microsoft.Azure.Monitor/AzureMonitorLinuxAgent"
112+
sudo azcmagent config set guestconfiguration.enabled false
113+
```
114+
115+
#### Log Analytics and dependency (Azure Monitor VM Insights) only
116+
117+
This configuration is for the legacy Log Analytics agents and the dependency agent.
118+
119+
On your Windows servers, run the following commands in an elevated console:
120+
121+
```powershell
122+
azcmagent config set extensions.allowlist "Microsoft.EnterpriseCloud.Monitoring/MicrosoftMonitoringAgent,Microsoft.Azure.Monitoring.DependencyAgent/DependencyAgentWindows"
123+
azcmagent config set guestconfiguration.enabled false
124+
```
125+
126+
On your Linux servers, run the following commands:
127+
128+
```bash
129+
sudo azcmagent config set extensions.allowlist "Microsoft.EnterpriseCloud.Monitoring/OMSAgentForLinux,Microsoft.Azure.Monitoring.DependencyAgent/DependencyAgentLinux"
130+
sudo azcmagent config set guestconfiguration.enabled false
131+
```
132+
133+
#### Monitoring and security
134+
135+
Microsoft Defender for Cloud enables additional extensions on your server to identify vulnerable software on your server and enable Microsoft Defender for Endpoint (if configured). Microsoft Defender for Cloud also uses Guest Configuration for its regulatory compliance feature. Since a custom Guest Configuration assignment could be used to undo the agent limitations, you should carefully evaluate whether or not you need the regulatory compliance feature and, as a result, Guest Configuration to be enabled on the machine.
136+
137+
On your Windows servers, run the following commands in an elevated command console:
138+
139+
```powershell
140+
azcmagent config set extensions.allowlist "Microsoft.EnterpriseCloud.Monitoring/MicrosoftMonitoringAgent,Qualys/WindowsAgent.AzureSecurityCenter,Microsoft.Azure.AzureDefenderForServers/MDE.Windows,Microsoft.Azure.AzureDefenderForSQL/AdvancedThreatProtection.Windows"
141+
azcmagent config set guestconfiguration.enabled true
142+
```
143+
144+
On your Linux servers, run the following commands:
145+
146+
```bash
147+
sudo azcmagent config set extensions.allowlist "Microsoft.EnterpriseCloud.Monitoring/OMSAgentForLinux,Qualys/LinuxAgent.AzureSecurityCenter,Microsoft.Azure.AzureDefenderForServers/MDE.Linux"
148+
sudo azcmagent config set guestconfiguration.enabled true
149+
```
150+
41151
## Using a managed identity with Azure Arc-enabled servers
42152

43153
By default, the Azure Active Directory system assigned identity used by Arc can only be used to update the status of the Azure Arc-enabled server in Azure. For example, the *last seen* heartbeat status. You can optionally assign other roles to the identity if an application on your server uses the system assigned identity to access other Azure services. To learn more about configuring a system-assigned managed identity to access Azure resources, see [Authenticate against Azure resources with Azure Arc-enabled servers](managed-identity-authentication.md).
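Review bot: the behaviour table on lines 67-72 is malformed: the header row has five columns but the separator row `|--|--|--|--|` has four, so it will not render as a table in Markdown; add a fifth `--` cell. The table also lacks the case readers of the blocklist paragraph (line 57) will look for, an extension in no list when only a blocklist is configured; from the text that should be Allowed, but the table should say so. Two documentation gaps in the same hunk: the section shows only `azcmagent config set` and never how to read back or clear `extensions.allowlist`, `extensions.blocklist` and `guestconfiguration.enabled`, which an admin needs in order to verify that a lock-down actually took effect; and the Linux commands on lines 54 and 60 omit `sudo` while the later Linux examples (lines 111, 129, 147) include it, so make them consistent with the root requirement stated on line 40. Finally, the "Locked down machine best practices" list (lines 91-93) could state plainly what line 40 and line 89 together imply: every extension on the allowlist runs as Local System or root and therefore sits inside the trust boundary of the lock-down, which is the reason to keep the allowlist to the minimum the scenario needs.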

articles/azure-monitor/app/api-custom-events-metrics.md

Lines changed: 2 additions & 3 deletions
@@ -1113,14 +1113,13 @@ To determine how long data is kept, see [Data retention and privacy](./data-rete
11131113

11141114
## Reference docs
11151115

1116-
* [ASP.NET reference](/dotnet/api/overview/azure/insights)
1116+
* [.NET reference](/dotnet/api/overview/azure/insights)
11171117
* [Java reference](/java/api/overview/azure/appinsights)
11181118
* [JavaScript reference](https://github.com/Microsoft/ApplicationInsights-JS/blob/master/API-reference.md)
11191119

11201120
## SDK code
11211121

1122-
* [ASP.NET Core SDK](https://github.com/Microsoft/ApplicationInsights-dotnet)
1123-
* [ASP.NET](https://github.com/Microsoft/ApplicationInsights-dotnet)
1122+
* [.NET](https://github.com/Microsoft/ApplicationInsights-dotnet)
11241123
* [Windows Server packages](https://github.com/Microsoft/ApplicationInsights-dotnet)
11251124
* [Java SDK](https://github.com/Microsoft/ApplicationInsights-Java)
11261125
* [Node.js SDK](https://github.com/Microsoft/ApplicationInsights-Node.js)

articles/azure-monitor/app/azure-ad-authentication.md

Lines changed: 3 additions & 3 deletions
@@ -56,7 +56,7 @@ Below are SDKs/scenarios not supported in the Public Preview:
5656
5757
1. Follow the configuration guidance per language below.
5858

59-
### [ASP.NET and .NET](#tab/net)
59+
### [.NET](#tab/net)
6060

6161
> [!NOTE]
6262
> Support for Azure AD in the Application Insights .NET SDK is included starting with [version 2.18-Beta3](https://www.nuget.org/packages/Microsoft.ApplicationInsights/2.18.0-beta3).
@@ -82,7 +82,7 @@ config.SetAzureTokenCredential(credential);
8282

8383
```
8484

85-
Below is an example of configuring the `TelemetryConfiguration` using ASP.NET Core:
85+
Below is an example of configuring the `TelemetryConfiguration` using .NET Core:
8686
```csharp
8787
services.Configure<TelemetryConfiguration>(config =>
8888
{
@@ -428,7 +428,7 @@ Next steps should be to review the Application Insights resource's access contro
428428

429429
### Language specific troubleshooting
430430

431-
### [ASP.NET and .NET](#tab/net)
431+
### [.NET](#tab/net)
432432

433433
#### Event Source
434434
