Merge pull request #289889 from MicrosoftDocs/main

11/5/2024 AM Publish

Author: Taojunshen

articles/api-management/add-api-manually.md

@@ -91,7 +91,7 @@ Test the operation in the Azure portal. You can also test it in the **Developer
 This section shows how to add a wildcard operation. A wildcard operation lets you pass an arbitrary value with an API request. Instead of creating separate GET operations as shown in the previous sections, you could create a wildcard GET operation.
 
 > [!CAUTION]
-> Use care when configuring a wildcard operation. This configuration may make an API more vulnerable to certain [API security threats](mitigate-owasp-api-threats.md#improper-assets-management).
+> Use care when configuring a wildcard operation. This configuration may make an API more vulnerable to certain [API security threats](mitigate-owasp-api-threats.md#improper-inventory-management).
 
 ### Add the operation
 

articles/api-management/mitigate-owasp-api-threats.md

@@ -9,7 +9,9 @@
   - name: About App Service Environments
     href: environment/overview.md
   - name: Compare web hosting options
-    href: /azure/architecture/guide/technology-choices/compute-decision-tree
+    href: /azure/architecture/guide/technology-choices/compute-decision-tree?toc=/azure/app-service/toc.json&bc=/azure/app-service/breadcrumb/toc.json
+  - name: Compare JBoss EAP options
+    href: /azure/developer/java/ee/jboss-on-azure?toc=/azure/app-service/toc.json&bc=/azure/app-service/breadcrumb/toc.json
 - name: Quickstarts
   expanded: true
   items:

articles/app-service/toc.yml

@@ -31,9 +31,11 @@ Refer to the table to find details about resolution dates or possible workaround
 | [VMSA-2024-0012](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453) Multiple Vulnerabilities in the DCERPC Protocol and Local Privilege Escalations | June 2024 | Microsoft, working with Broadcom, adjudicated the risk of these vulnerabilities at an adjusted Environmental Score of [6.8](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAC:L/MPR:H/MUI:R) or lower. Adjustments from the base score were possible due to the network isolation of the Azure VMware Solution vCenter Server (ports 2012, 2014, and 2020 aren't exposed via any interactive network path) and multiple levels of authentication and authorization necessary to gain interactive access to the vCenter Server network segment. A plan is being put in place to address these vulnerabilities at a future date TBD. | N/A |
 | Zerto DR isn't currently supported with the AV64 SKU. The AV64 SKU uses ESXi host secure boot and Zerto DR hasn't implemented a signed VIB for the ESXi install. | 2024  | Continue using the AV36, AV36P, and AV52 SKUs for Zerto DR. | N/A |
 | [VMSA-2024-0013 (CVE-2024-37085)](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505) VMware ESXi Active Directory Integration Authentication Bypass | July 2024 | Azure VMware Solution does not provide Active Directory integration and isn't vulnerable to this attack. | N/A |
-| AV36P SKU new private cloud deploys with vSphere 7, not vSphere 8. | September 2024 | The AV36P SKU is waiting for a Hotfix to be deployed, which will resolve this issue. | N/A |
+| AV36P SKU new private cloud deploys with vSphere 7, not vSphere 8. | September 2024 | AV36P SKU Hotfix deployed, issue resolved. | September 2024 |
 | [VMSA-2024-0019](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968) Vulnerability in the DCERPC Protocol and Local Privilege Escalations | September 2024 | Microsoft, working with Broadcom, adjudicated the risk of CVE-2024-38812 at an adjusted Environmental Score of [6.8](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAC:L/MPR:H/MUI:R) and CVE-2024-38813 with an adjusted Environmental Score of [6.8](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/MAV:A/MAC:H/MPR:L/MUI:R). Adjustments from the base scores were possible due to the network isolation of the Azure VMware Solution vCenter Server DCERPC protocol access (ports 2012, 2014, and 2020 aren't exposed via any interactive network path) and multiple levels of authentication and authorization necessary to gain interactive access to the Azure VMware Solution vCenter Server. A plan is being put in place to address these vulnerabilities at a future date TBD. | N/A |
 [VMSA-2024-0020](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25047) VMware NSX command injection, local privilege escalation & content spoofing vulnerability| October 2024 | The vulnerability mentioned in the Broadcom document is not applicable to Azure VMware Solution, as attack vector mentioned does not apply. | N/A |
+| New Stretched Clusters private cloud deploys with vSphere 7, not vSphere 8. | September 2024 | Stretched Clusters is waiting for a Hotfix to be deployed, which will resolve this issue. | Planned November 2024 |
+| New Standard private cloud deploys with vSphere 7, not vSphere 8 in Australia East region (Pods 4 and 5). | October 2024 |  Pods 4 and 5 in Australia East are waiting for a Hotfix to be deployed, which will resolve this issue. | Planned November 2024 |
 
 In this article, you learned about the current known issues with the Azure VMware Solution.
 

articles/azure-vmware/azure-vmware-solution-known-issues.md

@@ -12,6 +12,8 @@ ms.custom: template-how-to-pattern
 This article describes the legacy method for connecting your OT sensor or on-premises management console to Microsoft Sentinel. Stream data into Microsoft Sentinel whenever you want to use Microsoft Sentinel's advanced threat hunting, security analytics, and automation features when responding to security incidents and threats across your network.
 
 > [!IMPORTANT]
+> This feature will be deprecated in **January 2025**.
+>
 > If you're using a cloud connected sensor, we recommend that you connect Defender for IoT data using the Microsoft Sentinel solution instead of the legacy integration method. For more information, see:
 >
 > - [OT threat monitoring in enterprise SOCs](../concept-sentinel-integration.md)

articles/defender-for-iot/organizations/integrations/on-premises-sentinel.md

@@ -95,14 +95,14 @@ If you're an existing customer using an on-premises management console to manage
 
 1. After your transition is complete, decommission the on-premises management console.
 
+### Retirement timeline of the Central Manager
 
-### Retirement timeline
+The on-premises management console will be retired on **January 1, 2025** with the following updates/changes:
 
-The on-premises management console retirement includes the following details:
-
-- Sensor versions released after **January 1, 2025** won't be able to be managed by an on-premises management console.
-- Sensor software versions released between **January 1st, 2024 – January 1st, 2025** will continue to support an on-premises management console release.
-- Air-gapped sensors that cannot connect to the cloud can be managed directly via the sensor console, CLI, or API.
+- Sensor versions released after **January 1, 2025** won't be managed by an on-premises management console.
+- Air-gapped sensor support isn't affected by these changes to the on-premises management console support. We continue to support air-gapped deployments and assist with the transition to the cloud. The sensors retain a full user interface so that they can be used in "lights out" scenarios and continue to analyze and secure the network in the event of an outage.
+- Air-gapped sensors that can't <!-- or don't / aren't connected to-->connect to the cloud can be managed directly via the sensor console GUI, CLI, or API.
+- Sensor software versions released between **January 1st, 2024 – January 1st, 2025** still support the on-premises management console.
 
 For more information, see [OT monitoring software versions](../release-notes.md).
 

articles/defender-for-iot/organizations/ot-deploy/air-gapped-deploy.md

@@ -120,6 +120,8 @@ Parameters of the `New-GuestConfigurationPackage` cmdlet when creating Windows c
 - **Type**: (`Audit`, `AuditandSet`) Determines whether the configuration should only audit or if
   the configuration should change the state of the machine if it's out of the desired state. The
   default is `Audit`.
+- **FrequencyMinutes**: The frequency of evaluation of the package on the machine in minutes.
+- **FilesToInclude**: An array list of paths to additional files to include in the generated package.
 
 This step doesn't require elevation. The **Force** parameter is used to overwrite existing
 packages, if you run the command more than once.

articles/governance/machine-configuration/how-to/develop-custom-package/2-create-package.md

@@ -37,6 +37,16 @@ You can view the per-setting results from configurations in the [Guest assignmen
 Azure Policy assignment orchestrated the configuration is orchestrated, you can select the "Last
 evaluated resource" link on the ["Compliance details" page][07].
 
+## Enforcement Modes for Custom Policies
+
+In order to provide greater flexibility in the enforcement and monitoring of server settings, applications and workloads, Machine Configuration offers three main enforcement modes for each policy assignment as described in the following table.
+
+| Mode                  | Description                                                                                  |
+|:----------------------|:---------------------------------------------------------------------------------------------|
+| Audit                 | Only report on the state of the machine                                                      |
+| Apply and Monitor     | Configuration applied to the machine and then monitored for changes                          |
+| Apply and Autocorrect | Configuration applied to the machine and brought back into conformance in the event of drift |
+
 [A video walk-through of this document is available][08]. (Update coming soon)
 
 ## Enable machine configuration
@@ -75,6 +85,11 @@ If you prefer to deploy the extension and managed identity to a single machine,
 To use machine configuration packages that apply configurations, Azure VM guest configuration
 extension version 1.26.24 or later is required.
 
+> [!IMPORTANT]
+> The creation of a managed identity or assignment of a policy with "Guest Configuration 
+> Resource Contributor" role are actions that require appropriate Azure RBAC permissions to perform.
+> To learn more about Azure Policy and Azure RBAC, see [role-based access control in Azure Policy][45].
+
 ### Limits set on the extension
 
 To limit the extension from impacting applications running inside the machine, the machine
@@ -138,7 +153,8 @@ symbolic to represent new minor versions of Linux distributions.
 \* Red Hat CoreOS isn't supported.
 
 Machine configuration policy definitions support custom virtual machine images as long as they're
-one of the operating systems in the previous table.
+one of the operating systems in the previous table. Machine Configuration does not support VMSS 
+uniform but does support [VMSS Flex][46].
 
 ## Network requirements
 
@@ -483,3 +499,5 @@ Machine configuration built-in policy samples are available in the following loc
 [42]: ./how-to/develop-custom-package/overview.md
 [43]: ./how-to/create-policy-definition.md
 [44]: ../policy/how-to/determine-non-compliance.md#compliance-details-for-guest-configuration
+[45]: ../policy/overview.md
+[46]: /azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes#scale-sets-with-flexible-orchestration

articles/governance/machine-configuration/overview.md

@@ -56,7 +56,7 @@ To sign in to the operations experience, go to the [operations experience](https
 
 ## Select your site
 
-After you sign in, the web UI displays a list of sites. Each site is a collection of Azure IoT Operations instances where you can configure and manage your assets. A site typically represents a physical location where you have physical assets deployed. Sites make it easier for you to locate and manage assets. Your [IT administrator is responsible for grouping instances in to sites](/azure/azure-arc/site-manager/overview). Any Azure IoT Operations instances that aren't assigned to a site appear in the **Unassigned instances** node. Select the site that you want to use:
+After you sign in, the operations experience displays a list of sites. Each site is a collection of Azure IoT Operations instances where you can configure and manage your assets. A site typically represents a physical location where you have physical assets deployed. Sites make it easier for you to locate and manage assets. Your [IT administrator is responsible for grouping instances in to sites](/azure/azure-arc/site-manager/overview). Any Azure IoT Operations instances that aren't assigned to a site appear in the **Unassigned instances** node. Select the site that you want to use:
 
 :::image type="content" source="media/howto-manage-assets-remotely/site-list.png" alt-text="Screenshot that shows a list of sites in the operations experience.":::
 
@@ -116,7 +116,7 @@ An Azure IoT Operations deployment can include an optional built-in OPC PLC simu
 Run the following command:
 
 ```azurecli
-az iot ops asset endpoint create --name opc-ua-connector-0 --target-address opc.tcp://opcplc-000000:50000 -g {your resource group name} --cluster {your cluster name} 
+az iot ops asset endpoint opcua create --name opc-ua-connector-0 --target-address opc.tcp://opcplc-000000:50000 -g {your resource group name} --instance {your instance name} 
 ```
 
 > [!TIP]
@@ -153,7 +153,7 @@ To use the `UsernamePassword` authentication mode, complete the following steps:
 1. Use a command like the following example to create your asset endpoint:
 
     ```azurecli
-    az iot ops asset endpoint create --name opc-ua-connector-0 --target-address opc.tcp://opcplc-000000:50000 -g {your resource group name} --cluster {your cluster name} --username-ref "aio-opc-ua-broker-user-authentication/username" --password-ref "aio-opc-ua-broker-user-authentication/password"
+    az iot ops asset endpoint opcua create --name opc-ua-connector-0 --target-address opc.tcp://opcplc-000000:50000 -g {your resource group name} --instance {your instance name} --username-ref "aio-opc-ua-broker-user-authentication/username" --password-ref "aio-opc-ua-broker-user-authentication/password"
     ```
 
 ---
@@ -261,15 +261,23 @@ You can import up to 1000 OPC UA tags at a time from a CSV file:
 
 # [Azure CLI](#tab/cli)
 
-Use the following command to add a "thermostat" asset by using the Azure CLI. The command adds two tags to the asset by using the `--data` parameter:
+Use the following commands to add a "thermostat" asset by using the Azure CLI. The commands add two tags/datapoints to the asset by using the `point add` command:
 
 ```azurecli
-az iot ops asset create --name thermostat -g {your resource group name} --cluster {your cluster name} --endpoint opc-ua-connector-0 --description 'A simulated thermostat asset' --data  data_source='ns=3;s=FastUInt10', name=temperature --data data_source='ns=3;s=FastUInt100', name='Tag 10'
+# Create the asset
+az iot ops asset create --name thermostat -g {your resource group name} --instance {your instance name} --endpoint opc-ua-connector-0 --description 'A simulated thermostat asset'
+
+# Add the datapoints
+az iot ops asset dataset point add --asset thermostat -g {your resource group name} --dataset default --data-source 'ns=3;s=FastUInt10' --name temperature
+az iot ops asset dataset point add --asset thermostat -g {your resource group name} --dataset default --data-source 'ns=3;s=FastUInt100' --name 'Tag 10'
+
+# Show the datapoints
+az iot ops asset dataset show --asset thermostat -n default -g {your resource group name}
 ```
 
 When you create an asset by using the Azure CLI, you can define:
 
-- Multiple tags by using the `--data` parameter multiple times.
+- Multiple datapoints/tags by using the `point add` command multiple times.
 - Multiple events by using the `--event` parameter multiple times.
 - Optional information for the asset such as:
   - Manufacturer
@@ -281,7 +289,7 @@ When you create an asset by using the Azure CLI, you can define:
   - Serial number
   - Documentation URI
 - Default values for sampling interval, publishing interval, and queue size.
-- Tag specific values for sampling interval, publishing interval, and queue size.
+- Datapoint specific values for sampling interval, publishing interval, and queue size.
 - Event specific values for sampling publishing interval, and queue size.
 - The observability mode for each tag and event
 
@@ -330,7 +338,7 @@ Review your asset and OPC UA tag and event details and make any adjustments you
 
 # [Azure CLI](#tab/cli)
 
-When you create an asset by using the Azure CLI, you can define multiple events by using the `--event` parameter multiple times. The syntax for the `--event` parameter is similar to the `--data` parameter:
+When you create an asset by using the Azure CLI, you can define multiple events by using the `--event` parameter multiple times:
 
 ```azurecli
 az iot ops asset create --name thermostat -g {your resource group name} --cluster {your cluster name} --endpoint opc-ua-connector-0 --description 'A simulated thermostat asset' --event event_notifier='ns=3;s=FastUInt12', name=warning
@@ -343,6 +351,8 @@ For each event that you define, you can specify the:
 - Observability mode.
 - Queue size.
 
+You can also use the a[z iot ops asset event](/cli/azure/iot/ops/asset/event) commands to add and remove events from an asset.
+
 ---
 
 ## Update an asset
@@ -393,7 +403,7 @@ az iot ops asset update --name thermostat --description 'A simulated thermostat
 To list the thermostat asset's tags, use the following command:
 
 ```azurecli
-az iot ops asset data-point list --asset thermostat -g {your resource group}
+az iot ops asset dataset show --asset thermostat --name default -g {your resource group}
 ```
 
 To list the thermostat asset's events, use the following command:
@@ -405,10 +415,10 @@ az iot ops asset event list --asset thermostat -g {your resource group}
 To add a new tag to the thermostat asset, use a command like the following example:
 
 ```azurecli
-az iot ops asset data-point add --asset thermostat -g {your resource group} --data-source 'ns=3;s=FastUInt1002' --name 'humidity'
+az iot ops asset dataset point add --asset thermostat -g {your resource group name} --dataset default --data-source 'ns=3;s=FastUInt1002' --name 'humidity'
 ```
 
-To delete a tag, use the `az iot ops asset data-point remove` command.
+To delete a tag, use the `az iot ops asset dataset point remove` command.
 
 You can manage an asset's events by using the `az iot ops asset event` commands.