Azure Monitor agent SHA-2 enforcement

bwren · bwren · commit 5b5768f79cde · 2020-03-17T18:41:04.000-07:00
diff --git a/articles/azure-monitor/platform/log-analytics-agent.md b/articles/azure-monitor/platform/log-analytics-agent.md
@@ -124,8 +124,8 @@ The following table highlights the packages required for supported Linux distros
 
 |Required package |Description |Minimum version |
 |-----------------|------------|----------------|
-|Glibc |	GNU C Library | 2.5-12 
-|Openssl	| OpenSSL Libraries | 1.0.x or 1.1.x |
+|Glibc |    GNU C Library | 2.5-12 
+|Openssl    | OpenSSL Libraries | 1.0.x or 1.1.x |
 |Curl | cURL web client | 7.15.5 |
 |Python-ctypes | | 
 |PAM | Pluggable Authentication Modules | | 
@@ -137,6 +137,18 @@ The following table highlights the packages required for supported Linux distros
 
 To ensure the security of data in transit to Azure Monitor logs, we strongly encourage you to configure the agent to use at least Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and while they still currently work to allow backwards compatibility, they are **not recommended**.  For additional information, review [Sending data securely using TLS 1.2](data-security.md#sending-data-securely-using-tls-12). 
 
+## SHA-2 Code Signing Support Requirement for Windows
+The Windows agent will begin to exclusively use SHA-2 signing on May 18, 2020. This change will impact customers using the Log Analytics agent on a legacy OS as part of any Azure service (Azure Monitor, Azure Automation, Azure Update Management, Azure Change Tracking, Azure Security Center, Azure Sentinel, Windows Defender ATP). The change does not require any customer action unless you are running the agent on a legacy OS version (Windows 7, Windows Server 2008 R2 and Windows Server 2008). Customers running on a legacy OS version are required to take the following actions on their machines before May 18, 2020 or their agents will stop sending data to their Log Analytics workspaces:
+
+1. Install the latest Service Pack for your OS. The required service pack versions are:
+    - Windows 7 SP1
+    - Windows Server 2008 SP2
+    - Windows Server 2008 R2 SP1
+
+2. Install the SHA-2 signing Windows updates for your OS as described in [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus)
+3. Update to the latest version of the Windows agent (version 10.20.18029).
+4. Recommended to configure the agent to [use TLS 1.2](agent-windows.md#configure-agent-to-use-tls-12). 
+
 
 ## Network requirements
 The agent for Linux and Windows communicates outbound to the Azure Monitor service over TCP port 443, and if the machine connects through a firewall or proxy server to communicate over the Internet, review requirements below to understand the network configuration required. If your IT security policies do not allow computers on the network to connect to the Internet, you can set up a [Log Analytics gateway](gateway.md) and then configure the agent to connect through the gateway to Azure Monitor logs. The agent can then receive configuration information and send data collected depending on what data collection rules and monitoring solutions you have enabled in your workspace.
@@ -178,7 +190,7 @@ For example:
 `https://user01:password@proxy01.contoso.com:30443`
 
 > [!NOTE]
-> If you use special characters such as “\@” in your password, you receive a proxy connection error because value is parsed incorrectly.  To work around this issue, encode the password in the URL using a tool such as [URLDecode](https://www.urldecoder.org/).  
+> If you use special characters such as "\@" in your password, you receive a proxy connection error because value is parsed incorrectly.  To work around this issue, encode the password in the URL using a tool such as [URLDecode](https://www.urldecoder.org/).  
 
 
 
diff --git a/articles/virtual-machines/extensions/oms-windows.md b/articles/virtual-machines/extensions/oms-windows.md
@@ -32,6 +32,7 @@ The following table provides a mapping of the version of the Windows Log Analyti
 
 | Log Analytics Windows agent bundle version | Log Analytics Windows VM extension version | Release Date | Release Notes |
 |--------------------------------|--------------------------|--------------------------|--------------------------|
+| 10.20.18029 | 1.0.18029 | March 2020   | <ul><li>Adds SHA-2 code signing support</li><li>Improves VM extension installation and management</li><li>Resolves a bug in Azure Arc for Servers integration</li><li>Adds a built-in troubleshooting tool for customer support</li><li>Adds support for additional Azure Government regions</li> |
 | 10.20.18018 | 1.0.18018 | October 2019 | <ul><li> Minor bug fixes and stabilization improvements </li></ul> |
 | 10.20.18011 | 1.0.18011 | July 2019 | <ul><li> Minor bug fixes and stabilization improvements </li><li> Increased MaxExpressionDepth to 10000 </li></ul> |
 | 10.20.18001 | 1.0.18001 | June 2019 | <ul><li> Minor bug fixes and stabilization improvements </li><li> Added ability to disable default credentials when making proxy connection (support for WINHTTP_AUTOLOGON_SECURITY_LEVEL_HIGH) </li></ul>|
@@ -56,25 +57,25 @@ The following JSON shows the schema for the Log Analytics agent extension. The e
 
 ```json
 {
-	"type": "extensions",
-	"name": "OMSExtension",
-	"apiVersion": "[variables('apiVersion')]",
-	"location": "[resourceGroup().location]",
-	"dependsOn": [
-		"[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
-	],
-	"properties": {
-		"publisher": "Microsoft.EnterpriseCloud.Monitoring",
-		"type": "MicrosoftMonitoringAgent",
-		"typeHandlerVersion": "1.0",
-		"autoUpgradeMinorVersion": true,
-		"settings": {
-			"workspaceId": "myWorkSpaceId"
-		},
-		"protectedSettings": {
-			"workspaceKey": "myWorkspaceKey"
-		}
-	}
+    "type": "extensions",
+    "name": "OMSExtension",
+    "apiVersion": "[variables('apiVersion')]",
+    "location": "[resourceGroup().location]",
+    "dependsOn": [
+        "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
+    ],
+    "properties": {
+        "publisher": "Microsoft.EnterpriseCloud.Monitoring",
+        "type": "MicrosoftMonitoringAgent",
+        "typeHandlerVersion": "1.0",
+        "autoUpgradeMinorVersion": true,
+        "settings": {
+            "workspaceId": "myWorkSpaceId"
+        },
+        "protectedSettings": {
+            "workspaceKey": "myWorkspaceKey"
+        }
+    }
 }
 ```
 ### Property values
@@ -107,51 +108,51 @@ The following example assumes the Log Analytics extension is nested inside the v
 
 ```json
 {
-	"type": "extensions",
-	"name": "OMSExtension",
-	"apiVersion": "[variables('apiVersion')]",
-	"location": "[resourceGroup().location]",
-	"dependsOn": [
-		"[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
-	],
-	"properties": {
-		"publisher": "Microsoft.EnterpriseCloud.Monitoring",
-		"type": "MicrosoftMonitoringAgent",
-		"typeHandlerVersion": "1.0",
-		"autoUpgradeMinorVersion": true,
-		"settings": {
-			"workspaceId": "myWorkSpaceId"
-		},
-		"protectedSettings": {
-			"workspaceKey": "myWorkspaceKey"
-		}
-	}
+    "type": "extensions",
+    "name": "OMSExtension",
+    "apiVersion": "[variables('apiVersion')]",
+    "location": "[resourceGroup().location]",
+    "dependsOn": [
+        "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
+    ],
+    "properties": {
+        "publisher": "Microsoft.EnterpriseCloud.Monitoring",
+        "type": "MicrosoftMonitoringAgent",
+        "typeHandlerVersion": "1.0",
+        "autoUpgradeMinorVersion": true,
+        "settings": {
+            "workspaceId": "myWorkSpaceId"
+        },
+        "protectedSettings": {
+            "workspaceKey": "myWorkspaceKey"
+        }
+    }
 }
 ```
 
 When placing the extension JSON at the root of the template, the resource name includes a reference to the parent virtual machine, and the type reflects the nested configuration. 
 
 ```json
 {
-	"type": "Microsoft.Compute/virtualMachines/extensions",
-	"name": "<parentVmResource>/OMSExtension",
-	"apiVersion": "[variables('apiVersion')]",
-	"location": "[resourceGroup().location]",
-	"dependsOn": [
-		"[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
-	],
-	"properties": {
-		"publisher": "Microsoft.EnterpriseCloud.Monitoring",
-		"type": "MicrosoftMonitoringAgent",
-		"typeHandlerVersion": "1.0",
-		"autoUpgradeMinorVersion": true,
-		"settings": {
-			"workspaceId": "myWorkSpaceId"
-		},
-		"protectedSettings": {
-			"workspaceKey": "myWorkspaceKey"
-		}
-	}
+    "type": "Microsoft.Compute/virtualMachines/extensions",
+    "name": "<parentVmResource>/OMSExtension",
+    "apiVersion": "[variables('apiVersion')]",
+    "location": "[resourceGroup().location]",
+    "dependsOn": [
+        "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
+    ],
+    "properties": {
+        "publisher": "Microsoft.EnterpriseCloud.Monitoring",
+        "type": "MicrosoftMonitoringAgent",
+        "typeHandlerVersion": "1.0",
+        "autoUpgradeMinorVersion": true,
+        "settings": {
+            "workspaceId": "myWorkSpaceId"
+        },
+        "protectedSettings": {
+            "workspaceKey": "myWorkspaceKey"
+        }
+    }
 }
 ```
 
