Merge pull request #276040 from rpsqrd/azcmagent-1-41

Stacyrch140 · web-flow · commit 8191fd09f022 · 2024-05-22T15:33:48.000-04:00
azcmagent 1.41 relnotes
diff --git a/articles/azure-arc/servers/agent-release-notes-archive.md b/articles/azure-arc/servers/agent-release-notes-archive.md
@@ -19,6 +19,29 @@ The Azure Connected Machine agent receives improvements on an ongoing basis. Thi
 - Known issues
 - Bug fixes
 
+## Version 1.36 - November 2023
+
+Download for [Windows](https://download.microsoft.com/download/5/e/9/5e9081ed-2ee2-4b3a-afca-a8d81425bcce/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
+
+### Known issues
+
+The Windows Admin Center in Azure feature is incompatible with Azure Connected Machine agent version 1.36. Upgrade to version 1.37 or later to use this feature.
+
+### New features
+
+- [azcmagent show](azcmagent-show.md) now reports extended security license status on Windows Server 2012 server machines.
+- Introduced a new [proxy bypass](manage-agent.md#proxy-bypass-for-private-endpoints) option, `ArcData`, that covers the SQL Server enabled by Azure Arc endpoints. This enables you to use a private endpoint with Azure Arc-enabled servers with the public endpoints for SQL Server enabled by Azure Arc.
+- The [CPU limit for extension operations](agent-overview.md#agent-resource-governance) on Linux is now 30%. This increase helps improve reliability of extension install, upgrade, and uninstall operations.
+- Older extension manager and machine configuration agent logs are automatically zipped to reduce disk space requirements.
+- New executable names for the extension manager (`gc_extension_service`) and machine configuration (`gc_arc_service`) agents on Windows to help you distinguish the two services. For more information, see [Windows agent installation details](./agent-overview.md#windows-agent-installation-details).
+
+### Bug fixes
+
+- [azcmagent connect](azcmagent-connect.md) now uses the latest API version when creating the Azure Arc-enabled server resource to ensure Azure policies targeting new properties can take effect.
+- Upgraded the OpenSSL library and PowerShell runtime shipped with the agent to include the latest security fixes.
+- Fixed an issue that could prevent the agent from reporting the correct product type on Windows machines.
+- Improved handling of upgrades when the previously installed extension version wasn't in a successful state.
+
 ## Version 1.35 - October 2023
 
 Download for [Windows](https://download.microsoft.com/download/e/7/0/e70b1753-646e-4aea-bac4-40187b5128b0/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
diff --git a/articles/azure-arc/servers/agent-release-notes.md b/articles/azure-arc/servers/agent-release-notes.md
@@ -16,6 +16,29 @@ The Azure Connected Machine agent receives improvements on an ongoing basis. To
 
 This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [archive for What's new with Azure Connected Machine agent](agent-release-notes-archive.md).
 
+## Version 1.41 - May 2024
+
+### New features
+
+- Certificate-based authentication is now supported when using a service principal to connect or disconnect the agent. For more information, see [authentication options for the azcmagent CLI](azcmagent-connect.md#authentication-options).
+- [azcmagent check](azcmagent-check.md) now allows you to also check for the endpoints used by the SQL Server enabled by Azure Arc extension using the new `--extensions` flag. This can help you troubleshoot networking issues for both the OS and SQL management components. You can try this out by running `azcmagent check --extensions sql --location eastus` on a server, either before or after it is connected to Azure Arc.
+
+### Fixed
+
+- Fixed a memory leak in the Hybrid Instance Metadata service
+- Better handling when IPv6 local loopback is disabled
+- Improved reliability when upgrading extensions
+- Improved reliability when enforcing CPU limits on Linux extensions
+- PowerShell telemetry is now disabled by default for the extension manager and policy services
+- The extension manager and policy services now support OpenSSL 3
+- Colors are now disabled in the onboarding progress bar when the `--no-color` flag is used
+- Improved detection and reporting for Windows machines that have custom [logon as a service rights](prerequisites.md#local-user-logon-right-for-windows-systems) configured.
+- Improved accuracy when obtaining system metadata on Windows:
+  - VMUUID is now obtained from the Win32 API
+  - Physical memory is now checked using WMI
+- Fixed an issue that could prevent the region selector in the [Windows GUI installer](onboard-windows-server.md) from loading
+- Fixed permissions issues that could prevent the "himds" service from accessing necessary directories on Windows
+
 ## Version 1.40 - April 2024
 
 Download for [Windows](https://download.microsoft.com/download/2/1/0/210f77ca-e069-412b-bd94-eac02a63255d/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
@@ -93,29 +116,6 @@ Download for [Windows](https://download.microsoft.com/download/f/6/4/f64c574f-d3
 - Removed the scheduled tasks for automatic agent upgrades (introduced in agent version 1.30). We'll reintroduce this functionality when the automatic upgrade mechanism is available.
 - Resolved [Azure Connected Machine Agent Elevation of Privilege Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35624)
 
-## Version 1.36 - November 2023
-
-Download for [Windows](https://download.microsoft.com/download/5/e/9/5e9081ed-2ee2-4b3a-afca-a8d81425bcce/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
-
-### Known issues
-
-The Windows Admin Center in Azure feature is incompatible with Azure Connected Machine agent version 1.36. Upgrade to version 1.37 or later to use this feature.
-
-### New features
-
-- [azcmagent show](azcmagent-show.md) now reports extended security license status on Windows Server 2012 server machines.
-- Introduced a new [proxy bypass](manage-agent.md#proxy-bypass-for-private-endpoints) option, `ArcData`, that covers the SQL Server enabled by Azure Arc endpoints. This enables you to use a private endpoint with Azure Arc-enabled servers with the public endpoints for SQL Server enabled by Azure Arc.
-- The [CPU limit for extension operations](agent-overview.md#agent-resource-governance) on Linux is now 30%. This increase helps improve reliability of extension install, upgrade, and uninstall operations.
-- Older extension manager and machine configuration agent logs are automatically zipped to reduce disk space requirements.
-- New executable names for the extension manager (`gc_extension_service`) and machine configuration (`gc_arc_service`) agents on Windows to help you distinguish the two services. For more information, see [Windows agent installation details](./agent-overview.md#windows-agent-installation-details).
-
-### Bug fixes
-
-- [azcmagent connect](azcmagent-connect.md) now uses the latest API version when creating the Azure Arc-enabled server resource to ensure Azure policies targeting new properties can take effect.
-- Upgraded the OpenSSL library and PowerShell runtime shipped with the agent to include the latest security fixes.
-- Fixed an issue that could prevent the agent from reporting the correct product type on Windows machines.
-- Improved handling of upgrades when the previously installed extension version wasn't in a successful state.
-
 ## Next steps
 
 - Before evaluating or enabling Azure Arc-enabled servers across multiple hybrid machines, review [Connected Machine agent overview](agent-overview.md) to understand requirements, technical details about the agent, and deployment methods.
diff --git a/articles/azure-arc/servers/azcmagent-check.md b/articles/azure-arc/servers/azcmagent-check.md
@@ -2,7 +2,7 @@
 title: azcmagent check CLI reference
 description: Syntax for the azcmagent check command line tool
 ms.topic: reference
-ms.date: 04/20/2023
+ms.date: 05/22/2024
 ---
 
 # azcmagent check
@@ -17,7 +17,7 @@ azcmagent check [flags]
 
 ## Examples
 
-Check connectivity with the agent's currently configured cloud and region.
+Check connectivity with the agent's configured cloud and region.
 
 ```
 azcmagent check
@@ -29,6 +29,13 @@ Check connectivity with the East US region using public endpoints.
 azcmagent check --location "eastus"
 ```
 
+Check connectivity for supported extensions (SQL Server enabled by Azure Arc) using public endpoints:
+
+```
+azcmagent check --extensions all
+```
+
+
 Check connectivity with the Central India region using private endpoints.
 
 ```
@@ -39,14 +46,23 @@ azcmagent check --location "centralindia" --enable-pls-check
 
 `--cloud`
 
-Specifies the Azure cloud instance. Must be used with the `--location` flag. If the machine is already connected to Azure Arc, the default value is the cloud to which the agent is already connected. Otherwise, the default value is "AzureCloud".
+Specifies the Azure cloud instance. Must be used with the `--location` flag. If the machine is already connected to Azure Arc, the default value is the cloud to which the agent is already connected. Otherwise, the default value is AzureCloud.
 
 Supported values:
 
 * AzureCloud (public regions)
 * AzureUSGovernment (Azure US Government regions)
 * AzureChinaCloud (Microsoft Azure operated by 21Vianet regions)
 
+`-e`, `--extensions`
+
+Includes extra checks for extension endpoints to help validate end-to-end scenario readiness. This flag is available in agent version 1.41 and later.
+
+Supported values:
+
+* all (checks all supported extension endpoints)
+* sql (SQL Server enabled by Azure Arc)
+
 `-l`, `--location`
 
 The Azure region to check connectivity with. If the machine is already connected to Azure Arc, the current region is selected as the default.
diff --git a/articles/azure-arc/servers/azcmagent-connect.md b/articles/azure-arc/servers/azcmagent-connect.md
@@ -41,11 +41,11 @@ azcmagent connect --subscription-id "Production" --resource-group "HybridServers
 
 ## Authentication options
 
-There are 4 ways to provide authentication credentials to the Azure connected machine agent. Choose one authentication option and replace the `[authentication]` section in the usage syntax with the recommended flags.
+There are four ways to provide authentication credentials to the Azure connected machine agent. Choose one authentication option and replace the `[authentication]` section in the usage syntax with the recommended flags.
 
 ### Interactive browser login (Windows-only)
 
-This option is the default on Windows operating systems with a desktop experience. It login page opens in your default web browser. This option might be required if your organization has configured conditional access policies that require you to log in from trusted machines.
+This option is the default on Windows operating systems with a desktop experience. It login page opens in your default web browser. This option might be required if your organization configured conditional access policies that require you to log in from trusted machines.
 
 No flag is required to use the interactive browser login.
 
@@ -55,11 +55,19 @@ This option generates a code that you can use to log in on a web browser on anot
 
 To authenticate with a device code, use the `--use-device-code` flag. If the account you're logging in with and the subscription where you're registering the server aren't in the same tenant, you must also provide the tenant ID for the subscription with `--tenant-id [tenant]`.
 
-### Service principal
+### Service principal with secret
 
-Service principals allow you to authenticate non-interactively and are often used for at-scale deployments where the same script is run across multiple servers. It's recommended that you provide service principal information via a configuration file (see `--config`) to avoid exposing the secret in any console logs. The service principal should also be dedicated for Arc onboarding and have as few permissions as possible, to limit the impact of a stolen credential.
+Service principals allow you to authenticate non-interactively and are often used for at-scale deployments where the same script is run across multiple servers. Microsoft recommends providing service principal information via a configuration file (see `--config`) to avoid exposing the secret in any console logs. The service principal should also be dedicated for Arc onboarding and have as few permissions as possible, to limit the impact of a stolen credential.
 
-To authenticate with a service principal, provide the service principal's application ID, secret, and tenant ID: `--service-principal-id [appid] --service-principal-secret [secret] --tenant-id [tenantid]`
+To authenticate with a service principal using a secret, provide the service principal's application ID, secret, and tenant ID: `--service-principal-id [appid] --service-principal-secret [secret] --tenant-id [tenantid]`
+
+### Service principal with certificate
+
+Certificate-based authentication is a more secure way to authenticate using service principals. The agent accepts both PCKS #12 (.PFX) files and ASCII-encoded files (such as .PEM) that contain both the private and public keys. The certificate must be available on the local disk and the user running the `azcmagent` command needs read access to the file. Password-protected PFX files are not supported.
+
+To authenticate with a service principal using a certificate, provide the service principal's application ID, tenant ID, and path to the certificate file: `--service-principal-id [appId] --service-principal-cert [pathToPEMorPFXfile] --tenant-id [tenantid]`
+
+For more information, see [create a service principal for RBAC with certificate-based authentication](/cli/azure/azure-cli-sp-tutorial-3).
 
 ### Access token
 
@@ -128,11 +136,15 @@ Sample value: FileServer01
 
 `-i`, `--service-principal-id`
 
-Specifies the application ID of the service principal used to create the Azure Arc-enabled server resource in Azure. Must be used with the `--service-principal-secret` and `--tenant-id` flags. For more information, see [authentication options](#authentication-options).
+Specifies the application ID of the service principal used to create the Azure Arc-enabled server resource in Azure. Must be used with the  `--tenant-id` and either the `--service-principal-secret` or `--service-principal-cert` flags. For more information, see [authentication options](#authentication-options).
+
+`--service-principal-cert`
+
+Specifies the path to a service principal certificate file. Must be used with the `--service-principal-id` and `--tenant-id` flags. The certificate must include a private key and can be in a PKCS #12 (.PFX) or ASCII-encoded text (.PEM, .CRT) format. Password-protected PFX files are not supported. For more information, see [authentication options](#authentication-options).
 
 `-p`, `--service-principal-secret`
 
-Specifies the service principal secret. Must be used with the `--service-principal-id` and `--tenant-id` flags. To avoid exposing the secret in console logs, it's recommended to pass in the service principal secret in a configuration file. For more information, see [authentication options](#authentication-options).
+Specifies the service principal secret. Must be used with the `--service-principal-id` and `--tenant-id` flags. To avoid exposing the secret in console logs, Microsoft recommended providing the service principal secret in a configuration file. For more information, see [authentication options](#authentication-options).
 
 `-s`, `--subscription-id`
 
diff --git a/articles/azure-arc/servers/azcmagent-disconnect.md b/articles/azure-arc/servers/azcmagent-disconnect.md
