first draft

Author: Ryan Willis

articles/azure-arc/servers/agent-release-notes-archive.md

@@ -19,6 +19,29 @@ The Azure Connected Machine agent receives improvements on an ongoing basis. Thi
 - Known issues
 - Bug fixes
 
+## Version 1.36 - November 2023
+
+Download for [Windows](https://download.microsoft.com/download/5/e/9/5e9081ed-2ee2-4b3a-afca-a8d81425bcce/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
+
+### Known issues
+
+The Windows Admin Center in Azure feature is incompatible with Azure Connected Machine agent version 1.36. Upgrade to version 1.37 or later to use this feature.
+
+### New features
+
+- [azcmagent show](azcmagent-show.md) now reports extended security license status on Windows Server 2012 server machines.
+- Introduced a new [proxy bypass](manage-agent.md#proxy-bypass-for-private-endpoints) option, `ArcData`, that covers the SQL Server enabled by Azure Arc endpoints. This enables you to use a private endpoint with Azure Arc-enabled servers with the public endpoints for SQL Server enabled by Azure Arc.
+- The [CPU limit for extension operations](agent-overview.md#agent-resource-governance) on Linux is now 30%. This increase helps improve reliability of extension install, upgrade, and uninstall operations.
+- Older extension manager and machine configuration agent logs are automatically zipped to reduce disk space requirements.
+- New executable names for the extension manager (`gc_extension_service`) and machine configuration (`gc_arc_service`) agents on Windows to help you distinguish the two services. For more information, see [Windows agent installation details](./agent-overview.md#windows-agent-installation-details).
+
+### Bug fixes
+
+- [azcmagent connect](azcmagent-connect.md) now uses the latest API version when creating the Azure Arc-enabled server resource to ensure Azure policies targeting new properties can take effect.
+- Upgraded the OpenSSL library and PowerShell runtime shipped with the agent to include the latest security fixes.
+- Fixed an issue that could prevent the agent from reporting the correct product type on Windows machines.
+- Improved handling of upgrades when the previously installed extension version wasn't in a successful state.
+
 ## Version 1.35 - October 2023
 
 Download for [Windows](https://download.microsoft.com/download/e/7/0/e70b1753-646e-4aea-bac4-40187b5128b0/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

articles/azure-arc/servers/agent-release-notes.md

@@ -16,6 +16,29 @@ The Azure Connected Machine agent receives improvements on an ongoing basis. To
 
 This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [archive for What's new with Azure Connected Machine agent](agent-release-notes-archive.md).
 
+## Version 1.41 - May 2024
+
+### New features
+
+- Certificate-based authentication is now supported when using a service principal to connect or disconnect the agent. For more information, see [authentication options for the azcmagent CLI](azcmagent-connect.md#authentication-options).
+- [azcmagent check](azcmagent-check.md) now allows you to also check for the endpoints used by the SQL Server enabled by Azure Arc extension using the new `--extensions` flag. This can help you troubleshoot networking issues for both the OS and SQL management components. You can try this out by running `azcmagent check --extensions sql --location eastus` on a server, either before or after it is connected to Azure Arc.
+
+### Fixed
+
+- Fixed a memory leak in the Hybrid Instance Metadata service
+- Better handling when IPv6 local loopback is disabled
+- Improved reliability when upgrading extensions
+- Improved reliability when enforcing CPU limits on Linux extensions
+- PowerShell telemetry is now disabled by default for the extension manager and policy services
+- The extension manager and policy services now support OpenSSL 3
+- Colors are now disabled in the onboarding progress bar when the `--no-color` flag is used
+- Improved detection and reporting for Windows machines that have custom [logon as a service rights](prerequisites.md#local-user-logon-right-for-windows-systems) configured.
+- Improved accuracy when obtaining system metadata on Windows:
+  - VMUUID is now obtained from the Win32 API
+  - Physical memory is now checked using WMI
+- Fixed an issue that could prevent the region selector in the [Windows GUI installer](onboard-windows-server.md) from loading
+- Fixed permissions issues that could prevent the "himds" service from accessing necessary directories on Windows
+
 ## Version 1.40 - April 2024
 
 Download for [Windows](https://download.microsoft.com/download/2/1/0/210f77ca-e069-412b-bd94-eac02a63255d/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
@@ -93,29 +116,6 @@ Download for [Windows](https://download.microsoft.com/download/f/6/4/f64c574f-d3
 - Removed the scheduled tasks for automatic agent upgrades (introduced in agent version 1.30). We'll reintroduce this functionality when the automatic upgrade mechanism is available.
 - Resolved [Azure Connected Machine Agent Elevation of Privilege Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35624)
 
-## Version 1.36 - November 2023
-
-Download for [Windows](https://download.microsoft.com/download/5/e/9/5e9081ed-2ee2-4b3a-afca-a8d81425bcce/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
-
-### Known issues
-
-The Windows Admin Center in Azure feature is incompatible with Azure Connected Machine agent version 1.36. Upgrade to version 1.37 or later to use this feature.
-
-### New features
-
-- [azcmagent show](azcmagent-show.md) now reports extended security license status on Windows Server 2012 server machines.
-- Introduced a new [proxy bypass](manage-agent.md#proxy-bypass-for-private-endpoints) option, `ArcData`, that covers the SQL Server enabled by Azure Arc endpoints. This enables you to use a private endpoint with Azure Arc-enabled servers with the public endpoints for SQL Server enabled by Azure Arc.
-- The [CPU limit for extension operations](agent-overview.md#agent-resource-governance) on Linux is now 30%. This increase helps improve reliability of extension install, upgrade, and uninstall operations.
-- Older extension manager and machine configuration agent logs are automatically zipped to reduce disk space requirements.
-- New executable names for the extension manager (`gc_extension_service`) and machine configuration (`gc_arc_service`) agents on Windows to help you distinguish the two services. For more information, see [Windows agent installation details](./agent-overview.md#windows-agent-installation-details).
-
-### Bug fixes
-
-- [azcmagent connect](azcmagent-connect.md) now uses the latest API version when creating the Azure Arc-enabled server resource to ensure Azure policies targeting new properties can take effect.
-- Upgraded the OpenSSL library and PowerShell runtime shipped with the agent to include the latest security fixes.
-- Fixed an issue that could prevent the agent from reporting the correct product type on Windows machines.
-- Improved handling of upgrades when the previously installed extension version wasn't in a successful state.
-
 ## Next steps
 
 - Before evaluating or enabling Azure Arc-enabled servers across multiple hybrid machines, review [Connected Machine agent overview](agent-overview.md) to understand requirements, technical details about the agent, and deployment methods.

articles/azure-arc/servers/azcmagent-check.md

@@ -2,7 +2,7 @@
 title: azcmagent check CLI reference
 description: Syntax for the azcmagent check command line tool
 ms.topic: reference
-ms.date: 04/20/2023
+ms.date: 05/22/2024
 ---
 
 # azcmagent check
@@ -29,6 +29,13 @@ Check connectivity with the East US region using public endpoints.
 azcmagent check --location "eastus"
 ```
 
+Check connectivity for supported extensions (SQL Server enabled by Azure Arc) using public endpoints:
+
+```
+azcmagent check --extensions all
+```
+
+
 Check connectivity with the Central India region using private endpoints.
 
 ```
@@ -47,6 +54,15 @@ Supported values:
 * AzureUSGovernment (Azure US Government regions)
 * AzureChinaCloud (Microsoft Azure operated by 21Vianet regions)
 
+`-e`, `--extensions`
+
+Includes additional checks for extension endpoints to help validate end-to-end scenario readiness. This flag is available in agent version 1.41 and later.
+
+Supported values:
+
+* all (checks all supported extension endpoints)
+* sql (SQL Server enabled by Azure Arc)
+
 `-l`, `--location`
 
 The Azure region to check connectivity with. If the machine is already connected to Azure Arc, the current region is selected as the default.

articles/azure-arc/servers/azcmagent-connect.md

@@ -55,11 +55,19 @@ This option generates a code that you can use to log in on a web browser on anot
 
 To authenticate with a device code, use the `--use-device-code` flag. If the account you're logging in with and the subscription where you're registering the server aren't in the same tenant, you must also provide the tenant ID for the subscription with `--tenant-id [tenant]`.
 
-### Service principal
+### Service principal with secret
 
 Service principals allow you to authenticate non-interactively and are often used for at-scale deployments where the same script is run across multiple servers. It's recommended that you provide service principal information via a configuration file (see `--config`) to avoid exposing the secret in any console logs. The service principal should also be dedicated for Arc onboarding and have as few permissions as possible, to limit the impact of a stolen credential.
 
-To authenticate with a service principal, provide the service principal's application ID, secret, and tenant ID: `--service-principal-id [appid] --service-principal-secret [secret] --tenant-id [tenantid]`
+To authenticate with a service principal using a secret, provide the service principal's application ID, secret, and tenant ID: `--service-principal-id [appid] --service-principal-secret [secret] --tenant-id [tenantid]`
+
+### Service principal with certificate
+
+Certificate-based authentication is a more secure way to authenticate using service principals. The agent accepts both PCKS #12 (PFX) files and ASCII-encoded files (such as PEM) that contain both the private and public keys. The certificate must be available on the local disk and the user running the `azcmagent` command must have read access to the file. Password-protected PFX files are not supported.
+
+To authenticate with a service principal using a certificate, provide the service principal's application ID, tenant ID and path to the certificate file: `--service-principal-id [appId] --service-principal-cert [pathToPEMorPFXfile] --tenant-id [tenantid]`
+
+For more information, see [create a service principal for RBAC with certificate-based authentication](/cli/azure/azure-cli-sp-tutorial-3).
 
 ### Access token
 

articles/azure-arc/servers/azcmagent-disconnect.md

@@ -54,11 +54,19 @@ This option generates a code that you can use to log in on a web browser on anot
 
 To authenticate with a device code, use the `--use-device-code` flag.
 
-### Service principal
+### Service principal with secret
 
-Service principals allow you to authenticate non-interactively and are often used for at-scale operations where the same script is run across multiple servers. It's recommended that you provide service principal information via a configuration file (see `--config`) to avoid exposing the secret in any console logs.
+Service principals allow you to authenticate non-interactively and are often used for at-scale deployments where the same script is run across multiple servers. It's recommended that you provide service principal information via a configuration file (see `--config`) to avoid exposing the secret in any console logs. The service principal should also be dedicated for Arc onboarding and have as few permissions as possible, to limit the impact of a stolen credential.
 
-To authenticate with a service principal, provide the service principal's application ID and secret: `--service-principal-id [appid] --service-principal-secret [secret]`
+To authenticate with a service principal using a secret, provide the service principal's application ID, secret, and tenant ID: `--service-principal-id [appid] --service-principal-secret [secret] --tenant-id [tenantid]`
+
+### Service principal with certificate
+
+Certificate-based authentication is a more secure way to authenticate using service principals. The agent accepts both PCKS #12 (PFX) files and ASCII-encoded files (such as PEM) that contain both the private and public keys. The certificate must be available on the local disk and the user running the `azcmagent` command must have read access to the file. Password-protected PFX files are not supported.
+
+To authenticate with a service principal using a certificate, provide the service principal's application ID, tenant ID and path to the certificate file: `--service-principal-id [appId] --service-principal-cert [pathToPEMorPFXfile] --tenant-id [tenantid]`
+
+For more information, see [create a service principal for RBAC with certificate-based authentication](/cli/azure/azure-cli-sp-tutorial-3).
 
 ### Access token