Commit 91c065d

Copyedits
1 parent 4fbf9d3 commit 91c065d

6 files changed

+16
-18
lines changed

articles/azure-arc/servers/security-extensions.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ ms.date: 06/06/2024
77

88
# Extensions security
99

10-
This article describes the fundamentals of [VM extensions](manage-vm-extensions.md) for Azure Arc-enabled servers and details how extension settings can be customized. It also covers the execution of scripts using the extension manager and the option to disable the extension manager if extensions aren't needed.
10+
This article describes the fundamentals of [VM extensions](manage-vm-extensions.md) for Azure Arc-enabled servers and details how extension settings can be customized.
1111

1212
## Extension basics
1313
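Review bot: The rewritten line 10 drops the two sentences that told the reader this article also covers running scripts through the extension manager and disabling the extension manager when extensions aren't needed. Nothing in this hunk shows those sections being removed from the article, so if they still exist below "## Extension basics", the introduction now under-describes the page and a reader looking for how to turn the extension manager off (the most security-relevant control on the page) won't find it from the summary. Suggest keeping a short clause: "... how extension settings can be customized, how scripts are run through the extension manager, and how to disable the extension manager if extensions aren't needed."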

articles/azure-arc/servers/security-identity-authorization.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ Generic RBAC roles in Azure also apply to Azure Arc-enabled servers, including R
3939

4040
[Azure role-based access control](../../role-based-access-control/overview.md) is used to control which accounts can see and manage your Azure Arc-enabled server. From the [**Access Control (IAM)**](../../role-based-access-control/role-assignments-portal.yml) page in the Azure portal, you can verify who has access to your Azure Arc-enabled server.
4141

42-
:::image type="content" source="./media/security-identity-authorization/access-control-page.png" alt-text="Azure Arc-enabled server access control" border="false" lightbox="./media/security-overview/access-control-page.png":::
42+
:::image type="content" source="media/security-identity-authorization/access-control-page.png" alt-text="Azure Arc-enabled server access control":::
4343

4444
Users and applications granted [contributor](../../role-based-access-control/built-in-roles.md#contributor) or administrator role access to the resource can make changes to the resource, including deploying or deleting [extensions](manage-vm-extensions.md) on the machine. Extensions can include arbitrary scripts that run in a privileged context, so consider any contributor on the Azure resource to be an indirect administrator of the server.
4545
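Review bot: Removing the `lightbox` attribute on line 42 is the right call as written, because the old lightbox path (`./media/security-overview/access-control-page.png`) pointed at a different folder than `source` (`./media/security-identity-authorization/...`), so the enlarged view would have been a broken reference; if the zoomable image was actually wanted, restore `lightbox` with the same path as `source` rather than dropping it. While touching this line, consider making the alt text describe what the screenshot shows, e.g. "Screenshot of the Access Control (IAM) page for an Azure Arc-enabled server in the Azure portal", since the current value reads as a caption rather than a description of the image.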

articles/azure-arc/servers/security-machine-configuration.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ ms.date: 06/06/2024
77

88
# Machine configuration
99

10-
This article describes the basics of Azure Machine Configuration, a compliance reporting and configuration tool based on PowerShell Desired State Configuration. It explains how the tool can check and optionally remediate security and other settings on machines at scale. Users can utilize built-in policies from Microsoft or author their own. The article also details the permissions needed to assign these policies and provides instructions for disabling the machine configuration agent if not needed.
10+
This article describes the basics of Azure Machine Configuration, a compliance reporting and configuration tool that can check and optionally remediate security and other settings on machines at scale.
1111

1212
## Machine configuration basics
1313
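Review bot: The new line 10 removes the clause "based on PowerShell Desired State Configuration", which was the only statement in this hunk telling the reader what the machine configuration tooling is built on; that detail matters for anyone assessing what runs on the machine and in which context, so it is worth keeping even in a shortened intro. The intro also no longer mentions the permissions needed to assign policies or how to disable the machine configuration agent, yet the next hunk's `@@` context line ("If you don't intend to use machine configuration policies, you can disable the...") shows that the disable guidance is still in the article. Suggest: "...a compliance reporting and configuration tool based on PowerShell Desired State Configuration that can check and optionally remediate security and other settings on machines at scale, the permissions needed to assign policies, and how to disable the agent if you don't need it."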

@@ -25,9 +25,9 @@ If you don’t intend to use machine configuration policies, you can disable the
2525

2626
The Azure Connected Machine agent has two possible modes:
2727

28-
1. Full mode, the default mode which allows all use of agent functionality.
28+
- **Full mode**, the default mode which allows all use of agent functionality.
2929

30-
1. Monitor mode, which applies a Microsoft-managed extension allowlist, disables remote connectivity, and disables the machine configuration agent.
30+
- **Monitor mode**, which applies a Microsoft-managed extension allowlist, disables remote connectivity, and disables the machine configuration agent.
3131

3232
If you’re using Arc solely for monitoring purposes, setting the agent to Monitor mode makes it easy to restrict the agent to just the functionality required to use Azure Monitor. You can configure the agent mode with the following command (run locally on each machine):
3333
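Review bot: Line 28 needs a comma after "the default mode": "**Full mode**, the default mode, which allows all use of agent functionality." Without it the sentence reads as if only some default modes allow full functionality. Switching from the `1.` auto-numbered list to bulleted bold terms is fine since the two modes are alternatives rather than steps, and it matches the bold-term style used on line 30.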

articles/azure-arc/servers/security-networking.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -11,15 +11,15 @@ This article describes the networking requirements and options for Azure Arc-ena
1111

1212
## General networking
1313

14-
Azure Arc-enabled servers is a software-as-a-service offering with a combination of global and regional endpoints shared by all customers. All network communication from the Azure Connected Machine agent is outbound to Azure. Azure will never reach "into" your network to manage your machines. These connections are always encrypted using TLS certificates. The list of endpoints and IP addresses accessed by the agent are documented in our [network requirements](network-requirements.md).
14+
Azure Arc-enabled servers is a software-as-a-service offering with a combination of global and regional endpoints shared by all customers. All network communication from the Azure Connected Machine agent is outbound to Azure. Azure will never reach "into" your network to manage your machines. These connections are always encrypted using TLS certificates. The list of endpoints and IP addresses accessed by the agent are documented in the [network requirements](network-requirements.md).
1515

16-
Extensions you install can require extra endpoints not included in the Azure Arc network requirements. Consult the extension documentation for further information on network requirements for that solution.
16+
Extensions you install may require extra endpoints not included in the Azure Arc network requirements. Consult the extension documentation for further information on network requirements for that solution.
1717

1818
If your organization uses TLS inspection, the Azure Connected Machine agent doesn't use certificate pinning and will continue to work, so long as your machine trusts the certificate presented by the TLS inspection service. Some Azure Arc extensions use certificate pinning and need to be excluded from TLS inspection. Consult the documentation for any extensions you deploy to determine if they support TLS inspection.
1919

2020
### Private endpoints
2121

22-
Private endpoints are an optional Azure networking technology network traffic to be sent over Express Route or a site-to-site VPN and more granularly control which machines can use Azure Arc. With private endpoints, you can use private IP addresses in your organization’s network address space to access the Azure Arc cloud services. Additionally, only servers you authorize are able to send data through these endpoints, which protects against unauthorized use of the Azure Connected Machine agent in your network.
22+
[Private endpoints](private-link-security.md) are an optional Azure networking technology that allows network traffic to be sent over Express Route or a site-to-site VPN and more granularly control which machines can use Azure Arc. With private endpoints, you can use private IP addresses in your organization’s network address space to access the Azure Arc cloud services. Additionally, only servers you authorize are able to send data through these endpoints, which protects against unauthorized use of the Azure Connected Machine agent in your network.
2323

2424
It’s important to note that not all endpoints and not all scenarios are supported with private endpoints. You'll still need to make firewall exceptions for some endpoints like Microsoft Entra ID, which doesn't offer a private endpoint solution. Any extensions you install may require other private endpoints (if supported) or access to the public endpoints for their services. Additionally, you can’t use SSH or Windows Admin Center to access your server over a private endpoint.
2525
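Review bot: The repaired sentence on line 22 still doesn't parse after the inserted "that allows": "allows network traffic to be sent over Express Route or a site-to-site VPN and more granularly control which machines can use Azure Arc" mixes a passive infinitive with a bare verb. Suggest: "[Private endpoints](private-link-security.md) are an optional Azure networking technology that lets you send network traffic over ExpressRoute or a site-to-site VPN and more granularly control which machines can use Azure Arc." ("ExpressRoute" is the product name, one word.) Two smaller points in the unchanged context of this hunk that a copyedit pass could pick up: line 14 says the connections "are always encrypted using TLS certificates", but certificates authenticate the endpoint while TLS encrypts the channel, so "encrypted using TLS" is more accurate; and "The list of endpoints and IP addresses ... are documented" should be "is documented".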

articles/azure-arc/servers/security-onboarding.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -31,13 +31,13 @@ If a malicious actor gains access to your onboarding credential, they could use
3131

3232
## Protecting secrets in onboarding script
3333

34-
The onboarding script contains all the information needed to connect your server to Azure. This includes steps to download, install, and configure the Azure Connected Machine agent on your server. It also includes the onboarding credential used to non-interactively connect that server to Azure. It’s important to protect the onboarding credential so that it doesn’t end up in the wrong hands or accidentally captured in logs.
34+
The onboarding script contains all the information needed to connect your server to Azure. This includes steps to download, install, and configure the Azure Connected Machine agent on your server. It also includes the onboarding credential used to non-interactively connect that server to Azure. It’s important to protect the onboarding credential so it isn't accidentally captured in logs and end up in the wrong hands.
3535

36-
For production deployments, it’s common to orchestrate the onboarding script using an automation tool such as Microsoft Configuration Manager, Red Hat Ansible, or Group Policy. Check with your automation tool to see if it has a way to protect secrets used in the installation script. If it doesn’t, consider moving the onboarding script parameters to a dedicated configuration file. This will prevent secrets from being parsed and potentially logged directly on the command line. The Group Policy onboarding guidance includes extra steps to encrypt the configuration file so that only computer accounts can decrypt it, not users or others outside your organization, providing more protection.
36+
For production deployments, it’s common to orchestrate the onboarding script using an automation tool such as Microsoft Configuration Manager, Red Hat Ansible, or Group Policy. Check with your automation tool to see if it has a way to protect secrets used in the installation script. If it doesn’t, consider moving the onboarding script parameters to a dedicated configuration file. This prevents secrets from being parsed and potentially logged directly on the command line. The [Group Policy onboarding guidance](onboard-group-policy-powershell.md) includes extra steps to encrypt the configuration file so that only computer accounts can decrypt it, not users or others outside your organization.
3737

3838
If your automation tool copies the configuration file to the server, make sure it also cleans up the file after it's done so the secrets don’t persist longer than necessary.
3939

40-
Additionally, as with all Azure resources, tags for Azure Arc-enabled servers are stored as plain text. Do not put sensitive information in tags.
40+
Additionally, as with all Azure resources, tags for Azure Arc-enabled servers are stored as plain text. Don't put sensitive information in tags.
4141

4242
## Using disk encryption
4343
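Review bot: The rewritten line 34 is now ungrammatical: "so it isn't accidentally captured in logs and end up in the wrong hands" needs "ends up", or better, a restructure that keeps the original meaning: "so it isn't accidentally captured in logs or otherwise ends up in the wrong hands." On line 36, "prevent secrets from being parsed and potentially logged directly on the command line" is carried through unchanged but almost certainly means "passed", since the point of a configuration file is to keep the secret off the command line where it can be captured by process listings and shell or automation logs; suggest "This prevents secrets from being passed, and potentially logged, on the command line."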

articles/azure-arc/servers/security-updates.md

Lines changed: 5 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -11,11 +11,11 @@ This article describes the update process for the Azure Connected Machine agent
1111

1212
## Agent updates
1313

14-
A new version of the Azure Connected Machine agent is typically released every month. There isn’t an exact schedule of when the updates are available, but you should check for and apply updates on a monthly basis. The documentation contains [a list of all the new releases](/azure/azure-arc/servers/agent-release-notes) including what specific changes are included in them. Most updates include security, performance. and quality fixes. Some also include new features and functionality. In the event a hotfix is required to address an issue with a release, it's released as a new agent version and available via the same means as a regular agent release.
14+
A new version of the Azure Connected Machine agent is typically released every month. There isn’t an exact schedule of when the updates are available, but you should check for and apply updates on a monthly basis. Refer to the [list of all the new releases](/azure/azure-arc/servers/agent-release-notes), including what specific changes are included in them. Most updates include security, performance. and quality fixes. Some also include new features and functionality. When a hotfix is required to address an issue with a release, it's released as a new agent version and available via the same means as a regular agent release.
1515

16-
The Azure Connected Machine agent doesn't update itself. You must update it using your preferred update management tool. For Windows machines, updates are delivered through Microsoft Update. Standalone servers should opt-in to Microsoft Updates (receive updates for other Microsoft products). If your organization uses Windows Server Update Services to cache and approve updates locally, your WSUS admin needs to synchronize and approve updates for the Azure Connected Machine agent product.
16+
The Azure Connected Machine agent doesn't update itself. You must update it using your preferred update management tool. For Windows machines, updates are delivered through Microsoft Update. Standalone servers should opt-in to Microsoft Updates (using the *receive updates for other Microsoft products* option). If your organization uses Windows Server Update Services to cache and approve updates locally, your WSUS admin must synchronize and approve updates for the Azure Connected Machine agent product.
1717

18-
Linux updates are published to packages.microsoft.com. Your package management software (apt, yum, dnf, zypper, etc.) should show “azcmagent” updates alongside all your other system packages. Learn more about [upgrading Linux agents](/azure/azure-arc/servers/manage-agent?tabs=linux-apt).
18+
Linux updates are published to `packages.microsoft.com`. Your package management software (apt, yum, dnf, zypper, etc.) should show “azcmagent” updates alongside your other system packages. Learn more about [upgrading Linux agents](/azure/azure-arc/servers/manage-agent?tabs=linux-apt).
1919

2020
Microsoft recommends staying up to date with the latest agent version whenever possible. If your maintenance windows are less frequent, Microsoft supports all agent versions released within the last 12 months. However, since the agent updates include security fixes, you should update as frequently as possible.
2121
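Review bot: Line 14 still contains the stray period in "security, performance. and quality fixes"; it should be a comma, and since this copyedit rewrites the rest of the sentence it's the right place to fix it. On line 16, "opt-in" is used as a verb and should be "opt in" (the hyphenated form is the noun or adjective). The reworded WSUS sentence ("your WSUS admin must synchronize and approve updates") is clearer than "needs to", and spelling out that the "receive updates for other Microsoft products" option is what enables Microsoft Update is a useful addition.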

@@ -25,15 +25,13 @@ If you're looking for a patch management tool to orchestrate updates of the Azur
2525

2626
### Automatic extension updates
2727

28-
By default, every extension you deploy to an Azure Arc-enabled server has automatic extension upgrades enabled. If the extension publisher supports this feature, new versions of the extension will automatically be installed within 60 days of the new version becoming available. Automatic extension upgrades follow a safe deployment practice, meaning that only a small number of extensions are updated at a time. Rollouts continue slowly across regions and subscriptions until every extension is updated.
28+
By default, every extension you deploy to an Azure Arc-enabled server has automatic extension upgrades enabled. If the extension publisher supports this feature, new versions of the extension are automatically installed within 60 days of the new version becoming available. Automatic extension upgrades follow a safe deployment practice, meaning that only a small number of extensions are updated at a time. Rollouts continue slowly across regions and subscriptions until every extension is updated.
2929

30-
There are no granular controls over automatic extension upgrades. You'll always be upgraded to the most recent version of the extension and can’t choose when the upgrade happens. The extension manager has [built-in resource governance](/azure/azure-arc/servers/agent-overview) to ensure that an extension upgrade doesn't consume too much of the system’s CPU and interfere with your workloads during the upgrade.
30+
There are no granular controls over automatic extension upgrades. You'll always be upgraded to the most recent version of the extension and can’t choose when the upgrade happens. The extension manager has [built-in resource governance](/azure/azure-arc/servers/agent-overview) to ensure an extension upgrade doesn't consume too much of the system’s CPU and interfere with your workloads during the upgrade.
3131

3232
If you don't want to use automatic upgrades for extensions, you can disable them on a per-extension, per-server basis using the [Azure portal, CLI, or PowerShell](/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal).
3333

3434
### Manual extension updates
3535

3636
For extensions that don’t support automatic upgrades or have automatic upgrades disabled, you can use the Azure portal, CLI, or PowerShell to upgrade extensions to the newest version. The CLI and PowerShell commands also support downgrading an extension, in case you need to revert to an earlier version.
3737

38-
39-
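Review bot: Line 30 opens with "There are no granular controls over automatic extension upgrades", but line 32 in the same hunk's context says you can disable them "on a per-extension, per-server basis", which is a granular control; the two statements read as contradictory. Suggest narrowing the claim to what the rest of the paragraph actually describes: "There are no granular controls over the timing or target version of automatic extension upgrades: you'll always be upgraded to the most recent version of the extension and can't choose when the upgrade happens." Removing the two trailing blank lines (38-39) at end of file is fine.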