Merge pull request #190469 from rpsqrd/arc-server-fixes

PRMerger12 · web-flow · commit 98882d12c3cc · 2022-03-03T09:24:34.000-08:00
Arc update
diff --git a/articles/azure-arc/servers/agent-overview.md b/articles/azure-arc/servers/agent-overview.md
@@ -1,7 +1,7 @@
 ---
 title:  Overview of the Azure Connected Machine agent
 description: This article provides a detailed overview of the Azure Arc-enabled servers agent available, which supports monitoring virtual machines hosted in hybrid environments.
-ms.date: 03/01/2022
+ms.date: 03/03/2022
 ms.topic: conceptual 
 ms.custom: devx-track-azurepowershell
 ---
@@ -223,9 +223,6 @@ Connecting machines in your hybrid environment directly with Azure can be accomp
 | At scale | [Connect machines with a Configuration Manager custom task sequence](onboard-configuration-manager-custom-task.md)
 | At scale | [Connect machines from Automation Update Management](onboard-update-management-machines.md) to create a service principal that installs and configures the agent for multiple machines managed with Azure Automation Update Management to connect machines non-interactively. |
 
-
-
-
 > [!IMPORTANT]
 > The Connected Machine agent cannot be installed on an Azure Windows virtual machine. If you attempt to, the installation detects this and rolls back.
 
@@ -239,7 +236,7 @@ The Connected Machine agent for Windows can be installed by using one of the fol
 * Manually by running the Windows Installer package `AzureConnectedMachineAgent.msi` from the Command shell.
 * From a PowerShell session using a scripted method.
 
-Installing, updating, and removing the Connected Machine agent will not require you to restart your server.
+Installing, upgrading, or removing the Connected Machine agent will not require you to restart your server.
 
 After installing the Connected Machine agent for Windows, the following system-wide configuration changes are applied.
 
@@ -261,6 +258,21 @@ After installing the Connected Machine agent for Windows, the following system-w
     |GCArcService |Guest configuration Arc Service |gc_service |Monitors the desired state configuration of the machine.|
     |ExtensionService |Guest configuration Extension Service | gc_service |Installs the required extensions targeting the machine.|
 
+* The following virtual service account is created during agent installation.
+
+    | Virtual Account  | Description |
+    |------------------|---------|
+    | NT SERVICE\\himds | Unprivileged account used to run the Hybrid Instance Metadata Service. |
+
+    > [!TIP]
+    > This account requires the "Log on as a service" right. This right is automatically granted during agent installation, but if your organization configures user rights assignments with Group Policy, you may need to adjust your Group Policy Object to grant the right to  "NT SERVICE\\himds" or "NT SERVICE\\ALL SERVICES" to allow the agent to function.
+
+* The following local security group is created during agent installation.
+
+    | Security group name | Description |
+    |---------------------|-------------|
+    | Hybrid agent extension applications | Members of this security group can request Azure Active Directory tokens for the system-assigned managed identity |
+
 * The following environmental variables are created during agent installation.
 
     |Name |Default value |Description |
@@ -290,7 +302,7 @@ After installing the Connected Machine agent for Windows, the following system-w
 
 The Connected Machine agent for Linux is provided in the preferred package format for the distribution (.RPM or .DEB) that's hosted in the Microsoft [package repository](https://packages.microsoft.com/). The agent is installed and configured with the shell script bundle [Install_linux_azcmagent.sh](https://aka.ms/azcmagent).
 
-Installing, updating, and removing the Connected Machine agent will not require you to restart your server.
+Installing, upgrading, or removing the Connected Machine agent will not require you to restart your server.
 
 After installing the Connected Machine agent for Linux, the following system-wide configuration changes are applied.
 
diff --git a/articles/azure-arc/servers/manage-agent.md b/articles/azure-arc/servers/manage-agent.md
@@ -105,7 +105,7 @@ To clear a configuration property's value, run the following command:
 
 The Azure Connected Machine agent is updated regularly to address bug fixes, stability enhancements, and new functionality. [Azure Advisor](../../advisor/advisor-overview.md) identifies resources that are not using the latest version of machine agent and recommends that you upgrade to the latest version. It will notify you when you select the Azure Arc-enabled server by presenting a banner on the **Overview** page or when you access Advisor through the Azure portal.
 
-The Azure Connected Machine agent for Windows and Linux can be upgraded to the latest release manually or automatically depending on your requirements. Installing, upgrading, and uninstalling the Azure Connected Machine Agent will not require you to restart your server.
+The Azure Connected Machine agent for Windows and Linux can be upgraded to the latest release manually or automatically depending on your requirements. Installing, upgrading, or uninstalling the Azure Connected Machine Agent will not require you to restart your server.
 
 The following table describes the methods supported to perform the agent upgrade.
 
diff --git a/articles/azure-arc/servers/security-overview.md b/articles/azure-arc/servers/security-overview.md
@@ -30,11 +30,11 @@ To manage the Azure Connected Machine agent (azcmagent) on Windows, your user ac
 
 The Azure Connected Machine agent is composed of three services, which run on your machine.
 
-* The Hybrid Instance Metadata Service (himds) service is responsible for all core functionality of Arc. This includes sending heartbeats to Azure, exposing a local instance metadata service for other apps to learn about the machine’s Azure resource ID, and retrieve Azure AD tokens to authenticate to other Azure services. This service runs as an unprivileged virtual service account on Windows, and as the **himds** user on Linux.
+* The Hybrid Instance Metadata Service (himds) service is responsible for all core functionality of Arc. This includes sending heartbeats to Azure, exposing a local instance metadata service for other apps to learn about the machine’s Azure resource ID, and retrieve Azure AD tokens to authenticate to other Azure services. This service runs as an unprivileged virtual service account (NT SERVICE\\himds) on Windows, and as the **himds** user on Linux. The virtual service account requires the Log on as a Service right on Windows.
 
 * The Guest Configuration service (GCService) is responsible for evaluating Azure Policy on the machine.
 
-* The Guest Configuration Extension service (ExtensionService) is responsible for installing, updating, and deleting extensions (agents, scripts, or other software) on the machine.
+* The Guest Configuration Extension service (ExtensionService) is responsible for installing, upgrading, and deleting extensions (agents, scripts, or other software) on the machine.
 
 The guest configuration and extension services run as Local System on Windows, and as root on Linux.
 
