Commit 36ef56a

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-stack-docs-pr into rb-post-ignite-minor
2 parents 4260042 + 32843b8 commit 36ef56a

7 files changed, +38 -9 lines changed

azure-local/deploy/deployment-arc-register-server-permissions.md

Lines changed: 2 additions & 2 deletions
@@ -57,7 +57,7 @@ Before you begin, make sure you've completed the following prerequisites:
5757
> [!IMPORTANT]
5858
> Run these steps on every Azure Local machine that you intend to cluster.
5959
60-
1. Install the [Arc registration script](https://www.powershellgallery.com/packages/AzSHCI.ARCInstaller) from PSGallery. **This step is only required if you're using an OS ISO that's older than 2408**. For more information, see [What's new in 2408](../whats-new.md#features-and-improvements-in-2408).
60+
<!-- 1. Install the [Arc registration script](https://www.powershellgallery.com/packages/AzSHCI.ARCInstaller) from PSGallery. **This step is only required if you're using an OS ISO that's older than 2408**. For more information, see [What's new in 2408](../whats-new.md#features-and-improvements-in-2408).
6161
6262
# [PowerShell](#tab/powershell)
6363
```powershell
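
Review bot: Line 60 hides the AzSHCI.ARCInstaller install step behind `<!--` instead of deleting or rewording it, so a reader on an OS ISO older than 2408 (the case the step itself says still needs it) now gets no instruction at all. If pre-2408 ISOs are still supported, keep the step visible as a conditional note; if they are not, delete the block outright rather than leaving commented-out content in the source. The opener also swallows the `# [PowerShell](#tab/powershell)` tab marker on line 62, so check that the rest of that tab group sits inside the comment as well.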
@@ -88,7 +88,7 @@ Before you begin, make sure you've completed the following prerequisites:
8888
and import the NuGet provider now?
8989
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
9090
PS C:\Users\SetupUser>
91-
```
91+
``` -->
9292

9393
1. Set the parameters. The script takes in the following parameters:
9494
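
Review bot: On line 91 the comment terminator is appended to the closing fence as "``` -->", which couples the two: anyone who later restores the step has to notice that `-->` lives on the fence line. Put `-->` on its own line after the fence. Also confirm that "Set the parameters" on line 93 still reads correctly as the first numbered step now that the step before it is hidden.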

azure-local/known-issues-2411.md

Lines changed: 3 additions & 2 deletions
@@ -46,8 +46,9 @@ The following table lists the known issues in this release:
4646
|---------|---------|---------|
4747
| Security vulnerability <!--ADO--> |Microsoft has identified a security vulnerability that could expose the local admin credentials used during the creation of Arc VMs on Azure Local to non-admin users on the VM and on the hosts. <br> Arc VMs running on releases prior to Azure Local 2411 release are vulnerable. |To identify the Arc VMs that require this change and to change the account passwords, see detailed instructions in: [Security vulernability for Arc VMs on Azure Local](https://aka.ms/CVE-2024-49060).|
4848
| Deployment <!--30273426--> |If the timezone is not set to UTC before you deploy Azure Local, an *ArcOperationTimeOut* error occurs during validation. The following error message is displayed: *OperationTimeOut, No updates received from device for operation.* |Depending on your scenario, choose one of the following workarounds for this issue: <br><br> **Scenario 1.** Before you start the deployment, make sure that the timezone is set to UTC. <br><br>Connect to each of the Azure Local nodes and change the timezone to UTC. <br><br> Run the following command: `Set-TimeZone -Id "UTC"`. <br><br> **Scenario 2.** If you started the deployment without setting the UTC timezone and received the error mentioned in the validation phase, follow these steps:<br><br> 1. Connect to each Azure Local node. Change the time zone to UTC with `Set-TimeZone -Id "UTC"`. Reboot the nodes.<br><br> 2. After the nodes have restarted, go to the Azure Local resource in Azure portal. Start the validation again to resolve the issue and continue with the deployment.|
49-
| Update <!--ADO--> | With the 2411 release, applying a Solution Builder Extension package requires a separate update run. Solution and Solution Builder Extension update are not combined in a single update run. ||
50-
| Update <!--ADO--> | When applying solution update, the update fails at the step "update ARB and extension" error "Clear-AzContext failed with 0 and Exception calling "Initialize" with "1" argument(s): "Object reference not set to an instance of an object." |Follow these steps on each node of the system. <br> 1. Check if `Az.Accounts` PowerShell module version 3.0.4 is installed. Run the following command: <br><br> `Get-InstalledModule Az.Accounts`<br><br> Verify that the version in output is 3.0.4. <br><br> 2. Force install `Az.Accounts` PowerShell module version 3.0.3. Run the following commands: <br><br> `Uninstall-Module -Name Az.Accounts -RequiredVersion 3.0.4 -Force`<br> `Install-Module -Name Az.Accounts -RequiredVersion 3.0.3 -Force` <br><br> 3. Confirm `Az.Accounts` PowerShell module version 3.0.3 is installed. Run the following command:<br><br> `Get-InstalledModule Az.Accounts`. <br><br>Verify that the version in the output is 3.0.3. <br><br>4. Retry the update. |
49+
| Update <!--ADO--> | With the 2411 release, solution and Solution Builder Extension update are not combined in a single update run. |To apply a Solution Builder Extension package, you need a separate update run.|
50+
| Update <!--30221399--> | When applying solution update in this release, the update can fail. The issue that causes the failure can result in one of the following error messages: <br><br>**Error 1** - The step "update ARB and extension" error "Clear-AzContext failed with 0 and Exception calling "Initialize" with "1" argument(s): "Object reference not set to an instance of an object." at "Clear-AzPowerShellCache". <br><br>**Error 2** - The step "EvalTVMFlow" error "CloudEngine.Actions.InterfaceInvocationFailedException: Type 'EvalTVMFlow' of Role 'ArcIntegration' raised an exception: This module requires `Az.Accounts` version 3.0.5. An earlier version of `Az.Accounts` is imported in the current PowerShell session. Please open a new session before importing this module. This error could indicate that multiple incompatible versions of the Azure PowerShell cmdlets are installed on your system. Please see https://aka.ms/azps-version-error for troubleshooting information." <br><br> Depending on the version of PowerShell modules, the above error could be reported for both versions 3.0.4 and 3.0.5.|For detailed steps on how to mitigate this issue, go to: [https://aka.ms/azloc-update-30221399](https://aka.ms/azloc-update-30221399). |
51+
5152

5253

5354
## Known issues from previous releases
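
Review bot: In the added row for 30221399 (line 50), the closing sentence "the above error could be reported for both versions 3.0.4 and 3.0.5" does not say whether it means Error 1 or Error 2, and does not name `Az.Accounts` as the module; spell both out. The row also replaces the inline `Az.Accounts` 3.0.3 rollback steps with an aka.ms link only, so the page itself no longer carries any remediation; keep a one-line summary of the fix next to the link. The rewritten Solution Builder Extension row on line 49 still carries the `<!--ADO-->` placeholder, and the unchanged security row above has "vulernability" in its link text, which is worth fixing while this table is open.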

azure-local/manage/azure-site-recovery.md

Lines changed: 1 addition & 1 deletion
@@ -241,7 +241,7 @@ Here's a list of known issues and the associated workarounds in this release:
241241
| \# | Issue | Workaround/Comments |
242242
|----|----------------------|---------------------------|
243243
| 1. | When you register Azure Site Recovery with a system, a machine fails to install Azure Site Recovery or register to the Azure Site Recovery service. | In this instance, your VMs may not be protected. Verify that all machines in the system are registered in the Azure portal by going to the **Recovery Services vault** \> **Jobs** \> **Site Recovery Jobs**. |
244-
| 2. | Azure Site Recovery agent fails to install. No error details are seen at the system or machine levels in the Azure Local portal. | When the Azure Site Recovery agent installation fails, it is because of the one of the following reasons: <br><br> - Installation fails as Hyper-V isn't set up on the . </br><br> - The Hyper-V host is already associated to a Hyper-V site and you're trying to install the extension with a different Hyper-V site. </br> |
244+
| 2. | Azure Site Recovery agent fails to install. No error details are seen at the system or machine levels in the Azure Local portal. | When the Azure Site Recovery agent installation fails, it is because of the one of the following reasons: <br><br> - Installation fails as Hyper-V isn't set up on the host. </br><br> - The Hyper-V host is already associated to a Hyper-V site and you're trying to install the extension with a different Hyper-V site. </br> |
245245
| 3. | Azure Site Recovery agent fails to install. Error message of "Microsoft Azure Site Recovery Provider installation has failed with exit code - 1." appears in the portal with the failed installation. | The installation fails when WDAC is enforced. <br><br> - Setting WDAC to "Audit" mode will allow the installation to complete. To set the WDAC mode to be Audit, you can follow the instructions in [Manage WDAC settings with PowerShell](/azure-stack/hci/manage/manage-wdac#manage-wdac-settings-with-powershell) |
246246

247247
## Next steps
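
Review bot: Line 244 fixes the missing word ("set up on the host") but leaves two other defects in the same cell: "it is because of the one of the following reasons" should read "it is because of one of the following reasons", and `</br>` is not a valid tag (the row already uses `<br>`), so remove both `</br>` occurrences. Separately, the unchanged row 3 tells readers to set WDAC to "Audit" mode so the installer can complete but never says to return WDAC to enforced mode afterwards; add that step, since a machine left in audit mode no longer blocks anything the policy would otherwise deny.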

azure-local/manage/manage-secure-baseline.md

Lines changed: 17 additions & 0 deletions
@@ -44,6 +44,23 @@ The following table explains the rules that aren't compliant and the rationale o
4444
| Interactive logon: Message title for users attempting to log on| Not Compliant | Warning - "" is equal to "" |This must be defined by customer, it does not have drift control enabled.|
4545
| Minimum password length | Not Compliant | Critical - Seven is less than the minumum value of 14. | This must be defined by customer, it does not have drift control enabled in order to allow this setting to align with your organization's policies.|
4646

47+
### Fixing the compliance for the rules
48+
49+
To fix the compliance for the rules, run the following commands or use any other tool you prefer:
50+
51+
1. **Legal notice**: Create a custom value for legal notice depending on your organization's needs and policies. Run the following commands:
52+
53+
```PowerShell
54+
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LegalNoticeCaption" -Value "Legal Notice"
55+
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LegalNoticeText" -Value "LegalNoticeText"
56+
```
57+
58+
1. **Minimum password length**: Set the minimum password length policy to 14 characthers on the Azure Local machine. The default value is 7, and any value below 14 is still flagged by the monitoring baseline policy. Run the following commands:
59+
60+
```PowerShell
61+
net accounts /minpwlen:14
62+
```
63+
4764
## Manage security defaults with PowerShell
4865
4966
With drift protection enabled, you can only modify nonprotected security settings. To modify protected security settings that form the baseline, you must first disable drift protection. To view and download the complete list of security settings, see [Security Baseline](https://aka.ms/hci-securitybase).
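
Review bot: On line 55 the sample sets `LegalNoticeText` to the literal string "LegalNoticeText" (and line 54 sets the caption to "Legal Notice"), which reads like a real value and will be applied verbatim by anyone who copies the block; use an obvious placeholder such as `<your legal notice text>` and say so in the step. Line 58 has the typo "characthers", and "Run the following commands" should be singular there since only `net accounts /minpwlen:14` follows. As shown, both list items are numbered `1.` with the fences at column 0, so check that the rendered list numbers as 1 and 2 and that each code block nests under its item. The heading "Fixing the compliance for the rules" would read better as "Fix noncompliant rules".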

azure-local/manage/virtual-machine-image-local-share.md

Lines changed: 2 additions & 2 deletions
@@ -7,7 +7,7 @@ ms.topic: how-to
77
ms.service: azure-stack-hci
88
ms.custom:
99
- devx-track-azurecli
10-
ms.date: 10/28/2024
10+
ms.date: 11/21/2024
1111
---
1212

1313
# Create Azure Local VM image using images in a local share
@@ -251,4 +251,4 @@ You might want to delete a VM image if the download fails for some reason or if
251251
252252
## Next steps
253253
254-
- [Create logical networks](./create-virtual-networks.md)
254+
- [Create logical networks](create-logical-networks.md).
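
Review bot: The new link target on line 254 changes both the file name (`create-virtual-networks.md` to `create-logical-networks.md`) and the path form (drops `./`), and none of the 7 files in this commit adds or renames that article; confirm `create-logical-networks.md` exists beside this file in `azure-local/manage/` so the link resolves. The other relative links touched in this commit keep the `./` prefix, so keep it here for consistency.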

azure-local/overview.md

Lines changed: 2 additions & 1 deletion
@@ -5,7 +5,7 @@ ms.topic: overview
55
author: alkohli
66
ms.author: alkohli
77
ms.service: azure-stack-hci
8-
ms.date: 11/18/2024
8+
ms.date: 11/19/2024
99
ms.custom: e2e-hybrid, linux-related-content
1010
---
1111

@@ -134,4 +134,5 @@ Some Microsoft partners are developing software that extends the capabilities of
134134

135135
## Next steps
136136

137+
- Read the blog post: [Introducing Azure Local: cloud infrastructure for distributed locations enabled by Azure Arc](https://techcommunity.microsoft.com/blog/azurearcblog/introducing-azure-local-cloud-infrastructure-for-distributed-locations-enabled-b/4296017).
137138
- Learn more about [Azure Local, version 23H2 deployment](./deploy/deployment-introduction.md).

azure-local/whats-new.md

Lines changed: 11 additions & 1 deletion
@@ -5,7 +5,7 @@ ms.topic: overview
55
author: alkohli
66
ms.author: alkohli
77
ms.service: azure-stack-hci
8-
ms.date: 11/18/2024
8+
ms.date: 11/19/2024
99
---
1010

1111
# What's new in Azure Local, version 23H2
@@ -48,6 +48,16 @@ This is a baseline release with the following features and improvements:
4848

4949
For more information, see [Add a network interface on your Azure Local](./manage/manage-arc-virtual-machine-resources.md#add-a-network-interface).
5050

51+
- **Security improvements** - Starting this release, the security posture of Azure Local is enhanced with the following improvements:
52+
53+
- **Security posture following Azure Local, version 22H2 to version 23H2 upgrade** - Warnings and guardrails were added in the upgrade flow. Documentation was also updated to reflect the security posture of Azure Local after upgrading from version 22H2 to version 23H2.
54+
55+
For more information, see [Manage security after upgrading Azure Local from version 22H2 to version 23H2](./manage/manage-security-post-upgrade.md).
56+
57+
- **Improved security baseline compliance** - Starting this release, the security settings on the Azure Local nodes are compared against the security baseline with full accuracy. On the right secured-core hardware, you achieve a 99% compliance score, which you can view in the Azure portal.
58+
59+
For more information, see [View security baseline compliance in the Azure portal](./manage/manage-secure-baseline.md#view-security-baseline-compliance-in-the-azure-portal).
60+
5161
- **AKS on Azure Local** - This release has several new features and enhancements for AKS on Azure Local. For more information, see [What's new in AKS on Azure Local](/azure/aks/hybrid/aks-whats-new-23h2).
5262

5363
## [2408 releases](#tab/2408releases)
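
Review bot: Line 57 claims settings are compared "with full accuracy" and that "on the right secured-core hardware, you achieve a 99% compliance score", but neither phrase is defined: say which hardware qualifies and whether 99% is the out-of-box score or the score after the customer-defined rules are set. The manage-secure-baseline.md change in this same commit documents rules (legal notice, minimum password length) that stay Not Compliant until the customer sets them, so the two pages should agree. Also confirm that `./manage/manage-security-post-upgrade.md` and the `#view-security-baseline-compliance-in-the-azure-portal` anchor exist, since neither is added in the visible hunks.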
