Commit 687988d

Learn Build Service GitHub App authored and committed
Merging changes synced from https://github.com/MicrosoftDocs/azure-stack-docs-pr (branch live)
2 parents e47e654 + adea9d7 commit 687988d

5 files changed, +22 -12 lines changed

AKS-Arc/aks-arc-diagnostic-checker.md

Lines changed: 0 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -105,7 +105,6 @@ $urlArray = @(
105105
"https://k8connecthelm.azureedge.net",
106106
"https://guestnotificationservice.azure.com",
107107
"https://sts.windows.net",
108-
"https://k8sconnectcsp.azureedge.net",
109108
"https://graph.microsoft.com"
110109
)
111110
$urlList=$urlArray -join ","
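
Review bot: The removal of `"https://k8sconnectcsp.azureedge.net"` from `$urlArray` (old line 108) is not explained anywhere in the visible change, and the commit message only records a merge sync. Please state in the article or the change description why the checker no longer tests this endpoint, and confirm that the firewall URL allowlist documentation for AKS Arc is updated in step, so that operators neither keep an egress rule open for a host that is no longer used nor drop one that is still required.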

AKS-Arc/aks-hci-network-system-requirements.md

Lines changed: 6 additions & 6 deletions
Original file line number | Diff line number | Diff line change
@@ -30,7 +30,7 @@ Kubernetes nodes are deployed as specialized virtual machines in AKS enabled by
3030
3131
The following parameters are required in order to use a logical network for AKS Arc cluster create operation:
3232

33-
| Logical network parameter| Description| Required parameter for AKS Arc cluster|
33+
| [Az CLI logical networks parameter](/azure-stack/hci/manage/create-logical-networks?tabs=azurecli) | Description| Required parameter for AKS Arc cluster|
3434
|------------------|---------|-----------|
3535
| `--address-prefixes` | AddressPrefix for the network. Currently only 1 address prefix is supported. Usage: `--address-prefixes "10.220.32.16/24"`. | ![Supported](media/aks-hybrid-networks/check.png) |
3636
| `--dns-servers` | Space-separated list of DNS server IP addresses. Usage: `--dns-servers 10.220.32.16 10.220.32.17`. | ![Supported](media/aks-hybrid-networks/check.png) |
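
Review bot: In the new header cell at line 33, the link text reads "Az CLI logical networks parameter" and the cell is now a link while the other two header cells stay plain text. Suggest spelling the product name out as "Azure CLI" and moving the link into the introductory sentence at line 31, which keeps the header short and consistent with the rest of the table.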
@@ -76,12 +76,12 @@ You need to ensure that the DNS server of the logical network can resolve the FQ
7676

7777
When you deploy Azure Local, you allocate a contiguous block of at least [six static IP addresses on your management network's subnet](/azure-stack/hci/deploy/deploy-via-portal#specify-network-settings), omitting addresses already used by the physical machines. These IPs are used by Azure Local and internal infrastructure (Arc Resource Bridge) for Arc VM management and AKS Arc. If your management network that provides IP addresses to Arc Resource Bridge related Azure Local services are on a different VLAN than the logical network you used to create AKS clusters, you need to ensure that the following ports are opened to successfully create and operate an AKS cluster.
7878

79-
| Destination Port | Destination | Source | Description | Cross VLAN networking notes |
79+
| Destination Port | Destination | Source | Description | Bi-directional cross VLAN networking notes |
8080
|------------------|-------------|--------|-------------|----------------|
81-
| 22 | Logical network used for AKS Arc VMs | IP addresses in management network | Required to collect logs for troubleshooting. | If you use separate VLANs, IP addresses in management network used for Azure Local and Arc Resource Bridge need to access the AKS Arc cluster VMs on this port.|
82-
| 6443 | Logical network used for AKS Arc VMs | IP addresses in management network | Required to communicate with Kubernetes APIs. | If you use separate VLANs, IP addresses in management network used for Azure Local and Arc Resource Bridge need to access the AKS Arc cluster VMs on this port.|
83-
| 55000 | IP addresses in management network | Logical network used for AKS Arc VMs | Cloud Agent gRPC server | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port. |
84-
| 65000 | IP addresses in management network | Logical network used for AKS Arc VMs | Cloud Agent gRPC authentication | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port. |
81+
| 22 | Logical network used for AKS Arc VMs | IP addresses in management network | Required to collect logs for troubleshooting. | If you use separate VLANs, IP addresses in management network used for Azure Local and Arc Resource Bridge need to access the AKS Arc cluster VMs on this port and vice-versa.|
82+
| 6443 | Logical network used for AKS Arc VMs | IP addresses in management network | Required to communicate with Kubernetes APIs. | If you use separate VLANs, IP addresses in management network used for Azure Local and Arc Resource Bridge need to access the AKS Arc cluster VMs on this port and vice-versa.|
83+
| 55000 | IP addresses in management network | Logical network used for AKS Arc VMs | Cloud Agent gRPC server | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port and vice-versa. |
84+
| 65000 | IP addresses in management network | Logical network used for AKS Arc VMs | Cloud Agent gRPC authentication | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port and vice-versa. |
8585

8686
## Next steps
8787
[IP address planning and considerations for Kubernetes clusters and applications](aks-hci-ip-address-planning.md)
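
Review bot: Appending "and vice-versa" to all four rows (lines 81 to 84) conflicts with the Destination and Source columns, which still describe one direction only, so a reader writing firewall rules cannot tell whether each side must be able to initiate connections or whether only return traffic is meant. For the port 22 row, read literally, this asks for the port to be reachable from the AKS Arc VMs toward the management network as well. Suggest stating per row which side initiates, adding a separate row with its own Source and Destination where the reverse direction is really required, and writing "vice versa" without the hyphen.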

azure-local/TOC.yml

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -182,7 +182,7 @@ items:
182182
- name: About security features
183183
href: concepts/security-features.md
184184
- name: Download Azure Local security book
185-
href: https://assetsprod.microsoft.com/mpn/azure-stack-hci-security-book.pdf
185+
href: https://github.com/Azure-Samples/AzureLocal/blob/main/SecurityBook/Azure%20Local%20Security%20Book_01172025.pdf
186186
- name: Assess environment readiness
187187
href: manage/use-environment-checker.md
188188
- name: Configure advanced Active Directory settings
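
Review bot: The new `href` at line 185 points at a `blob/main` path with a date-stamped file name (`Azure%20Local%20Security%20Book_01172025.pdf`), so the link breaks as soon as the next revision of the book is committed under a new name, and it opens the GitHub file viewer instead of downloading, although the entry is named "Download Azure Local security book". Suggest linking to a location that stays stable across revisions, such as the `SecurityBook` folder or a redirect the docs team controls, so the TOC does not need an edit for each new edition.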

azure-local/concepts/security-features.md

Lines changed: 13 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -88,7 +88,7 @@ For more information, see the full [List of option rules](/windows/security/appl
8888
Allow rules in the base policy allow all Microsoft components delivered by the OS and the cloud deployments to be trusted. Deny rules block user mode applications and kernel components considered unsafe for the security posture of the solution.
8989

9090
> [!NOTE]
91-
> The Allow and Deny rules in the base policy are updated regularly to improve product funtionality and maximize protection of your solution.
91+
> The Allow and Deny rules in the base policy are updated regularly to improve product functionality and maximize protection of your solution.
9292
9393
To learn more about Deny rules, see:
9494

@@ -134,7 +134,7 @@ In this release, the following capabilities are enabled:
134134
- The ability to monitor and alert whether certificates are still valid.
135135

136136
> [!NOTE]
137-
> Secret creation and rotation operations take about ten minutes to complete, depending on the size of the system.
137+
> Secret creation and rotation operations take about 10 minutes to complete, depending on the size of the system.
138138
139139
For more information, see [Manage secrets rotation](../manage/manage-secrets-rotation.md).
140140

@@ -154,6 +154,17 @@ The syslog forwarder in Azure Local supports various configurations based on whe
154154

155155
For more information, see [Manage syslog forwarding](../manage/manage-syslog-forwarding.md).
156156

157+
## Microsoft Defender Antivirus
158+
159+
Azure Local comes with Microsoft Defender Antivirus enabled and configured by default. We strongly recommend that you use Microsoft Defender Antivirus with your Azure Local instances. Microsoft Defender Antivirus provides real-time protection, cloud-delivered protection, and automatic sample submission.
160+
161+
Although we recommend using Microsoft Defender Antivirus for Azure Local, if you prefer third-party antivirus and security software, we advise selecting one that your Independent Software Vendor (ISV) has validated for Azure Local to minimize potential functionality issues.
162+
163+
For more information, see [Microsoft Defender Antivirus compatibility with other security products](/defender-endpoint/microsoft-defender-antivirus-compatibility).
164+
165+
> [!NOTE]
166+
> If you remove the Microsoft Defender Antivirus feature, leave the settings associated with the feature from the security baseline as-is. You don't need to remove these settings.
167+
157168
## Microsoft Defender for Cloud (preview)
158169

159170
Microsoft Defender for Cloud is a security posture management solution with advanced threat protection capabilities. It provides you with tools to assess the security status of your infrastructure, protect workloads, raise security alerts, and follow specific recommendations to remediate attacks and address future threats. It performs all these services at high speed in the cloud through autoprovisioning and protection with Azure services, with no deployment overhead.
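
Review bot: In the paragraph at line 161, "one that your Independent Software Vendor (ISV) has validated for Azure Local" leaves open who the ISV is (the antivirus vendor or another party) and where a reader finds that validation; please name the party and link to a list if one exists. The note at line 166 tells readers to leave the security baseline settings as-is after removing the feature but gives no reason, and the section never says how the feature is removed or what effect the leftover settings have once it is gone. One sentence on each would let an operator verify the instruction.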

azure-local/manage/virtual-machine-image-linux-sysprep.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ ms.author: alkohli
66
ms.topic: how-to
77
ms.service: azure-local
88
ms.custom: devx-track-azurecli, linux-related-content
9-
ms.date: 11/25/2024
9+
ms.date: 01/23/2025
1010
---
1111

1212
# Prepare an Ubuntu image for Azure Local virtual machines
@@ -20,7 +20,7 @@ This article describes how to prepare an Ubuntu image to create a virtual machin
2020
Before you begin, meet the following prerequisites:
2121

2222
- Have access to an Azure Local instance. This system is deployed, registered, and connected to Azure Arc. Go to the **Overview** page in the Azure Local resource. On the **Server** tab on the right pane, **Azure Arc** should appear as **Connected**.
23-
- [Download the latest supported Ubuntu server image](https://ubuntu.com/download/server) on your Azure Local system. The supported OS versions are *Ubuntu 18.04*, *20.04*, and *22.04 LTS*. You prepare this image to create a VM image.
23+
- [Download the latest supported Ubuntu server image](https://ubuntu.com/download/server) on your Azure Local system. The supported OS versions are *20.04*, *22.04*, *24.04 LTS*. You prepare this image to create an Azure Local VM image.
2424

2525
## Workflow
2626
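
Review bot: The reworded list at line 23, "*20.04*, *22.04*, *24.04 LTS*", drops both the "Ubuntu" prefix and the "and" that the old sentence had, and the italics now attach "LTS" to the last version only. Suggest "*Ubuntu 20.04*, *22.04*, and *24.04 LTS*". Since 18.04 is removed from the supported list, also check the rest of the article for steps that still refer to it.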
