Merge branch 'main' of https://github.com/MicrosoftDocs/azure-stack-docs-pr into updps

Author: alkohli

AKS-Hybrid/aks-edge-troubleshoot-overview.md

@@ -4,7 +4,7 @@ description: Learn about common issues and workarounds in AKS Edge Essentials.
 author: sethmanheim
 ms.author: sethm
 ms.topic: conceptual
-ms.date: 07/22/2024
+ms.date: 12/12/2024
 ms.custom: template-concept
 ---
 
@@ -59,6 +59,10 @@ This script checks for the missing images and reimports them as needed.
 
    :::image type="content" source="media/aks-edge/aks-edge-azure-arc-proxy.png" alt-text="Screenshot showing internet options." lightbox="media/aks-edge/aks-edge-azure-arc-proxy.png":::
 
+## Can't fully delete AKS Arc cluster with PodDisruptionBudget (PDB) resources
+
+For information about this known issue, see [Can't fully delete AKS Arc cluster with PDB resources](delete-cluster-pdb.md) in the AKS Arc documentation.
+
 ## Offline deployments
 
 ### Failed to get nodeagent certificate: Not Found

AKS-Hybrid/delete-cluster-pdb.md

@@ -4,14 +4,14 @@ description: Learn how to troubleshoot when deleted workload cluster resources c
 ms.topic: troubleshooting
 author: sethmanheim
 ms.author: sethm
-ms.date: 11/18/2024
+ms.date: 12/12/2024
 ms.reviewer: leslielin
 
 ---
 
 # Can't fully delete AKS Arc cluster with PodDisruptionBudget (PDB) resources
 
-[!INCLUDE [hci-applies-to-23h2](includes/hci-applies-to-23h2.md)]
+[!INCLUDE [hci-applies-to-23h2](includes/hci-applies-to-23h2.md)], AKS Edge Essentials
 
 When you delete an AKS Arc cluster that has [PodDisruptionBudget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) (PDB) resources, the deletion might fail to remove the PDB resources. By default, PDB is installed in the workload identity-enabled AKS Arc cluster.
 
@@ -37,12 +37,24 @@ Before you delete the AKS Arc cluster, access the AKS Arc cluster's **kubeconfig
     kubectl delete pdb azure-wi-webhook-controller-manager -n arc-workload-identity 
     ```
 
-1. Delete the AKS Arc cluster:
+### [AKS on Azure Local](#tab/aks-on-azure-local)
+
+4. Delete the AKS Arc cluster:
 
     ```azurecli
     az aksarc delete -n $aks_cluster_name -g $resource_group_name
     ```
 
+### [AKS Edge Essentials](#tab/aks-edge-essentials)
+
+4. Delete the AKS Arc cluster:
+
+    ```azurecli
+    az connectedk8s delete -n <cluster_name> -g <resource_group>
+    ```
+
+---
+
 ## Next steps
 
 [Known issues in AKS enabled by Azure Arc](aks-known-issues.md)

azure-local/TOC.yml

@@ -382,7 +382,7 @@ items:
     items:
     - name: Manage security defaults
       href: manage/manage-secure-baseline.md
-    - name: Manage application control (WDAC)
+    - name: Manage Application Control
       href: manage/manage-wdac.md
     - name: Manage BitLocker encryption
       href: manage/manage-bitlocker.md

azure-local/assurance/azure-stack-hipaa-guidance.md

@@ -1,7 +1,7 @@
 ---
 title: HIPAA guidance for Azure Local
 description: Learn about HIPAA compliance using Azure Local.
-ms.date: 11/08/2024
+ms.date: 12/12/2024
 ms.topic: conceptual
 ms.service: azure-stack-hci
 ms.author: nguyenhung
@@ -66,7 +66,7 @@ On Azure Local instances, all data-at-rest can be encrypted via BitLocker XTS-AE
 
 #### Protecting external network traffic with TLS/DTLS
 
-By default, all host communications to local and remote endpoints are encrypted using TLS1.2, TLS1.3, and DTLS 1.2. The platform disables the use of older protocols/hashes such as TLS/DTLS 1.1 SMB1. Azure Stack HCI also supports strong cipher suites like [SDL-compliant](https://www.microsoft.com/securityengineering/sdl/) elliptic curves, limited to NIST curves P-256 and P-384 only.
+By default, all host communications to local and remote endpoints are encrypted using TLS1.2, TLS1.3, and DTLS 1.2. The platform disables the use of older protocols/hashes such as TLS/DTLS 1.1 SMB1. Azure Local also supports strong cipher suites like [SDL-compliant](https://www.microsoft.com/securityengineering/sdl/) elliptic curves, limited to NIST curves P-256 and P-384 only.
 
 #### Protecting internal network traffic with Server Message Block (SMB)
 
@@ -104,7 +104,7 @@ Metrics store numeric data from monitored resources into a time-series database.
 
 #### Log alerts
 
-To indicate problems in real time, you may set up alerts for Azure Stack HCI systems, using pre-existing sample log queries such as average server CPU, available memory, available volume capacity and more. Learn more at [Set up alerts for Azure Local systems](/azure-stack/hci/manage/setup-hci-system-alerts).
+To indicate problems in real time, you may set up alerts for Azure Local systems, using pre-existing sample log queries such as average server CPU, available memory, available volume capacity and more. Learn more at [Set up alerts for Azure Local systems](/azure-stack/hci/manage/setup-hci-system-alerts).
 
 #### Metric alerts
 
@@ -120,9 +120,9 @@ Azure Local provides service-based alerts for connectivity, OS updates, Azure co
 
 Windows Defender Antivirus is a utility application that enables enforcement of real-time system scanning and periodic scanning to protect platform and workloads against viruses, malware, spyware, and other threats. By default, Microsoft Defender Antivirus is enabled on Azure Local. Microsoft recommends using Microsoft Defender Antivirus with Azure Local rather than third-party antivirus and malware detection software and services as they may impact the operating system's ability to receive updates. Learn more at [Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server).
 
-#### Windows Defender Application Control
+#### Application Control
 
-Windows Defender Application Control (WDAC) is enabled by default on Azure Local to control which drivers and applications are allowed to run directly on each server, helping prevent malware from accessing the system. Learn more about base policies included in Azure Local and how to create supplemental policies at [Manage Windows Defender Application Control for Azure Local](/azure-stack/hci/concepts/security-windows-defender-application-control).
+Application Control is enabled by default on Azure Local to control which drivers and applications are allowed to run directly on each server, helping prevent malware from accessing the system. Learn more about base policies included in Azure Local and how to create supplemental policies at [Manage Application Control for Azure Local](/azure-stack/hci/concepts/security-windows-defender-application-control).
 
 #### Microsoft Defender for Cloud
 

azure-local/concepts/azure-hybrid-benefit.md

@@ -6,7 +6,7 @@ ms.author: sethm
 ms.topic: conceptual
 ms.service: azure-stack-hci
 ms.custom: devx-track-azurepowershell
-ms.date: 11/08/2024
+ms.date: 12/09/2024
 ---
 
 # Azure Hybrid Benefit for Azure Local

azure-local/concepts/media/azure-hybrid-benefit/activate-azure-hybrid-benefit.png

@@ -5,7 +5,7 @@ author: alkohli
 ms.author: alkohli
 ms.topic: conceptual
 ms.service: azure-stack-hci
-ms.date: 11/15/2024
+ms.date: 12/11/2024
 ---
 
 # Security features for Azure Local, version 23H2
@@ -16,7 +16,7 @@ ms.date: 11/15/2024
 
 Azure Local is a secure-by-default product that has more than 300 security settings enabled right from the start. Default security settings provide a consistent security baseline to ensure that devices start in a known good state.
 
-This article provides a brief conceptual overview of the various security features associated with your Azure Local instance. Features include security defaults, Windows Defender for Application Control (WDAC), volume encryption via BitLocker, secret rotation, local built-in user accounts, Microsoft Defender for Cloud, and more.
+This article provides a brief conceptual overview of the various security features associated with your Azure Local instance. Features include security defaults, Application Control, volume encryption via BitLocker, secret rotation, local built-in user accounts, Microsoft Defender for Cloud, and more.
 
 ## Security defaults
 
@@ -34,16 +34,16 @@ Secure baseline on Azure Local:
 
 For more information, see [Manage security defaults on Azure Local](../manage/manage-secure-baseline.md).
 
-## Windows Defender Application Control
+## Application Control
 
-WDAC is a software-based security layer that reduces attack surface by enforcing an explicit list of software that is allowed to run. WDAC is enabled by default and limits the applications and code that you can run on the core platform. For more information, see [Manage Windows Defender Application Control for Azure Local, version 23H2](../manage/manage-wdac.md#manage-wdac-settings-with-powershell).
+Application Control is a software-based security layer that reduces attack surface by enforcing an explicit list of software that is allowed to run. Application Control is enabled by default and limits the applications and code that you can run on the core platform. For more information, see [Manage Application Control for Azure Local, version 23H2](../manage/manage-wdac.md#manage-application-control-settings-with-powershell).
 
-WDAC provides two main operation modes, Enforcement mode and Audit mode. In Enforcement mode, untrusted code is blocked and events are recorded. In Audit mode, untrusted code is allowed to run and events are recorded. To learn more about WDAC-related events, see [List of Events](/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations).
+Application Control provides two main operation modes, Enforcement mode and Audit mode. In Enforcement mode, untrusted code is blocked and events are recorded. In Audit mode, untrusted code is allowed to run and events are recorded. To learn more about Application Control-related events, see [List of Events](/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations).
 
 > [!IMPORTANT]
-> To minimize security risk, always run WDAC in Enforcement mode.
+> To minimize security risk, always run Application Control in Enforcement mode.
 
-### About WDAC policy design
+### About Application Control policy design
 
 Microsoft provides base signed policies on Azure Local for both Enforcement mode and Audit mode. Additionally, policies include a predefined set of platform behavior rules and block rules to apply to the application control layer.
 
@@ -57,7 +57,7 @@ Azure Local base policies include the following sections:
 
 #### Option rules
 
-This section discussed the option rules enabled by the base policy. 
+This section discussed the option rules enabled by the base policy.
 
 For the enforced policy, the following option rules are enabled by default:
 

azure-local/concepts/media/azure-hybrid-benefit/activate-windows-server-subscription.png

@@ -31,7 +31,7 @@ Azure verification for VM enables you to use these benefits available only on Az
 | Extended Security Update (ESUs)          | Get security updates at no extra cost for end-of-support SQL and Windows Server VMs on Azure Local. <br/> For more information, see [Free Extended Security Updates (ESU) on Azure Local](../manage/azure-benefits-esu.md). | You must enable [Legacy OS support](#legacy-os-support) for older VMs running version Windows Server 2012 or earlier with [Latest Servicing Stack Updates](https://msrc.microsoft.com/update-guide/advisory/ADV990001).|
 | Azure Virtual Desktop (AVD)                    | AVD session hosts can run only on Azure infrastructure. Activate your Windows multi-session VMs on Azure Local using Azure VM verification. <br/> Licensing requirements for AVD still apply. See [Azure Virtual Desktop pricing](/azure/virtual-desktop/azure-stack-hci-overview#pricing). | Activated automatically for VMs running version Windows 11 multi-session with 4B update released on April 9, 2024 (22H2: [KB5036893](https://support.microsoft.com/topic/april-9-2024-kb5036893-os-builds-22621-3447-and-22631-3447-a674a67b-85f5-4a40-8d74-5f8af8ead5bb), 21H2: [KB5036894](https://support.microsoft.com/topic/april-9-2024-kb5036894-os-build-22000-2899-165dd6e1-74be-45b7-84e3-0f2a25d375f3)) or later. You must enable [legacy OS support](#legacy-os-support) for VMs running version Windows 10 multi-session with 4B update released on April 9, 2024  [KB5036892](https://support.microsoft.com/topic/april-9-2024-kb5036892-os-builds-19044-4291-and-19045-4291-cb5d2d42-6b10-48f7-829a-be7d416a811b) or later. |
 | Windows Server Datacenter: Azure Edition | Azure Edition VMs can run only on Azure infrastructure. Activate your [Windows Server Azure Edition](/windows-server/get-started/azure-edition) VMs and use the latest Windows Server innovations and other exclusive features. <br/> Licensing requirements still apply. See ways to [license Windows Server VMs on Azure Local](../manage/vm-activate.md?tabs=azure-portal).         | Activated automatically for VMs running Windows Server Azure Edition 2022 with 4B update released on April 9, 2024 ([KB5036909](https://support.microsoft.com/topic/april-9-2024-kb5036909-os-build-20348-2402-36062ce9-f426-40c6-9fb9-ee5ab428da8c)) or later. |
-| Azure Update Manager | Get [Azure Update Manager](/azure/update-manager/overview?branch=main&tabs=azure-arc-vms) at no cost. This service provides a SaaS solution to manage and govern software updates to VMs on Azure Local. | Available automatically for Arc VMs. You must enable Azure verification for non Arc VMs. For more information, see [Azure Update Manager frequently asked questions](/azure/update-manager/update-manager-faq#what-is-the-pricing-for-azure-update-manager). |
+| Azure Update Manager | Get [Azure Update Manager](/azure/update-manager/overview?branch=main&tabs=azure-arc-vms) at no cost. This service provides a SaaS solution to manage and govern software updates to VMs on Azure Local. | Available automatically for Arc VMs. With Software Assurance, you can attest your machine using Arc's Windows Server Azure benefits and licenses, and get AUM for free. For more information, see [Azure Update Manager frequently asked questions](/azure/update-manager/update-manager-faq#what-is-the-pricing-for-azure-update-manager). |
 | Azure Policy guest configuration         | Get [Azure Policy guest configuration](/azure/governance/policy/concepts/guest-configuration) at no cost. This Arc extension enables the auditing and configuration of OS settings as code for machines and VMs. | Arc agent version 1.39 or later. See [Latest Arc agent release](/azure/azure-arc/servers/agent-release-notes). |
 
 > [!NOTE]

azure-local/concepts/security-features.md

@@ -0,0 +1,23 @@
+---
+author: ronmiab
+ms.author: robess
+ms.service: azure-local
+ms.topic: include
+ms.date: 12/05/2024
+ms.reviewer: alkohli
+ms.lastreviewed: 12/11/2024
+---
+
+Readiness checks are essential to ensure that you apply updates smoothly, keep your systems up-to-date, and maintain correct system functionality. Readiness checks are performed and reported separately in two scenarios:
+
+- System health checks that run once **every 24 hours**.
+
+- Update readiness checks that run after downloading the update content and before beginning the installation.
+
+It is common for the results of system health checks and update readiness checks to differ. This happens because update readiness checks use the latest validation logic from the solution update to be installed, while system health checks always use validation logic from the installed version.
+
+Both system and pre-update readiness checks perform similar validations and categorize three types of readiness checks: Critical, Warning, and Informational.
+
+- **Critical**: Readiness checks that prevent you from applying the update. This status indicates issues that you must resolve before proceeding with the update.
+- **Warning**: Readiness checks that also prevent you from applying the update, but you can bypass these using [PowerShell](../update/update-via-powershell-23h2.md#troubleshoot-updates). This status indicates potential issues that might not be severe enough to stop the update but should be addressed to ensure a smooth update process.
+- **Informational**: Readiness checks that don't block the update. This status provides information about the system's state and any potential issues that shouldn't affect the update process directly. These checks are for your awareness and might not require immediate action.