Sync release-hotfixes with main

Sync release-hotfixes with main

Author: sethmanheim

AKS-Hybrid/ad-sso.md

@@ -3,7 +3,7 @@ title: Use Active Directory single sign-on for secure connection to Kubernetes A
 description: Use Active Directory Authentication to securely connect to the API server with SSO credentials
 author: sethmanheim
 ms.topic: how-to
-ms.date: 06/24/2024
+ms.date: 08/07/2024
 ms.author: sethm 
 ms.lastreviewed: 1/14/2022
 ms.reviewer: sulahiri
@@ -30,7 +30,10 @@ AD integration uses AD kubeconfig, which is distinct from the certificate-based
 Another security benefit with AD integration is that the users and groups are stored as [security identifiers (SIDs)](/troubleshoot/windows-server/identity/security-identifiers-in-windows). Unlike group names, SIDs are immutable and unique and therefore present no naming conflicts.
 
 > [!NOTE]
-> Currently, AD SSO connectivity is only supported for workload clusters.
+> AD SSO connectivity is only supported for workload clusters.
+
+> [!NOTE]
+> The use of nested AD groups (creating an AD group within another AD group) is unsupported.
 
 This article guides you through the steps to set up Active Directory as the identity provider and to enable SSO via `kubectl`:
 

AKS-Hybrid/deploy-load-balancer-cli.md

@@ -14,12 +14,12 @@ ms.lastreviewed: 04/02/2024
 
 [!INCLUDE [hci-applies-to-23h2](includes/hci-applies-to-23h2.md)]
 
-The main purpose of a load balancer is to distribute traffic across multiple nodes in a Kubernetes cluster. This can help prevent downtime and improve overall performance of applications. AKS enabled by Azure Arc supports creating [MetalLB](https://metallb.universe.tf/) load balancer instance on your Kubernetes cluster using the `Arc Networking` k8s-extension.
+The main purpose of a load balancer is to distribute traffic across multiple nodes in a Kubernetes cluster. This can help prevent downtime and improve overall performance of applications. AKS enabled by Azure Arc supports creating [MetalLB](https://metallb.universe.tf/) load balancer instance on your Kubernetes cluster using the `Arc Kubernetes Runtime` k8s-extension.
 
 ## Prerequisites
 
-- A Kubernetes cluster with at least one Linux node. You can create a Kubernetes cluster on Azure Stack HCI 23H2 using the [Azure CLI](aks-create-clusters-cli.md) or the [Azure portal](aks-create-clusters-portal.md).
-- Make sure you have enough IP addresses for the load balancer. Ensure that the IP addresses reserved for the load balancer do not conflict with the IP addresses in Arc VM logical networks and control plane IPs. For more information about IP address planning and networking in Kubernetes, see [Networking requirements for AKS on Azure Stack HCI 23H2](aks-hci-network-system-requirements.md).
+- An Azure Arc enabled Kubernetes cluster with at least one Linux node. You can create a Kubernetes cluster on Azure Stack HCI 23H2 using the [Azure CLI](aks-create-clusters-cli.md) or the [Azure portal](aks-create-clusters-portal.md). AKS on Azure Stack HCI 23H2 clusters are Arc enabled by default.
+- Make sure you have enough IP addresses for the load balancer. For AKS on Azure Stack HCI 23H2, ensure that the IP addresses reserved for the load balancer do not conflict with the IP addresses in Arc VM logical networks and control plane IPs. For more information about IP address planning and networking in Kubernetes, see [Networking requirements for AKS on Azure Stack HCI 23H2](aks-hci-network-system-requirements.md).
 - This how-to guide assumes you understand how Metal LB works. For more information, see the [overview for MetalLB in Arc Kubernetes clusters](load-balancer-overview.md).
 
 ## Install the Azure CLI extension
@@ -30,25 +30,71 @@ Run the following command to install the necessary Azure CLI extension:
 az extension add -n k8s-runtime --upgrade
 ```
 
-## Enable load balancer Arc extension
+## Enable MetalLB Arc extension
 
 Configure the following variables before proceeding:
 
 | Parameter                      | Description             | 
 | ----------------------------- | ------------------------ |
 | `$subId`    | Azure subscription ID of your Kubernetes cluster. |
-| `$rgName` | Azure resource group for your Kubernetes cluster. |
-| `$clusterName` | The name of your AKS Arc cluster. |
+| `$rgName` | Azure resource group of your Kubernetes cluster. |
+| `$clusterName` | The name of your Kubernetes cluster. |
 
-Use the [`az k8s-runtime load-balancer enable`](/cli/azure/k8s-runtime/load-balancer#az-k8s-runtime-load-balancer-enable) command to install the Arc extension and register the resource provider for your Kubernetes cluster. The `--resource-uri` parameter refers to the resource manager ID of your AKS Arc cluster.
+### Option 1: Enable MetalLB Arc extension using `az k8s-runtime load-balancer enable` command
+
+To enable the MetalLB Arc extension using the following command, you must have [Graph permission Application.Read.All](/graph/permissions-reference#applicationreadall). You can check if you have this permission by logging into your Azure subscription, and running the following command: 
+
+```azurecli
+`az ad sp list --filter "appId eq '087fca6e-4606-4d41-b3f6-5ebdf75b8b4c'" --output json`
+```
+If the command fails, contact your Azure tenant administrator to get `Application.Read.All` role.
+
+If you do have the permission, you can use the [`az k8s-runtime load-balancer enable`](/cli/azure/k8s-runtime/load-balancer#az-k8s-runtime-load-balancer-enable) command to install the Arc extension and register the resource provider for your Kubernetes cluster. The `--resource-uri` parameter refers to the resource manager ID of your Kubernetes cluster.
 
 ```azurecli
 az k8s-runtime load-balancer enable --resource-uri subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Kubernetes/connectedClusters/$clusterName
 ```
 
+### Option 2: Enable MetalLB Arc Kubernetes extension using `az k8s-extension add` command
+
+If you don't have [Graph permission Application.Read.All](/graph/permissions-reference#applicationreadall), you can follow these steps:
+
+1. Register the `Microsoft.KubernetesRuntime RP` if you haven't already done so. Note that you only need to register once per Azure subscription. You can also register resource providers using the Azure portal. For more information about how to register resource providers and required permissions, see [how to register a resource provider](/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider).
+
+```azurecli
+az provider register -n Microsoft.KubernetesRuntime
+```
+
+You can check if the resource provider has been registered successfully by running the following command.
+
+```azurecli
+az provider show -n Microsoft.KubernetesRuntime -o table
+```
+
+Expected output:
+```output
+Namespace                    RegistrationPolicy    RegistrationState
+---------------------------  --------------------  -------------------
+Microsoft.KubernetesRuntime  RegistrationRequired  Registered
+```
+
+2. To install the MetalLB Arc extension, obtain the AppID of the MetalLB extension resource provider, and then run the extension create command. You must run the following commands once per Arc Kubernetes cluster.
+
+Obtain the Application ID of the Arc extension by running [az ad sp list](/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-list). In order to run the following command, you must be a `user` member of your Azure tenant. For more information about user and guest membership, see [default user permissions in Microsoft Entra ID](/entra/fundamentals/users-default-permissions).
+
+```azurecli
+$objID = az ad sp list --filter "appId eq '087fca6e-4606-4d41-b3f6-5ebdf75b8b4c'" --query "[].id" --output tsv
+```
+
+Once you have the $objID, you can install the MetalLB Arc extension on your Kubernetes cluster. To run the below command, you need to have [**Kubernetes extension contributor**](/azure/role-based-access-control/built-in-roles/containers#kubernetes-extension-contributor) role.
+
+```azurecli
+az k8s-extension create --cluster-name $clusterName -g $rgName --cluster-type connectedClusters --extension-type microsoft.arcnetworking --config k8sRuntimeFpaObjectId=$objID -n arcnetworking
+```
+
 ## Deploy MetalLB load balancer on your Kubernetes cluster
 
-You can now create a load balancer for your Kubernetes cluster remotely by running the [`az k8s-runtime load-balancer create`](/cli/azure/k8s-runtime/load-balancer#az-k8s-runtime-load-balancer-create) command. This command creates a custom resource of kind `IPAddressPool` in namespace `kube-system`.
+You can now create a load balancer for your Kubernetes cluster remotely by running the [`az k8s-runtime load-balancer create`](/cli/azure/k8s-runtime/load-balancer#az-k8s-runtime-load-balancer-create) command. This command creates a custom resource of type `IPAddressPool` in the namespace `kube-system`. 
 
 Configure the following variables before proceeding:
 
@@ -83,4 +129,4 @@ az k8s-runtime bgp-peer create --bgp-peer-name $peerName --resource-uri subscrip
 
 ## Next steps
 
--[Use GitOps Flux v2 Arc extension to deploy applications on your Kubernetes cluster](/azure/azure-arc/kubernetes/monitor-gitops-flux-2)
+- [Use GitOps Flux v2 Arc extension to deploy applications on your Kubernetes cluster](/azure/azure-arc/kubernetes/monitor-gitops-flux-2)

AKS-Hybrid/kubernetes-rbac-entra-id.md

@@ -32,6 +32,8 @@ Before you set up Kubernetes RBAC using Microsoft Entra ID, you need the followi
   - **Azure CLI and the connectedk8s extension**. Azure CLI is a set of commands used to create and manage Azure resources. To check whether you have the Azure CLI, open a command line tool, and type: `az -v`. Also, install the [connectedk8s extension](https://github.com/Azure/azure-cli-extensions/tree/main/src/connectedk8s) in order to open a channel to your Kubernetes cluster. For installation instructions, see [How to install Azure CLI](/cli/azure/install-azure-cli).
   - **Kubectl**. This Kubernetes command-line tool enables you to run commands targeting your Kubernetes clusters. To check whether you installed kubectl, open a command prompt and type: `kubectl version --client`. Make sure your kubectl client version is at least version v1.24.0. For installation instructions, see [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl).
   - **PowerShell and the AksHci PowerShell module**. PowerShell is a cross-platform task automation solution comprised of a command-line shell, a scripting language, and a configuration management framework. If you installed AKS Arc, you have access to the **AksHci** PowerShell module.
+  - To access the Kubernetes cluster from anywhere with a proxy mode using `az connectedk8s proxy` command, you need the **Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action**, which is included in the **Azure Arc-enabled Kubernetes Cluster User** role permission. Meanwhile, you need to verify that the agents and the machine performing the onboarding process meet the network requirements in [Azure Arc-enabled Kubernetes network requirements](/azure/azure-arc/kubernetes/network-requirements?tabs=azure-cloud#details).
+
 
 ## Optional first steps
 

azure-stack/hci/manage/windows-server-azure-edition-23h2.md

@@ -174,8 +174,6 @@ To obtain Azure verification for the Windows Server Azure Edition license, a mem
 Schtasks /change /TN "\Microsoft\Windows\Clip\LicenseImdsIntegration" /RU "NT Authority\System"
 ```
 
-For more information, see [flcip](https://github.com/urbans0ft/fclip) on GitHub.
-
 ## Next steps
 
 Learn more about [Azure Automanage for Windows Server](/azure/automanage/automanage-windows-server-services-overview).

azure-stack/hci/release-information-23h2.md

@@ -6,7 +6,7 @@ ms.author: alkohli
 ms.topic: conceptual
 ms.service: azure-stack
 ms.subservice: azure-stack-hci
-ms.date: 07/12/2024
+ms.date: 08/13/2024
 ---
 
 # Azure Stack HCI, version 23H2 release information

azure-stack/hci/release-information.md

@@ -6,7 +6,7 @@ ms.author: jgerend
 ms.topic: conceptual
 ms.service: azure-stack
 ms.subservice: azure-stack-hci
-ms.date: 07/08/2024
+ms.date: 08/12/2024
 ---
 
 # Azure Stack HCI, version 22H2 release information
@@ -25,6 +25,7 @@ All dates are listed in ISO 8601 format: *YYYY-MM-DD*
 
 | **OS build** | **Availability date** | **KB article** |
 |:-|:-|:-|
+| 20349.2655 | 2024-08-13 | [KB 5041160](https://support.microsoft.com/topic/3e8026f2-bb4c-4c1c-9855-d41e1b5b1bd9) |
 | 20349.2582 | 2024-07-09 | [KB 5040437](https://support.microsoft.com/topic/b23d6ba9-4659-4780-887f-530776c4e730) |
 | 20349.2529 | 2024-06-20 | [KB 5041054](https://support.microsoft.com/topic/0a1f8b2c-f195-4e3d-b95a-52a12b801658) |
 | 20349.2527 | 2024-06-11 | [KB 5039227](https://support.microsoft.com/topic/121b63dd-f970-45a3-8365-b5f4d2081999) |

azure-stack/hci/security-update/hci-security-update-aug-2024.md

@@ -0,0 +1,65 @@
+---
+title:  August 2024 security update (KB 5041573) for Azure Stack HCI, version 23H2
+description: Read about the August 2024 security update (KB 5041573) for Azure Stack HCI, version 23H2.
+author: alkohli
+ms.topic: conceptual
+ms.date: 08/13/2024
+ms.author: alkohli
+ms.reviewer: alkohli
+ms.subservice: azure-stack-hci
+---
+
+# August 2024 OS security update (KB 5041573) for Azure Stack HCI, version 23H2
+
+[!INCLUDE [applies-to](../../includes/hci-applies-to-23h2.md)]
+
+This article describes the OS security update for Azure Stack HCI, version 23H2 that was released on August 13, 2024 and applies to OS build 25398.1085.
+
+<!--For an overview of Azure Stack HCI, version 23H2 release notes, see the [update history](https://support.microsoft.com/topic/release-notes-for-azure-stack-hci-version-23h2-018b9b10-a75b-4ad7-b9d1-7755f81e5b0b).-->
+
+## Improvements
+
+This security update includes quality improvements. The following key issues and features are present in this update:
+
+- **Stability of clusters on Windows Server 2022**. Servers in the same cluster shutdown when you don't expect them to. This leads to high latency and network availability issues.  
+
+- **Bootloader**. A race condition might stop a computer from starting. This occurs when you configure the bootloader to start many operating systems.  
+
+- **Autopilot**. Using Autopilot to provision a Surface Laptop SE device fails.  
+
+- **Windows Defender Application Control (WDAC)**. A memory leak occurs that might exhaust system memory as time goes by. This issue occurs when you provision a device.  
+
+- **Protected Process Light (PPL) protections**. You can bypass them.  
+
+- **Windows Kernel Vulnerable Driver Blocklist file (DriverSiPolicy.p7b)**. This update adds to the list of drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks.  
+
+- **NetJoinLegacyAccountReuse**. This update removes this registry key. For more information, see [KB 5020276 Net join: Domain join hardening changes](https://support.microsoft.com/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8).
+
+- **BitLocker (known issue)**. A [BitLocker recovery screen](/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview) shows when you start up your device. This occurs after you install the July 9, 2024, update. This issue is more likely to occur if [device encryption](https://support.microsoft.com/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) is on. Go to **Settings > Privacy & Security > Device encryption**. To unlock your drive, Windows might ask you to enter the recovery key from your Microsoft account.
+
+- **Lock screen**. This update addresses CVE-2024-38143. As a result, the **Use my windows user account** check box isn't available on the lock screen to connect to Wi-Fi.
+
+- **Secure Boot Advanced Targeting (SBAT) and Linux Extensible Firmware Interface (EFI)**. This update applies SBAT to systems that run Windows and stops vulnerable Linux EFI (shim bootloaders) from running. This update doesn't apply to systems that dual-boot Windows and Linux. After the update is applied, older Linux ISO images might not boot. If this occurs, work with your Linux vendor to get an updated ISO image.
+
+- **Domain Name System (DNS)**. This update hardens DNS server security to address CVE-2024-37968. If the configurations of your domains aren't up to date, you might get the SERVFAIL error or a time-out.
+
+For more information about security vulnerabilities, see the [Security Update Guide](https://msrc.microsoft.com/update-guide/) and the [August 2024 Security Updates](https://msrc.microsoft.com/update-guide/releaseNote/2024-Aug).
+
+## Known issues
+
+Microsoft isn't currently aware of any issues with this update.
+
+## To install this update
+
+Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see [Servicing stack updates](/windows/deployment/update/servicing-stack-updates) and [Servicing Stack Updates (SSU): Frequently Asked Questions](https://support.microsoft.com/topic/servicing-stack-updates-ssu-frequently-asked-questions-06b62771-1cb0-368c-09cf-87c4efc4f2fe).
+
+To install the LCU on your Azure Stack HCI cluster, see [Update Azure Stack HCI clusters](../update/about-updates-23h2.md).
+
+## File list
+
+For a list of the files that are provided in this update, download the file information for [Cumulative update 5041573](https://go.microsoft.com/fwlink/?linkid=2282056).
+
+## Next steps
+
+- [Install updates via PowerShell](../update/update-via-powershell-23h2.md) for Azure Stack HCI, version 23H2.
+- [Install updates via Azure Update Manager in Azure portal](../update/azure-update-manager-23h2.md) for Azure Stack HCI, version 23H2.

azure-stack/hci/toc.yml

@@ -211,6 +211,30 @@ items:
   - name: Troubleshoot updates
     href: update/update-troubleshooting-23h2.md
 
+- name: Upgrade 
+  items:
+  - name: About Azure Stack HCI upgrades
+    href: upgrade/about-upgrades-23h2.md
+  - name: Upgrade to version 23H2 OS
+    items: 
+    - name: Via PowerShell
+      href: upgrade/upgrade-22h2-to-23h2-powershell.md
+    - name: Via Windows Admin Center
+      href: upgrade/upgrade-22h2-to-23h2-windows-admin-center.md
+    - name: Via other methods
+      href: upgrade/upgrade-22h2-to-23h2-other-methods.md
+  - name: Perform post-OS upgrade tasks
+    href: upgrade/post-upgrade-steps.md
+  - name: Install, enable Network ATC
+    href: upgrade/install-enable-network-atc.md
+  - name: Validate solution upgrade readiness
+    href: upgrade/validate-solution-upgrade-readiness.md
+  - name: Apply solution upgrade
+    href: upgrade/install-solution-upgrade.md
+  - name: Troubleshoot upgrades
+    href: upgrade/troubleshoot-upgrade-to-azure-stack-hci-23h2.md
+
+
 - name: Manage
   items:
 

azure-stack/hci/update/update-troubleshooting-23h2.md

@@ -36,7 +36,7 @@ To collect logs for the update failures using PowerShell, follow these steps on
 2. Get all the solutions updates and then filter the solution updates corresponding to a specific version. The version used corresponds to the version of solution update that failed to install.
 
     ```powershell
-    $Update = Get-SolutionUpdate | ? version -eq "<Version string>" -verbose
+    $Update = Get-SolutionUpdate | ? Version -eq "<Version string>" -verbose
     ```
 
 3. Identify the action plan for the failed solution update run.
@@ -54,7 +54,7 @@ To collect logs for the update failures using PowerShell, follow these steps on
     Here's a sample output:
 
     ```output
-    PS C:\Users\lcmuser> $Update = Get-SolutionUpdate| ? version -eq "10.2303.1.7" -verbose
+    PS C:\Users\lcmuser> $Update = Get-SolutionUpdate| ? Version -eq "10.2303.1.7" -verbose
     PS C:\Users\lcmuser> $Failure = $Update|Get-SolutionUpdateRun
     PS C:\Users\lcmuser> $Failure
     
@@ -98,13 +98,13 @@ We highly recommend using the Azure portal, to browse to your failed update and
 If you're using PowerShell and need to resume a previously failed update run, use the following command:
 
 ```powershell
-Get-SolutionUpdate | Start-SolutionUpdate
+Get-SolutionUpdate | ? Version -eq "10.2302.0.31" | Start-SolutionUpdate
 ```
 
 To resume a previously failed update due to update health checks in a **Warning** state, use the following command:
 
 ```powershell
-Get-SolutionUpdate | Start-SolutionUpdate -IgnoreWarnings
+Get-SolutionUpdate | ? Version -eq "10.2302.0.31" | Start-SolutionUpdate -IgnoreWarnings
 ```
 
 ## Next steps