Merge pull request #17060 from MicrosoftDocs/main

Taojunshen · web-flow · commit 9f4d37cc6cdc · 2025-02-13T07:00:14.000+08:00
2/12/2025 PM Publish
diff --git a/AKS-Arc/delete-cluster-pdb.md b/AKS-Arc/delete-cluster-pdb.md
@@ -19,39 +19,47 @@ When you delete an AKS Arc cluster that has [PodDisruptionBudget](https://kubern
 
 Before you delete the AKS Arc cluster, access the AKS Arc cluster's **kubeconfig** and delete all PDBs:
 
-1. Access the AKS Arc cluster:
+1. Access the AKS Arc cluster according to its connectivity state:
 
-   ```azurecli
-   az connectedk8s proxy -n $aks_cluster_name -g $resource_group_name 
-   ```
+   - When the AKS Arc cluster is in a **Connected** state, run the [`az connectedk8s proxy`](/cli/azure/connectedk8s#az-connectedk8s-proxy) command
+
+     ```azurecli
+     az connectedk8s proxy -n $aks_cluster_name -g $resource_group_name 
+     ```
+   
+   - When the AKS Arc cluster is in a **disconnected** state, run the [`az aksarc get-credentials`](/cli/azure/aksarc#az-aksarc-get-credentials) command with permission to perform the **Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action** action, which is included in the **Azure Kubernetes Service Arc Cluster Admin** role permission. For more information, see [Retrieve certificate-based admin kubeconfig in AKS Arc](retrieve-admin-kubeconfig.md#retrieve-the-certificate-based-admin-kubeconfig-using-az-cli).
+
+     ```azurecli
+     az aksarc get-credentials -n $aks_cluster_name -g $resource_group_name --admin
+     ```
 
 1. Verify PDB:
 
    ```bash
    kubectl get pdb -A 
    ```
 
-1. Delete all PDBs. Here's an example of deleting a PDB generated from workload identity enablement:
+1. Delete all PDBs. The following command is an example of deleting a PDB generated from workload identity enablement:
 
-    ```bash
-    kubectl delete pdb azure-wi-webhook-controller-manager -n arc-workload-identity 
-    ```
+   ```bash
+   kubectl delete pdb azure-wi-webhook-controller-manager -n arc-workload-identity 
+   ```
 
 ### [AKS on Azure Local](#tab/aks-on-azure-local)
 
 4. Delete the AKS Arc cluster:
 
-    ```azurecli
-    az aksarc delete -n $aks_cluster_name -g $resource_group_name
-    ```
+   ```azurecli
+   az aksarc delete -n $aks_cluster_name -g $resource_group_name
+   ```
 
 ### [AKS Edge Essentials](#tab/aks-edge-essentials)
 
 4. Delete the AKS Arc cluster:
 
-    ```azurecli
-    az connectedk8s delete -n <cluster_name> -g <resource_group>
-    ```
+   ```azurecli
+   az connectedk8s delete -n <cluster_name> -g <resource_group>
+   ```
 
 ---
 
diff --git a/azure-local/manage/manage-secrets-rotation.md b/azure-local/manage/manage-secrets-rotation.md
@@ -4,7 +4,7 @@ description: This article describes how to manage internal secret rotation on Az
 author:  alkohli
 ms.author:  alkohli
 ms.topic: how-to
-ms.date: 02/03/2025
+ms.date: 02/11/2025
 ms.service: azure-local
 ---
 
@@ -59,6 +59,49 @@ WARNING: Please close this session and log in again.
 PS C:\Users\MGMT> 
 ```
 
+## Change cluster witness storage account key
+
+This section describes how you can change the storage account key for the cluster witness storage account.
+
+1. Sign in to one of the Azure Local nodes using deployment user credentials.
+
+1. Configure the witness quorum using the secondary storage account key:
+
+    ```powershell
+    Set-ClusterQuorum -CloudWitness -AccountName <storage account name> -AccessKey <storage account secondary key>
+    ```
+
+1. Rotate the storage account primary key.
+
+1. Configure the witness quorum using the rotated storage account key:
+
+    ```powershell
+    Set-ClusterQuorum -CloudWitness -AccountName <storage account name> -AccessKey <storage account primary key>
+    ```
+
+1. Rotate the storage account secondary key.
+
+1. Update the storage account primary key in the ECE store:
+
+    ```powershell
+    $SecureSecretText = ConvertTo-SecureString -String "<Replace Storage account key>" -AsPlainText -Force
+    $WitnessCred = New-Object -Type PSCredential -ArgumentList "WitnessCredential,$SecureSecretText"
+    Set-ECEServiceSecret -ContainerName WitnessCredential -Credential $WitnessCred
+    ```
+
+## Revoke SAS token for storage account used for Arc VM images
+
+This section describes how you can revoke the Shared Access Signature (SAS) token for the storage account used for Arc VM images.
+
+| SAS policy   | SAS expired?    | Steps to revoke   |
+|---------|---------|---------|
+| Any SAS     | Yes      | No action is required as the SAS is no longer valid.        |
+| Ad hoc SAS signed with an account key      | No      | [Manually rotate or regenerate Storage account key](/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#manually-rotate-access-keys) used to create SAS.         |
+| Ad hoc SAS signed with a user delegation key      | No       | To revoke user delegation key or change role assignments, see [Revoke a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas#revoke-a-user-delegation-sas).         |
+| SAS with stored access policy      | No       | To update the expiration time to a past date or time, or delete the stored access policy, see [Modify or revoke a stored access policy](/rest/api/storageservices/define-stored-access-policy#modify-or-revoke-a-stored-access-policy).           |
+
+For more information, see [Revoke a SAS](/rest/api/storageservices/create-service-sas#revoke-a-sas).
+
 ## Change deployment service principal
 
 This section describes how you can change the service principal used for deployment. 
diff --git a/azure-local/plan/cloud-deployment-network-considerations.md b/azure-local/plan/cloud-deployment-network-considerations.md
@@ -3,7 +3,7 @@ title: Network considerations for cloud deployment for Azure Local, version 23H2
 description: This article introduces network considerations for cloud deployments of Azure Local, version 23H2.
 author: alkohli
 ms.topic: conceptual
-ms.date: 02/11/2025
+ms.date: 02/12/2025
 ms.author: alkohli 
 ms.reviewer: alkohli
 ---
@@ -210,7 +210,7 @@ New-VMSwitch -Name "ConvergedSwitch($IntentName)" -NetAdapterName "NIC1","NIC2"
 ```
 
 > [!NOTE]
->Once Azure Local instance is deployed, it is not supported to change the Management intent name or the virtual switch name. It is required to use the same intent name and virtual switch name if you require to update or recreate the intent after deployment.
+> Once an Azure Local instance is deployed, changing the management intent name or the virtual switch name isn't supported. You must use the same intent name and virtual switch name if you need to update or recreate the intent after deployment.
 
 #### 2. Configure management virtual network adapter using required Network ATC naming convention for all nodes
 
diff --git a/azure-stack/operator/TOC.yml b/azure-stack/operator/TOC.yml
@@ -32,20 +32,10 @@
             href: hotfix-1-2406-1-15.md      
           - name: Hotfix 1.2406.1.14
             href: hotfix-1-2406-1-14.md      
-        - name: 2311
-          items:
-          - name: Hotfix 1.2311.3.62
-            href: hotfix-1-2311-3-62.md
-          - name: Hotfix 1.2311.3.61
-            href: hotfix-1-2311-3-61.md
-          - name: Hotfix 1.2311.3.50
-            href: hotfix-1-2311-3-50.md
-          - name: Hotfix 1.2311.3.44
-            href: hotfix-1-2311-3-44.md
-          - name: Hotfix 1.2311.2.23
-            href: hotfix-1-2311-2-23.md
       - name: Archive
         items:
+        - name: Hotfix 1.2311.3.62
+          href: hotfix-1-2311-3-62.md
         - name: Hotfix 1.2306.4.102
           href: hotfix-1-2306-4-102.md      
         - name: Hotfix 1.2301.3.97
diff --git a/azure-stack/operator/azure-stack-servicing-policy.md b/azure-stack/operator/azure-stack-servicing-policy.md
@@ -4,7 +4,7 @@ titleSuffix: Azure Stack Hub
 description: Learn about the Azure Stack Hub servicing policy and how to keep an integrated system in a supported state.
 author: sethmanheim
 ms.topic: article
-ms.date: 10/24/2024
+ms.date: 02/11/2025
 ms.author: sethm
 ms.lastreviewed: 03/18/2020
 
@@ -46,9 +46,9 @@ Find documentation on how to plan for and manage updates, and how to determine y
 
 For information about a specific update, including how to download it, see the release notes for that update:
 
+- [Azure Stack Hub 2501 update](./release-notes.md?view=azs-2501&preserve-view=true)
 - [Azure Stack Hub 2408 update](./release-notes.md?view=azs-2408&preserve-view=true)
 - [Azure Stack Hub 2406 update](./release-notes.md?view=azs-2406&preserve-view=true)
-- [Azure Stack Hub 2311 update](./release-notes.md?view=azs-2311&preserve-view=true)
 
 ## Hotfixes
 
@@ -78,11 +78,11 @@ You must also have an active support agreement with the hardware partner that ma
 
 Hotfixes aren't considered major update versions. If your Azure Stack Hub instance is behind by more than two updates, it's considered out of compliance. You must update to at least the minimum supported version (N-2) to receive support.
 
-For example, if the most recent update version available is 2408 (N), the two previous update versions were 2406 and 2311, which means both 2406 (N-1) and 2311 (N-2) remain in support. However, the 2306 (and earlier) version is out of support, as 2306 was N-3 when the 2408 update was released. For the current release of Azure Stack Hub, the following versions are considered in support:
+For example, if the most recent update version available is 2501 (N), the two previous update versions were 2408 and 2406, which means both 2408 (N-1) and 2406 (N-2) remain in support. However, the 2311 (and earlier) version is out of support, as 2311 was N-3 when the 2501 update was released. For the current release of Azure Stack Hub, the following versions are considered in support:
 
+- [Azure Stack Hub 2501](./release-notes.md?view=azs-2501&preserve-view=true)
 - [Azure Stack Hub 2408](./release-notes.md?view=azs-2408&preserve-view=true)
 - [Azure Stack Hub 2406](./release-notes.md?view=azs-2406&preserve-view=true)
-- [Azure Stack Hub 2311](./release-notes.md?view=azs-2311&preserve-view=true)
 
 Microsoft software update packages are non-cumulative and require the previous update package and latest hotfix to be installed as a prerequisite. If you decide to defer one or more updates, consider the overall runtime required to update to the latest version.
 
diff --git a/azure-stack/operator/hotfix-1-2311-3-62.md b/azure-stack/operator/hotfix-1-2311-3-62.md
@@ -3,19 +3,16 @@ title: Azure Stack Hub hotfix 1.2311.3.62
 description: Summary of Azure Stack Hub hotfix 1.2311.3.62
 author: sethmanheim
 ms.topic: article
-ms.date: 01/08/2025
+ms.date: 02/12/2025
 ms.author: sethm
 ms.lastreviewed: 09/24/2024
 ---
 
 # Azure Stack Hub hotfix 1.2311.3.62
 
-## Summary
+## Summary of fixes
 
 - Fixed an issue with DNS zone creation in SQL and MySQL resource providers.
-
-## Fixes rolled up from previous hotfix releases
-
 - Fixed bugs causing infrastructure faults.
 - Fixed an issue in which users were able to create duplicate and external infrastructure DNS zones.
 - Fixed the **CloudManifest** feature to avoid adding non-self-signed certificates to the root store.
diff --git a/azure-stack/operator/known-issues.md b/azure-stack/operator/known-issues.md
diff --git a/azure-stack/operator/release-notes.md b/azure-stack/operator/release-notes.md
diff --git a/azure-stack/operator/relnotearchive/known-issues.md b/azure-stack/operator/relnotearchive/known-issues.md
