Merge branch 'main' into defender-exclusions

Author: v-sissondan

AKS-Arc/aks-hci-network-system-requirements.md

@@ -2,7 +2,7 @@
 title: AKS enabled by Azure Arc network requirements
 description: Learn about AKS network prerequisites.
 ms.topic: overview
-ms.date: 11/19/2024
+ms.date: 04/23/2025
 author: sethmanheim
 ms.author: sethm
 ms.reviewer: abha
@@ -64,6 +64,9 @@ Regardless of the option you choose, you must ensure that the IP addresses alloc
 
 Proxy settings in AKS are inherited from the underlying infrastructure system. The functionality to set individual proxy settings for Kubernetes clusters and change proxy settings isn't supported yet. For more information on how to set proxy correctly, see [proxy requirements for Azure Local](/azure/azure-local/manage/configure-proxy-settings-23h2).
 
+> [!WARNING]
+> You cannot update incorrect proxy settings after you deploy Azure Local. If the proxy is misconfigured, you must redeploy Azure Local.
+
 ## Firewall URL exceptions
 
 Firewall requirements for AKS have been consolidated with Azure Local firewall requirements. See [Azure Local firewall requirements](/azure/azure-local/concepts/firewall-requirements) for list of URLs that need to be allowed to successfully deploy AKS.

azure-local/concepts/compare-windows-server.md

@@ -5,7 +5,7 @@ ms.topic: conceptual
 author: alkohli
 ms.author: alkohli
 ms.service: azure-local
-ms.date: 03/28/2025
+ms.date: 04/08/2025
 ---
 
 # Compare Azure Local to Windows Server
@@ -18,7 +18,7 @@ When replacing a datacenter primarily running VMware, Azure Local is typically n
 
 ## When to use Azure Local
 
-Azure Local is Microsoft's premier hyperconverged infrastructure platform for running VMs or virtual desktops on-premises with connections to Azure hybrid services. Azure Local can help to modernize and secure your datacenters and branch offices, and achieve industry-best performance with low latency and data sovereignty.
+Azure Local is Microsoft's premier hyperconverged infrastructure platform for running virtual machines (VMs) or virtual desktops on-premises with connections to Azure hybrid services. Azure Local can help to modernize and secure your datacenters and branch offices, and achieve industry-best performance with low latency and data sovereignty.
 
 :::image type="content" source="media/compare-windows-server/hci-scenarios.png" alt-text="When to use Azure Local over Windows Server 2019" border="false" lightbox="media/compare-windows-server/hci-scenarios.png":::
 
@@ -41,7 +41,7 @@ Windows Server is a highly versatile, multi-purpose operating system with dozens
 
 Use Windows Server for:
 
-- A guest operating system inside of virtual machines (VMs) or containers
+- A guest operating system inside of VMs or containers
 - As the runtime server for a Windows application
 - To use one or more of the built-in server roles such as Active Directory, file services, DNS, DHCP, or Internet Information Services (IIS)
 - As a traditional server, such as a bare-metal domain controller or SQL Server installation
@@ -119,7 +119,7 @@ The following table compares the management options for Azure Local and Windows
 | Azure portal > Windows Admin Center integration (preview) | Yes | Azure VMs only <sup>1</sup>|
 | Azure portal > Multi-cluster monitoring for Azure Local | Yes | No |
 | Azure portal > Azure Resource Manager integration for clusters | Yes | No |
-| Azure portal > Arc VM management | Yes | No |
+| Azure portal > Management of Azure Local VMs enabled by Arc | Yes | No |
 | Desktop experience | No | Yes |
 
 <sup>1</sup> Requires manually installing the Arc-git statusConnected Machine agent on every machine.

azure-local/concepts/firewall-requirements.md

@@ -65,6 +65,25 @@ For a consolidated list of endpoints for Japan East that includes Azure Local, A
 For a consolidated list of endpoints for South Central US that includes Azure Local, Arc-enabled servers, ARB, and AKS, use:
 - [Required endpoints in South Central US for Azure Local](https://github.com/Azure/AzureStack-Tools/blob/master/HCI/SouthCentralUSEndpoints/southcentralus-hci-endpoints.md)
 
+## Firewall requirements for OEMs
+
+Depending on the OEM you are using for Azure Local you may need to open additional endpoints in your firewall.
+
+DataON required endpoints for Azure Local deployments
+- [DataOn required endpoints](https://github.com/Azure/AzureStack-Tools/blob/master/HCI/OEMEndpoints/DataOn/DataOnAzureLocalEndpoints.md)
+
+Dell required endpoints for Azure Local deployments
+- [Dell required endpoints](https://github.com/Azure/AzureStack-Tools/blob/master/HCI/OEMEndpoints/Dell/DellAzureLocalEndpoints.md)
+
+HPE required endpoints for Azure Local deployments
+- [HPE required endpoints](https://github.com/Azure/AzureStack-Tools/blob/master/HCI/OEMEndpoints/HPE/HPEAzureLocalEndpoints.md)
+
+Hitachi required endpoints for Azure Local deployments
+- [Hitachi required endpoints](https://github.com/Azure/AzureStack-Tools/blob/master/HCI/OEMEndpoints/Hitachi/HitachiAzureLocalEndpoints.md)
+
+Lenovo required endpoints for Azure Local deployments
+- [Lenovo required endpoints](https://github.com/Azure/AzureStack-Tools/blob/master/HCI/OEMEndpoints/Lenovo/LenovoAzureLocalEndpoints.md)
+
 ## Firewall requirements for additional Azure services
 
 Depending on additional Azure services you enable for Azure Local, you may need to make additional firewall configuration changes. Refer to the following links for information on firewall requirements for each Azure service:

azure-local/deploy/deployment-azure-arc-gateway-overview.md

@@ -3,7 +3,7 @@ title: Overview of Azure Arc gateway for Azure Local, version 23H2 (preview)
 description: Learn what is Azure Arc gateway for Azure Local, version 23H2 (preview). 
 author: alkohli
 ms.topic: how-to
-ms.date: 04/10/2025
+ms.date: 04/23/2025
 ms.author: alkohli
 ms.service: azure-local
 ---
@@ -89,37 +89,36 @@ Unsupported scenarios for Azure Local include:
 
 ## Azure Local endpoints not redirected
 
-As part of the Azure Local version 2411.1 preview update, the endpoints from the table are required and must be allowlisted in your proxy or firewall to deploy the Azure Local instance. These version 2408 and 2411 endpoints are not redirected via the Arc gateway:
+The endpoints from the table are required and must be allowlisted in your proxy or firewall to deploy the Azure Local instance:
 
 | Endpoint # | Required endpoint | Component  |
 | -- | -- | -- |
-| 1 | `http://go.microsoft.com:443` | Arc registration |
-| 2 | `http://login.microsoftonline.com:443` | Arc registration |
-| 3 | `http://<region>.login.microsoft.com:443` | Arc registration |
-| 4 | `http://download.microsoft.com:443` | Arc registration |
-| 5 | `http://management.azure.com:443` | Arc registration |
-| 6 | `http://gbl.his.arc.azure.com:443` | Arc registration |  
-| 7 | `http://<region>.his.arc.azure.com:443` | Arc registration |
-| 8 | `http://dc.services.visualstudio.com:443` | Arc registration |
-| 9 | `https://<region>.obo.arc.azure.com:8084` | AKS extensions |
-| 10 | `http://<yourarcgatewayId>.gw.arc.azure.com:443` | Arc gateway |
-| 11 | `http://<yourkeyvaultname>.vault.azure.net:443` | Azure Key Vault |
-| 12 | `http://<yourblobstorageforcloudwitnessname>.blob.core.windows.net:443` | Cloud Witness Storage Account |
-| 13 | `http://files.pythonhosted.org:443` | Microsoft On-premises Cloud/ARB/AKS |
-| 14 | `http://pypi.org:443` | Microsoft On-premises Cloud/ARB/AKS |
-| 15 | `http://raw.githubusercontent.com:443` | Microsoft On-premises Cloud/ARB/AKS |
-| 16 | `http://pythonhosted.org:443` | Microsoft On-premises Cloud/ARB/AKS |
-| 17 | `http://ocsp.digicert.com`  | Certificate Revocation List for Arc extensions |
-| 18 | `http://s.symcd.com` | Certificate Revocation List for Arc extensions |
-| 19 | `http://ts-ocsp.ws.symantec.com` | Certificate Revocation List for Arc extensions |
-| 20 | `http://ocsp.globalsign.com` | Certificate Revocation List for Arc extensions |
-| 21 | `http://ocsp2.globalsign.com` | Certificate Revocation List for Arc extensions |
-| 22 | `http://oneocsp.microsoft.com` | Certificate Revocation List for Arc extensions |
-| 23 | `http://dl.delivery.mp.microsoft.com` | Windows Update |
-| 24 | `http://*.tlu.dl.delivery.mp.microsoft.com` | Windows Update |
-| 25 | `http://*.windowsupdate.com` | Windows Update |
-| 26 | `http://*.windowsupdate.microsoft.com` | Windows Update |
-| 27 | `http://*.update.microsoft.com` | Windows Update |
+| 1 | `http://login.microsoftonline.com:443` | Arc registration |
+| 2 | `http://<region>.login.microsoft.com:443` | Arc registration |
+| 3 | `http://management.azure.com:443` | Arc registration |
+| 4 | `http://gbl.his.arc.azure.com:443` | Arc registration |  
+| 5 | `http://<region>.his.arc.azure.com:443` | Arc registration |
+| 6 | `http://dc.services.visualstudio.com:443` | Arc registration |
+| 7 | `https://<region>.obo.arc.azure.com:8084` | AKS extensions |
+| 8 | `http://<yourarcgatewayId>.gw.arc.azure.com:443` | Arc gateway |
+| 9 | `http://<yourkeyvaultname>.vault.azure.net:443` | Azure Key Vault |
+| 10 | `http://<yourblobstorageforcloudwitnessname>.blob.core.windows.net:443` | Cloud Witness Storage Account |
+| 11 | `http://files.pythonhosted.org:443` | Not required starting with 2504 new deployments. Microsoft On-premises Cloud/ARB/AKS |
+| 12 | `http://pypi.org:443` | Not required starting with 2504 new deployments. Microsoft On-premises Cloud/ARB/AKS |
+| 13 | `http://raw.githubusercontent.com:443` | Not required starting with 2504 new deployments. Microsoft On-premises Cloud/ARB/AKS |
+| 14 | `http://pythonhosted.org:443` | Not required starting with 2504 new deployments. Microsoft On-premises Cloud/ARB/AKS |
+| 15 | `http://ocsp.digicert.com`  | Certificate Revocation List for Arc extensions |
+| 16 | `http://s.symcd.com` | Certificate Revocation List for Arc extensions |
+| 17 | `http://ts-ocsp.ws.symantec.com` | Certificate Revocation List for Arc extensions |
+| 18 | `http://ocsp.globalsign.com` | Certificate Revocation List for Arc extensions |
+| 19 | `http://ocsp2.globalsign.com` | Certificate Revocation List for Arc extensions |
+| 20 | `http://oneocsp.microsoft.com` | Certificate Revocation List for Arc extensions |
+| 21 | `http://crl.microsoft.com/pkiinfra` | Certificate Revocation List for Arc extensions |
+| 22 | `http://dl.delivery.mp.microsoft.com` | Windows Update |
+| 23 | `http://*.tlu.dl.delivery.mp.microsoft.com` | Windows Update |
+| 24 | `http://*.windowsupdate.com` | Windows Update |
+| 25 | `http://*.windowsupdate.microsoft.com` | Windows Update |
+| 26 | `http://*.update.microsoft.com` | Windows Update |
 
 ## Restrictions and limitations
 

azure-local/deploy/download-23h2-software.md

@@ -5,10 +5,10 @@ author: alkohli
 ms.author: alkohli
 ms.topic: how-to
 ms.service: azure-local
-ms.date: 04/21/2025
+ms.date: 04/23/2025
 ---
 
-# Download version 23H2 operating system for Azure Local deployment
+# Download operating system for Azure Local deployment
 
 [!INCLUDE [hci-applies-to-23h2](../includes/hci-applies-to-23h2.md)]
 
@@ -27,6 +27,7 @@ Before you begin the download of the software from Azure portal, ensure that you
    - [Pay-as-you-go](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go/) subscription with credit card.
    - Subscription obtained through an Enterprise Agreement (EA).
    - Subscription obtained through the Cloud Solution Provider (CSP) program.
+   - At a minimum, you'll need **Reader** access at the subscription level.
 
 - Register the Microsoft Azure Stack HCI resource provider. For more information, see [Register your machines and assign permissions for Azure Local deployment](deployment-arc-register-server-permissions.md).
 

azure-local/faq.yml

@@ -6,7 +6,7 @@ metadata:
   author: cosmosdarwin
   ms.author: cosdar
   ms.service: azure-local
-  ms.date: 02/03/2025
+  ms.date: 04/08/2025
 title: Azure Local FAQ
 summary: The Azure Local FAQ provides information about Azure Local connectivity with the cloud, and how Azure Local relates to Windows Server.
 
@@ -54,7 +54,7 @@ sections:
         answer: |
           While your connection is down, all host infrastructure and VMs continue to run normally, and you can use edge-local tools for management. However, you wouldn't be able to use features that directly rely on cloud services. Information in the Azure portal may also become out-of-date until Azure Local is able to sync again.
           
-          Configuration changes made to Arc VMs using edge-local tools won't automatically sync with Azure.
+          Configuration changes made to Azure Local VMs enabled by Arc using edge-local tools won't automatically sync with Azure.
 
       - question: How long can Azure Local run with the connection down?
         answer: |

azure-local/includes/hci-download-vhdx.md

@@ -3,7 +3,7 @@ author: alkohli
 ms.author: alkohli
 ms.service: azure-local
 ms.topic: include
-ms.date: 10/11/2024
+ms.date: 04/22/2025
 ---
 
 
@@ -12,9 +12,9 @@ SDN uses a VHDX file containing either the Azure Stack HCI or Windows Server ope
 > [!NOTE]
 > The version of the OS in your VHDX must match the version used by the Azure Local Hyper-V machines. This VHDX file is used by all SDN infrastructure components.
 
-To download an English-language version of the VHDX file, see [Download the operating system from the Azure portal](../deploy/download-23h2-software.md). Make sure to select **English VHDX** from the **Choose language** dropdown list.
+[Download an English-language version of the VHDX file](https://aka.ms/PVvxVBVCVVC).
 
-Currently, a non-English VHDX file isn't available for download. If you require a non-English version, download the corresponding ISO file and convert it to VHDX using the `Convert-WindowsImage` cmdlet. You must run this script from a Windows client computer. You'll probably need to run this script as Administrator and modify the execution policy for scripts using the `Set-ExecutionPolicy` command.
+Currently, a non-English VHDX file isn't available for download. If you require a non-English version, [download the corresponding ISO file](../deploy/download-23h2-software.md) and convert it to VHDX using the `Convert-WindowsImage` cmdlet. You must run this script from a Windows client computer. You'll probably need to run this script as Administrator and modify the execution policy for scripts using the `Set-ExecutionPolicy` command.
 
 The following syntax shows an example of using `Convert-WindowsImage`: