Commit b46b082

Merge pull request #17246 from MicrosoftDocs/main
3/3/2025 PM Publish
2 parents 1df5a0f + d2f9410 commit b46b082

2 files changed

+34
-17
lines changed

azure-local/deploy/deployment-prep-active-directory.md

Lines changed: 8 additions & 7 deletions
@@ -3,7 +3,7 @@ title: Prepare Active Directory for Azure Local, version 23H2 deployment
33
description: Learn how to prepare Active Directory before you deploy Azure Local, version 23H2.
44
author: alkohli
55
ms.topic: how-to
6-
ms.date: 02/20/2025
6+
ms.date: 03/03/2025
77
ms.author: alkohli
88
ms.reviewer: alkohli
99
ms.service: azure-local
@@ -88,7 +88,7 @@ To create a dedicated OU, follow these steps:
8888
8989
1. Verify that the OU is created. If using a Windows Server client, go to **Server Manager > Tools > Active Directory Users and Computers**.
9090
91-
1. An OU with the specified name is created. This OU contains the new LCM deployment user account.
91+
1. An OU with the specified name is created. This OU contains the new Lifecycle Manager (LCM) deployment user account.
9292
9393
:::image type="content" source="media/deployment-prep-active-directory/active-directory-11.png" alt-text="Screenshot of Active Directory Computers and Users window." lightbox="media/deployment-prep-active-directory/active-directory-11.png":::
9494
@@ -97,18 +97,19 @@ To create a dedicated OU, follow these steps:
9797
9898
## Considerations for large scale deployments
9999
100-
The Lifecycle Manager (LCM) user account is utilized during Azure Local instance deployments that use Active Directory (AD), or for any add-node/repair operations for existing instances. The LCM user account is responsible for performing domain join actions, which necessitates the LCM user identity having delegated permissions to add computer accounts to the target Organizational Unit (OU) in the on-premises domain. During the deployment of Azure Local, the LCM user account is added to the local administrators' group of the physical machines.
100+
The LCM user account is used during servicing operations, such as applying updates via PowerShell. This account is also used when performing domain join actions against your AD, such as [repairing a node](../manage/repair-server.md) or [adding a node](../manage/add-server.md). This requires the LCM user identity having delegated permissions to add computer accounts to the target OU in the on-premises domain.
101101
102-
To mitigate the risk of a compromised LCM user account credential, we advise that for each Azure Local instance, you have a dedicated LCM user account with a unique password.
102+
During the cloud deployment of Azure Local, the LCM user account is added to the local administrators group of the physical nodes. To mitigate the risk of a compromised LCM user account, **we recommend having a dedicated LCM user account with a unique password for each Azure Local instance.** This recommendation limits the scope and impact of a compromised LCM account to a single instance.
103103
104-
We recommend that you follow these best practices for OU creation:
104+
We recommend that you follow these best practices for OU creation. These recommendations are automated when you use the `New-HciAdObjectsPreCreation` cmdlet to [Prepare Active Directory](#active-directory-preparation-module).
105105
106106
- For each Azure Local instance, create an individual OU within Active Directory. This approach helps manage computer account, CNO, LCM user account, and physical machine computer accounts within the scope of a single OU for each instance.
107107
- When deploying multiple instances at-scale, for easier management:
108108
- Create an OU under a single parent OU for each instance.
109-
- Disable GPO inheritance at the parent OU level.
109+
- Enable the **Block Inheritance** option at both the parent OU and sub OU levels.
110+
- To apply a GPO to all Azure Local instances, such as for nesting a domain group in the local administrators group, link the GPO to the parent OU and enable the **Enforced** option. By doing this, you apply the configuration to all sub OUs, even with **Block Inheritance** enabled.
110111
111-
The preceding recommendations are automated, when you use the `New-HciAdObjectsPreCreation` cmdlet to [Prepare Active Directory](#active-directory-preparation-module).
112+
If your organization's processes and procedures require deviations from these recommendations, they are allowed. However, it's important to consider the security and manageability implications of your design taking these factors into consideration.
112113
113114
## Next steps
114115
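Review bot: Line 109+ recommends enabling **Block Inheritance** at both the parent OU and the sub OU levels, but the section never states the consequence: Block Inheritance stops every non-Enforced GPO linked at the domain or at any ancestor OU, not only GPOs meant for other workloads, so organization-wide security baselines (audit policy, hardening settings) that are linked higher up and not marked Enforced will silently stop applying to the Azure Local nodes. Suggest adding a sentence after line 110+ telling readers to inventory the GPOs that currently reach these machines, mark the required ones Enforced or relink them to the parent OU, and confirm the resulting policy set on one node after deployment (for example with `gpresult /r` or the Group Policy Results wizard). Two wording points: line 100+ reads "This requires the LCM user identity having delegated permissions"; "requires that the LCM user identity have delegated permissions" is cleaner. Line 112+ says both "consider" and "taking these factors into consideration"; drop the trailing clause.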

azure-local/update/solution-builder-extension.md

Lines changed: 26 additions & 10 deletions
@@ -75,31 +75,47 @@ The following table provides the hardware update method for different hardware v
7575
| Lenovo | Premier Solutions and specific Integrated Systems:</br><br> MX455 V3, MX450 | Solution Builder Extension | [Azure Local Solution Builder Extension Update - Lenovo](https://thinkagile.lenovo.com/MX/) |
7676
| Lenovo | Other Integrated Systems and Validated Nodes (not previously listed) | [Windows Admin Center Extension](https://dev.azure.com/WindowsAdminCenter/Windows%20Admin%20Center%20Feed/_artifacts/feed/WAC/NuGet/lnvgy_sw_xclarity_integrator_for_wac/overview/4.5.1) | [Lenovo XClarity Integrator for Microsoft Windows Admin Center](https://dev.azure.com/WindowsAdminCenter/Windows%20Admin%20Center%20Feed/_artifacts/feed/WAC/NuGet/lnvgy_sw_xclarity_integrator_for_wac/overview/4.5.1) |
7777

78-
## Discover Solution Builder Extension Updates
79-
80-
The Azure Local Lifecycle Management orchestration integrates Solution Builder Extension updates, which include both Solution Builder Extension (hardware-only) updates and full solution updates for Azure Local and Solution Builder Extension. These updates can be managed using the same update management tools for the Azure portal and PowerShell. This means that you can install an urgent Solution Builder Extension update by itself or a combined "Solution" update using the same process.
78+
## Check for SBE installation
8179

82-
Check to see if you have SBE installed on your registered Azure Local system by running the following command:
80+
To see if you have SBE installed on your registered Azure Local system, run the following command:
8381

8482
```powershell
8583
$Update = Get-SolutionUpdateEnvironment
86-
$Update | ft SbeFamily, HardwareModel, CurrentSbeVersion
84+
$Update | ft SbeFamily, HardwareModel, CurrentSbeVersion, State
8785
```
8886

8987
Here's a sample output
9088

9189
```console
9290
PS C:\Users\lcmuser> $Update = Get-SolutionUpdateEnvironment
93-
PS C:\Users\lcmuser> $Update | ft SbeFamily, HardwareModel, CurrentSbeVersion
91+
PS C:\Users\lcmuser> $Update | ft SbeFamily, HardwareModel, CurrentSbeVersion, State
9492

95-
SbeFamily HardwareModel CurrentSbeVersion
96-
--------- ------------- -----------------
97-
Gen A Contoso680 4.0.0.0
93+
SbeFamily HardwareModel CurrentSbeVersion State
94+
--------- ------------- ----------------- -----
95+
Gen A Contoso680 4.0.0.0 UpdateAvailable
9896
```
9997

10098
> [!NOTE]
10199
> If you don't have an SBE installed the CurrentSbeVersion default is shown as 2.1.0.0.
102100
101+
The following table describes the possible states of the SBE on your Azure Local system. For states requiring action, follow the provided guidance.
102+
103+
| State | Description | Action |
104+
|-----------|----------------|-----------|
105+
| AppliedSuccessfully | The SBE is installed and up to date.| No action required.|
106+
| NeedsAttention | The SBE or Azure Local update requires attention.| [Troubleshoot solution updates for Azure Local](update-troubleshooting-23h2.md).|
107+
| PreparationFailed | The system failed to prepare for the SBE or Azure Local update.| [Troubleshoot solution updates for Azure Local](update-troubleshooting-23h2.md).|
108+
| PreparationInProgress | The system is preparing for an SBE or Azure Local update.| [Track system update progress and history](azure-update-manager-23h2.md#track-system-update-progress-and-history).|
109+
| UpdateAvailable | A new SBE or Azure Local update is available.| [Discover Solution Builder Extension updates](#discover-solution-builder-extension-updates).|
110+
| UpdateFailed | The SBE or Azure Local update failed.| [Troubleshoot solution updates for Azure Local](update-troubleshooting-23h2.md).|
111+
| UpdateInProgress | An SBE or Azure Local update is in progress.| [Track system update progress and history](azure-update-manager-23h2.md#track-system-update-progress-and-history).|
112+
113+
## Discover Solution Builder Extension Updates
114+
115+
The Azure Local Lifecycle Management orchestration queries an established online SBE manifest endpoint for each hardware vendor to determine if there are any new SBE updates for your Azure Local instance. The process of checking for new updates and determining if they're applicable to your Azure Local instance is called **discovering** updates.
116+
117+
Microsoft and your hardware vendor work together to ensure only valid and supported update options are discovered. To determine if the extension updates match, the discovery process checks the current versions of your Azure Local instance against the validated versions recorded in the SBE manifest. If you see an SBE discovered as an option to install, it means your hardware vendor has validated and supports the new combination of SBE and Azure Local versions.
118+
103119
To discover and install SBE or your SBE updates, use one of the methods in the next sections.
104120

105121
### Discover Solution Builder Extension updates via the Azure portal
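Review bot: The new `State` column and the state table at lines 103+ to 111+ do not say what `State` reports when no SBE is installed, yet the NOTE just above the table still describes that case only through `CurrentSbeVersion` defaulting to 2.1.0.0; suggest extending the NOTE (or adding a table row) so a reader who sees the 2.1.0.0 placeholder knows which state to expect. The removed paragraph at 80- also stated that SBE-only and combined "Solution" updates are managed with the same Azure portal and PowerShell tooling and that an urgent SBE update can be installed by itself; the new section at 115+ to 117+ does not carry that over, although the NOTE at 151+ still relies on it, so consider restoring one sentence to that effect. Smaller points: lines 83 and 84+ use the `ft` alias, and `Format-Table` is the documented cmdlet name that readers can copy into scripts; "Here's a sample output" at line 87 needs a colon.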
@@ -132,7 +148,7 @@ Azure Local 2311 bundle Solution 10.2311.0.26 4.1.2312.5 Ready
132148
In the sample output, you can see that two updates are ready to be installed: the standalone **SBE_Contoso_Gen3_4.1.2312.5** update and the combined **Azure Local 2311 bundle** update, which includes the same Solution Builder Extension as identified by the SbeVersion number 4.1.2312.5.
133149

134150
> [!NOTE]
135-
> Microsoft recommends installing the combined Solution update in most cases, to reduce the number of update operations needed to keep your system up to date. You can refer to the `SBEReleaseLink` and `SBENotifyMessage` properties, provided by your hardware vendor in the `AdditionalProperties` of the update, to determine if there's an urgent reason to install a Solution Builder Extension update before the combined solution update.
151+
> Microsoft recommends installing the combined "Solution" update in most cases, to reduce the number of update operations needed to keep your system up to date. You can refer to the `SBEReleaseLink` and `SBENotifyMessage` properties, provided by your hardware vendor in the `AdditionalProperties` of the update, to determine if there's an urgent reason to install a Solution Builder Extension update before the combined solution update.
136152
137153
To determine which update to install, use the **ComponentVersions** and **AdditionalProperties** values from `Get-SolutionUpdate`.
138154
