Sync release-hotfixes with main

sethmanheim · web-flow · commit dfc508a9e0a7 · 2025-04-29T11:19:25.000-07:00
diff --git a/AKS-Arc/TOC.yml b/AKS-Arc/TOC.yml
@@ -181,11 +181,12 @@
       href: check-vm-sku.md
     - name: Connectivity issues with MetalLB
       href: load-balancer-issues.md 
-
   - name: Reference
     items:
     - name: Azure CLI
       href: /cli/azure/aksarc
+    - name: Azure PowerShell
+      href: /powershell/module/az.aksarc/
     - name: REST API reference
       href: /rest/api/hybridcontainer/operation-groups
   - name: Resources
diff --git a/azure-local/concepts/system-requirements-23h2.md b/azure-local/concepts/system-requirements-23h2.md
@@ -6,7 +6,7 @@ ms.author: alkohli
 ms.topic: how-to
 ms.service: azure-local
 ms.custom: references_regions
-ms.date: 04/03/2025
+ms.date: 04/25/2025
 ---
 
 # System requirements for Azure Local
@@ -32,6 +32,10 @@ Here are the Azure requirements for your Azure Local instance:
 
 - **Azure regions**: Azure Local is supported for the following regions:
 
+   # [Azure public](#tab/azure-public)
+
+   These public regions support geographic locations worldwide, for clusters deployed anywhere in the world:
+
    - East US
    - West Europe
    - Australia East
@@ -41,6 +45,15 @@ Here are the Azure requirements for your Azure Local instance:
    - Japan East
    - South Central US
 
+
+   # [Azure Government (Preview)](#tab/azure-government)
+
+   Regions supported in the Azure Government cloud:
+
+   - US Gov Virginia
+
+   ---
+
 - **Azure Key Vault**: Make sure to enable public network access when you set up a key vault. This setting allows Azure Local instances to connect to the key vault without any access issues.
 
 ## Machine and storage requirements
diff --git a/azure-local/deploy/download-23h2-software.md b/azure-local/deploy/download-23h2-software.md
@@ -5,7 +5,7 @@ author: alkohli
 ms.author: alkohli
 ms.topic: how-to
 ms.service: azure-local
-ms.date: 04/23/2025
+ms.date: 04/28/2025
 ---
 
 # Download operating system for Azure Local deployment
@@ -34,7 +34,8 @@ Before you begin the download of the software from Azure portal, ensure that you
 ## Download the software from the Azure portal
 
 > [!IMPORTANT]
-> English is the only supported language for the deployment.
+> - English is the only supported language for the deployment.
+> - For deployments in Azure Government only, download the OS image from the following location: [OS image](https://aka.ms/hcireleaseimage).
 
 Follow these steps to download the software:
 
diff --git a/azure-local/known-issues.md b/azure-local/known-issues.md
@@ -3,7 +3,7 @@ title: Release notes with fixed and known issues in Azure Local
 description: Read about the known issues and fixed issues in Azure Local.
 author: alkohli
 ms.topic: conceptual
-ms.date: 04/24/2025
+ms.date: 04/28/2025
 ms.author: alkohli
 ms.reviewer: alkohli
 ---
@@ -58,6 +58,7 @@ The following table lists the known issues in this release:
 |---------|---------|---------|
 | Add server <br> Repair server <!--32447442--> | The `Add-server` and `Repair-server` cmdlets fail with the error: <br> `Cluster Build ID matches node to add's Build ID`. | Use the OS image of the same solution version as that running on the existing cluster. To get the OS image, contact Microsoft Support or OEM Support. |
 
+
 ## Known issues from previous releases
 
 The following table lists the known issues from previous releases:
@@ -146,6 +147,8 @@ The following table lists the known issues in this release:
 | Updates <!--32073115--> | Updating to 2503.0.13 failed `Update PreRequisites` for Role 'MocArb' with exception: `SyntaxWarning: invalid escape sequence '\W' at CheckAndInstall-CliExtensions`. | For detailed steps on how to resolve this issue, see the [Troubleshooting guide](https://github.com/Azure/AzureLocal-Supportability/blob/main/TSG/Update/).  |
 | Security vulnerability <!--32074481--> | There is a known security vulnerability in this release that may affect security scans for the updates. For more information, see [Azure Arc Installer vulnerability CVE-2025-26627 - Host](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26627) |  |
 | Azure Local VMs <!--32074457O--> | There is a known security vulnerability in this release that may affect security scans for the updates. For more information, see [Azure Arc Installer vulnerability CVE-2025-26627 - Guest](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26627)  |  |
+| Microsoft Defender for Cloud <br><br> Azure Government <!--32555179-->| In the Azure Government cloud, Microsoft Defender for Cloud recommendations for Azure Local do not show up in the Microsoft Defender for Cloud portal.|  |
+| Metrics <br><br> Azure Government <!--IcM-620345316-->| Metrics from Azure Local clusters in the Azure Government cloud fail to reach Azure. As a result, metrics don't show up in the Monitoring, Metrics, or workbook graphs. Metrics based alerts aren't triggered and new alerts can't be set up.|  |
 
 
 ## Known issues from previous releases
diff --git a/azure-local/manage/manage-security-with-defender-for-cloud.md b/azure-local/manage/manage-security-with-defender-for-cloud.md
@@ -4,7 +4,8 @@ description: This article describes how to use Microsoft Defender for Cloud to s
 author: alkohli
 ms.author: alkohli
 ms.topic: how-to
-ms.date: 04/09/2025
+ms.date: 04/23/2025
+
 ms.service: azure-local
 ---
 
@@ -32,15 +33,16 @@ Before you begin, make sure that the following prerequisites are completed:
 Follow these steps to enable Defender for Cloud for Azure Local.
 
 - Step 1: Turn on Foundational CSPM.
-- Step 2: Turn on Defender for Servers for individual machines and Azure Local VMs enabled by Arc.
+- Step 2: Turn on Defender for Servers for individual machines and Azure Local virtual machines (VMs) enabled by Azure Arc.
+
 
 ### Step 1: Turn on Foundational CSPM
 
 This step turns on the basic Defender for Cloud plan—at no extra cost. This plan lets you monitor and identify the steps that you can take to secure Azure Local, along with other Azure and Arc resources. For instructions, see [Enable Defender for Cloud on your Azure subscription](/azure/defender-for-cloud/connect-azure-subscription#enable-defender-for-cloud-on-your-azure-subscription).
 
 ### Step 2: Turn on Defender for Servers for individual machines and Azure Local VMs
 
-This step gets you enhanced security features including security alerts for individual machines and VMs.
+This step gets you enhanced security features including security alerts for individual machines and Azure Local VMs.
 
 To do so, follow all the instructions in the [Enable the Defender for Servers plan](/azure/defender-for-cloud/tutorial-enable-servers-plan#enable-the-defender-for-servers-plan) section, which includes:
 
@@ -100,11 +102,27 @@ After you've [enabled Defender for Cloud for Azure Local](#enable-defender-for-c
 
    To learn more about the security recommendations specific to Azure Local, refer to the [Azure compute recommendations](/azure/defender-for-cloud/recommendations-reference-compute#azure-compute-recommendations) section in the [Compute security recommendations](/azure/defender-for-cloud/recommendations-reference-compute) article.
 
-## Monitor servers and Azure Local VMs
+### Security recommendation exclusions
+
+You can ignore the Windows Defender for Cloud recommendations below for storage accounts and Azure Key Vaults that are associated with Azure Local instances. However, don't ignore these recommendations for other storage accounts and Azure Key Vaults you may have.
+
+| Affected resource | Recommendation | Exclusion reason |
+| --- | --- | --- |
+| Storage account | Storage accounts should have infrastructure encryption. | Storage account encryption isn't supported for Azure Local instances because it doesn't allow passing in an encryption key. |
+| Storage account | Storage accounts should prevent shared key access. | Azure Local supports accessing storage accounts exclusively through shared keys. |
+| Storage account | Storage account should use a private link connection. | Azure Local doesn't currently support private link connections. |
+| Azure Key Vault | Azure Key Vaults should use a private link. | Azure Local doesn't currently support private link connections. |
+| Machine – Azure Arc | Windows Defender Exploit Guard should be enabled on Azure Local machines. | Windows Defender Exploit Guard isn't applicable to server-core SKUs without a GUI such as the Azure Local OS. |
+| Machine – Azure Arc | Azure Local machines should be configured to periodically check for missing system updates. | Azure Local machines shouldn't be updated individually. Use the Azure Local section in Azure Update Manager to update multiple systems or the Updates page on the Azure Local resource view whenever an update is available for the Azure Local instance. Updating individual machines could result in a mixed-mode state, which isn't supported. |
+| Machine – Azure Arc | System updates should be installed on your Azure Local machines using Azure Update Manager. | Azure Local machines shouldn't be updated individually. Utilize the Azure Local section in Azure Update Manager to update multiple systems or the Updates page on the Azure Local resource view whenever an update is available for the Azure Local instance. Updating individual machines could result in a mixed-mode state, which isn't supported. |
+| Machine – Azure Arc | Azure Local machines should have a vulnerability assessment solution. | Microsoft Defender Vulnerability Management doesn't currently support Azure Local. |
 
-Go to the Microsoft Defender for Cloud portal to monitor alerts for individual servers and VMs running on Azure Local. You can utilize the regulatory compliance and attack path analysis features, among other enhanced security features.
+## Monitor Azure Local machines and Azure Local VMs
+
+Go to the Microsoft Defender for Cloud portal to monitor alerts for individual Azure Local machines and Azure Local VMs.
+
+Follow these steps to access the Microsoft Defender for Cloud portal's pages to monitor individual servers and Azure Local VMs:
 
-Follow these steps to access the Microsoft Defender for Cloud portal's pages to monitor individual servers and VMs:
 
 1. Sign into the Azure portal, and search for and select **Microsoft Defender for Cloud**.
 
@@ -114,6 +132,7 @@ Follow these steps to access the Microsoft Defender for Cloud portal's pages to
 
    :::image type="content" source="./media/manage-security-with-defender-for-cloud/defender-for-cloud-overview.png" alt-text="Screenshot of the Defender for Cloud Overview page." lightbox="./media/manage-security-with-defender-for-cloud/defender-for-cloud-overview.png" :::
 
+
 ## Next steps
 
 - [Review the deployment checklist and install Azure Local](../deploy/deployment-checklist.md).
diff --git a/azure-local/whats-new.md b/azure-local/whats-new.md
@@ -5,7 +5,7 @@ ms.topic: overview
 author: alkohli
 ms.author: alkohli
 ms.service: azure-local
-ms.date: 04/24/2025
+ms.date: 04/28/2025
 ---
 
 # What's new in Azure Local?
@@ -69,6 +69,16 @@ This release has the following features and improvements:
 
 This is a baseline release with the following features and improvements:
 
+- **Preview availability of Azure Government cloud** - Azure Local is now available in the US Government regions in preview. Download the latest Azure Stack HCI OS image for Azure Government from [OS image](https://aka.ms/hcireleaseimage). For more information on where Azure Government is supported, see [Azure Local supported regions](./concepts/system-requirements-23h2.md#azure-requirements).
+
+    The following preview features are not supported for Azure Local in Azure Government cloud:
+
+    - [Azure Arc Gateway](./deploy/deployment-azure-arc-gateway-overview.md).
+    - [Deploy using local identity with Key Vault](./deploy/deployment-local-identity-with-key-vault.md).
+    - [Azure Site Recovery](./manage/azure-site-recovery.md).
+    - [Windows Admin Center in Azure portal](/windows-server/manage/windows-admin-center/azure/manage-vm).
+<!--- [Azure Backup](/backup/back-up-azure-stack-hyperconverged-infrastructure-virtual-machines).-->
+
 - **Registration and deployment changes**
   - **Extension installation**: Extensions are no longer installed during the registration of Azure Local machines. Instead, the extensions are installed in the machine validation step during the Azure Local instance deployment. For more information, see [Register with Azure Arc via console](./deploy/deployment-arc-register-server-permissions.md) and [Deploy via Azure portal](./deploy/deploy-via-portal.md).
   - **Register via app**: You can bootstrap your Azure Local machines using the Configurator app. The local UI is now deprecated. For more information, see [Register Azure Local machines using Configurator app](./deploy/deployment-arc-register-configurator-app.md).
diff --git a/azure-stack/user/kubernetes-aks-engine-release-notes.md b/azure-stack/user/kubernetes-aks-engine-release-notes.md
@@ -127,7 +127,7 @@ You can find the supported Kubernetes versions for AKS Engine on Azure Stack Hub
 | [v0.80.2](https://github.com/Azure/aks-engine-azurestack/releases/tag/v0.80.2)   | [AKS Base Ubuntu 20.04-LTS Image Distro (2024.032.1)](https://github.com/Azure/aks-engine-azurestack/blob/v0.80.2/vhd/release-notes/aks-engine-ubuntu-2004/aks-engine-azurestack-ubuntu-2004_2024.032.1.txt), [AKS Base Windows Server 2019 Image Containerd (17763.5329.20240321)](https://github.com/Azure/aks-engine-azurestack/blob/v0.80.2/vhd/release-notes/aks-windows-2019-containerd/2019-datacenter-core-azurestack-ctrd-17763.5329.20240321.txt) | 1.27.10**, 1.28.6** | API Model Samples ([Linux](https://github.com/Azure/aks-engine-azurestack/blob/96b45e116aef6ae2e5031561b0e10621ae86a068/examples/azure-stack/kubernetes-azurestack.json), [Windows](https://github.com/Azure/aks-engine-azurestack/blob/96b45e116aef6ae2e5031561b0e10621ae86a068/examples/azure-stack/kubernetes-windows.json)) |
 | [v0.80.3](https://github.com/Azure/aks-engine-azurestack/releases/tag/v0.80.3)   | [AKS Base Ubuntu 20.04-LTS Image Distro (2024.032.1)](https://github.com/Azure/aks-engine-azurestack/blob/v0.80.2/vhd/release-notes/aks-engine-ubuntu-2004/aks-engine-azurestack-ubuntu-2004_2024.032.1.txt), [AKS Base Windows Server 2019 Image Containerd (17763.5329.20240321)](https://github.com/Azure/aks-engine-azurestack/blob/v0.80.2/vhd/release-notes/aks-windows-2019-containerd/2019-datacenter-core-azurestack-ctrd-17763.5329.20240321.txt) | 1.27.10**, 1.28.6** | API Model Samples ([Linux](https://github.com/Azure/aks-engine-azurestack/blob/96b45e116aef6ae2e5031561b0e10621ae86a068/examples/azure-stack/kubernetes-azurestack.json), [Windows](https://github.com/Azure/aks-engine-azurestack/blob/96b45e116aef6ae2e5031561b0e10621ae86a068/examples/azure-stack/kubernetes-windows.json)) |
 | [v0.81.1](https://github.com/Azure/aks-engine-azurestack/releases/tag/v0.81.1)   | [AKS Base Ubuntu 20.04-LTS Image Distro (2024.311.1)](https://github.com/Azure/aks-engine-azurestack/blob/master/vhd/release-notes/aks-engine-ubuntu-2004/aks-engine-azurestack-ubuntu-2004_2024.311.1.txt), [AKS Base Windows Server 2019 Image Containerd (17763.6414.20243111)](https://github.com/Azure/aks-engine-azurestack/blob/master/vhd/release-notes/aks-windows-2019-containerd/2019-datacenter-core-azurestack-ctrd-17763.6414.20243111.txt) | 1.28.15**, 1.29.10** | API Model Samples ([Linux](https://github.com/Azure/aks-engine-azurestack/blob/0ea7973bb1826b7607086d4741b73313d72ce256/examples/azure-stack/kubernetes-azurestack.json), [Windows](https://github.com/Azure/aks-engine-azurestack/blob/0ea7973bb1826b7607086d4741b73313d72ce256/examples/azure-stack/kubernetes-windows.json)) |
-| [v0.82.1](https://github.com/Azure/aks-engine-azurestack/releases/tag/v0.82.1)   | [AKS Base Ubuntu 20.04-LTS Image Distro (2025.079.2)](https://github.com/Azure/aks-engine-azurestack/blob/master/vhd/release-notes/aks-engine-ubuntu-2204/aks-engine-azurestack-ubuntu-2204_2025.079.2.txt), [AKS Base Windows Server 2019 Image Containerd (17763.7009.20250792)](https://github.com/Azure/aks-engine-azurestack/blob/master/vhd/release-notes/aks-windows-2019-containerd/2019-datacenter-core-azurestack-ctrd-17763.7009.20250792.txt) | 1.29.15**, 1.30.10** | API Model Samples ([Linux](https://github.com/Azure/aks-engine-azurestack/blob/master/examples/azure-stack/kubernetes-azurestack.json), [Windows](https://github.com/Azure/aks-engine-azurestack/blob/master/examples/azure-stack/kubernetes-windows.json)) |
+| [v0.82.1](https://github.com/Azure/aks-engine-azurestack/releases/tag/v0.82.1)   | [AKS Base Ubuntu 22.04-LTS Image Distro (2025.079.2)](https://github.com/Azure/aks-engine-azurestack/blob/master/vhd/release-notes/aks-engine-ubuntu-2204/aks-engine-azurestack-ubuntu-2204_2025.079.2.txt), [AKS Base Windows Server 2019 Image Containerd (17763.7009.20250792)](https://github.com/Azure/aks-engine-azurestack/blob/master/vhd/release-notes/aks-windows-2019-containerd/2019-datacenter-core-azurestack-ctrd-17763.7009.20250792.txt) | 1.29.15**, 1.30.10** | API Model Samples ([Linux](https://github.com/Azure/aks-engine-azurestack/blob/master/examples/azure-stack/kubernetes-azurestack.json), [Windows](https://github.com/Azure/aks-engine-azurestack/blob/master/examples/azure-stack/kubernetes-windows.json)) |
 
 > [!NOTE]  
 > *Starting from Kubernetes v1.21, only the [Cloud Provider for Azure](https://github.com/Azure/aks-engine-azurestack/blob/master/docs/topics/azure-stack.md#cloud-provider-for-azure) is supported on Azure Stack Hub.
