review-2

Author: v-thpra

learn-pr/azure/plan-deploy-azure-arc-enabled-servers/6-best-practices-server-management.yml

@@ -1,15 +1,15 @@
-### YamlMime:ModuleUnit
-uid: learn.azure.plan-deploy-azure-arc-enabled-servers.best-practices-server-management
-title: Best practices for Azure Arc-enabled servers management and services in Azure
-metadata:
-  title: Best practices for Azure Arc-enabled servers management and services in Azure
-  description: Overview of how to best leverage Azure services for security, governance, and observability of Azure Arc-enabled servers.
-  ms.date: 03/22/2023
-  author: aurnovcy
-  ms.author: aurnovc
-  ms.topic: unit
-azureSandbox: false
-durationInMinutes: 5
-content: |
-  [!include[](includes/6-best-practices-server-management.md)]
-
+### YamlMime:ModuleUnit
+uid: learn.azure.plan-deploy-azure-arc-enabled-servers.best-practices-server-management
+title: Best practices for Azure Arc-enabled servers management and services in Azure
+metadata:
+  title: Best practices for Azure Arc-enabled servers management and services in Azure
+  description: Overview of how to best use Azure services for security, governance, and observability of Azure Arc-enabled servers.
+  ms.date: 03/22/2023
+  author: aurnovcy
+  ms.author: aurnovc
+  ms.topic: unit
+azureSandbox: false
+durationInMinutes: 5
+content: |
+  [!include[](includes/6-best-practices-server-management.md)]
+

learn-pr/azure/plan-deploy-azure-arc-enabled-servers/7-knowledge-check.yml

@@ -1,60 +1,60 @@
-### YamlMime:ModuleUnit
-uid: learn.azure.plan-deploy-azure-arc-enabled-servers.knowledge-check
-title: Module assessment
-metadata:
-  title: Module assessment
-  description: Knowledge Check
-  ms.date: 03/22/2023
-  author: aurnovcy
-  ms.author: aurnovc
-  ms.topic: unit
-azureSandbox: false
-durationInMinutes: 4
-content: |
-  [!include[](includes/7-knowledge-check.md)]
-quiz:
-  title: "Check your knowledge"
-  questions:
-  - content: "Which of the following services can you not use with Azure Arc-enabled servers?"
-    choices:
-    - content: "Governance through Azure Policy and Guest Configuration"
-      isCorrect: false
-      explanation: "Azure Policy and Guest Configuration can be used for governance of Azure Arc-enabled servers."
-    - content: "Security through Microsoft Defender for Cloud and Microsoft Sentinel"
-      isCorrect: false
-      explanation: "Microsoft Defender for Cloud and Microsoft Sentinel can be used for improved security posture of Azure Arc-enabled servers."
-    - content: "Observability through Azure Monitor and Log Analytics"
-      isCorrect: false
-      explanation: "Azure Monitor and Log Analytics can be used for observability into Azure Arc-enabled servers."
-    - content: "Deploying configurations using GitOps"
-      isCorrect: true
-      explanation: "Correct. Azure Arc-enabled Kubernetes supports deploying configurations using GitOps, however Azure Arc-enabled servers does not."
-  - content: "Which of the following actions does the Azure Connected Machine Onboarding identity have permission to perform?"
-    choices:
-    - content: "Delete servers that are already registered"
-      isCorrect: false
-      explanation: "This is outside the scope of the Azure Connected Machine Onboarding identity."
-    - content: "Create new Azure Arc-enabled servers in Azure"
-      isCorrect: true
-      explanation: "Correct. This is within the scope of the Azure Connected Machine Onboarding identity."
-    - content: "Manage VM extensions for Azure Arc-enabled servers"
-      isCorrect: false
-      explanation: "This is outside the scope of the Azure Connected Machine Onboarding identity."
-    - content: "Read servers outside of Azure Arc-enabled servers within the resource group"
-      isCorrect: false
-      explanation: "This is outside the scope of the Azure Connected Machine Onboarding identity."
-  - content: "Which of the following cannot be used to automate deployment of the Connected Machine Agent to multiple machines?"
-    choices:
-    - content: "Azure Policy"
-      isCorrect: true
-      explanation: "Non Azure machines are outside of the reach of Azure Policy until they have been onboarded to Azure Arc-enabled servers."
-    - content: "Group Policy"
-      isCorrect: false
-      explanation: "Group Policy can be used with a scheduled task that runs the onboarding script for at scale deployment."
-    - content: "Systems Center Configuration Manager"
-      isCorrect: false
-      explanation: "Configuration Manager can be used to deploy the onboarding script to a collection of devices."
-    - content: "Service Principal"
-      isCorrect: false
-      explanation: "The Service Principal identity can be used instead of using your privileged identity to interactively connect to machines at scale."
-
+### YamlMime:ModuleUnit
+uid: learn.azure.plan-deploy-azure-arc-enabled-servers.knowledge-check
+title: Module assessment
+metadata:
+  title: Module assessment
+  description: Knowledge Check
+  ms.date: 03/22/2023
+  author: aurnovcy
+  ms.author: aurnovc
+  ms.topic: unit
+azureSandbox: false
+durationInMinutes: 4
+content: |
+  [!include[](includes/7-knowledge-check.md)]
+quiz:
+  title: "Check your knowledge"
+  questions:
+  - content: "Which of the following services can you not use with Azure Arc-enabled servers?"
+    choices:
+    - content: "Governance through Azure Policy and Guest Configuration."
+      isCorrect: false
+      explanation: "Azure Policy and Guest Configuration can be used for governance of Azure Arc-enabled servers."
+    - content: "Security through Microsoft Defender for Cloud and Microsoft Sentinel."
+      isCorrect: false
+      explanation: "Microsoft Defender for Cloud and Microsoft Sentinel can be used for improved security posture of Azure Arc-enabled servers."
+    - content: "Observability through Azure Monitor and Log Analytics."
+      isCorrect: false
+      explanation: "Azure Monitor and Log Analytics can be used for observability into Azure Arc-enabled servers."
+    - content: "Deploying configurations using GitOps."
+      isCorrect: true
+      explanation: "Correct. Azure Arc-enabled Kubernetes supports deploying configurations using GitOps however Azure Arc-enabled servers don't."
+  - content: "Which of the following actions does the Azure Connected Machine Onboarding identity have permission to perform?"
+    choices:
+    - content: "Delete servers that are already registered."
+      isCorrect: false
+      explanation: "This action is outside the scope of the Azure Connected Machine Onboarding identity."
+    - content: "Create new Azure Arc-enabled servers in Azure."
+      isCorrect: true
+      explanation: "Correct. This action is within the scope of the Azure Connected Machine Onboarding identity."
+    - content: "Manage virtual machine extensions for Azure Arc-enabled servers."
+      isCorrect: false
+      explanation: "This action is outside the scope of the Azure Connected Machine Onboarding identity."
+    - content: "Read servers outside of Azure Arc-enabled servers within the resource group."
+      isCorrect: false
+      explanation: "This action is outside the scope of the Azure Connected Machine Onboarding identity."
+  - content: "Which of the following methods can't be used to automate deployment of the Connected Machine Agent to multiple machines?"
+    choices:
+    - content: "Azure Policy"
+      isCorrect: true
+      explanation: "Non Azure machines are outside of the reach of Azure Policy until they're onboarded to Azure Arc-enabled servers."
+    - content: "Group Policy"
+      isCorrect: false
+      explanation: "Group Policy can be used with a scheduled task that runs the onboarding script for at scale deployment."
+    - content: "Systems Center Configuration Manager"
+      isCorrect: false
+      explanation: "Configuration Manager can be used to deploy the onboarding script to a collection of devices."
+    - content: "Service Principal"
+      isCorrect: false
+      explanation: "The Service Principal identity can be used instead of using your privileged identity to interactively connect to machines at scale."
+

learn-pr/azure/plan-deploy-azure-arc-enabled-servers/includes/3-test-azure-arc-enabled-server-capabilities.md

@@ -91,4 +91,4 @@ To install with the script, you must run the downloaded script from PowerShell i
 
 1. Change to the folder or share where you copied the script and execute it on the server by running the `./OnboardingScript.ps1` script.
 
-Now that you have an Azure Arc-enabled server, you can begin to test Microsoft Defender for Cloud, Azure Monitor, Azure Policies, VM Extensions, and the range of Azure Arc-enabled server capabilities.
+Now that you have an Azure Arc-enabled server, you can begin to test its functionality. Including, Microsoft Defender for Cloud, Azure Monitor, Azure Policies, VM Extensions, and the range of Azure Arc-enabled server capabilities.

learn-pr/azure/plan-deploy-azure-arc-enabled-servers/includes/4-plan-secure-configuration.md

@@ -16,7 +16,7 @@ The Azure Connected Machine Onboarding role is available for at-scale onboarding
 
 Users with the Azure Connected Machine Resource Administrator role can read, modify, reonboard, and delete a machine. This role is designed to support management of Azure Arc-enabled servers, but not other resources in the resource group or subscription.
 
-Additionally, the Azure Connected Machine agent uses public-key authentication to communicate with the Azure service. After you onboard a server to Azure Arc, a private key is saved to the disk and used whenever the agent communicates with Azure. If stolen, the private key can be used on another server to communicate with the service and act as if it were the original server. This includes getting access to the system-assigned identity and any resources to which that identity has access. The private key file is protected to only allow the HIMDS account access to read it. To prevent offline attacks, we strongly recommend the use of full disk encryption (for example, BitLocker, dm-crypt, etc.) on the operating system volume of your server.
+Additionally, the Azure Connected Machine agent uses public-key authentication to communicate with the Azure service. After you onboard a server to Azure Arc, a private key is saved to the disk and used whenever the agent communicates with Azure. If stolen, the private key can be used on another server to communicate with the service and act as if it were the original server. A stolen private key can also get access to the system-assigned identity and any resources to which that identity has access. The private key file is protected to only allow the HIMDS account access to read it. To prevent offline attacks, we strongly recommend the use of full disk encryption (for example, BitLocker, dm-crypt, etc.) on the operating system volume of your server.
 
 ## Azure Policy Governance
 
@@ -38,7 +38,7 @@ Regulatory Compliance in Azure Policy provides Microsoft created and managed ini
 - NIST SP 800-53 Rev. 5
 - UK OFFICIAL and UK NHS
 
-Before deploying Azure Arc-enabled servers to a resource group, you can systemically define and assign Azure Policies with their respective remediation tasks at the resource group, subscription, or management group level, to ensure that auditing and compliance guardrails are in place.  
+Before deploying Azure Arc-enabled servers to a resource group, you can systemically define and assign Azure Policies with their respective remediation tasks at the resource group, subscription, or management group level. By configuring your Azure Policies up front, you ensure that auditing and compliance guardrails are in place.
 
 ## Secure Networking with Private Link
 

learn-pr/azure/plan-deploy-azure-arc-enabled-servers/includes/5-explore-methods-onboard-servers.md

@@ -21,7 +21,7 @@ For at-scale deployment of Arc-enabled servers, you can use a privileged identit
 
 | Method | Description |
 |---|---|
-| **Connect Multiple Machines with Service Principal** | To securely connect machines to Azure Arc at scale, you can use a Microsoft Entra service principal instead of using your privileged identity to interactively connect the machine. A service principal is a special limited-management identity that's granted only the minimum permission necessary to connect machines to Azure using the `azcmagent` command. This approach is safer than using a higher privilege and follows our access control security best practices. The service principal is used only during onboarding. It isn't used for any other purpose. |
+| **Connect Multiple Machines with Service Principal** | To securely connect machines to Azure Arc at scale, you can use a Microsoft Entra service principal instead of using your privileged identity to interactively connect the machine. A special limited-management identity, a service principal is only granted the minimum permission necessary to connect machines to Azure using the `azcmagent` command. This approach is safer than using a higher privilege and follows our access control security best practices. The service principal is used only during onboarding. It isn't used for any other purpose. |
 | **Update Management (Azure portal)** | You can easily connect non-Azure servers managed by the Update Management service to Azure via Azure Arc. You can select these non-Azure servers directly in the Azure portal, and the deployment happens automatically. |
 
 You can use a range of existing software configuration products to deploy the Arc-enabled server agent to machines at scale. The script for deployment should rely on the Azure Service Principal method, because the single server script for deployment requires separate authentication for each server.

learn-pr/azure/plan-deploy-azure-arc-enabled-servers/includes/6-best-practices-server-management.md

@@ -10,7 +10,7 @@ Arc-enabled servers can be monitored through Azure Monitor or Log Analytics. Eva
 
 ## Ensure Arc-enabled Server Connectivity
 
-Create a Resource Health alert to alert when an Arc-enabled Server is no longer connected. If a server stops sending heartbeats to Azure for longer than 15 minutes, it can mean that it's offline, the network connection has been blocked, or the agent isn't running. Develop a plan for how you'll respond and investigate these incidents and use Resource Health alerts to get notified when they start. Specify the following settings when configuring the alert:
+Create a Resource Health alert to alert when an Arc-enabled Server is no longer connected. If a server stops sending heartbeats to Azure for longer than 15 minutes, it might be offline, the network connection could be blocked, or the agent isn't running. You should develop a plan for how to respond and investigate these incidents and use Resource Health alerts to be notified when they start. Specify the following settings when configuring the alert:
 
 - **Resource type = Azure Arc-enabled servers**
 
@@ -28,10 +28,10 @@ For the best experience and most recent security and bug fixes, we recommend kee
 
 ## Beginning using Azure services
 
-As a foundation for managing Azure Arc-enabled servers, we recommend organizing machines with tags, connecting to Log Analytics workspaces, and assigning Azure Policies. With the right observability and governance in place, you'll be able to more easily use other Azure services like Microsoft Defender for Cloud, Microsoft Sentinel, and Azure Automanage.
+As a foundation for managing Azure Arc-enabled servers, we recommend organizing machines with tags, connecting to Log Analytics workspaces, and assigning Azure Policies. With the right observability and governance in place, you're able to more easily use other Azure services like Microsoft Defender for Cloud, Microsoft Sentinel, and Azure Automanage.
 
 | Recommendation | Description |
 |---|---|
 | Apply tags to help organize machines | Evaluate and develop an IT-aligned tagging strategy that can help reduce the complexity of managing your Azure Arc-enabled servers and simplify making management decisions. |
 | Design and deploy Azure Monitor Logs | Evaluate design and deployment considerations to determine if your organization should use an existing or implement another Log Analytics workspace to store collected log data from hybrid servers and machines. |
-| Develop an Azure Policy governance plan | Determine how you'll implement governance of hybrid servers and machines at the subscription or resource group scope with Azure Policy. |
+| Develop an Azure Policy governance plan | Determine how you want to implement governance of hybrid servers and machines at the subscription or resource group scope with Azure Policy. |

learn-pr/azure/plan-deploy-azure-arc-enabled-servers/includes/7-knowledge-check.md

@@ -1 +1 @@
-Choose the best response for each of the questions below.
+Choose the best response for each of the following question.

learn-pr/azure/plan-deploy-azure-arc-enabled-servers/includes/8-summary.md

@@ -1,8 +1,8 @@
-Over the course of this module, you've explored the planning and deployment of Azure Arc-enabled servers at scale for customers like Wide World Importers. You understood how Azure Arc-enabled servers delivers Azure services such as Microsoft Defender for Cloud, Azure Policy, Azure Monitor, and VM extensions to servers across on-premises, multicloud, and edge environments through the Connected Machine Agent. 
+Over the course of this module, you explored the planning and deployment of Azure Arc-enabled servers at scale for customers like Wide World Importers. You understood how Azure Arc-enabled servers delivers Azure services. Such as, Microsoft Defender for Cloud, Azure Policy, Azure Monitor, and virtual machine (VM) extensions to servers across on-premises, multicloud, and edge environments through the Connected Machine Agent.
 
-First, you explored how to easily simulate an Azure Arc-enabled server using an Azure VM. Next, you learned about the built-in and added security considerations around planning a large deployment. You also learned about the range of different deployment methods that Azure Arc-enabled servers supports. Finally, you learned about best practices with deploying Azure Arc-enabled servers.
+First, you explored how to easily simulate an Azure Arc-enabled server using an Azure VM. Next, you learned about the built-in and added security considerations around planning a large deployment. You also learned about the range of different deployment methods supported by Azure Arc-enabled servers. Finally, you learned about best practices with deploying Azure Arc-enabled servers.
 
-Wide World Importers' compute infrastructure is complex, global, and hybrid. Azure Arc-enabled servers offers a powerful way to streamline security, governance, and visibility across your firm's entire digital estate. While deploying at-scale across your enterprise can be daunting, Azure Arc-enabled servers offers the testing, security, and support guidance to help you realize Azure capabilities more easily.
+The compute infrastructure of Wide World Importers is complex, global, and hybrid. Your testing and research found that using Azure Arc-enabled servers is a powerful way to streamline security, governance, and visibility across your firm's entire digital estate. While deploying at-scale across your enterprise can be daunting, Azure Arc-enabled servers offers the testing, security, and support guidance to help you realize Azure capabilities more easily.
 
 ## Learn more