Thanks for joining today on our session focused on cloud operations for Windows Server enabled by Azure Arc. Today we're going to be providing a brief overview of Azure Arc. Next, we'll dive into security capabilities followed by monitoring and topping off with governance. Arc offers you a single control plane where you get visibility to your Windows Server instances on-prem alongside your Azure Virtual Machines. Here we're looking at Tailwind Server 4. That's an on-prem Windows Server instance that we've connected to Azure Arc. We see that alongside our Azure Virtual Machines. And then as an Azure native resource we're able to tag it, monitor it, govern it and include it in our Azure Resource Graph from a query perspective. Zooming out, this affords you a map view, visibility into your sprawling Windows Server estate all from a single control plane. Offering you this unified inventory view regardless of where your asset sits. This is powered through the Connected Machine Agent, a lightweight agent deployed on your Windows Server instances. And the Connected Machine Agent has three core components. The Hybrid Instance Metadata Service, HIMDS, which establishes a connection to Azure and sends heartbeats to sync. Guest Configuration or Machine Configuration which powers robust governance capabilities. And finally, Extension Manager that allows you to manage and deploy Azure VM extensions like Custom Script Extension or Azure Monitor. And these extensions allow you to leverage the different security, patching, monitoring capabilities just like for your Azure native resources, for your Arc-enabled resources that continue to sit on-prem. Together, these three components constitute the Connected Machine Agent deployed on each of your Windows Server instances to establish a connection to Azure and enable the cloud operations capabilities we'll be drilling into today. So let's get after it and talk about securing your Windows Servers with Azure Arc.
Top of mind for a lot of our customers is how you can extend the robust cloud security posture management and workload protection capabilities of Microsoft Defender for Cloud and specifically, its specialized Defender for Servers capabilities for your on-prem or multi-cloud Windows Server instances. Through Azure Arc, you're able to get not just security logging and vulnerability assessment, but actual remediation with prioritized security recommendations for your on-prem or multi-cloud Windows Server instances. These prioritized recommendations are easily actionable with the cloud operations directly from Azure. Moreover, you're able to factor these into a secure score and get soft analytics, including regulatory compliance views, to match them against showcasing what cloud operations from a security perspective look like for Windows Server instances through Azure Arc. Now, we've logged in to Azure Portal, and what you're seeing here today is Microsoft Defender for Cloud. Microsoft Defender for Cloud is really what powers the unified cloud security posture management and workload protection capabilities for your Azure native resources, but also your on-prem and multi-cloud Azure resources as well, connected through Arc. Like I was showing earlier, your Azure Arc experience is actually going to connect and surface for you your recommendations. And so here we're able to see prioritized security recommendations. And these security recommendations are not specific to just your Azure environment, they extend to your AWS, GCP environments as well. So here we can zoom out and see all of our recommendations across our virtual environments, including those connected Arc-enabled servers. Moreover, we're able to really drill in from an inventory perspective. So whether it's an Azure VM with Windows Server or an Arc-enabled server that we've connected, we're able to get specific recommendations for it.
So here I'm looking at a specific instance that's Tailwind Server 4, an on-prem Windows Server instance that I've connected. I can see some of its tagging, and I can actually drill into specific gaps or vulnerabilities it's recommending. For example here, it's telling me that the Windows Server instance should be configured to use secure protocols. What's really neat is it's not just providing me a description of the issue. It's actually providing me point-and-click remediation as well as the ability to accept. We have the ability to trigger a logic app, and in this case enable machine configuration to enable TLS on this machine. Or we can exempt this resource if we want. Additionally, we have the ability to prevent this for future resources as well. So when you think about your Arc-enabled servers connected to Defender for Cloud, it's not just prioritized security recommendations, but the remediation of that that's built into the Azure control plane. Zooming out from our more granular inventory view, we also have the ability to benchmark against a regulatory compliance perspective. And for example, we can do comparisons against things like the Microsoft Cloud Security Benchmark or NIST, and we can identify potential gaps and on-demand our SOC analysts could generate queries. And these queries and reporting are going to extend across not just our Windows Server on Azure, but also on-prem. What about security logging and monitoring? Well, we have an answer to that too with Microsoft Sentinel. But as we get more into that, I'll hand it over to Thomas who will speak to the monitor capabilities enabled by Azure Arc.
Thank you, Arnolf. So my name is Thomas, and we are going to talk about how you can monitor your Windows Server from Azure using Azure management tools such as Azure Monitor directly from the cloud, even if it's running on-premises using Azure Arc. So there's obviously multiple things you can monitor, right?
There's obviously the standard monitoring things, the performance monitoring and the insights you can get, also to set up alerts, if for example, a disk is running out of space. But there's also a little bit of security you can add with Microsoft Sentinel, our AI-powered SIEM solution, which can help you to detect attacks in your environment and also build these alerts and defense mechanisms as well. So we're going to have a look at all of that, but I really want to make it about how you manage your servers. And one of the great ways of showing you and talking about this, this is going to be showing you a demo. So let's switch to my demo environment here. And as you can see, we are here in the Azure portal. Now that said, something else which is very important when we talk about Azure Arc, most of the things you can actually do is not just in the portal, it's also in the APIs and Azure Resource Manager. So you can also automate all these kind of like processes using the CLIs or PowerShell APIs or even like infrastructure as code. So let's talk about monitoring for now. I have a couple of servers here in environment. Again, these are running on-premises in my little data center or in different locations all over the world or even at other cloud providers. And I have a Hyper-V server here. This is a server which is actually a physical machine and runs a couple of VMs. So let's see how we can manage that. And I've showed you already a couple of things and some basics around this. Let's talk about monitoring. So one thing you can do if you scroll down, you have this monitor setting here. Again, you notice probably from Azure Virtual Machines, if you have that. And if you look at insights, you get some basic information how to set this up. And if you go on performance, you get the performance monitoring you want from a monitoring tool such as Azure Monitor. So I can see here like the disk performance, how much they're utilized, how much space I have left. 
I can also see the CPU utilization here as well. I can also see memory, disk IOs, disk throughput, latency of the disk, which is very important for a lot of the applications. And then also obviously some networking stuff as well. And I can set up more and more of this data as much as I want. The way this data actually gets collected is the data, the Azure monitoring agent is sending that information to Azure. And so even if the server, for example, is at this moment not reachable, I can still go back in time and have a look at all this information as well. And I can also obviously look at this in Azure Monitor in a centralized view. You can also have a look at that. Another great feature I like very much is the dependency map. So what I can do here is I see the server here, for example, this is Hyper-V01. And I can see what clients are actually connecting to that specific server. So I get that information, what is coming in, who is actually connecting to that machine. But I also see where this server is connecting to. So you have here the different ports. So it's ordered by ports. So I can see here there's some outgoing traffic on port 443 or on port 80. But then also obviously some stuff on the local network, for example, for DNS and so on. So if I open this up, I can actually see what DNS connections that server makes. And if you look at port 443, I can open this up. And it says servers, to which servers are we actually connecting? But to be honest, in my opinion, I like the word endpoints a little bit more because again this can be a public endpoint as you can see here. So we have all these endpoints we are connecting to on port 443. Something interesting I want to show you. If you look at this, you can also see the Arc APIs here, which are basically reached over port 443 here as well. And that's why they also show up obviously in Azure Monitor. So I can see the dependencies here. And I can also see in red here if there are any failed connections.
So if I see this server is connecting to some IP addresses which do not work in this case, I see these red connections. I can see the failed connection as well. So this is very helpful if you want to see what's going on or also what dependencies are there with this server. So this all gets delivered by actually sending logs to the Azure management plane. And if you want to have a little bit more on like, okay, I want to have a little bit of a deeper understanding, I can also click here on logs. Now this provides me with the Kusto Query Language here. So for example, with KQL, you can basically use that to create your own queries to go through the different logs here. And you can see here, there are a bunch of things you can actually directly select like performance logs. You also have the security logs here. So that is what I'm actually interested in. So I'm building this query here. And this is like a super complex query here: whole security events for the last 24 hours on that server. And so I get the result for that in just a bit and get all these logs that I can actually browse through. However, I can also then create some more advanced queries here and say, hey, I wanna only show the security events for specific time or specific event ID, for example, and I get all these logs so I can browse through all that information. So pretty cool. Again, if you're managing your servers at scale, this is like something you definitely wanna use to actually monitor. And again, as I mentioned, you can obviously also set up alerting. So if you know you're running out of disk space and things like that, you can set up alerts and then get notified, build some automation that it sends either a notification, a text, an email, a direct Teams message or even open a direct ticket in your ticketing system, for example. So again, this is great, especially if you do monitoring at scale, but sometimes you need to troubleshoot something.
And so what I wanna show you here very, very quickly is Windows Admin Center. So if I click on Windows Admin Center here, this is the Windows Admin Center you probably know from on-premise solution, but it's built into the Azure portal and it allows me to create a connection to that specific server. So now I create an interactive connection to that specific system. So you can see here, it looks like Windows Admin Center you use on-prem. So now I get live data from that system. So I can see here like CPU utilization, but this time I get actually some really nice graphs you can see here, they're automatically updating, same for memory and so on. So I get all that basic information. I also can directly browse the event log. So I showed you the events before, but this is now just directly accessing the event log, right? So everything which is actually stored in event logs, I can now browse directly in this. So if I wanna go to the system events, I can actually go through this or if I wanna do the security events, I can click on this and I can also open up the security events as well. And so this is similar as you would probably open the MMC on one of these servers to open up the event log. You can actually directly do that now from the Azure portal. And the great power here of this, again, shows like what Azure Arc can do. This server can be basically running anywhere in the world and I can now securely access that system directly from the Azure portal. So I need to use, for example, multi-factor authentication or a managed device to actually log in to the Azure portal. But now from here, I can actually do that all securely. Another big part, especially when it comes to troubleshooting, I think many of you Windows Server admins out there have probably used that before and that's performance monitor. So you're probably familiar with this old Perfmon tool you have on your Windows Server or your Windows machine.
We built a new one directly within the Windows Admin Center which is a web-based solution which you can also use in Windows Admin Center in the Azure portal. So if I click on performance monitor here, I can basically create a new workspace here. And then similar as you probably know before, I would add different counters here what I want to actually monitor. Now in my case, let's make a simple example and just do processor and then select the specific instances here. So I have like all my cores here from one to seven basically my eight core machine here. And then I can also say what counter. So in this case, let's just look at processor time. And now I basically get a line chart as a basic here. Now if I zoom in here, you can see here now what is actually going on and I have some live data which I can browse through and look at this as well. So this is pretty powerful. Again, I'm making very simple example here but whatever you have done before with Perfmon, you can also do that now in Windows Admin Center. And also if you use Azure Arc directly in the Azure portal which is pretty exciting. The last but not least feature I want to show you is actually Microsoft Sentinel, right? You can also connect your data and actually send this to Microsoft Sentinel. And this will help you detect threats and fight those and actually find out if there is everything good or bad in your network and actually go and work with these attacks. This is not just like for Windows Server obviously. This can pull in all kinds of like log information and security data from all over different scenarios. So if you look at the different resources here, you have different information from Azure and on-prem appliances but also from other cloud providers as well. So if I just scroll through here a little bit, you can see here there's a ton of different solutions you can actually pull data in. 
So again, Azure Monitor, a powerful solution when it comes to monitor your Windows servers and with Arc you can even use that for on-premises Windows servers as well. So pretty excited. So with that, I wanna give it over to Jodi who's gonna talk about how to govern your Windows Server using Azure Arc.
Awesome. Thanks so much, Thomas. Great to hear about the monitoring capabilities on Windows Server. I feel like whenever there's a presentation on monitoring, I'm learning one new thing that I'm taking away for myself. So kind of continuing on that same angle of now you have these Azure Arc enabled servers connected in your environment. Sort of what's the next step? You can monitor but how do you organize these resources? How do you track compliance of these resources? And how do you actually enforce change in a safe and consistent manner? That's where we're gonna be talking today about some of the services that can help you govern these Windows servers including Azure Update Management as well as Azure Policy and Machine Configuration. So we're really excited about some new capabilities with Azure Update Manager that allows you to actually have a unified patching assessment and delivery of updates to your Windows servers connected to Azure Arc. And similarly on the policy side, we're gonna be going through some of the built-in policies that you can apply to get started improving the compliance of your servers right away with remediation across again, these versatile security and organizational standards. And one thing that we get asked about a ton when we're talking about some of the capabilities on Azure Arc is really what's the guest management story here? And how do I actually impact and monitor and change these settings that are going on within the guest operating system? So we're gonna be talking about these three things and then we'll be hopping over into the Azure portal again for a quick demo.
So Azure Policy is really the way that you can control and govern your servers at scale. And again, this isn't gonna be news to anybody who is managing virtual machines or other resources today in Azure but it becomes especially powerful when you're able to extend those same controls to your Arc-enabled resources, especially for Windows Server. So the first thing we're gonna be talking about briefly is some of the enforcement and compliance capabilities. So in policy, we actually offer real-time policy evaluation and enforcement. So you're able to see across a really wide range of servers what your most recent TLS setting is and we'll be going through that in a demo. How you match your organization's security benchmarks, how you can ensure that certain extensions are either allowed or disallowed. And this is done through both a periodic as well as an on-demand compliance evaluation. So if you need to understand what the compliance of that resource is in between policy evaluations, you're able to again trigger that on-demand scan through our APIs. And we again also have that guest management through machine config policies and we'll be going through what that looks like in the portal as well shortly. And the reason that we keep talking about this at scale story here as well with Azure Arc is because connecting into Azure allows you the opportunity to really think about how you want to organize these resources in a way that aligns with the optimal structure for your organization or applications, between resource groups, subscriptions, management groups, you're really able to control both the environment as well as the resources, really well at scale and make sure that all of the resources within these scopes are compliant. And to do this, we have the concept of policies which map to individual rules or initiatives which represent that group of policies. 
But of course, there's always going to be the question of, I've applied this policy across thousands of servers on a management group level but I have a legacy application within this subscription that I want to make sure is exempt from this specific policy rollout. You can also exclude subscopes or create exemptions so that certain resources are not touched by these policies as well. And of course, the third thing, the thing that everyone's interested in, remediation and automation. So with all of these capabilities, if this is going to be done sort of at each individual scope or if this needs to be done manually, that's going to actually like create quite a lot of work for you as admins to go ahead and do. So you're allowed to remediate existing resources at scale and actually trigger a remediation action across the entire scope of that policy definition. And you can actually even trigger automatic remediations at deployment time. And so this is actually really powerful because once you create the guardrails within your Azure environment, whenever you add a new resource into the scope of an existing policy definition, that change will happen actually by default. So say again, we'll use the TLS example. Say you wanna ensure that your servers are running the most up-to-date version of TLS. If that policy is set to deploy at the management group scope, if you add a new server into that scope, that change will happen by default once it's connected into Azure. And again, you can trigger functions, logic apps or even web hooks connected to Event Grid to again trigger these compliance state changes, trigger a remediation task in the event of compliance state changes. But what does this really mean in the context of guest management? So today the machine configuration service allows you to dynamically assign configurations through Windows servers as well as even your Linux machines running in Azure and anywhere else through Arc-enabled servers. 
And this provides continuous auditing and enforcement of configuration settings with this at scale, as well as granular reporting. And one thing I really like to touch on here is even if your server becomes disconnected or is turned off, the most up-to-date compliance information will still be in Azure. So you're able to conduct these compliance scans even if that machine is turned off. We store all of those records for you. But how do you get started? With machine configuration, we have two main ways that you can deploy the service. The first one is through built-in content, through built-in policies that are provided and maintained by Microsoft. And you're even allowed to bring in your own best practice configurations into Azure through custom artifact deployment and PowerShell DSC. But let's go over into the portal and see what this looks like. So we're going to touch on Azure Update Manager and let's just check out what that unified patching capability looks like. So we can see in this subscription that I'm in, we have 40 pending updates across six machines and we're able to really easily see which Windows updates we need to be concerned about. And you're able to, again, sort of filter between your resource groups, locations, resource types, workloads, MSRC severity, which is super important, depending on how often you're coming to analyze these patches as well. And what's really, really cool here as well is you can trigger a one-time update or you can actually go ahead and schedule these updates so that they occur within a patching window. So we can add a schedule here where we can say that this patch can start on maybe Saturday during off-time and we're giving it almost four hours to go ahead and complete the necessary patches. So this really gives you a lot of reliability in terms of the way that you're able to conduct your updates across your Arc-enabled servers.
And we're super excited about this and all of the other work that you can do through Azure Update Manager. So let's go in and check out the Azure Policy Portal. So as I mentioned, we have a lot of built-in content that teams across Microsoft publish so that you're able to use their services as well as Azure broadly in a really easy point-and-click way. So you can see that we have initiatives here that span really common security best practices as well as built-in policies where you can configure your time zone across Windows machines. Microsoft Update should be enabled on Windows servers. Like the list here really goes on and on for the number of policies that you can apply quite easily to your Arc-enabled servers. So we're gonna go ahead and take a look at, again, a policy where you can audit your TLS on your Windows servers. And if you're specifically interested in what guest management capabilities we provide by default, you can click into the policy category and then go into the guest configuration category. So you can see here that you can configure secure communication protocol across your Windows machines. And we can go in and assign that to the Arc-enabled servers that we have within the subscription. So what we're gonna go ahead and do is just quickly click into the scope that we're interested in monitoring. So we'll go to the subscription that I'm working in and we'll just collect the entire subscription for now. But optionally, if you wanted to exclude an individual resource or resource group, you could exclude that as well. So there's some really cool features, actually, that are important, I think, as you're rolling out these policies to really large surfaces and large numbers of servers, which are resource selectors as well as overrides. So one of the things that we like to talk about is really making sure that the policies that you're rolling out are being done in a very safe and gradual manner.
So one of the ways that we provide this is through resource selectors. And what this lets you do is trim down the total number of resources that this policy is gonna be applied to at one time. And a few of the examples that we have here are between resource types, resource locations, or subscription level resources. And so let's say that you have a subscription where you have both Arc-enabled servers as well as Azure VMs that are also Windows servers, you could choose which resource that you wanted to roll this out to first or you could decide to toggle to a specific resource that maybe has less traffic to foresee what the compliance results are and then how that enforcement takes effect on a lower traffic region before expanding it to the total number of regions where you're operating these servers. And overrides here as well allow you to change the effect without modifying a policy definition. So in policy, there are a couple of different effects. Audit if not exists, which audits the configuration of those resources and deploy if not exists, which actually again sort of deploys the change that you've specified within the policy definition. Now let's say that you actually wanted to roll this out in audit only first so that you could see the compliance results of your policy ahead of rolling out a pretty widespread change and potentially causing an adverse effect. You could change the effect of this policy without actually having to go in and change the line of code within the policy definition. In this case, we're using the Azure portal but as Thomas mentioned, one of the really great things about Azure through the Azure Resource Manager is you can access and manage these resources through every supported client. So PowerShell, CLI, Terraform, Bicep, ARM templates, you name it.
And so instead of having to go and change references to the code where that effect is being labeled, you can actually just go ahead and add this override and we'll take that into account in the policy definition so that you're having to go make that change. So to make sure that this applies to your Arc Connected servers, you can just go ahead and toggle this to true and then you're good to go ahead and review and create the policy. One of the things that I wanna show you though is what it actually means to monitor the compliance of these policies and how you can actually fix events of non-compliance. So let's just go ahead and look at the TLS policy that I was able to apply earlier and we can see here that within this resource group only one out of three servers is compliant. And so we're able to super easily create a remediation task where we are able to bring these two servers into compliance through upgrading them to TLS 1.2. So I hope that this helped give you a little bit of a taste on what's possible through Azure policy as well as Azure Update Manager. Hope you enjoy the rest of your day. Thanks for listening in.