Introduction:
Managing Windows Server benefits licensing across hybrid environments can be challenging. Azure Arc combined with Azure Policy simplifies this by automatically enforcing licensing compliance. This blog explains how the provided policy works and how to deploy it.
Why implement this policy?
Automating Windows Server Licensing Benefits with Azure Arc Policy ensures that all eligible machines are seamlessly enabled for essential management services, including Azure Update Manager, Best Practice Assessment, Change Tracking, Inventory, and Windows Admin Center integration. For organizations managing hundreds or thousands of servers, manual enablement can be time-consuming and error-prone. This policy continuously monitors your environment, automatically identifying newly added machines and highlighting those missing the required benefits, so you can maintain compliance and streamline operations at scale.
This Learn document details the benefits available when Windows Server is connected via Azure Arc, especially for machines with Software Assurance or subscription licenses: https://learn.microsoft.com/en-us/azure/azure-arc/servers/windows-server-management-overview?tabs=portal
Note – Ensure that your organization has the proper Software Assurance Benefits to cover the machines that are being assigned. For billing information, see "Windows Server Management enabled by Azure Arc" on Microsoft Learn.
"Customers need to explicitly attest for their Azure Arc-enabled servers or enroll in Windows Server pay-as-you-go to be exempt from billing for these services. Eligibility isn't inferred directly from the enablement to Azure Arc. Eligibility is not inferred from licensing status for the Azure Arc-enabled SQL Server instances that may be connected to an Azure Arc-enabled."
Policy Purpose and Logic
The policy ensures Arc-enabled Windows Servers are licensed correctly. It evaluates machines based on OS type, license status, and conditions for Software Assurance or Pay-As-You-Go. If compliance is missing, a remediation policy deploys the appropriate license profile.
Key Conditions
- Applies to resources of type Microsoft.HybridCompute/machines with osType = windows.
- Checks if licenseProfile.licenseStatus equals Licensed.
- Uses existenceCondition to determine if the machine should have SA or PAYG licensing based on osSku and licenseChannel.
Deployment Details
The policy uses DeployIfNotExists effect. It deploys licenseProfiles under the Arc machine resource. Two scenarios are handled:
- Pay-As-You-Go: If licenseChannel contains 'PGS', productProfile.subscriptionStatus is set to Enabled.
- Software Assurance: If licenseChannel does not contain 'PGS', softwareAssuranceCustomer is set to true.
The Policy
The policy is located in GitHub (Link) and AzPolicyAdvertiser (Link).
Download the policy files to be used in the following steps.
Policy Description
For a 2025 server, if the license type is Pay-as-you-go, the policy checks the Pay-as-you-go box in the license menu. If the machine is a 2025 server without a Pay-as-you-go license, or is not a 2025 server, the policy checks the Software Assurance box. This policy only checks Windows Server resources and will NOT check unlicensed servers.
How to Deploy the Policy
After downloading the policy file, use Az PowerShell to create and assign the policy:
#Create policy definition
New-AzPolicyDefinition `
-Name "activate-azure-benefits-for-windows-arc-machines" `
-DisplayName "Activate Azure Benefits for Windows Arc Machines" `
-Policy 'azurepolicy.json' `
-ManagementGroupName "<MyManagementGroup>" `
-Mode Indexed
#Assign policy definition
$Policy = Get-AzPolicyDefinition -Name 'activate-azure-benefits-for-windows-arc-machines' -ManagementGroupName "<ScopeOfDefinitionCreation>"
New-AzPolicyAssignment `
-Name "activate-arc-benefits" `
-DisplayName "Activate Azure Benefits for Windows Arc Machines" `
-PolicyDefinition $Policy `
-Scope "/providers/Microsoft.Management/managementGroups/<MyManagementGroup>" `
-Location 'eastus' `
-IdentityType 'SystemAssigned'
# Optional: to assign at subscription scope instead of a management group, set -Scope to:
# "/subscriptions/<SubscriptionId>"
You can also copy and paste the contents of the policy into the portal or use a policy-as-code solution of your choice.
Compliance
The compliance blade of the Azure Policy will show the machines that do not abide by the policy definition. In this example many of the machines are not enabled for the Windows Server Benefits. The next step will be to use remediation tasks to enable these machines.
On the Policy Remediation blade, you can initiate a remediation task to add the machines to enable the Azure Arc Benefits.
Choose between the two radio button options for remediating all the selected locations, a single location, or select specific resources to remediate.
When the Remediate button is pressed, a task is submitted and a notification will be displayed when the task is completed.
The process may take some time and a status of In Progress will be displayed until the status changes to Complete.
After this is completed, go back and look at the Azure Arc Benefits – Windows Server Blade and you will see the machines activated.
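A scripted counterpart to the portal steps above, added here as an example and not part of the original post or the policy repository: it lists the machines the assignment reports as non-compliant, starts a remediation task, and waits for it to finish. It assumes the Az.PolicyInsights module, the assignment name activate-arc-benefits from the deployment step, and that the assignment's managed identity already holds the roles listed in the policy's roleDefinitionIds (assignments created through PowerShell do not receive them automatically); the task name and polling interval are illustrative choices.

```powershell
# Added example, not the policy author's code. Replace the <...> placeholder before running.
$MgName         = '<MyManagementGroup>'
$Scope          = "/providers/Microsoft.Management/managementGroups/$MgName"
$AssignmentName = 'activate-arc-benefits'   # assignment name from the deployment step
$AssignmentId   = "$Scope/providers/Microsoft.Authorization/policyAssignments/$AssignmentName"

# 1. List the Arc machines this assignment currently reports as non-compliant.
$nonCompliant = @(Get-AzPolicyState -ManagementGroupName $MgName `
    -Filter "PolicyAssignmentName eq '$AssignmentName' and ComplianceState eq 'NonCompliant'")

if ($nonCompliant.Count -eq 0) {
    Write-Output 'No non-compliant machines reported; nothing to remediate.'
}
else {
    $nonCompliant | Select-Object ResourceId, ComplianceState | Format-Table -AutoSize

    # 2. Start a remediation task for the assignment (default discovery mode:
    #    resources already evaluated as non-compliant).
    $taskName = "arc-benefits-$(Get-Date -Format 'yyyyMMddHHmmss')"   # hypothetical naming scheme
    Start-AzPolicyRemediation -Name $taskName `
        -ManagementGroupName $MgName `
        -PolicyAssignmentId $AssignmentId | Out-Null

    # 3. Poll until the task reaches a terminal state, with an upper bound of 30 minutes
    #    so an unexpected state cannot loop forever.
    $terminal = 'Succeeded', 'Failed', 'Canceled', 'Complete'
    for ($i = 0; $i -lt 60; $i++) {
        Start-Sleep -Seconds 30
        $task = Get-AzPolicyRemediation -Name $taskName -ManagementGroupName $MgName
        Write-Output "Remediation '$taskName': $($task.ProvisioningState)"
        if ($task.ProvisioningState -in $terminal) { break }
    }

    # 4. Show how many license-profile deployments succeeded or failed.
    #    Failures here usually point to missing role assignments on the managed identity.
    $task.DeploymentSummary | Format-List
}
```

Policy compliance results can lag behind a successful remediation until the next evaluation, so the compliance blade may not reflect the change immediately.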
Note on Pay-as-you-go enablement
When a Windows machine is deployed using Pay-as-you-go, as an example a new Windows Server 2025 machine, the status of the license after creation will be “Unlicensed” as shown below. The policy is not evaluating Unlicensed machines. The machine will need to have the Pay-as-you-go with Azure check box checked at least one time to “License” the machine.
After the machine is Licensed the License details will show:
If the benefits are later removed from the machine by unchecking the box, the machine will be audited by the policy. As an example, the Arc machine would show that the License type is Pay-as-you-go, Licensed, Disabled (for the Azure Benefits).
Summary
This policy automates Windows Server licensing for Arc-enabled machines. It ensures compliance by deploying license profiles for Software Assurance or Pay-As-You-Go scenarios. Deploying this policy reduces manual effort and enforces consistent licensing across your hybrid environment.