Management
618 Topics

Servers not rebooting following update (WSUS)
Has anyone else encountered an issue with servers sometimes not rebooting straight away following an update installed via WSUS? It sits at restart pending for 24 hours, until the next update check is due, then reboots. This is particularly an issue with terminal servers because (for reasons best known to Microsoft), these offer ordinary users the option to update and restart (under normal circumstances, only an admin has the restart option visible). So there is a whole day where one person could inadvertently reboot a terminal server, thereby potentially causing others logged in to lose what they are working on.

I've trawled through the event log on an affected server, and I can't see any clear reason why it doesn't reboot immediately on all occasions (with some updates it does reboot - this behaviour is not consistent). The affected updates seem to be .NET monthly cumulative ones, but I can't say for sure whether it's only them affected, nor is it clear whether only terminal servers do this (I hope to clarify this with testing over the next few weeks). However, either way it's the terminal servers which are the problem - the other servers are only accessible by admins, who know not to reboot them during working hours unless really necessary.

Thanks

34 Views, 0 likes, 1 Comment

Windows Server 2025 Terminal Servers - start menu pinned icons
I'm designing the config for some terminal servers running Server 2025. I want to pin specific icons to the start menu. In Server 2022 (or Windows 10), this was simply a process of setting up the reference machine how I wanted it, then Export-StartLayout -Path "C:\Export\MStartMenuLayout.xml" to generate the config file, which was then applied using the GPO Computer Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Start Layout - this worked fine.

On Server 2025 (and Windows 11), however, it appears that this doesn't work the same any more. Although the export command works, it generates a JSON file now rather than an XML. OK, so I saved the file with the JSON extension, and copied the old GPO, amending the name of the config file to point to the new one. However, it still doesn't work and this documentation: https://learn.microsoft.com/en-us/windows/configuration/start/layout?tabs=intune-10%2Cintune-11&pivots=windows-11 would appear to indicate that it can only be done using Intune. If it was Windows 11 I could do that, but as this is Server 2025 it isn't an option - Intune cannot manage server OSs even if I wanted to do that.

Can anyone suggest any alternative methods of doing this? All I want to do is configure a common set of pinned apps for all users - I'm not bothered about configuring any other aspects of the start menu as the defaults are OK.

Thanks

90 Views, 1 like, 0 Comments

Server 2019 reporting wrong build via PowerShell
Hi, I've had this issue both this month and also in September. Both times, after installing the patch Tuesday update, my management tool is providing the wrong build for Windows Server 2019 due to a very strange issue. When manually looking in the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" I see that the build (for November) is 6532. However, when I retrieve the exact same data using PowerShell, it reports back with build 6530? Does anyone know why these builds are different? Is this just a Microsoft issue? I've only ever had this issue these two specific months, never before...

51 Views, 0 likes, 1 Comment

WAC - Server not addable from AD
Hi, I installed actual WAC public preview with my domain account (local admin) on a Server 2025 (26257). When I start WAC and I want to add Windows Server I can't search Active Directory, because it says: "We can’t search Active Directory because the Windows Admin Center computer isn’t joined to an Active Directory domain. It’s also possible that your account doesn’t have permission to read from Active Directory." Can you help, because server is domain joined. SPN is also set on AD Computer Account with http/admincenter.domain.internal.

506 Views, 1 like, 2 Comments

Azure Change Tracking & Inventory: Simplified onboarding to manage in-guest changes on Azure Arc VMs
Explore the new Azure native few-clicks onboarding experience for Change Tracking & Inventory on Azure Arc servers, streamlining in-guest change management operations, while strengthening your adaptive cloud strategy.

Azure Automation is revising Service and Subscription Limits
Starting 7th January 2025, Azure Automation will be revising its Service and Subscription limits to ensure fair distribution of cloud resources across all customers. This change is another step towards improving the reliability and performance of the service while optimizing resource utilization. Since the resource requirements vary across organizations and evolve over time, we are empowering customers to configure their quotas based on actual usage.

Revised limits

The current Service and Subscription limits for Azure Automation can be found here. To start with, we are revising the limits for two resources:

- Maximum number of Automation accounts in a subscription in a region.
- Maximum number of concurrent running jobs at the same instance of time per Automation account

You will get an error message when you exceed the limits mentioned below:

Resource: Maximum number of Automation accounts in a subscription in a region
- Limit: 10. Notes: Enterprise and CSP subscriptions would be able to create accounts in any of the regions supported by the service.
- Limit: 2. Notes: Pay-as-you-go, Sponsored, MSDN, MPN, Azure Pass subscriptions can create Automation accounts in any of the regions supported by the service.
- Limit: 1. Notes: Free trial, Azure for Student, Azure in Open subscriptions can create only one Automation account per region per subscription. Allowed list of regions: EastUS, EastUS2, WestUS, NorthEurope, SoutheastAsia, and JapanWest2

Resource: Maximum number of concurrent running jobs at the same instance of time per Automation account per region
- Limit: 50. Notes: Enterprise and CSP subscriptions
- Limit: 10. Notes: Pay-as-you-go, Sponsored, MSDN, MPN, Azure Pass subscriptions
- Limit: 5. Notes: Free trial, Azure for Student, Azure in Open subscriptions

Frequently asked questions

When will the new limits come into effect?
New limits would be effective starting 7th January 2025 across all commercial regions. Your patience during the transition period is appreciated.

How do I check my current resource usage?
You will be able to check your usage of Automation accounts and concurrently running jobs through Quotas service on Azure portal or while creating a support request under the category ‘Service and Subscription limits (Quotas)’. Quotas service on Azure portal will be enabled once deployment starts in January 2025.

My current usage is more than the revised limits. What should I do?
Rest assured that your current usage of both resources - Automation accounts and concurrent running jobs - will be honored and will not be impacted. For example, consider you are an Enterprise customer. Your new limit is 10 Automation accounts and current usage is 12 accounts. Even though your usage is higher than the new limit, your usage of 12 accounts would be honored and then considered as your new limit. When you exceed the new limit of 12 accounts, you would get an error.

I need more resources than my current limits. What should I do?
You will get complete control to request for quota increase and decrease based on your changing business requirements. Once the changes are deployed in January 2025, you will be able to check your current usage, current limit and request for quota changes by creating a support request under the category ‘Service and Subscription limits (Quotas)’ for ‘Azure Automation’. Detailed steps to request for quota changes would be shared once deployment starts in January 2025.

Please feel free to reach out to askazureautomation@microsoft.com for any questions or feedback.

Ensure failover capacity at optimal cost with Azure Site Recovery
Business Continuity and Disaster Recovery (BCDR) is becoming increasingly crucial as the data estates of customers are growing. Azure Site Recovery (ASR) is the Virtual Machine (VM) Disaster Recovery (DR) service provided by Azure and is a key component of several customers' BCDR strategies. ASR enables the replication of workloads from a primary location to a secondary location. In the event of an outage at the primary site, workloads can be accessed from the secondary location by failing over. Once the primary location is operational again, it is possible to fail back to it.

In this article, we address a common question: How can you improve the chances of capacity availability for completing failovers at optimal costs?

When planning the Disaster Recovery strategy, it’s essential to understand that the cloud ecosystem operates on a shared responsibility model between customers and cloud providers. If compute capacity is unavailable in the DR region due to some reasons, failovers may fail with allocation issues. Therefore, it is recommended to identify the workloads that require high SLA for capacity availability in the DR location, based on business criticality or compliance requirements. For these critical workloads, you are recommended to opt-in for On-Demand Capacity Reservations when using Azure Site Recovery. When you configure capacity reservation group with ASR, Capacity Reservation SLA gets added for failovers in DR location. Please keep in mind that capacity reservation has cost implications.

How can cost be optimized for capacity reservations?

Capacity Reservations are priced at the same rate as the underlying VM size. To optimize cost when using Capacity Reservation along with ASR, you can also use Azure VM Reserved Instances or Azure Savings plan for compute. This is because capacity reservations are eligible for Savings Plan and Reserved Instances term commitments discounts.
Azure Reserved Instances or Azure Savings Plan do not provide any capacity SLA but provide discounted rates for commitments whereas Capacity Reservation provides the capacity SLA. Keep in mind that reserved instances or savings plan only cover the compute cost of VMs; additional costs (like OS license cost, software licenses, etc.) will still apply.

Azure Reserved Instances allows you to commit to one-year or three-year term of compute capacity by paying up-front or monthly at a discounted rate compared to pay-as-you-go rates, enabling customers to save up to 72% for the VM cost. Azure Savings Plan allows you to reduce compute usage costs by up to 65% compared to pay-as-you-go rates by making an hourly spend commitment across all in-scope instances.

Depending on your workloads pattern and needs, you can decide between a savings plan and a reservation. If you have workloads that run continuously and are stable, Azure Reserved Instance may be the preferable option. If you have workloads that are dynamic and evolving, Azure Savings Plan may be a preferable option.

If you are using Azure Reserved Instances for the ASR protected workload configured for regional protection, note that the targeted region would not be covered by the Reserved Instance pricing that was being applied in the source region. The target region would require its own Azure Reserved Instance commitment to cover the additional VMs in the failed over region. Since failed over workloads are typically short term and tend to be failed back to the original source, you will need to determine if additional Reserved Instance commitments make sense for your situation.

If you are using Azure Savings plan, ensure ASR failed over VMs are within scope of the savings plan. With Azure savings plan, hourly usage charges incurred from savings plan-eligible resources, which are within the benefit scope of the savings plan, are discounted and applied to your hourly commitment until the hourly commitment is reached.
Illustration

Let us take an example of an Azure Reserved Instance:

- Source location of VMs: East US2
- Target location: West US2
- 2 VMs: each of D4s_v5 (4 vCPU, 16 GiB RAM), one running Windows utilizing Azure Hybrid Benefit and the other Linux. Both these VMs have ASR configured with the source VM size configured for ASR target as well.
- Target resource group named: asr-westus2-rg
- You have also associated a Capacity Reservation Group while configuring ASR on each of above VMs. This associated capacity reservation group has two (2) VM instances of size D4s_v5.

By default, capacity reservation will utilize the pay-as-you-go pricing of the D4s_v5 VM. The cost for this capacity reservation will be for two D4s_v5 VMs in West US2 per month (2*140.16 = USD 280.32). So irrespective of whether you have failed over to West US2 or not, you will keep paying USD 280.32 per month for capacity reservation.

Now, you purchase reserved instance for 2 VMs of size D4s_v5 in West US2 for a commitment term of 3 years with the scope as single resource group (asr-westus2-rg) which is same resource group used as target resource group for ASR. The price for reserved instance for 3-year term is (2*51.8592 = 103.7184) USD 103.7184 per month, thus having ~63% of cost savings. This reserved instance applies to your capacity reservation, and you are paying USD ~104 per month effectively.

Please note that prices in the illustration are from Pricing - Windows Virtual Machines | Microsoft Azure as on 08-Nov-2024. For Windows, Azure Hybrid Benefits (AHB) were also applied while making the above calculations. Prices are estimates only and are not intended as actual price quotes. Actual prices may vary.

[Screenshot of price from Azure Pricing Page for Windows OS with AHB applied]

Conclusion

Using Capacity Reservation along with Reserved Instances or Savings plan together can provide high SLAs for capacity availability at discounted rates.
One thing to note before we conclude this article is that you can use Azure Site Recovery to perform global disaster recovery to replicate VM between any two regions if Azure Site Recovery supports them. These 2 regions can be non-paired regions as well.

Please note: Scope of this article is disaster recovery for Azure VMs.

Everything New in Azure Governance @ Ignite 2024
You've come to the right place if you're looking for everything happening with Azure Governance at Microsoft Ignite, November 19-22, 2024. Azure Governance is an ecosystem of neatly integrated services that provide the ability to ensure speed and control across your cloud environment. From enforcing rules in your cloud environment to querying the state of your resources at-scale, Azure Governance services keep your resources secure and compliant with corporate standards.

The Azure Governance team is excited to share all the following new features across our product portfolio. For each of the features, you will find an accompanying announcement with scenario details, documentation and blog posts to follow along!

Azure Change Analysis

Change Actor – Generally Available

We are excited to announce the General Availability of Change Actor in Azure, a feature that enhances Change Analysis by identifying who made changes to your resources and how. With this update, you can audit changes across all tenants and subscriptions, seeing who initiated changes and with which identity. Changes are available in under five minutes and are queryable for fourteen days, allowing for timely auditing and troubleshooting. Additionally, you can craft charts and pin results to Azure dashboards based on specific change queries through Azure Resource Graph, providing a comprehensive view of changes across your environment.
[Figure: Change Actor experience in Azure Portal]

Overview of change analysis: https://learn.microsoft.com/azure/governance/resource-graph/changes/get-resource-changes?tabs=azure-cli
Change analysis portal experience: https://learn.microsoft.com/azure/governance/resource-graph/changes/view-resource-changes
Change actor blog announcement: https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/announcing-the-general-availability-of-change-actor/4171801

Azure Policy

Policy Versioning support Built-in Definitions – Public Preview

With Versioning, you can now gradually ingest built-in definition changes with zero-gap in enforcement! All Azure Policy built-in definitions will now follow a standardized version pattern: at assignment time, simply specify the version number of the built-in definition to enforce on your environment. Have a previous definition version already assigned? Leverage assignment-level selectors and overrides property to gradually update the assignment to the latest version of the built-in definition. Additionally, versioning awareness is displayed in compliance logs on a per-resource basis, enhancing your ability to govern and evolve your cloud governance policies with greater agility.

Tech Community Blog: https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/public-preview-announcement-azure-policy-built-in-versioning/4186105
MS Learn Documentation: https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure-basics#version-preview

Query Component-level policy compliance in Azure Resource Graph

Effortlessly query policy compliance down to the component-level across your AKS, Key Vault, and Managed HSM resources in Azure Resource Graph! With component-level granularity of AKS Policy compliance, you can verify if your pods are using approved base images, audit the labelling of your namespaces or ensure your Managed HSM instances configure the required security settings—all through ARG.
Through a unified experience with Azure Policy and Azure Resource Graph, you can gain deeper insights into the compliance state of each AKS component with precision, ensuring your resources are always in line with your organization’s standards.

[Figure: AKS Policy component-level compliance in ARG]

CEL-based support for AKS Policy (preview)

Introducing CEL and VAP support in AKS Policy! Common Expression Language (CEL) is a Kubernetes-native expression language that can be used to declare validation rules of a policy. Validating Admission Policy (VAP) feature provides in-tree policy evaluation, reduces admission request latency, and improves reliability and availability. The supported validation actions include Deny, Warn, and Audit. Custom policy authoring for CEL/VAP is allowed, and existing users won't need to convert their Rego to CEL as they will both be supported and be used to enforce policies. You'll be able to view violation messages at request time and audit results in the portal just like with Rego.

MS Learn documentation: https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#171

Support for Expansion in AKS Policy

Introducing expansion, a shift left feature that lets you know up front whether your workload resources (Deployments, ReplicaSets, Jobs, etc.) will produce admissible pods. Expansion shouldn't change the behavior of your policies; rather, it just shifts Gatekeeper's evaluation of pod-scoped policies to occur at workload admission time rather than pod admission time. To enable expansion for a given policy definition, set .policyRule.then.details.source to All, and if needed, use a mutation with source Generated to mutate the what-if pods for evaluation purposes.
MS Learn documentation: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#170

Expanded list of Policy for AKS Built-In Definitions – Generally Available

Azure Policy has expanded the list of mutation built-in definitions for Azure Kubernetes Service (AKS). These new definitions allow you to automatically remediate the configuration of your AKS pods and containers at scale across your cluster. With this update, you can manage and enforce configuration changes more efficiently, ensuring consistency and compliance within your AKS environment. With Mutation policies, you can:

- Enforcing Resource Limits: Automatically set resource limits on pods and containers to prevent any single workload from consuming too many resources.
- Injecting Sidecars: Mutate pod specifications to include sidecar containers for logging, monitoring, or security purposes, without requiring changes to the original pod definitions.
- Setting Environment Variables: Specify the environment variables set in containers, which can be used for configuration or to pass secrets securely.

MS Learn documentation: https://learn.microsoft.com/azure/aks/policy-reference

Azure Machine Configuration

Support for User Assigned Identity Based Access for Configuration Packages – Generally Available

User Assigned Identity support for configuration package access in Azure Machine Configuration is now Generally Available, reinforcing our commitment to security and simplicity in at-scale server management for all Azure customers. This feature enhances your server configuration management lifecycle by providing a secure and straightforward alternative to the use of Shared Access Signature (SAS) Tokens for anonymous access. With User Assigned Identities, you can now privately access configuration packages stored in Azure Storage Blobs, ensuring that your server management operations are both secure and efficient.
Tech Community Blog: Securely store your Machine Configuration packages in Azure Storage using User Assigned Identities
MS Learn Documentation: https://learn.microsoft.com/azure/governance/machine-configuration/how-to/create-policy-definition

SSH Posture control through Machine Configuration – Generally Available

Additional built-in capabilities to enhance your Linux management scenarios are now generally available through Azure policy and Machine Configuration! Through new built-in policies, you can manage your SSH configuration settings declaratively at-scale. SSH Posture Control also provides detailed Reasons describing how compliance or non-compliance was determined. These Reasons help you to document compliance for auditors with confidence and evidence. They also enable you to take action when non-compliance is observed.

MS Learn documentation: https://learn.microsoft.com/azure/osconfig/overview-ssh-posture-control-mc

Azure Resource Graph

ARG PowerBI – Generally Available

We are pleased to announce General Availability of the Azure Resource Graph Power BI connector! Now, you can run queries against your Azure resources and visualize the results directly in Power BI. With seamless integration, you can connect Azure Resource Graph with Power BI Desktop or Power BI service to analyze your Azure resources, and the connector has an optional setting to return all records if your query results exceed 1,000 records. This feature provides deeper insights and more control over your Azure resources, enhancing your ability to manage and govern your cloud infrastructure.

Learn documentation: https://learn.microsoft.com/azure/governance/resource-graph/power-bi-connector-quickstart?tabs=power-bi-desktop

Azure Resource Graph Copilot – Public Preview

With the release of the Azure Resource Graph (ARG) skill within Copilot, customers can access the ARG query skill through Azure Portal or GitHub Copilot.
Questions about resource governance like “how many Linux VMs do I own” will be sent to the ARG Skill. With this release, customers can easily turn natural language questions into ARG queries. ARG Copilot helps users create queries to quickly surface insights about resources and simplify operational investigations.

[Figure: ARG Copilot in Azure Portal]

[Figure: ARG Copilot in GitHub Copilot]

MS Learn documentation: https://learn.microsoft.com/azure/copilot/get-information-resource-graph

ARG GET/LIST API - Private preview

Now available for private preview is the Azure Resource Graph GET/LIST API, a highly scalable, fast, and performant alternative to existing control plane GET and List API calls within the Azure ecosystem. This API allows you to mitigate issues related to throttling, such as performance degradation and failed requests, offering a 10X higher Read throttling quota to callers, ensuring faster and more efficient read operations for your critical cloud native workload. Contact argpms@microsoft.com to join the private preview program!

Azure Resource Manager

All New Azure Resource Manager Throttling Experience

We are thrilled to announce the modernization of Azure Resource Manager throttling. This upgrade introduces a revamped throttling experience for Azure subscriptions, bringing increased limits and a token bucket algorithm for managing API requests! Throttling limits have increased by roughly 30 times for writes, 2.4 times for deletes, and 7.5 times for reads.
Tech Community Blog: https://azure.microsoft.com/updates?id=azure-resource-manager-throttling
Learn documentation: https://learn.microsoft.com/azure/azure-resource-manager/management/request-limits-and-throttling

Azure Resource Notification

ContainerServiceEventResources System Topic for AKS - Public Preview

We are excited to announce public preview of the Azure Resource Notification ContainerServiceEventResources system topic that empowers customers with proactive notifications for critical AKS cluster maintenance events, covering statuses such as scheduled, started, and completed. By enhancing planning capabilities, this feature reduces operational disruptions and minimizes costs, allowing you to manage maintenance with greater confidence and efficiency.

MS Learn documentation: https://learn.microsoft.com/azure/event-grid/event-schema-containerservice-resources

Stay Updated

Keep in touch with Azure Governance products, announcements, and key scenarios.

- Bookmark the Azure Governance Tech Community Blog, then follow us @AzureGovernance on X (previously known as Twitter)
- Share Product feedback/ideas with us here - Azure Governance · Community
- For questions, you can reach us at:
  Azure Policy: policypm@microsoft.com
  Azure Resource Graph: argpms@microsoft.com