azure arc
Public Preview: Audit and Enable Windows Recovery Environment (WinRE) for Azure Arc-enabled Servers
Windows Recovery Environment (WinRE) is a separate, isolated recovery environment that enables diagnostics and repair when a system encounters a critical failure, such as a stop error (commonly known as the blue screen of death). WinRE provides a reliable fallback for mission-critical workloads, allowing IT administrators to recover systems quickly and securely.

With this Public Preview, Azure Arc introduces a set of Azure Policies that let organizations audit and enable WinRE across their fleet of Arc-enabled Windows Servers. These policies are powered by the Machine Configuration component of the Azure Connected Machine agent, which evaluates and enforces configuration securely and reports compliance. Through the Azure Policy, the agent detects whether WinRE is configured and reports its health status. If WinRE is not configured but the WinRE partition has already been provisioned, the configure policy can enable WinRE; provisioning the partition itself is a prerequisite, not something the policy performs.

These Azure Policies are available at no additional cost for servers covered under:
- Windows Server 2012 Extended Security Updates (ESUs)
- Microsoft Defender for Servers Plan 2
- Windows Server Software Assurance attestation
- Windows Server Pay-as-you-Go licensing
For other servers, the policies incur the charges associated with Azure Machine Configuration.

To get started, assign these Azure Policies to the Azure Arc-enabled servers in your existing subscription:
- [Preview]: Audit Windows machines that do not have Windows Recovery Environment (WinRE) enabled
- [Preview]: Configure Windows Recovery Environment (WinRE) on Windows machines
As with other remediating (deployIfNotExists) machine configuration policies, the Configure policy assignment needs a managed identity so that remediation tasks can create the machine configuration assignment on each server.

Auditing and enabling WinRE through Azure Arc is one more way Azure Arc adds resiliency across hybrid, multicloud, and edge workloads.
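The policy reports WinRE state from inside the guest; before rolling it out fleet-wide it is worth confirming what a single server looks like locally. The script below is an added example, not code from the post or from the Azure Connected Machine agent: it reads the same facts the audit relies on (reagentc status, presence of a recovery partition or a staged Winre.wim) and only calls reagentc /enable in the remediable case the post describes. It assumes English reagentc output, the standard GPT recovery partition type GUID (or MBR type 0x27), and an elevated session; the Health values are my own labels, not the policy's.

```powershell
# Added example, not part of the original post: a local check that mirrors what
# the WinRE audit policy reports, with a guarded enable for the case the post
# describes (WinRE disabled but a recovery partition provisioned).
# Run in an elevated PowerShell session on the Arc-enabled Windows Server.
# Assumptions: reagentc.exe prints the English labels "Windows RE status" and
# "Windows RE location"; the recovery partition uses the standard GPT recovery
# type GUID or MBR type 0x27. Adjust the patterns for other locales or layouts.

function Get-WinREStatus {
    # reagentc /info is the authoritative view of the WinRE configuration on this host
    $info = (& "$env:SystemRoot\System32\reagentc.exe" /info 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "reagentc /info failed: $info" }

    $status   = [regex]::Match($info, 'Windows RE status:\s*(\S+)').Groups[1].Value
    $location = [regex]::Match($info, 'Windows RE location:\s*([^\r\n]*)').Groups[1].Value.Trim()

    # A recovery partition can exist while WinRE is disabled; that is the state the
    # Configure policy can remediate. GPT recovery partitions carry the de94bba4-...
    # type GUID; on MBR disks the partition type byte is 0x27 (39).
    $recoveryPartition = Get-Partition -ErrorAction SilentlyContinue | Where-Object {
        $_.GptType -eq '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}' -or $_.MbrType -eq 39
    }
    # Setup also stages a copy of Winre.wim here; reagentc /enable can use it if present
    $stagedImage = Test-Path "$env:SystemRoot\System32\Recovery\Winre.wim"

    $enabled = ($status -eq 'Enabled')
    # My own labels for the outcomes the post distinguishes (not the policy's wording)
    $health = if ($enabled) { 'Compliant' }
              elseif ($recoveryPartition -or $stagedImage) { 'NonCompliant-Remediable' }
              else { 'NonCompliant-NoWinREPartition' }

    [pscustomobject]@{
        Enabled              = $enabled
        Location             = $location
        PartitionProvisioned = [bool]$recoveryPartition
        StagedImagePresent   = $stagedImage
        Health               = $health
    }
}

function Enable-WinREIfProvisioned {
    # Only call reagentc /enable when there is a partition or staged image to enable;
    # otherwise report the state so the partition can be provisioned first.
    $before = Get-WinREStatus
    if ($before.Enabled) { return $before }
    if ($before.Health -ne 'NonCompliant-Remediable') {
        Write-Warning 'No recovery partition or staged Winre.wim found; provision WinRE before enabling.'
        return $before
    }
    $out = & "$env:SystemRoot\System32\reagentc.exe" /enable 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reagentc /enable failed: $($out -join ' ')" }
    Get-WinREStatus
}

Get-WinREStatus | Format-List
# Enable-WinREIfProvisioned | Format-List   # run once you have reviewed the state above
```

Run Get-WinREStatus on a sample of servers before assigning the Configure policy: machines that come back NonCompliant-NoWinREPartition will stay non-compliant after remediation until someone provisions the recovery partition.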
Addressing Air Gap Requirements through Secure Azure Arc Onboarding

This blog post explores the challenges and solutions for implementing air gap environments in highly regulated sectors like finance, healthcare, and government. It discusses the complexities of air gap implementation, the importance of control and data plane separation, and provides architectural patterns for secure Azure Arc onboarding. By adopting a zero-trust approach and leveraging Azure Arc, organizations can achieve secure, compliant connectivity while modernizing their IT operations.
Announcing the General Availability of the Azure Arc Gateway for Arc-enabled Servers!

We’re excited to announce the General Availability of Arc gateway for Arc‑enabled servers. Arc gateway dramatically simplifies the network configuration required to use Azure Arc by consolidating outbound connectivity through a small, predictable set of endpoints. For customers operating behind enterprise proxies or firewalls, this means faster onboarding, fewer change requests, and a smoother path to value with Azure Arc.

What’s new
To Arc‑enable a server, customers previously had to allow 19 distinct endpoints. With Arc gateway GA, you can do the same with just 7, a reduction of roughly 63% that removes friction for security and networking teams.

Why This Matters
Organizations with strict outbound controls often spend days, or weeks, coordinating approvals for multiple URLs before they can onboard resources to Azure Arc. By consolidating traffic to a smaller set of destinations, Arc gateway:
- Accelerates onboarding for Arc‑enabled servers by cutting down the proxy/firewall approvals needed to get started.
- Simplifies operations with a consistent, repeatable pattern for routing Arc agent and extension traffic to Azure.

How Arc gateway works
Arc gateway introduces two components that work together to streamline connectivity:
- Arc gateway (Azure resource): A single, unique endpoint in your Azure tenant that receives incoming traffic from on‑premises Arc workloads and forwards it to the right Azure services. You configure your enterprise environment to allow this endpoint.
- Azure Arc Proxy (on every Arc‑enabled server): A component of the Connected Machine agent that routes agent and extension traffic to Azure via the Arc gateway endpoint. It is part of the core Arc agent; no separate install is required.

At a high level, traffic flows: Arc agent → Arc Proxy → Enterprise Proxy → Arc gateway → Target Azure service. The gateway sits behind your existing enterprise proxy rather than replacing it: outbound traffic still traverses the proxy, but only toward the gateway endpoint and the remaining core endpoints.
Scenario Coverage
As part of this GA release, common Arc‑enabled server scenarios are supported through the gateway, including:
- Windows Admin Center
- SSH
- Extended Security Updates (ESU)
- Azure Extension for SQL Server

For other scenarios, some customer‑specific data plane destinations (for example, your Log Analytics workspace or Key Vault URLs) may still need to be allow‑listed in your environment. Consult the Arc gateway documentation for the current scenario‑by‑scenario coverage and any remaining per‑service URLs. Over time, the number of scenarios fully covered by Arc gateway will continue to grow.

Get started
1. Create an Arc gateway resource using the Azure portal, Azure CLI, or PowerShell.
2. Allow the Arc gateway endpoint (and the small set of core endpoints) in your enterprise proxy/firewall.
3. Onboard or update servers to use your Arc gateway resource and start managing them with Azure Arc.
For step‑by‑step guidance, see the Arc gateway documentation on Microsoft Learn. You can also watch a quick Arc gateway Jumpstart demo to see the experience end‑to‑end.

FAQs
Does Arc gateway require new software on my servers? No additional installation is needed; Arc Proxy is part of the standard Connected Machine agent for Arc‑enabled servers.
Will every Arc scenario route through the gateway today? Many high‑value server scenarios are covered at GA; some customer‑specific data plane endpoints (for example, Log Analytics workspace FQDNs) may still need to be allowed. Check the docs for the latest coverage details.
When will Arc gateway for Azure Local be GA? Today! Please refer to the Arc gateway GA on Azure Local announcement to learn more.
When will Arc gateway for Arc-enabled Kubernetes be GA? We don't have an exact ETA to share yet for Arc gateway GA for Arc-enabled Kubernetes. The feature is currently still in Public Preview. Please refer to the Public Preview documentation for more information.
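The three "Get started" steps above, scripted end to end so that the traffic path described under "How Arc gateway works" can be verified from the server. This is an added example, not code from the post or from the Arc team: it assumes the Azure CLI (with the arcgateway extension) and the Connected Machine agent are installed on a Windows server, that you are signed in with az login, and that the resource group, region, gateway name and proxy URL are placeholders you replace. The az arcgateway and azcmagent flags are the ones documented for GA; confirm them against the versions you have installed.

```powershell
# Added example, not part of the original post: create an Arc gateway, onboard a
# server through it behind an enterprise proxy, and verify the path.
# Run elevated on the server, signed in with `az login`. Names, region and the
# proxy URL are placeholders; check the az arcgateway / azcmagent flags against
# your installed versions.

$rg       = 'rg-arc-prod'                      # assumed resource group
$location = 'eastus'                           # assumed region
$gwName   = 'arcgw-corp'                       # assumed gateway name
$proxyUrl = 'http://proxy.corp.example:3128'   # assumed enterprise proxy
$account  = az account show | ConvertFrom-Json

# 1. Create the Arc gateway resource and capture its resource ID. The gateway
#    endpoint (plus the small set of core endpoints in the docs) is what the
#    proxy/firewall team allows instead of the previous 19 URLs.
$gatewayId = az arcgateway create --name $gwName --resource-group $rg --location $location --query id -o tsv
if (-not $gatewayId) { throw 'Arc gateway creation failed' }

# 2. Tell the agent about the enterprise proxy. The gateway sits behind the
#    proxy, not in place of it, so the Arc Proxy -> enterprise proxy hop must work.
& azcmagent config set proxy.url $proxyUrl

# 3a. New server: onboard straight through the gateway.
& azcmagent connect --resource-group $rg --subscription-id $account.id `
    --tenant-id $account.tenantId --location $location --gateway-id $gatewayId
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed ($LASTEXITCODE)" }

# 3b. Already-connected server: associate the gateway with the machine resource
#     in Azure as described in the docs, then switch the agent's connection type.
# & azcmagent config set connection.type gateway

# 4. Verify. `azcmagent check` walks every required endpoint and reports whether
#    it was reached; `azcmagent show` echoes the proxy and gateway configuration.
& azcmagent check --location $location
& azcmagent show
```

If azcmagent check still fails for a scenario-specific endpoint such as a Log Analytics workspace FQDN, that is the per-service allow-list the Scenario Coverage section refers to, not a gateway misconfiguration.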
Tell us what you think
We’d love your feedback on Arc gateway GA for servers: what worked well, what could be improved, and which scenarios you want next. Use the Arc gateway feedback form to share your input with the product team.
Announcing General Availability of Azure Local on Microsoft Azure Government Cloud

We are excited to announce that Azure Local is now generally available for Azure Government customers. Building on the momentum from our public preview, Azure Local is ready for production deployments, enabling government organizations to run cloud-connected infrastructure at their own physical locations, under their own operational control, in a way that helps them meet stringent regulatory and security requirements.

What is Azure Local?
Azure Local brings the familiar Azure experience to your on-premises infrastructure, allowing agencies to deploy, manage, and scale infrastructure locally while integrating more easily with the broader Azure ecosystem. With Azure Local, government customers benefit from unified management, robust security, and operational flexibility, whether running virtual machines, containers, or mission-critical applications.

Key Features
Streamlined Deployment & Management: Azure Local enables agencies to deploy, configure, and manage infrastructure directly from the Azure portal or using infrastructure-as-code tools like ARM templates. This approach helps simplify provisioning, allows for consistency across environments, and reduces operational overhead. IT teams can quickly set up clusters, define networking and storage, and automate updates, making day-to-day management predictable and efficient.
Unified Observability: With native integration to Azure Monitor and Azure Arc, Azure Local provides comprehensive visibility across all distributed resources. Agencies can monitor virtual machines, Kubernetes clusters, and physical infrastructure from a single dashboard, leveraging over 60 built-in metrics, insights dashboards, and customizable alert rules. This unified view helps teams proactively manage performance, troubleshoot issues, and maintain compliance across both local and cloud environments.
Non-Disruptive Updates: Azure Local helps support easier update management through Azure Update Manager.
Administrators can schedule and apply updates to one or multiple instances with just a few clicks. The platform orchestrates workload migration and rolling updates across physical nodes, helping mission-critical applications remain available and uninterrupted, even during maintenance windows.
Flexible Workload Support: Agencies can run a wide range of workloads on Azure Local, from general-purpose Azure Local Virtual Machines to containerized applications using Arc-enabled Azure Kubernetes Service. The platform offers flexible sizing, networking, and storage options to meet diverse requirements. Customers can bring their own VM images for specialized needs or select from a curated set of images in the Azure Marketplace, enabling rapid deployment of both legacy and modern workloads.
Security by Default: Azure Local is built with a hardened security posture, leveraging Microsoft’s best practices for infrastructure protection. Integration with Microsoft Defender for Cloud helps provide unified security management, continuous threat detection, and automated remediation across all resources. Agencies can benefit from advanced security controls, including network isolation, identity management, and compliance monitoring.
Extended Security Updates (ESU): For agencies running legacy Microsoft products, Azure Local offers access to Extended Security Updates, enabling continued protection with critical patches beyond end-of-support dates. This capability helps organizations maintain compliance and security for older workloads while planning for modernization.
Trusted Launch: Azure Local supports Trusted Launch for virtual machines, providing enhanced protection against rootkits and bootkits. VMs are equipped with a virtual TPM (vTPM), enabling Secure Boot and features like BitLocker encryption. The vTPM state is preserved during live migration and automatic failover, so the integrity guarantees and the keys sealed to the vTPM survive for the whole VM lifecycle.
Getting Started
Visit https://portal.azure.us/ to download the latest Azure Local OS image and create your instance. Customize your deployment to meet your agency’s requirements for cluster configuration, networking, and storage. To learn more, visit https://learn.microsoft.com/en-us/azure/azure-local/

Why Azure Local for Government?
Azure Local helps deliver the scalability, reliability, and compliance government agencies desire while maintaining operational control and data residency. Agencies can confidently modernize infrastructure, support mission-critical workloads, and meet evolving regulatory standards.

Conclusion
The general availability of Azure Local in Azure Government marks a major milestone in empowering agencies with secure, scalable, and efficient distributed cloud infrastructure. We invite government customers to deploy Azure Local today and unlock new possibilities for modernization and operational excellence. Stay tuned for ongoing enhancements as we continue to innovate and expand Azure Local’s capabilities to support your mission.
Announcing the General Availability of Arc Gateway for Azure Local

Hello everyone,

Now that the General Availability of Azure Arc gateway for Arc-enabled servers has been announced, we are super happy to also announce the General Availability of the Arc Gateway for Azure Local! This launch represents a major leap forward in how organizations can securely and efficiently connect their on-premises and edge environments to Azure.

Arc Gateway revolutionizes Azure Local connectivity to Azure
If you’ve ever tried to connect on-premises resources to Azure, you know the challenges: dozens (sometimes hundreds!) of outbound firewall rules, complex configurations, and ongoing security concerns. It’s a lot to manage, and frankly, it’s not the experience we want for our customers or partners. Arc Gateway changes the game. With a single, centralized HTTPS egress point for all Azure-bound traffic from your Azure Local instances and workloads, you dramatically reduce complexity and risk. Instead of managing countless endpoints, you only need to allow a small, well-defined set, making your environment more secure and much easier to operate.

What Makes Arc Gateway for Azure Local Stand Out?
Let me highlight what makes Arc Gateway stand out:
- Unified and secure Azure traffic management: All HTTPS traffic from your Azure Local instances flows through one front door, the Arc Gateway. No more sprawling firewall rules or wildcards.
- Significantly fewer endpoints: We’ve reduced the number of required endpoints from over 100 to fewer than 28. This means less guesswork and a much simpler security posture.
- Comprehensive integration for your workloads: Arc Gateway isn’t just for infrastructure endpoints. It also fully supports Azure Local VMs with Arc gateway, and AKS clusters in public preview, streamlining connectivity across your entire hybrid estate.
- Seamless enterprise proxy integration: Already using an enterprise proxy? Arc Gateway fits right in, routing outbound traffic through your existing proxy before heading to Azure.
For a deeper technical dive, I encourage you to check out our detailed article: Azure Local – Arc gateway outbound connectivity deep dive

FAQs:
Is it possible to enable Arc gateway on my existing Azure Local clusters? We are working hard to enable this feature in a future release of Azure Local.
Can I enable Arc gateway on my existing Azure Local VMs if it was not enabled for the infrastructure during deployment? Using Arc gateway for your Azure Local VMs is possible regardless of the infrastructure. If you have a working Arc gateway resource, you can deploy new Azure Local VMs through it or attach existing Azure Local VMs if guest management is enabled.
Can I enable Arc gateway on my existing Azure Local AKS clusters? If you enabled Arc gateway during deployment of the Azure Local infrastructure, AKS clusters implicitly use the Arc gateway running on the hosts. AKS clusters running on Azure Local with Arc gateway remain in Public Preview until GA is released in the future.

Getting Started:
To get started with Arc gateway for Azure Local, visit our documentation and deployment guides. We encourage you to explore the new capabilities and share your feedback with the team.
- Arc gateway in Azure Local overview: Overview of Azure Arc gateway for Azure Local - Azure Local | Microsoft Learn
- How to deploy Azure Local using Arc gateway: Register Azure Local using Arc gateway - Azure Local | Microsoft Learn
- How to deploy Azure Local VMs using Arc gateway: Create Azure Local virtual machines using Arc gateway - Azure Local | Microsoft Learn
- How to deploy AKS clusters on Azure Local using Arc gateway: Create AKS cluster in Azure Local with Arc gateway | Microsoft Learn

Cristian Edwards, Azure Local Principal Product Manager
SQL Server enabled by Azure Arc is now generally available in the US Government Virginia region

We’re thrilled to announce that SQL Server enabled by Azure Arc on Windows is now generally available in the US Government Virginia region. With this, U.S. government agencies and organizations can manage SQL Server instances outside of Azure from the Azure Government portal, in a secure and compliant manner. SQL Server enabled by Azure Arc resources in US Government Virginia can be onboarded and viewed in the Azure Government portal just like any Azure resource, giving you a single pane of glass to monitor and organize your SQL Server estate in the Gov cloud.

Available Features
Currently, in the US Government Virginia region, SQL Server enabled by Azure Arc provides the following features:
- Connect (onboard) a SQL Server instance to Azure Arc.
- SQL Server inventory, which includes the following capabilities in the Azure portal:
  - View SQL Server instances as Azure resources.
  - View databases as Azure resources.
  - View the properties of each server, for example the version, edition, and databases of each instance.
- Subscribe to Extended Security Updates in a production environment.
- Manage licensing and billing of SQL Server enabled by Azure Arc:
  - License virtual cores.
  - Review licensing limitations.
All other features aren't currently available.

How to Onboard Your SQL Server
Onboarding SQL Server enabled by Azure Arc in the Government cloud is a two-step process that you can initiate from the Azure (US Gov) portal.
Step 1: Connect hybrid machines with Azure Arc-enabled servers.
Step 2: Connect your SQL Server to Azure Arc on a server already enabled by Azure Arc.

Limitations
The following SQL Server features aren't currently available in any US Government region (see the dated updates at the end of this post for limitations that have since been lifted):
- Failover cluster instance (FCI)
- Availability group (AG)
- License physical cores (p-cores) with unlimited virtualization.
- License physical cores (p-cores) without virtual machines.
- SQL Server associated services:
  - SQL Server Analysis Services
  - SQL Server Integration Services
  - SQL Server Reporting Services
  - Power BI Report Server

Future Plans and Roadmap
This is a major first step in bringing Azure Arc’s hybrid data management to Azure Government, and we will continue to deliver additional enhancements to achieve service parity.

Conclusion
The availability of SQL Server enabled by Azure Arc in the US Gov Virginia region marks an important milestone for hybrid data management in Government. If you’re an Azure Government user managing SQL Server instances, we invite you to try out SQL Server enabled by Azure Arc in the US Government Virginia region. And please, share your feedback with us through the community forum or your Microsoft representatives.

Learn More:
- SQL Server enabled by Azure Arc in US Government
- SQL Server enabled by Azure Arc

Update: September 12, 2025
As part of our ongoing improvements, we’ve lifted certain limitations in US Government Virginia. You can now onboard SQL Server enabled by Azure Arc environments with:
- Always On availability groups
- Associated SQL Server services:
  - SQL Server Analysis Services
  - SQL Server Integration Services
  - SQL Server Reporting Services
  - Power BI Report Server

Update: September 22, 2025
As part of our ongoing improvements, we’ve lifted more limitations in US Government Virginia. You can now have SQL Server enabled by Azure Arc environments with:
- License physical cores (p-cores) with unlimited virtualization.
- License physical cores (p-cores) without virtual machines.
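The two onboarding steps above, scripted for the Government cloud. This is an added example, not code from the post or from the SQL Server enabled by Azure Arc team: Step 1 is the Connected Machine agent command run on the SQL Server host, Step 2 installs the SQL Server extension from an admin workstation with the Az.ConnectedMachine module. The resource group, machine name and LicenseType are placeholders; the region is the one the post announces. The point that is easy to miss in the portal flow is that both the agent (--cloud) and the PowerShell session (-Environment) must be told to target Azure Government, or the resources land in the public cloud.

```powershell
# Added example, not part of the original post: the two-step onboarding for
# SQL Server enabled by Azure Arc in Azure Government. Assumptions: the Az
# modules (Az.Accounts, Az.ConnectedMachine, Az.Resources) are installed on the
# workstation; azcmagent is installed on the SQL Server host; names are placeholders.

# Both steps target the Government cloud, so sign in there explicitly.
Connect-AzAccount -Environment AzureUSGovernment
$ctx      = Get-AzContext
$rg       = 'rg-sql-gov'          # assumed resource group
$location = 'usgovvirginia'       # the region announced in the post
$machine  = 'sql01'               # assumed hostname of the SQL Server host

function Connect-ServerToArcGov {
    # Step 1: run elevated on the SQL Server host itself.
    # --cloud selects the Government endpoints; without it the agent targets public Azure.
    & azcmagent connect --cloud AzureUSGovernment `
        --resource-group $rg --subscription-id $ctx.Subscription.Id `
        --tenant-id $ctx.Tenant.Id --location $location
    if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }
    & azcmagent show
}

function Connect-SqlServerToArc {
    # Step 2: from the admin workstation, install the SQL Server extension on the
    # Arc-enabled machine. LicenseType drives billing: Paid, PAYG or LicenseOnly.
    $settings = @{
        SqlManagement = @{ IsEnabled = $true }
        LicenseType   = 'Paid'
    }
    New-AzConnectedMachineExtension -Name 'WindowsAgent.SqlServer' `
        -ResourceGroupName $rg -MachineName $machine -Location $location `
        -Publisher 'Microsoft.AzureData' -ExtensionType 'WindowsAgent.SqlServer' `
        -Settings $settings

    # Verify the extension provisioned and that the instance appeared as an Arc resource
    Get-AzConnectedMachineExtension -ResourceGroupName $rg -MachineName $machine -Name 'WindowsAgent.SqlServer' |
        Select-Object Name, ProvisioningState
    Get-AzResource -ResourceGroupName $rg -ResourceType 'Microsoft.AzureArcData/sqlServerInstances' |
        Select-Object Name, Location
}

Connect-ServerToArcGov     # on the host
Connect-SqlServerToArc     # from the workstation, after step 1 completes
```

The Microsoft.AzureArcData/sqlServerInstances resource is created by the extension after it discovers local instances, so allow a few minutes between the two verification calls if the second one returns nothing.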
GA: Enhanced Audit in Azure Security Baseline for Linux

We’re thrilled to announce the General Availability (GA) of the Enhanced Azure Security Baseline for Linux, a major milestone in cloud-native security and compliance. This release brings powerful, audit-only capabilities to over 1.6 million Linux devices across all Azure regions, helping enterprise customers and IT administrators monitor and maintain secure configurations at scale.

What Is the Azure Security Baseline for Linux?
The Azure Security Baseline for Linux is a set of pre-configured security recommendations delivered through Azure Policy and Azure Machine Configuration. It enables organizations to continuously audit Linux virtual machines and Arc-enabled servers against industry-standard benchmarks without enforcing changes or triggering auto-remediation. This GA release focuses on enhanced audit capabilities, giving teams deep visibility into configuration drift and compliance gaps across their Linux estate. For the remediation experience, a limited public preview is available here: What is the Azure security baseline for Linux? | Microsoft Learn

Why Enhanced Audit Matters
In today’s hybrid environments, maintaining compliance across diverse Linux distributions is a challenge. The enhanced audit mode provides:
- Granular insights into each configuration check
- An industry-aligned benchmark for a standardized security posture
- Detailed rule-level reporting with evidence and context
- Scalable deployment across Azure and Arc-enabled machines
Whether you're preparing for an audit, hardening your infrastructure, or simply tracking configuration drift, enhanced audit gives you the clarity and control you need, without enforcing changes.

Key Features at GA
✅ Broad Linux Distribution Support
📘 Full distro list: Supported Client Types
🔍 Industry-Aligned Audit Checks
The baseline audits more than 200 security controls per machine, aligned to industry benchmarks such as CIS.
These checks cover:
- OS hardening
- Network and firewall configuration
- SSH and remote access settings
- Logging and auditing
- Kernel parameters and system services
Each finding includes a description and the actual configuration state, making it easy to understand and act on.

🌐 Hybrid Cloud Coverage
The baseline works across:
- Azure virtual machines
- Arc-enabled servers (on-premises or other clouds)
This means you can apply a consistent compliance standard across your entire Linux estate, whether it’s in Azure, on-prem, or multi-cloud.

🧠 Powered by Azure OSConfig
The audit engine is built on the open-source Azure OSConfig framework, which performs Linux-native checks with minimal performance impact. OSConfig is modular, transparent, and optimized for scale, giving you confidence in the accuracy of audit results.

📊 Enterprise-Scale Reporting
Audit results are surfaced in:
- Azure Policy compliance dashboard
- Azure Resource Graph Explorer
- Microsoft Defender for Cloud (Recommendations view)
You can query, export, and visualize compliance data across thousands of machines, making it easy to track progress and share insights with stakeholders.

💰 Cost
No premium SKU or license is required to use the audit capabilities. Charges apply only to Arc-enabled machines hosted on-premises or in other cloud providers' environments (the standard Azure Machine Configuration charge), which makes the baseline easy to adopt across your environment.

How to Get Started
1. Review the Quickstart Guide: 📘 Quickstart: Audit Azure Security Baseline for Linux
2. Assign the built-in policy: search for “Linux machines should meet requirements for the Azure compute security baseline” in Azure Policy and assign it to your desired scope.
3. Monitor compliance: use Azure Policy and Resource Graph to track audit results and identify non-compliant machines.
4. Plan remediation: this release does not include auto-remediation, but the detailed audit findings make it easy to plan manual or scripted fixes.
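Step 3 above says to use Resource Graph to track results; the policy compliance view only tells you which machines fail, while the rule-level evidence lives in the machine configuration assignment report. The script below is an added example, not code from the post or from the OSConfig project: it queries guestconfigurationresources with the Az.ResourceGraph module, once aggregated across the fleet (which rules fail on the most machines) and once for a single machine. It assumes the assignment created by the built-in policy has "LinuxBaseline" in its name and that the report follows the documented properties.latestAssignmentReport.resources[] shape with complianceStatus, resourceId and reasons[{code, phrase}]; check the name filter against what the first query returns in your tenant.

```powershell
# Added example, not part of the original post: rule-level Linux baseline
# findings from Azure Resource Graph. Needs Az.ResourceGraph and a signed-in
# Az session with Reader on the subscriptions in scope.
# Assumptions: the machine-configuration assignment name contains 'LinuxBaseline';
# report schema is properties.latestAssignmentReport.resources[] with
# complianceStatus / resourceId / reasons[{code, phrase}] as in the Learn samples.

Import-Module Az.ResourceGraph

function Get-LinuxBaselineTopRules {
    # Fleet view: which rules fail on the most machines. Aggregation happens in
    # ARG, so the result stays small even with 200+ rules per machine.
    $q = @'
guestconfigurationresources
| where name contains 'LinuxBaseline'
| project machine = tostring(split(properties.targetResourceId, '/')[-1]),
          report  = properties.latestAssignmentReport.resources
| mv-expand report
| where tostring(report.complianceStatus) == 'false'
| summarize failingMachines = dcount(machine) by rule = tostring(report.resourceId)
| order by failingMachines desc
'@
    Search-AzGraph -Query $q -First 1000
}

function Get-LinuxBaselineFindings {
    param([Parameter(Mandatory)][string]$MachineName)
    # The machine name is interpolated into KQL; restrict it to hostname characters
    # so a crafted name cannot rewrite the query.
    if ($MachineName -notmatch '^[A-Za-z0-9\-]{1,64}$') { throw "Unexpected machine name: $MachineName" }
    $q = @"
guestconfigurationresources
| where name contains 'LinuxBaseline'
| where tostring(properties.targetResourceId) endswith '/$MachineName'
| project report = properties.latestAssignmentReport.resources
| mv-expand report
| where tostring(report.complianceStatus) == 'false'
| project rule   = tostring(report.resourceId),
          reason = tostring(report.reasons[0].phrase)
| order by rule asc
"@
    # One machine never exceeds the 1000-row page, so no SkipToken handling is needed here
    Search-AzGraph -Query $q -First 1000
}

# Ten most widespread failures across the estate, then the full list for one host
Get-LinuxBaselineTopRules | Select-Object -First 10 | Format-Table -AutoSize
Get-LinuxBaselineFindings -MachineName 'web01' | Export-Csv -Path .\web01-baseline.csv -NoTypeInformation
```

The fleet query is the one to run before planning scripted fixes: a rule that fails on every machine is usually an image or provisioning defect worth fixing once at the source, while a rule that fails on a handful of hosts is drift.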
Final Thoughts
This GA release marks a major step forward in securing Linux workloads at scale. With enhanced audit now available, enterprise teams can:
- Improve visibility into Linux security posture
- Align with industry benchmarks
- Streamline compliance reporting
- Reduce risk across cloud and hybrid environments
Upgrade Azure Local operating system to new version

Today, we’re sharing more details about the end of support for Azure Local with OS version 25398.xxxx (23H2) on October 31, 2025. After this date, monthly security and quality updates stop, and Microsoft Support remains available only for upgrade assistance. Billing continues and your systems keep working, including registration and repair.

There are several options to upgrade to Azure Local with OS version 26100.xxxx (24H2), depending on which scenario applies to you.

Scenario #1: You are on the Azure Local solution, with OS version 25398.xxxx
If you're already running the Azure Local solution with OS version 25398.xxxx, no action is required. You will automatically receive the upgrade to OS version 26100.xxxx via the solution update to 2509. See Azure Local, version 23H2 and 24H2 release information - Azure Local | Microsoft Learn for the latest version of the diagram. If you are interested in upgrading to OS version 26100.xxxx before the 2509 release, an opt-in process with production support will be made available in the future.

Scenario #2: You are on Azure Stack HCI and haven’t performed the solution upgrade yet

Scenario #2a: You are still on Azure Stack HCI, version 22H2
With the 2505 release, a direct upgrade path from the version 22H2 OS (20349.xxxx) to the version 24H2 OS (26100.xxxx) is available. To ensure a validated, consistent experience, the process has been reduced to using the downloadable media and PowerShell to install the upgrade. If you’re running the Azure Stack HCI, version 22H2 OS, we recommend taking this direct upgrade path to the version 24H2 OS. Skipping the version 23H2 OS removes one upgrade hop and reduces reboots and maintenance planning before the solution upgrade. Then perform the post-OS upgrade tasks and validate solution upgrade readiness. Consult your hardware vendor to confirm that the version 24H2 OS is supported before taking the direct upgrade path.
The solution upgrade for systems on the 24H2 OS is not yet supported but will be available soon.

Scenario #2b: You are on the Azure Stack HCI, version 23H2 OS
If you performed the upgrade from the Azure Stack HCI, version 22H2 OS to the version 23H2 OS (25398.xxxx) but haven’t applied the solution upgrade, we recommend that you perform the post-OS upgrade tasks, validate solution upgrade readiness, and apply the solution upgrade.

Diagram of Upgrade Paths

Conclusion
We invite you to identify which scenario applies to you and take action to upgrade your systems. On behalf of the Azure Local team, we thank you for your continued trust and feedback!

Learn more
To learn more, refer to the upgrade documentation. For known issues and remediation guidance, see the Azure Local Supportability GitHub repository.