Scale Onboarding for Windows
Onboarding multiple Windows servers using Windows Admin Center.
Introduction
There are a number of different approaches to scale-onboard on-prem Windows servers. Again, the docs and the Jumpstart are great resources.
Alternative approaches include:
- portal generated PowerShell scripts, again using the service principal
- the Az.ConnectedMachine module for PowerShell
- the VMware.PowerCLI module for PowerShell
- using PowerShell DSC
- leveraging Update Management
- using Azure Hybrid Services within Windows Admin Center
We will default to using Windows Admin Center, but if you do not have either the Global Administrator or Privileged Role Administrator role in Azure AD then you should skip Windows Admin Center and instead select one of the other approaches to onboard the Windows VMs.
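For those who cannot use Windows Admin Center, the Az.ConnectedMachine route from the list above can be scripted from win-01 against the other workgroup VMs. The script below is an added example, not code from the Azure Citadel page or from the Terraform repo. It assumes Az.Accounts and Az.ConnectedMachine are installed where it runs, that WinRM is reachable on the targets, that the service principal used holds the "Azure Connected Machine Onboarding" role on the resource group, and that every ID, name and location shown is a placeholder to replace.

```powershell
# Added example: scale onboarding with Az.ConnectedMachine over PowerShell remoting.
# All values below are placeholders; the service principal secret is prompted for,
# never stored in the script.
$tenantId       = '<tenant-id>'
$subscriptionId = '<subscription-id>'
$onboardAppId   = '<app-id of the SP holding Azure Connected Machine Onboarding>'
$resourceGroup  = '<resource-group>'
$location       = '<azure-region>'
$servers        = @('win-02', 'win-03')   # workgroup VMs from the Terraform repo

# Sign in to Azure as the onboarding service principal (least privilege for this task).
$spSecret = Read-Host -Prompt "Client secret for $onboardAppId" -AsSecureString
$spCred   = New-Object System.Management.Automation.PSCredential($onboardAppId, $spSecret)
Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential $spCred `
                  -Subscription $subscriptionId | Out-Null

foreach ($server in $servers) {
    $session = $null
    try {
        # Workgroup targets use their own local admin (e.g. win-02\onpremadmin), so
        # prompt per server rather than reusing one credential with the wrong prefix.
        $localCred = Get-Credential -UserName "$server\onpremadmin" -Message "Local admin on $server"
        $session   = New-PSSession -ComputerName $server -Credential $localCred -ErrorAction Stop

        # Installs the Connected Machine agent inside the session and registers the
        # machine as an Azure Arc-enabled server in the target resource group.
        $machine = Connect-AzConnectedMachine -ResourceGroupName $resourceGroup `
                       -Name $server -Location $location -PSSession $session `
                       -Tag @{ onboarded = 'az-connectedmachine' } -ErrorAction Stop
        Write-Host "$server onboarded: status=$($machine.Status)"
    }
    catch {
        # One failing host must not stop the rest of the batch.
        Write-Warning "$server failed: $($_.Exception.Message)"
    }
    finally {
        if ($session) { Remove-PSSession -Session $session }
    }
}
```

Run this from win-01 after the Terraform deployment; the per-server credential prompt is deliberate, because each workgroup VM has its own local account and a domain-style shared credential would silently fail against the others.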
This page will walk through the installation of Windows Admin Center in gateway mode and then discover the other Windows VMs. This will be full instructions rather than a challenge.
Once that is done then use the references to work out how to authenticate to Azure and leverage the Azure hybrid services within Windows Admin Center.
Windows Admin Center
This section assumes you have used the Terraform repo with the defaults to create your on prem VMs. It will step through the installation of Windows Admin Center on win-01, which we will use as our gateway server.
Gateway Server
- RDP to win-01
- Disable IEC in Server Manager
- Use Internet Explorer to install Microsoft Edge
- Ensure you select the Windows Server 2019 version from the drop down
- As you are using Bastion then the browser will auto-detect your laptop’s OS
- Install Windows Admin Center
- Use a self signed certificate for this hack
- Redirect HTTP port 80 traffic to HTTPS
- You may close the Bastion session at this point
Configure Windows Admin Center
- Copy the win-01 FQDN from `terraform output`
- Use your browser to connect to `https://<fqdn>`
- win-01 has a public IP and the NSG permits WinRM access
- Skip the warning for the self signed certificate
- Click on More choices and select Use a different account
- Authenticate as win-01\onpremadmin
- Windows Admin Center will load
- Click on + Add and select Server
- Enter win-02 as the server name
- Use another account for this connection
- Authenticate as win-02\onpremadmin
- Click on Add with credentials
- Repeat for win-03
Note that the Terraform repo deploys Windows VMs into a workgroup rather than a domain and uses local admin accounts. The VMs' registries have been modified to allow local account tokens. In a domain context, adding servers is much cleaner, supporting lists and AD search.
You now have all of the Windows servers added to Windows Admin Center.
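The "local account tokens" registry change is what lets win-0x\onpremadmin get a full administrative token over WinRM from the gateway; without it, UAC filters remote local-admin tokens and the Windows Admin Center connection is refused. The check below is an added example, not part of the page or the Terraform repo. It assumes the modification referred to is the well-known LocalAccountTokenFilterPolicy value, that the target names are the hack's win-02 and win-03, and that WinRM is reachable from where the script runs.

```powershell
# Added example: report the UAC remote-restriction override on each workgroup VM.
# Assumption: the repo's registry change is LocalAccountTokenFilterPolicy = 1.
function Get-LocalTokenFilterState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop -ScriptBlock {
        $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $prop = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            PartOfDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
            PolicyValue  = if ($null -ne $prop) { $prop.LocalAccountTokenFilterPolicy } else { $null }
        }
    }
}

foreach ($server in @('win-02', 'win-03')) {
    $cred = Get-Credential -UserName "$server\onpremadmin" -Message "Local admin on $server"
    try {
        $state = Get-LocalTokenFilterState -ComputerName $server -Credential $cred
        if ($state.PolicyValue -eq 1 -and -not $state.PartOfDomain) {
            # Expected for this workgroup hack: WAC can authenticate with the local admin.
            Write-Host "$($state.Computer): remote local admins get a full token (workgroup override in place)"
        }
        elseif ($state.PolicyValue -eq 1 -and $state.PartOfDomain) {
            # Domain-joined servers do not need the override; it only weakens UAC.
            Write-Warning "$($state.Computer): domain-joined but UAC remote restrictions are disabled; use domain accounts and remove the override"
        }
        else {
            Write-Host "$($state.Computer): UAC remote restrictions in effect (value $($state.PolicyValue))"
        }
    }
    catch {
        # With the default UAC filtering a remote local admin is not an admin for WinRM,
        # so the symptom of a missing override is an access-denied connection, not a value of 0.
        Write-Warning "$server : connection failed ($($_.Exception.Message)); if this is a local admin, the override is probably not set"
    }
}
```

Treat a value of 1 as a hack-environment convenience: it is the reason the workgroup approach works here, and also the reason a domain-joined estate should use domain accounts instead, as the paragraph above notes.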
Azure hybrid center
OK, enough handholding. Back to the challenge format.
Register with Azure
- Register the gateway to Azure
- The created service principal requires admin consent
⚠️Do not re-use the service principal that has the “Azure Connected Machine Onboarding” role. You need to create a different appId and service principal for Windows Admin Center.
Allow the Azure wizard to create a new app registration. This app will be called `WindowsAdminCenter-https://<fqdn>`.
⚠️ The app registration creation requires admin consent, and this is where you need to be Global Administrator or Privileged Role Administrator when you sign in to Azure on step 5.
Azure AD app
For info, the automatically created app registration will have specific API permissions:
- Azure Active Directory Graph
- Directory.AccessAsUser.All
- User.Read
- Azure Service Management
- user_impersonation
It will also have a replyUri set for the application to work correctly. You can see this in the manifest for the app registration.
```json
"replyUrlsWithType": [
  {
    "url": "https://<fqdn>:6516/*",
    "type": "Web"
  }
],
```
On your engagements it may make more sense to precreate the app with the api permissions replyUri set. If so, follow the manual steps.
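If you precreate the app registration rather than letting the wizard do it, it is worth checking the manifest before pointing the gateway at it. The function below is an added example, not from the page or from Windows Admin Center. It reads a manifest JSON (as downloaded from the app registration's Manifest blade), confirms the single Web reply URL on port 6516 for the gateway FQDN, flags any other reply URL, and checks that both resources listed above have an API permission entry. The two resource appIds are the well-known IDs for Azure Service Management and Azure Active Directory Graph; the sample manifest and the FQDN are constructed placeholders.

```powershell
# Added example: validate a precreated Windows Admin Center app registration manifest.
function Test-WacAppManifest {
    param(
        [Parameter(Mandatory)][string]$ManifestJson,
        [Parameter(Mandatory)][string]$GatewayFqdn
    )
    $m        = $ManifestJson | ConvertFrom-Json
    $expected = "https://${GatewayFqdn}:6516/*"
    $findings = @()

    # Exactly one Web reply URL, the gateway's own, should be present.
    $replies = @($m.replyUrlsWithType)
    if (-not ($replies | Where-Object { $_.url -eq $expected -and $_.type -eq 'Web' })) {
        $findings += "missing Web reply URL $expected"
    }
    foreach ($r in ($replies | Where-Object { $_.url -ne $expected })) {
        # Any extra reply URL widens where tokens issued to this app can be sent.
        $findings += "unexpected reply URL $($r.url) [$($r.type)]"
    }

    # Well-known resource appIds: Azure Service Management (ARM) and Azure AD Graph.
    $requiredResources = @{
        '797f4846-ba00-4fd7-ba43-dac1f8f63013' = 'Azure Service Management'
        '00000002-0000-0000-c000-000000000000' = 'Azure Active Directory Graph'
    }
    $present = @($m.requiredResourceAccess | ForEach-Object { $_.resourceAppId })
    foreach ($id in $requiredResources.Keys) {
        if ($present -notcontains $id) {
            $findings += "no API permission entry for $($requiredResources[$id])"
        }
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample manifest: the correct gateway reply URL plus a stray localhost
# entry that the check is expected to flag.
$sampleManifest = @'
{
  "displayName": "WindowsAdminCenter-https://win-01.example.invalid",
  "replyUrlsWithType": [
    { "url": "https://win-01.example.invalid:6516/*", "type": "Web" },
    { "url": "http://localhost:8080/", "type": "Web" }
  ],
  "requiredResourceAccess": [
    { "resourceAppId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceAccess": [] },
    { "resourceAppId": "00000002-0000-0000-c000-000000000000", "resourceAccess": [] }
  ]
}
'@

$result = Test-WacAppManifest -ManifestJson $sampleManifest -GatewayFqdn 'win-01.example.invalid'
$result.Findings | ForEach-Object { Write-Warning $_ }
"Compliant: $($result.Compliant)"
```

Swap the sample for the real manifest (for example `Get-Content .\manifest.json -Raw`) and the win-01 FQDN from `terraform output`; the check only inspects the fields the page describes, so it does not replace reviewing the individual scopes under each resource.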
Onboard the three Windows VMs
Success criteria
Screen share with your proctor to show that you achieved:
- Onboarding all windows servers
- Rerun the Resource Graph query or workbook
Resources
- Windows Admin Center
- Connect hybrid machines to Azure from Windows Admin Center
- App Registration detail for Windows Admin Center
- Azure Arc docs
- Connect hybrid machines to Azure at scale
- Az.ConnectedMachine module for PowerShell
- PowerShell DSC
- Update Management
- Azure Arc Jumpstart
- VMware.PowerCLI module for PowerShell
Next
All of the servers are onboarded. In the next step we will use the new Azure Monitor Agent and Data Collection Rules to capture metrics and logs from the on prem servers.