What Is Azure Arc for Servers

Azure Arc for servers is a Microsoft service that allows you to connect on-premises, multi-cloud, and edge servers — including Windows Server 2022 machines — to Azure, making them visible and manageable through the Azure portal as if they were native Azure resources. Once connected, an Arc-enabled server gets an Azure Resource Manager representation, allowing you to apply Azure Policy, Defender for Cloud, Azure Monitor, Azure Automation, and other Azure management services to machines that are running outside of Azure’s own datacenters.

For Windows Server 2022 deployments in on-premises datacenters, colocation facilities, or other cloud providers (AWS, GCP), Azure Arc bridges the management gap. You gain a single pane of glass in the Azure portal for your entire server estate, without migrating workloads to Azure IaaS. This is particularly valuable for organizations with hybrid infrastructures that want consistent governance, security baselines, and update management regardless of where the server physically runs.

The core component on the server side is the Azure Connected Machine agent (azcmagent), a lightweight agent service that runs on the server, authenticates to Azure, and maintains the Arc connection. The agent does not require inbound firewall rules — it communicates outbound over HTTPS (port 443) to Azure endpoints.

Prerequisites Before Connecting

Before running the Arc onboarding script on Windows Server 2022, ensure the following prerequisites are in place:

Azure subscription: You need an active Azure subscription with either Owner or Contributor role on the target resource group, plus the ability to register resource providers.

Required resource providers: Register these in your subscription if not already registered:

# Using Azure CLI (run from any machine with az cli installed)
az provider register --namespace Microsoft.HybridCompute
az provider register --namespace Microsoft.GuestConfiguration
az provider register --namespace Microsoft.HybridConnectivity
az provider register --namespace Microsoft.AzureArcData

# Verify registration
az provider show --namespace Microsoft.HybridCompute --query registrationState

Resource group: Create a resource group for your Arc machines:

az group create --name rg-arc-servers --location eastus

Network connectivity from the server: The Windows Server 2022 machine must have outbound HTTPS (port 443) access to the following endpoints:

management.azure.com, login.microsoftonline.com, *.his.arc.azure.com, *.guestconfiguration.azure.com, *.guestnotificationservice.azure.com, *.servicebus.windows.net, dc.services.visualstudio.com

Operating system requirements: Windows Server 2022 Standard or Datacenter, with .NET Framework 4.6 or later installed and TLS 1.2 enabled.

Service account (for scripted deployment): Create a service principal for onboarding at scale:

az ad sp create-for-rbac --name arc-onboarding-sp --role "Azure Connected Machine Onboarding" --scopes /subscriptions/your-subscription-id/resourceGroups/rg-arc-servers
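The checks above can be scripted on the server itself before onboarding. The following is an added example, not part of the original page or of Microsoft's tooling; it assumes the endpoint list and OS requirements stated above and can only probe the non-wildcard hostnames directly.

```powershell
# Added example: verify the Arc prerequisites on a Windows Server 2022 machine.
# Run in an elevated PowerShell session before the onboarding script.
$failures = @()

# 1. Operating system: Windows Server 2022 Standard or Datacenter
$os = Get-CimInstance Win32_OperatingSystem
if ($os.Caption -notmatch 'Windows Server 2022') {
    $failures += "Unexpected OS: $($os.Caption)"
}

# 2. .NET Framework 4.6 or later (Release value 393295 or higher per Microsoft's table)
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 393295) {
    $failures += '.NET Framework 4.6 or later is not installed'
}

# 3. TLS 1.2 client protocol must not be disabled in SCHANNEL
#    (a missing key means the OS default, which is enabled on Windows Server 2022)
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty $tlsKey -ErrorAction SilentlyContinue
if ($tls -and ($tls.Enabled -eq 0 -or $tls.DisabledByDefault -eq 1)) {
    $failures += 'TLS 1.2 client protocol is disabled in SCHANNEL'
}

# 4. Outbound HTTPS (443) to the endpoints that have a fixed hostname
$endpoints = 'management.azure.com', 'login.microsoftonline.com', 'dc.services.visualstudio.com'
foreach ($ep in $endpoints) {
    $r = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { $failures += "No outbound 443 to $ep" }
}
# Wildcard endpoints (*.his.arc.azure.com, *.guestconfiguration.azure.com,
# *.guestnotificationservice.azure.com, *.servicebus.windows.net) cannot be probed
# by hostname; "azcmagent check" covers them once the agent is installed.

if ($failures.Count -eq 0) {
    Write-Host 'All checkable prerequisites passed.' -ForegroundColor Green
} else {
    $failures | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Red }
    exit 1
}
```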

Downloading and Running the Arc Agent Installer

Microsoft provides a PowerShell onboarding script that downloads, installs, and registers the Connected Machine agent in a single step. Generate the onboarding script from the Azure portal (Azure Arc > Servers > Add > Add a single server) or construct it manually.

On the Windows Server 2022 machine, open an elevated PowerShell session and run:

# Download the installation script
Invoke-WebRequest -Uri "https://aka.ms/azcmagent-windows" -TimeoutSec 30 -OutFile "$env:TEMP\install_windows_azcmagent.ps1"

# Install the agent
& "$env:TEMP\install_windows_azcmagent.ps1"

Once installed, connect the agent to Azure. You will need your Azure subscription ID, resource group, location, and tenant ID:

azcmagent connect `
  --subscription-id "your-subscription-id" `
  --resource-group "rg-arc-servers" `
  --location "eastus" `
  --tenant-id "your-tenant-id" `
  --cloud "AzureCloud"

This command opens an interactive browser authentication flow. For unattended/scripted deployments using a service principal:

azcmagent connect `
  --subscription-id "your-subscription-id" `
  --resource-group "rg-arc-servers" `
  --location "eastus" `
  --tenant-id "your-tenant-id" `
  --service-principal-id "your-sp-app-id" `
  --service-principal-secret "your-sp-secret" `
  --cloud "AzureCloud" `
  --resource-name "ws2022-server01"

The --resource-name flag sets the Azure resource name. If omitted, it defaults to the machine’s hostname.

For large-scale deployments across many servers, use the Arc-enabled servers at-scale onboarding approach with service principal credentials embedded in a Group Policy script or Configuration Manager task sequence.
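An unattended version of the install-and-connect procedure above, as an added example (not Microsoft's generated onboarding script). It assumes the deployment tool sets the environment variables ARC_SP_ID, ARC_SP_SECRET, ARC_SUBSCRIPTION_ID and ARC_TENANT_ID, so the service principal secret is not written into the script that is distributed to servers.

```powershell
# Added example: idempotent, unattended Arc onboarding with a service principal.
# Credential and subscription values come from environment variables (assumed names).
$ErrorActionPreference = 'Stop'

$required = 'ARC_SP_ID', 'ARC_SP_SECRET', 'ARC_SUBSCRIPTION_ID', 'ARC_TENANT_ID'
$missing = $required | Where-Object { [string]::IsNullOrEmpty([Environment]::GetEnvironmentVariable($_)) }
if ($missing) { throw "Missing environment variables: $($missing -join ', ')" }

$resourceGroup = 'rg-arc-servers'
$location      = 'eastus'
$resourceName  = $env:COMPUTERNAME.ToLower()
$agentExe      = "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe"

# Idempotency: if the agent is already connected, do nothing
if (Test-Path $agentExe) {
    $show = (& $agentExe show 2>$null) -join "`n"
    if ($show -match 'Agent Status\s*:\s*Connected') {
        Write-Host "$resourceName is already connected; nothing to do."
        return
    }
}

# Install the agent with the same installer the interactive procedure uses
$installer = Join-Path $env:TEMP 'install_windows_azcmagent.ps1'
Invoke-WebRequest -Uri 'https://aka.ms/azcmagent-windows' -TimeoutSec 30 -OutFile $installer
& $installer
if (-not (Test-Path $agentExe)) { throw 'Agent install did not produce azcmagent.exe' }

# Connect using the service principal; the resource name is set explicitly so the
# Azure resource name is deterministic rather than whatever the hostname casing is
& $agentExe connect `
    --subscription-id $env:ARC_SUBSCRIPTION_ID `
    --resource-group $resourceGroup `
    --location $location `
    --tenant-id $env:ARC_TENANT_ID `
    --service-principal-id $env:ARC_SP_ID `
    --service-principal-secret $env:ARC_SP_SECRET `
    --cloud 'AzureCloud' `
    --resource-name $resourceName
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# Drop the secret from this process once it is no longer needed
Remove-Item Env:ARC_SP_SECRET
Write-Host "Connected $resourceName to $resourceGroup." -ForegroundColor Green
```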

Verifying the Connection in Azure Portal and via CLI

After a successful azcmagent connect, verify the agent status on the server itself:

azcmagent show

The output shows the agent status, Azure resource ID, tenant ID, and the last heartbeat time. Expected output for a connected machine:

Resource Name            : ws2022-server01
Resource Group           : rg-arc-servers
Subscription ID          : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Tenant ID                : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Agent Status             : Connected
Agent Last Heartbeat     : 2025-05-17 10:22:14 +0000 UTC
Agent Version            : 1.40.02693.007
Machine ID               : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Check via Azure CLI:

az connectedmachine show --name ws2022-server01 --resource-group rg-arc-servers
az connectedmachine list --resource-group rg-arc-servers --output table

In the Azure portal, navigate to Azure Arc > Servers to see your machine listed with a “Connected” status indicator.

Enabling Azure Defender for Cloud via Arc

Once connected, you can enable Microsoft Defender for Cloud (formerly Azure Security Center) on the Arc-enabled server. Defender for Cloud provides vulnerability assessment, threat detection, and security recommendations for the machine.

Enable the Defender for Servers plan on your subscription:

az security pricing create --name VirtualMachines --tier standard

The Defender for Cloud agent (MMA or AMA) is deployed to the Arc machine via an Arc extension. Install the Azure Monitor Agent extension:

az connectedmachine extension create `
  --name AzureMonitorWindowsAgent `
  --publisher Microsoft.Azure.Monitor `
  --type AzureMonitorWindowsAgent `
  --machine-name ws2022-server01 `
  --resource-group rg-arc-servers `
  --location eastus `
  --enable-auto-upgrade true

Check extension installation status:

az connectedmachine extension list --machine-name ws2022-server01 --resource-group rg-arc-servers --output table

Azure Policy and Machine Configuration

Azure Policy can be assigned to Arc-enabled servers just as it is assigned to native Azure VMs. You can enforce Windows configuration baselines (CIS benchmarks, security hardening), require specific Windows features, and audit compliance across your server estate.

Azure Machine Configuration (formerly Azure Policy Guest Configuration) uses DSC (Desired State Configuration) under the hood to audit and enforce settings inside the OS. The Guest Configuration extension is a prerequisite:

az connectedmachine extension create `
  --name AzurePolicyforWindows `
  --publisher Microsoft.GuestConfiguration `
  --type ConfigurationforWindows `
  --machine-name ws2022-server01 `
  --resource-group rg-arc-servers `
  --location eastus

Assign a built-in policy to audit Windows Server security baseline compliance:

$scope = "/subscriptions/your-subscription-id/resourceGroups/rg-arc-servers"
az policy assignment create `
  --name "audit-windows-security-baseline" `
  --display-name "Audit Windows Server Security Baseline" `
  --policy "72650e9f-97bc-4b2a-ab5f-9781a9fcecbc" `
  --scope $scope

Update Management via Azure Arc

Azure Update Manager (formerly Update Management in Automation) supports Arc-enabled Windows Server 2022 machines directly. You can assess missing patches, schedule maintenance windows, and trigger patching from the Azure portal or via CLI — without requiring Azure Automation or a Log Analytics workspace as intermediaries, as the older Update Management solution did.

Check patch assessment status via CLI:

az connectedmachine assess-patches --name ws2022-server01 --resource-group rg-arc-servers

Install patches immediately (classify and include specific categories):

az connectedmachine install-patches `
  --name ws2022-server01 `
  --resource-group rg-arc-servers `
  --maximum-duration PT2H `
  --reboot-setting IfRequired `
  --windows-parameters '{"classificationsToInclude":["Critical","Security"]}'

Managing Tags and Organizing Arc Resources

Arc-enabled servers support the full Azure tagging taxonomy. Use tags to organize servers by environment, department, application, or patch group:

az resource tag `
  --resource-group rg-arc-servers `
  --name ws2022-server01 `
  --resource-type Microsoft.HybridCompute/machines `
  --tags Environment=Production Department=IT Application=WebFarm PatchGroup=Wave1

Query Arc machines by tag for reporting and targeting:

az connectedmachine list --resource-group rg-arc-servers `
  --query "[?tags.Environment=='Production']" `
  --output table

Arc Agent Maintenance and Troubleshooting

The Connected Machine agent runs as a Windows service. Check its status on the server:

Get-Service himds, ExtensionService, GCArcService | Select Name, Status, StartType

himds is the Hybrid Instance Metadata Service — the core Arc agent. ExtensionService manages Arc extensions. GCArcService is the Guest Configuration service.

Restart the agent services if connectivity issues occur:

Restart-Service himds
Restart-Service ExtensionService

Check agent logs:

Get-ChildItem "C:\ProgramData\AzureConnectedMachineAgent\Log"
Get-Content "C:\ProgramData\AzureConnectedMachineAgent\Log\himds.log" -Tail 50

Run the connectivity test built into the agent:

azcmagent check

This tests connectivity to all required Azure endpoints and reports the result, helping identify firewall or proxy issues before they cause agent disconnection.

To disconnect a server from Arc:

azcmagent disconnect --tenant-id "your-tenant-id"

The Arc agent is updated automatically when new versions are released, provided the auto-update setting is enabled (default). To check the installed version and available update:

azcmagent version
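The individual troubleshooting steps in this section can be combined into one health check that is suitable for a scheduled task. The following is an added example, not from the page or from Microsoft; it assumes a heartbeat older than 15 minutes counts as stale, that azcmagent check exits non-zero when a check fails, and that error lines in himds.log contain the word "error".

```powershell
# Added example: Arc agent health check that exits non-zero if attention is needed.
$staleAfter = [TimeSpan]::FromMinutes(15)   # assumed threshold
$problems = @()

# 1. The three agent services must exist and be running
foreach ($name in 'himds', 'ExtensionService', 'GCArcService') {
    $svc = Get-Service $name -ErrorAction SilentlyContinue
    if (-not $svc) { $problems += "$name service not found" }
    elseif ($svc.Status -ne 'Running') { $problems += "$name is $($svc.Status)" }
}

# 2. Parse the "Key : Value" lines of "azcmagent show" into a hashtable
$agent = @{}
foreach ($line in (azcmagent show)) {
    if ($line -match '^\s*(.+?)\s*:\s*(.*)$') { $agent[$Matches[1]] = $Matches[2].Trim() }
}
if ($agent['Agent Status'] -ne 'Connected') {
    $problems += "Agent Status is '$($agent['Agent Status'])'"
}

# 3. Heartbeat age; the value looks like "2025-05-17 10:22:14 +0000 UTC"
$hb = ($agent['Agent Last Heartbeat'] -replace '\s+UTC$', '') -replace '([+-]\d{2})(\d{2})$', '$1:$2'
try {
    $hbTime = [DateTimeOffset]::ParseExact($hb, 'yyyy-MM-dd HH:mm:ss zzz', [Globalization.CultureInfo]::InvariantCulture)
    $age = [DateTimeOffset]::UtcNow - $hbTime
    if ($age -gt $staleAfter) { $problems += "Last heartbeat is $([int]$age.TotalMinutes) minutes old" }
} catch {
    $problems += "Could not parse heartbeat '$($agent['Agent Last Heartbeat'])'"
}

# 4. Endpoint connectivity as seen by the agent (assumes non-zero exit on failure)
azcmagent check
if ($LASTEXITCODE -ne 0) { $problems += 'azcmagent check reported failures (see output above)' }

# 5. Recent error lines in the himds log (assumed marker: the word "error")
$log = "$env:ProgramData\AzureConnectedMachineAgent\Log\himds.log"
$recentErrors = Get-Content $log -Tail 200 -ErrorAction SilentlyContinue | Select-String -Pattern 'error'
if ($recentErrors) { $problems += "$($recentErrors.Count) error lines in the last 200 lines of himds.log" }

if ($problems.Count -eq 0) {
    Write-Host "Arc agent $($agent['Agent Version']) on $($agent['Resource Name']) is healthy." -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Host "ATTENTION: $_" -ForegroundColor Yellow }
    exit 1
}
```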