Introduction to Azure Arc on Windows Server 2019

Azure Arc extends Azure management capabilities to infrastructure running outside of Azure, including on-premises servers, servers in other clouds, and edge devices. By connecting a Windows Server 2019 machine to Azure Arc, you can manage it from the Azure portal just like a native Azure VM, apply Azure Policy for compliance, use Azure Defender for threat protection, enable Azure Monitor for performance metrics and log collection, and use Update Management for patch compliance. Azure Arc is especially valuable for hybrid environments where organizations want consistent governance and management tooling across cloud and on-premises workloads without migrating everything to Azure. The Azure Connected Machine agent is the lightweight agent installed on Windows Server 2019 that establishes the connection.

Prerequisites and Requirements

Before onboarding a Windows Server 2019 machine to Azure Arc, ensure the following prerequisites are met. You need an active Azure subscription with the Owner or Contributor role on a resource group. The server must have outbound HTTPS access on port 443 to Azure endpoints; if a proxy is in use, configure the agent to use it. The server requires at least 128 MB of RAM available for the agent and 1 GB of disk space. The server can be domain-joined or a workgroup member. Supported operating systems for the Connected Machine agent include Windows Server 2008 R2 through 2022. The Azure CLI or PowerShell with the Az module is needed for onboarding scripts. Confirm outbound connectivity to the core endpoints before installing the agent:

Test-NetConnection -ComputerName "management.azure.com" -Port 443
Test-NetConnection -ComputerName "login.microsoftonline.com" -Port 443
Test-NetConnection -ComputerName "pas.windows.net" -Port 443

Creating an Azure Service Principal for Arc Onboarding

Create a service principal in Azure AD with the Azure Connected Machine Onboarding role for non-interactive script-based enrollment. This is the recommended approach for enrolling multiple servers:

az login
az account set --subscription "Your-Subscription-ID"
az ad sp create-for-rbac --name "ArcOnboarding-SP" --role "Azure Connected Machine Onboarding" --scopes "/subscriptions/Your-Subscription-ID/resourceGroups/ArcServers-RG"

Record the appId (client ID), password (client secret), and tenant. Create the resource group if it does not exist:

az group create --name "ArcServers-RG" --location "eastus"

Downloading and Running the Onboarding Script

The easiest way to onboard a single server is to generate an onboarding script from the Azure portal or Azure CLI. In the portal, navigate to Azure Arc > Servers > Add, select Add a single server, and follow the wizard to generate a PowerShell script. The script includes your subscription ID, resource group, tenant ID, and service principal credentials. Download and run the generated script on Windows Server 2019:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://aka.ms/azcmagent-windows" -TimeoutSec 30 -OutFile "$env:TEMP\install_windows_azcmagent.ps1"
& "$env:TEMP\install_windows_azcmagent.ps1"

After the agent installs, connect the machine to Azure Arc:

& "C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe" connect `
  --service-principal-id "your-sp-client-id" `
  --service-principal-secret "your-sp-secret" `
  --resource-group "ArcServers-RG" `
  --tenant-id "your-tenant-id" `
  --location "eastus" `
  --subscription-id "your-subscription-id" `
  --cloud "AzureCloud" `
  --tags "Environment=Production,Role=WebServer"
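The onboarding steps above combined into one script, as an added example that is not from the original page or the Azure Arc product. It assumes the placeholder identifiers shown and that the service principal secret is supplied through an ARC_SP_SECRET environment variable (or typed at a prompt) rather than written into the script, and it checks each step before moving on:

```powershell
# Added example (not from the original page): onboard Windows Server 2019 to Azure Arc
# without embedding the service principal secret in the script. The secret comes from
# the ARC_SP_SECRET environment variable (assumed to be set for this session only by
# the operator or deployment tool) or from a prompt; each step is checked before the next.
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Assumed placeholder values; replace with your own identifiers.
$SubscriptionId = 'your-subscription-id'
$TenantId       = 'your-tenant-id'
$ResourceGroup  = 'ArcServers-RG'
$Location       = 'eastus'
$SpClientId     = 'your-sp-client-id'

$secret = $env:ARC_SP_SECRET
if (-not $secret) {
    # Prompt masks the input; the PSCredential trick recovers the plain text on PowerShell 5.1.
    $secure = Read-Host -Prompt 'Service principal secret' -AsSecureString
    $secret = [pscredential]::new('sp', $secure).GetNetworkCredential().Password
}

$agentExe = 'C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe'
if (-not (Test-Path $agentExe)) {
    $installer = Join-Path $env:TEMP 'install_windows_azcmagent.ps1'
    Invoke-WebRequest -Uri 'https://aka.ms/azcmagent-windows' -TimeoutSec 30 -OutFile $installer
    & $installer
    if (-not (Test-Path $agentExe)) { throw 'Agent installation did not produce azcmagent.exe' }
}

# The secret is passed to the agent process only; it is never written to a file. It is still
# visible to local administrators while the process runs, so treat the SP as single-purpose.
& $agentExe connect `
    --service-principal-id $SpClientId `
    --service-principal-secret $secret `
    --resource-group $ResourceGroup `
    --tenant-id $TenantId `
    --location $Location `
    --subscription-id $SubscriptionId `
    --cloud 'AzureCloud' `
    --tags 'Environment=Production,Role=WebServer'
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }
Remove-Variable secret, secure -ErrorAction SilentlyContinue

# Confirm the agent reports the machine as connected before handing it to policy and monitoring.
& $agentExe show
```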

Verifying the Arc Connection

Verify the agent is running and the machine is connected to Azure Arc:

azcmagent show
azcmagent check
Get-Service himds | Select-Object Status, DisplayName

Check from Azure CLI:

az connectedmachine list --resource-group "ArcServers-RG" --output table
az connectedmachine show --name "SERVER01" --resource-group "ArcServers-RG"

In the Azure portal, navigate to Azure Arc > Servers to see the connected machine listed with a Connected status. The machine properties show OS version, agent version, and last heartbeat time.
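An added check, not part of the original page, that reads the JSON returned by az connectedmachine list and flags machines that are not Connected or that run an agent older than a chosen minimum; a machine that drops out of Connected also stops feeding Azure Monitor and Defender, so this is worth running on a schedule. The field names and the sample records are assumptions, constructed for offline use:

```powershell
# Added example (not from the original page): flag Arc-enabled servers that are not
# reporting, from the JSON that `az connectedmachine list --output json` returns.
# Field names (name, status, agentVersion) are assumed from the az output; the sample
# records at the bottom are constructed so the function can be run offline.
function Test-ArcMachineHealth {
    param(
        [Parameter(Mandatory)][string]$Json,
        [version]$MinAgentVersion = '1.0'   # assumed placeholder; set to your fleet's floor
    )
    foreach ($m in ($Json | ConvertFrom-Json)) {
        $reasons = @()
        # Anything other than Connected (Disconnected, Expired, Error) means no heartbeat.
        if ($m.status -ne 'Connected') { $reasons += "status=$($m.status)" }
        $ver = $null
        if (-not [version]::TryParse($m.agentVersion, [ref]$ver)) {
            $reasons += "unparseable agentVersion '$($m.agentVersion)'"
        } elseif ($ver -lt $MinAgentVersion) {
            $reasons += "agent $ver older than $MinAgentVersion"
        }
        [pscustomobject]@{
            Name         = $m.name
            Status       = $m.status
            AgentVersion = $m.agentVersion
            Healthy      = ($reasons.Count -eq 0)
            Reason       = ($reasons -join '; ')
        }
    }
}

# Constructed sample standing in for:
#   az connectedmachine list --resource-group "ArcServers-RG" --output json
$sample = @'
[
  {"name": "SERVER01", "status": "Connected",    "agentVersion": "1.44.02896.1707"},
  {"name": "SERVER02", "status": "Disconnected", "agentVersion": "1.44.02896.1707"},
  {"name": "SERVER03", "status": "Connected",    "agentVersion": "1.20.01234.100"}
]
'@
# Live use: Test-ArcMachineHealth -Json (az connectedmachine list -g "ArcServers-RG" -o json | Out-String)
Test-ArcMachineHealth -Json $sample -MinAgentVersion '1.40' |
    Where-Object { -not $_.Healthy } | Format-Table -AutoSize
```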

Configuring Azure Policy for Arc Servers

Apply Azure Policy definitions to Arc-enabled servers for governance and compliance. Common policy assignments for servers include requiring agents for monitoring, ensuring specific OS configurations, and enforcing tagging requirements. Initiatives that assess in-guest settings rely on the Guest Configuration extension, which Azure Policy deploys to Arc servers. The following assigns the Enable Azure Monitor for VMs initiative with a system-assigned managed identity so that deployment and remediation tasks can run:

az policy assignment create \
  --name "arc-server-monitoring" \
  --display-name "Enable Azure Monitor for Arc Servers" \
  --policy-set-definition "Enable Azure Monitor for VMs" \
  --scope "/subscriptions/your-subscription-id/resourceGroups/ArcServers-RG" \
  --mi-system-assigned \
  --location "eastus"

Check compliance status from the portal or CLI:

az policy state list --resource-group "ArcServers-RG" --filter "complianceState eq 'NonCompliant'" --output table

Enabling Azure Monitor for Arc Servers

Connect Azure Arc servers to a Log Analytics workspace to collect performance metrics and event logs. Install the Log Analytics agent extension via Azure Arc:

az connectedmachine extension create \
  --machine-name "SERVER01" \
  --resource-group "ArcServers-RG" \
  --name "MMAExtension" \
  --type "MicrosoftMonitoringAgent" \
  --publisher "Microsoft.EnterpriseCloud.Monitoring" \
  --type-handler-version "1.0" \
  --location "eastus" \
  --settings '{"workspaceId": "your-workspace-id"}' \
  --protected-settings '{"workspaceKey": "your-workspace-key"}'

Alternatively use the newer Azure Monitor Agent:

az connectedmachine extension create \
  --machine-name "SERVER01" \
  --resource-group "ArcServers-RG" \
  --name "AzureMonitorWindowsAgent" \
  --type "AzureMonitorWindowsAgent" \
  --publisher "Microsoft.Azure.Monitor" \
  --type-handler-version "1.0" \
  --location "eastus"

Using Azure Automation Update Management

Azure Automation Update Management provides centralized patch management for Arc-enabled servers. Create an Automation account, link it to the Log Analytics workspace, and enable the Update Management solution; once enabled, it begins assessing the patch status of the Windows Server 2019 Arc machine:

az automation account create \
  --resource-group "ArcServers-RG" \
  --name "CorpAutomation" \
  --location "eastus" \
  --sku "Basic"

az automation update-management solution enable \
  --resource-group "ArcServers-RG" \
  --automation-account-name "CorpAutomation" \
  --workspace-id "your-workspace-id"

Create an update deployment schedule to patch the server during a maintenance window:

az automation software-update-configuration create \
  --resource-group "ArcServers-RG" \
  --automation-account-name "CorpAutomation" \
  --name "WeeklyPatching" \
  --operating-system "Windows" \
  --windows classification="Critical, Security, UpdateRollup" \
  --schedule-start-time "2026-06-01T02:00:00" \
  --schedule-frequency "Week" \
  --schedule-interval 1

Configuring Azure Defender for Arc Servers

Microsoft Defender for Servers extends threat protection to Arc-enabled Windows Server 2019 machines. Enable Defender for Servers at the subscription level:

az security pricing create --name "VirtualMachines" --tier "Standard"

The Defender sensor is automatically deployed to Arc-enabled machines when Defender for Servers is enabled. Verify the MDE sensor extension is installed:

az connectedmachine extension list --machine-name "SERVER01" --resource-group "ArcServers-RG" --output table

Managing Arc Agent Configuration

Configure the Azure Connected Machine agent settings on the Windows Server 2019 machine. Lock agent configuration to prevent unauthorized changes:

azcmagent config set extensions.allowlist "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent,Microsoft.EnterpriseCloud.Monitoring/MicrosoftMonitoringAgent"
azcmagent config set proxy.url "http://proxy.contoso.com:8080"
azcmagent config set incomingconnections.ports "22,3389"

Check agent configuration and status:

azcmagent config list
azcmagent show --output json
azcmagent logs --output "C:\Temp\ArcLogs.zip"
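An added script, not from the original page, that applies the three settings above as a baseline and reads each one back with azcmagent config get to detect drift; the exact output format of config get is an assumption, so values are compared as normalized, sorted lists rather than raw strings:

```powershell
# Added example (not from the original page): set a restrictive local agent baseline and
# verify each property by reading it back. Property names are the documented azcmagent
# settings; the values are the ones used on this page. The output format of
# `azcmagent config get` is assumed, so values are compared as normalized lists.
$ErrorActionPreference = 'Stop'
$agent = 'C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe'

$desired = [ordered]@{
    # Only these publisher/type pairs may be installed through Arc; anything else is refused.
    'extensions.allowlist'      = 'Microsoft.Azure.Monitor/AzureMonitorWindowsAgent,Microsoft.EnterpriseCloud.Monitoring/MicrosoftMonitoringAgent'
    # Outbound traffic goes through the corporate proxy (assumed hostname from the page).
    'proxy.url'                 = 'http://proxy.contoso.com:8080'
    # Limit inbound SSH/RDP over Arc to these ports; use incomingconnections.enabled false to block it entirely.
    'incomingconnections.ports' = '22,3389'
}

# Normalize comma- or newline-separated values into a sorted, comma-joined list.
function Get-NormalizedList([string]$Text) {
    (($Text -split '[,\r\n]+' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object) -join ',')
}

$drift = foreach ($key in $desired.Keys) {
    & $agent config set $key $desired[$key] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "config set $key failed with exit code $LASTEXITCODE" }
    $actual = (& $agent config get $key | Out-String)
    if ((Get-NormalizedList $actual) -ne (Get-NormalizedList $desired[$key])) {
        [pscustomobject]@{ Property = $key; Expected = $desired[$key]; Actual = $actual.Trim() }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
    throw 'Agent configuration does not match the desired baseline'
}
"Agent configuration verified: $($desired.Count) properties set as expected"
```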

Azure Arc on Windows Server 2019 bridges on-premises infrastructure with Azure cloud management, providing a unified control plane for governance, monitoring, patching, and security across hybrid environments without requiring workload migration.