Archive for What's new with Azure Connected Machine agent
Caution
This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the CentOS End Of Life guidance.
The primary What's new in Azure Connected Machine agent? article contains updates for the last six months, while this article contains all the older information.
Note
The following released version, date, and content only correspond to the actual deployment of the Microsoft Azure clouds.
It provides the evolution history of Azure Arc-Enabled server service on Azure Public cloud in most cases. Please note that there are certain cases that may not be consistent with the actual deployment of Azure operated by 21Vianet.
The Azure Connected Machine agent receives improvements on an ongoing basis. This article provides you with information about:
- Previous releases
- Known issues
- Bug fixes
Version 1.37 - December 2023
New features
- Rocky Linux 9 is now a supported operating system
- Added Oracle Cloud Infrastructure display name as a detected property
Fixed
- Restored access to servers with Windows Admin Center in Azure
- Improved detection logic for Microsoft SQL Server
- Agents connected to sovereign clouds should now see the correct cloud and portal URL in azcmagent show
- The installation script for Linux now automatically approves the request to import the packages.microsoft.com signing key to ensure a silent installation experience
- Agent installation and upgrades apply more restrictive permissions to the agent's data directories on Windows
- Improved reliability when detecting Azure Stack HCI as a cloud provider
- Removed the log zipping feature introduced in version 1.37 for extension manager and machine configuration agent logs. Log files are still rotated automatically.
- Removed the scheduled tasks for automatic agent upgrades (introduced in agent version 1.30). We'll reintroduce this functionality when the automatic upgrade mechanism is available.
- Resolved Azure Connected Machine Agent Elevation of Privilege Vulnerability
Version 1.36 - November 2023
Known issues
The Windows Admin Center in Azure feature is incompatible with Azure Connected Machine agent version 1.36. Upgrade to version 1.37 or later to use this feature.
New features
- azcmagent show now reports extended security license status on Windows Server 2012 server machines.
- Introduced a new proxy bypass option,
ArcData
, that covers the SQL Server enabled by Azure Arc endpoints. This enables you to use a private endpoint with Azure Arc-enabled servers with the public endpoints for SQL Server enabled by Azure Arc. - The CPU limit for extension operations on Linux is now 30%. This increase helps improve reliability of extension install, upgrade, and uninstall operations.
- Older extension manager and machine configuration agent logs are automatically zipped to reduce disk space requirements.
- New executable names for the extension manager (
gc_extension_service
) and machine configuration (gc_arc_service
) agents on Windows to help you distinguish the two services. For more information, see Windows agent installation details.
Bug fixes
- azcmagent connect now uses the latest API version when creating the Azure Arc-enabled server resource to ensure Azure policies targeting new properties can take effect.
- Upgraded the OpenSSL library and PowerShell runtime shipped with the agent to include the latest security fixes.
- Fixed an issue that could prevent the agent from reporting the correct product type on Windows machines.
- Improved handling of upgrades when the previously installed extension version wasn't in a successful state.
Version 1.35 - October 2023
Known issues
The Windows Admin Center in Azure feature is incompatible with Azure Connected Machine agent version 1.35. Upgrade to version 1.37 or later to use this feature.
New features
- The Linux installation script now downloads supporting assets with either wget or curl, depending on which tool is available on the system
- azcmagent connect and azcmagent disconnect now accept the
--user-tenant-id
parameter to enable Lighthouse users to use a credential from their tenant and onboard a server to a different tenant. - You can configure the extension manager to run, without allowing any extensions to be installed, by configuring the allowlist to
Allow/None
. This supports Windows Server 2012 ESU scenarios where the extension manager is required for billing purposes but doesn't need to allow any extensions to be installed. Learn more about local security controls.
Fixed
- Improved reliability when installing Microsoft Defender for Endpoint on Linux by increasing available system resources and extending the timeout
- Better error handling when a user specifies an invalid location name to azcmagent connect
- Fixed a bug where clearing the
incomingconnections.enabled
configuration setting would show<nil>
as the previous value - Security fix for the extension allowlist and blocklist feature to address an issue where an invalid extension name could impact enforcement of the lists.
Version 1.34 - September 2023
New features
Extended Security Updates for Windows Server 2012 and 2012 R2 can be purchased and enabled through Azure Arc. If your server is already running the Azure Connected Machine agent, upgrade to agent version 1.34 or later to take advantage of this new capability.
New system metadata is collected to enhance your device inventory in Azure:
- Total physical memory
- More processor information
- Serial number
- SMBIOS asset tag
Network requests to Microsoft Entra ID (formerly Azure Active Directory) now use
login.chinacloudapi.cn
instead oflogin.chinacloudapi.cn
Fixed
- Better handling of disconnected agent scenarios in the extension manager and policy engine.
Version 1.33 - August 2023
Security fix
Agent version 1.33 contains a fix for CVE-2023-38176, a local elevation of privilege vulnerability. Azure recommends upgrading all agents to version 1.33 or later to mitigate this vulnerability. Azure Advisor can help you identify servers that need to be upgraded. Learn more about CVE-2023-38176 in the Security Update Guide.
Known issue
azcmagent check validates a new endpoint in this release: <geography>-ats.his.arc.azure.cn
. This endpoint is reserved for future use and not required for the Azure Connected Machine agent to operate successfully. However, if you're using a private endpoint, this endpoint will fail the network connectivity check. You can safely ignore this endpoint in the results and should instead confirm that all other endpoints are reachable.
This endpoint will be removed from azcmagent check
in a future release.
Fixed
- Fixed an issue that could cause a VM extension to disappear in Azure Resource Manager if it's installed with the same settings twice. After upgrading to agent version 1.33 or later, reinstall any missing extensions to restore the information in Azure Resource Manager.
- You can now set the agent mode before connecting the agent to Azure.
- The agent now responds to instance metadata service (IMDS) requests even when the connection to Azure is temporarily unavailable.
Version 1.32 - July 2023
New features
- Added support for the Debian 12 operating system
- azcmagent show now reflects the "Expired" status when a machine has been disconnected long enough for the managed identity to expire. Previously, the agent only showed "Disconnected" while the Azure portal and API showed the correct state, "Expired."
Fixed
- Fixed an issue that could result in high CPU usage if the agent was unable to send telemetry to Azure.
- Improved local logging when there are network communication errors
Version 1.31 - June 2023
Known issue
The first release of agent version 1.31 had a known issue affecting customers using proxy servers. The issue displays as AZCM0026: Network Error
and a message about "no IP addresses found" when connecting a server to Azure Arc using a proxy server. A newer version of agent 1.31 was released on June 14, 2023 that addresses this issue.
To check if you're running the latest version of the Azure connected machine agent, navigate to the server in the Azure portal or run azcmagent show
from a terminal on the server itself and look for the "Agent version." The table below shows the version numbers for the first and patched releases of agent 1.31.
Package type | Version number with proxy issue | Version number of patched agent |
---|---|---|
Windows | 1.31.02347.1069 | 1.31.02356.1083 |
RPM-based Linux | 1.31.02347.957 | 1.31.02356.970 |
DEB-based Linux | 1.31.02347.939 | 1.31.02356.952 |
New features
- Added support for Amazon Linux 2023
- azcmagent show no longer requires administrator privileges
- You can now filter the output of azcmagent show by specifying the properties you wish to output
Fixed
- Added an error message when a pending reboot on the machine affects extension operations
- The scheduled task that checks for agent updates no longer outputs a file
- Improved formatting for clock skew calculations
- Improved reliability when upgrading extensions by explicitly asking extensions to stop before trying to upgrade.
- Increased the resource limits for the Update Manager extension for Linux, Microsoft Defender Endpoint for Linux, and Azure Security Agent for Linux to prevent timeouts during installation
- azcmagent disconnect now closes any active SSH or Windows Admin Center connections
- Improved output of the azcmagent check command
- Better handling of spaces in the
--location
parameter of azcmagent connect
Version 1.30 - May 2023
New features
- Introduced a scheduled task that checks for agent updates on a daily basis. Currently, the update mechanism is inactive and no changes are made to your server even if a newer agent version is available. In the future, you'll be able to schedule updates of the Azure Connected Machine agent from Azure. For more information, see Automatic agent upgrades.
Fixed
- Resolved an issue that could cause the agent to go offline after rotating its connectivity keys.
azcmagent show
no longer shows an incomplete resource ID or Azure portal page URL when the agent isn't configured.
Version 1.29 - April 2023
New features
- The agent now compares the time on the local system and Azure service when checking network connectivity and creating the resource in Azure. If the clocks are offset by more than 120 seconds (2 minutes), a nonblocking error is shown. You might encounter TLS connection errors if the time of your computer doesn't match the time in Azure.
azcmagent show
now supports an--os
flag to print extra OS information to the console
Fixed
- Fixed an issue that could cause the guest configuration service (gc_service) to repeatedly crash and restart on Linux systems
- Resolved a rare condition under which the guest configuration service (gc_service) could consume excessive CPU resources
- Removed "sudo" calls in internal install script that could be blocked if SELinux is enabled
- Reduced how long network checks wait before determining a network endpoint is unreachable
- Stopped writing error messages in "himds.log" referring to a missing certificate key file for the ATS agent, an inactive component reserved for future use.
Version 1.28 - March 2023
Fixed
- Improved reliability of delete requests for extensions
- More frequent reporting of VM UUID (system firmware identifier) changes
- Improved reliability when writing changes to agent configuration files
- JSON output for
azcmagent connect
now includes Azure portal URL for the server - Linux installation script now installs the
gnupg
package if it's missing on Debian operating systems - Removed weekly restarts for the extension and guest configuration services
Version 1.27 - February 2023
Fixed
- The extension service now correctly restarts when the Azure Connected Machine agent is upgraded by Update Manager
- Resolved issues with the hybrid connectivity component that could result in the "himds" service crashing, the server showing as "disconnected" in Azure, and connectivity issues with Windows Admin Center and SSH
- Improved handling of resource move scenarios that could impact Windows Admin Center and SSH connectivity
- Improved reliability when changing the agent configuration mode from "monitor" mode to "full" mode.
- Increased the resource limits for the Microsoft Sentinel DNS extension to improve log collection reliability
- Tenant IDs are better validated when connecting the server
Version 1.26 - January 2023
Download for Linux
Note
Version 1.26 is only available for Linux operating systems.
Fixed
- Increased the resource limits for the Microsoft Defender for Endpoint extension (MDE.Linux) on Linux to improve installation reliability
Version 1.25 - January 2023
New features
- Red Hat Enterprise Linux (RHEL) 9 is now a supported operating system
Fixed
- Reliability improvements in the machine (guest) configuration policy engine
- Improved error messages in the Windows MSI installer
- Additional improvements to the detection logic for machines running on Azure Stack HCI
Version 1.24 - November 2022
New features
azcmagent logs
improvements:- Only the most recent log file for each component is collected by default. To collect all log files, use the new
--full
flag. - Journal logs for the agent services are now collected on Linux operating systems
- Logs from extensions are now collected
- Only the most recent log file for each component is collected by default. To collect all log files, use the new
- Agent telemetry is no longer sent to
dc.services.visualstudio.com
. You might be able to remove this URL from any firewall or proxy server rules if no other applications in your environment require it. - Failed extension installs can now be retried without removing the old extension as long as the extension settings are different
- Increased the resource limits for the Azure Update Manager extension on Linux to reduce downtime during update operations
Fixed
- Improved logic for detecting machines running on Azure Stack HCI to reduce false positives
- Auto-registration of required resource providers only happens when they are unregistered
- Agent will now detect drift between the proxy settings of the command line tool and background services
- Fixed a bug with proxy bypass feature that caused the agent to incorrectly use the proxy server for bypassed URLs
- Improved error handling when extensions don't download successfully, fail validation, or have corrupt state files
Version 1.23 - October 2022
New features
- The minimum PowerShell version required on Windows Server has been reduced to PowerShell 4.0
- The Windows agent installer is now compatible with systems that enforce a Microsoft publisher-based Windows Defender Application Control policy.
- Added support for Rocky Linux 8 and Debian 11.
Fixed
- Tag values are correctly preserved when connecting a server and specifying multiple tags (fixes known issue from version 1.22).
- An issue preventing some users who tried authenticating with an identity from a different tenant than the tenant where the server is (will be) registered has been fixed.
- The
azcamgent check
command no longer validates CNAME records to reduce warnings that did not impact agent functionality. - The agent will now try to obtain an access token for up to 5 minutes when authenticating with an Azure Active Directory service principal.
- Cloud presence checks now only run once at the time the
himds
service starts on the server to reduce local network traffic. If you live migrate your virtual machine to a different cloud provider, it will not reflect the new cloud provider until the service or computer has rebooted. - Improved logging during the installation process.
- The install script for Windows now saves the MSI to the TEMP directory instead of the current directory.
Version 1.22 - September 2022
Known issues
- The 'connect' command uses the value of the last tag for all tags. You will need to fix the tags after onboarding to use the correct values.
New features
- The default login flow for Windows computers now loads the local web browser to authenticate with Azure Active Directory instead of providing a device code. You can use the
--use-device-code
flag to return to the old behavior or provide service principal credentials for a non-interactive authentication experience. - If the resource group provided to
azcmagent connect
does not exist, the agent tries to create it and continue connecting the server to Azure. - Added support for Ubuntu 22.04
- Added
--no-color
flag for all azcmagent commands to suppress the use of colors in terminals that do not support ANSI codes.
Fixed
- The agent now supports Red Hat Enterprise Linux 8 servers that have FIPS mode enabled.
- Agent telemetry uses the proxy server when configured.
- Improved accuracy of network connectivity checks
- The agent retains extension allow and blocklists when switching the agent from monitoring mode to full mode. Use azcmagent config clear to reset individual configuration settings to the default state.
Version 1.21 - August 2022
New features
azcmagent connect
usability improvements:- The
--subscription-id (-s)
parameter now accepts friendly names in addition to subscription IDs - Automatic registration of any missing resource providers for first-time users (extra user permissions required to register resource providers)
- Added a progress bar during onboarding
- The onboarding script now supports both the yum and dnf package managers on RPM-based Linux systems
- The
- You can now restrict the URLs used to download machine configuration (formerly Azure Policy guest configuration) packages by setting the
allowedGuestConfigPkgUrls
tag on the server resource and providing a comma-separated list of URL patterns to allow.
Fixed
- Improved reliability when reporting extension installation failures to prevent extensions from staying in the "creating" state
- Support for retrieving metadata for Google Cloud Platform virtual machines when the agent uses a proxy server
- Improved network connection retry logic and error handling
- Linux only: resolves local escalation of privilege vulnerability CVE-2022-38007
Version 1.20 - July 2022
Known issues
- Some systems might incorrectly report their cloud provider as Azure Stack HCI.
New features
- Added support for connecting the agent to the Azure operated by 21Vianet
- Added support for Debian 10
- Updates to the instance metadata collected on each machine:
- GCP VM OS is no longer collected
- CPU logical core count is now collected
- Improved error messages and colorization
Fixed
- Agents configured to use private endpoints correctly download extensions over the private endpoint
- Renamed the
--use-private-link
flag on azcmagent check to--enable-pls-check
to more accurately represent its function
Version 1.19 - June 2022
Known issues
- Agents configured to use private endpoints incorrectly download extensions from a public endpoint. Upgrade the agent to version 1.20 or later to restore correct functionality.
- Some systems might incorrectly report their cloud provider as Azure Stack HCI.
New features
- When installed on a Google Compute Engine virtual machine, the agent detects and reports Google Cloud metadata in the "detected properties" of the Azure Arc-enabled servers resource. Learn more about the new metadata.
Fixed
- Resolved an issue that could cause the extension manager to hang during extension installation, update, and removal operations.
- Improved support for TLS 1.3
Version 1.18 - May 2022
New features
- You can configure the agent to operate in monitoring mode, which simplifies configuration of the agent for scenarios where you only want to use Arc for monitoring and security scenarios. This mode disables other agent functionality and prevents use of extensions that could make changes to the system (for example, the Custom Script Extension).
- VMs and hosts running on Azure Stack HCI now report the cloud provider as "HCI" when Azure benefits are enabled.
Fixed
systemd
is now an official prerequisite on Linux- Guest configuration policies no longer create unnecessary files in the
/tmp
directory on Linux servers - Improved reliability when extracting extensions and guest configuration policy packages
- Improved reliability for guest configuration policies that have child processes
Version 1.17 - April 2022
New features
- The default resource name for AWS EC2 instances is now the instance ID instead of the hostname. To override this behavior, use the
--resource-name PreferredResourceName
parameter to specify your own resource name when connecting a server to Azure Arc. - The network connectivity check during onboarding now verifies private endpoint configuration if you specify a private link scope. You can run the same check anytime by running azcmagent check with the new
--use-private-link
parameter. - You can now disable the extension manager with the local agent security controls.
Fixed
- If you attempt to run
azcmagent connect
on a server already connected to Azure, the resource ID is shown on the console to help you locate the resource in Azure. - Extended the
azcmagent connect
timeout to 10 minutes. azcmagent show
no longer prints the private link scope ID. You can check if the server is associated with an Azure Arc private link scope by reviewing the machine details in the Azure portal, CLI, or PowerShell.azcmagent logs
collects only the two most recent logs for each service to reduce ZIP file size.azcmagent logs
collects Guest Configuration logs again.
Version 1.16 - March 2022
Known issues
azcmagent logs
doesn't collect Guest Configuration logs in this release. You can locate the log directories in the agent installation details.
New features
- You can now granularly control allowed and blocked extensions on your server and disable the Guest Configuration agent. See local agent controls to enable or disable capabilities for more information.
Fixed
- The "Arc" proxy bypass keyword no longer includes Azure Active Directory endpoints on Linux
- The "Arc" proxy bypass keyword now includes Azure Storage endpoints for extension downloads
Version 1.15 - February 2022
Known issues
- The "Arc" proxy bypass feature on Linux includes some endpoints that belong to Azure Active Directory. As a result, if you only specify the "Arc" bypass rule, traffic destined for Azure Active Directory endpoints will not use the proxy server as expected.
New features
- Network check improvements during onboarding:
- Added TLS 1.2 check
- Onboarding aborts when required networking endpoints are inaccessible
- New
--skip-network-check
flag to override the new network check behavior - On-demand network check now available using
azcmagent check
- Proxy bypass is now available for customers using private endpoints. This feature allows you to send Azure Active Directory and Azure Resource Manager traffic through a proxy server, but skip the proxy server for traffic that should stay on the local network to reach private endpoints.
- Oracle Linux 8 is now supported
Fixed
- Improved reliability when disconnecting the agent from Azure
- Improved reliability when installing and uninstalling the agent on Active Directory Domain Controllers
- Extended the device login timeout to 5 minutes
- Removed resource constraints for Azure Monitor Agent to support high throughput scenarios
Version 1.14 - January 2022
Fixed
- Fixed a state corruption issue in the extension manager that could cause extension operations to get stuck in transient states. Customers running agent version 1.13 are encouraged to upgrade to version 1.14 as soon as possible. If you continue to have issues with extensions after upgrading the agent, submit a support ticket.
Version 1.13 - November 2021
Known issues
- Extensions might get stuck in transient states (creating, deleting, updating) on Windows machines running the 1.13 agent in certain conditions. Azure recommends upgrading to agent version 1.14 as soon as possible to resolve this issue.
Fixed
- Improved reliability when installing or upgrading the agent.
New features
- Local configuration of agent settings now available using the azcmagent config command.
- Support for configuring proxy server settings using agent-specific settings instead of environment variables.
- Extension operations execute faster using a new notification pipeline. You might need to adjust your firewall or proxy server rules to allow the new network addresses for this notification service (see networking configuration). The extension manager falls back to the existing behavior of checking every 5 minutes when the notification service is inaccessible.
- Detection of the AWS account ID, instance ID, and region information for servers running in Amazon Web Services.
Version 1.12 - October 2021
Fixed
- Improved reliability when validating signatures of extension packages.
azcmagent_proxy remove
command on Linux now correctly removes environment variables on Red Hat Enterprise Linux and related distributions.azcmagent logs
now includes the computer name and timestamp to help disambiguate log files.
Version 1.11 - September 2021
Fixed
- The agent now supports on Windows systems with the System objects: Require case insensitivity for non-Windows subsystems policy set to Disabled.
- The guest configuration policy agent automatically retries if an error occurs during service start or restart events.
- Fixed an issue that prevented guest configuration audit policies from successfully executing on Linux machines.
Version 1.10 - August 2021
Fixed
The guest configuration policy agent can now configure and remediate system settings. Existing policy assignments continue to be audit-only.
The guest configuration policy agent now restarts every 48 hours instead of every 6 hours.
Version 1.9 - July 2021
New features
Added support for the Indonesian language
Fixed
Fixed a bug that prevented extension management in the West US 3 region
Version 1.8 - July 2021
New features
- Improved reliability when installing the Azure Monitor Agent extension on Red Hat and CentOS systems
- Added agent-side enforcement of max resource name length (54 characters)
- Guest Configuration policy improvements:
- Added support for PowerShell-based Guest Configuration policies on Linux operating systems
- Added support for multiple assignments of the same Guest Configuration policy on the same server
- Upgraded PowerShell Core to version 7.1 on Windows operating systems
Fixed
- The agent continues running if it is unable to write service start/stop events to the Windows Application event log
Version 1.7 - June 2021
New features
- Improved reliability during onboarding:
- Improved retry logic when HIMDS is unavailable
- Onboarding continues instead of aborting if OS information isn't available
- Improved reliability when installing the Log Analytics agent for Linux extension on Red Hat and CentOS systems
Version 1.6 - May 2021
New features
- Added support for SUSE Enterprise Linux 12
- Updated Guest Configuration agent to version 1.26.12.0 to include:
- Policies execute in a separate process.
- Added V2 signature support for extension validation.
- Minor update to data logging.
Version 1.5 - April 2021
New features
- Added support for Red Hat Enterprise Linux 8 and CentOS Linux 8.
- New
-useStderr
parameter to direct error and verbose output to stderr. - New
-json
parameter to direct output results in JSON format (when used with -useStderr). - Collect other instance metadata - Manufacturer, model, and cluster resource ID (for Azure Stack HCI nodes).
Version 1.4 - March 2021
New features
- Added support for private endpoints, which is currently in limited preview.
- Expanded list of exit codes for azcmagent.
- You can pass agent configuration parameters from a file with the
--config
parameter. - Automatically detects the presence of Microsoft SQL Server on the server
Fixed
Network endpoint checks are now faster.
Version 1.3 - December 2020
New features
Added support for Windows Server 2008 R2 SP1.
Fixed
Resolved issue preventing the Custom Script Extension on Linux from installing successfully.
Version 1.2 - November 2020
Fixed
Resolved issue where proxy configuration resets after upgrade on RPM-based distributions.
Version 1.1 - October 2020
Fixed
- Fixed proxy script to handle alternate GC daemon unit file location.
- GuestConfig agent reliability changes.
- GuestConfig agent support for US Gov Virginia region.
- GuestConfig agent extension report messages to be more verbose if there is a failure.
Version 1.0 - September 2020
This version is the first generally available release of the Azure Connected Machine Agent.
Plan for change
- Support for preview agents (all versions older than 1.0) will be removed in a future service update.
- Removed support for fallback endpoint
.azure-automation.net
. If you have a proxy, you need to allow the endpoint*.his.arc.azure.com
. - VM extensions can't be installed or modified from Azure Arc if the agent detects it's running in an Azure VM. This is to avoid conflicting extension operations being performed from the virtual machine's Microsoft.Compute and Microsoft.HybridCompute resource. Use the Microsoft.Compute resource for the machine for all extension operations.
- Name of guest configuration process has changed, from gcd to gcad on Linux, and gcservice to gcarcservice on Windows.
New features
- Added
azcmagent logs
option to collect information for support. - Added
azcmagent license
option to display EULA. - Added
azcmagent show --json
option to output agent state in easily parseable format. - Added flag in
azcmagent show
output to indicate if server is on a virtual machine hosted in Azure. - Added
azcmagent disconnect --force-local-only
option to allow reset of local agent state when Azure service cannot be reached. - Added
azcmagent connect --cloud
option to support other clouds. In this release, only Azure is supported by service at time of agent release. - Agent has been localized into Azure-supported languages.
Fixed
- Improvements to connectivity check.
- Corrected issue with proxy server settings being lost when upgrading agent on Linux.
- Resolved issues when attempting to install agent on server running Windows Server 2012 R2.
- Improvements to extension installation reliability
Next steps
Before evaluating or enabling Arc-enabled servers across multiple hybrid machines, review Connected Machine agent overview to understand requirements, technical details about the agent, and deployment methods.
Review the Planning and deployment guide to plan for deploying Azure Arc-enabled servers at any scale and implement centralized management and monitoring.