Azure ARC Agent Allow Lists

If you need to harden Azure Arc-enabled servers, you may choose to block both guest configuration and extensions. Blocking both sounds like a great idea, but some services depend on the Arc extension mechanism. One such service is Azure Update Manager: to assess and install updates on Azure Arc servers, two extensions need to be added to the extension allow list so that everything else stays blocked.

Disable guest configuration:

  • azcmagent config set guestconfiguration.enabled false

Enable extensions:

  • azcmagent config set extensions.enabled true

Windows

Allow on-demand patching:
azcmagent config set extensions.allowlist "Microsoft.CPlat.Core/WindowsPatchExtension" --add

Allow periodic assessment:
azcmagent config set extensions.allowlist "Microsoft.SoftwareUpdateManagement/WindowsOsUpdateExtension" --add

Allow SQL Server ARC Extension:
azcmagent config set extensions.allowlist "Microsoft.AzureData/WindowsAgent.SqlServer" --add

Allow Azure Monitor ARC Extension:
azcmagent config set extensions.allowlist "Microsoft.EnterpriseCloud.Monitoring/MicrosoftMonitoringAgent,Microsoft.Azure.Monitoring.DependencyAgent/DependencyAgentWindows" --add

azcmagent config set extensions.allowlist "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent" --add

Allow Defender ARC Extension:
azcmagent config set extensions.allowlist "Qualys/WindowsAgent.AzureSecurityCenter,Microsoft.Azure.AzureDefenderForServers/MDE.Windows,Microsoft.Azure.AzureDefenderForSQL/AdvancedThreatProtection.Windows" --add

Disabling Run Command:
To disable Run Command on Azure Arc-enabled servers (Windows):
azcmagent config set extensions.blocklist "microsoft.cplat.core/runcommandhandlerwindows"

Linux

Allow on-demand patching:
azcmagent config set extensions.allowlist "Microsoft.SoftwareUpdateManagement/LinuxOsUpdateExtension"

Allow periodic assessment:
azcmagent config set extensions.allowlist "Microsoft.CPlat.Core/LinuxPatchExtension" --add

Disabling Run Command:
To disable Run Command on Azure Arc-enabled servers (Linux):
azcmagent config set extensions.blocklist "microsoft.cplat.core/runcommandhandlerlinux"
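The following script is an added example and not part of the original post; it wraps the Linux commands above so the whole baseline is applied in one step and can be re-checked later. It assumes azcmagent is on the PATH and is run as root, that "azcmagent config get extensions.allowlist" prints the list comma- or newline-separated (an assumption of this example), and that extension names compare case-insensitively, which is why the post writes the blocklist entries in lowercase. The helper names apply_allowlist, normalise_list and allowlist_missing are this example's own. Note the difference between the two forms of "config set": with --add the value is appended to the existing list, without it the whole list is replaced, so the first allowlist call below intentionally replaces whatever was there before.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: apply the Linux allow list from
# the post and verify it afterwards. Helper names are this example's own.
set -eu

# Extensions the post lists for Azure Update Manager on Linux (both are needed).
REQUIRED_EXTENSIONS="Microsoft.CPlat.Core/LinuxPatchExtension Microsoft.SoftwareUpdateManagement/LinuxOsUpdateExtension"
RUNCOMMAND_HANDLER="microsoft.cplat.core/runcommandhandlerlinux"

# Apply the baseline from the post: guest configuration off, extensions on
# but limited to the allow list, Run Command blocked. Requires root.
apply_allowlist() {
  azcmagent config set guestconfiguration.enabled false
  azcmagent config set extensions.enabled true
  local first=1 ext
  for ext in $REQUIRED_EXTENSIONS; do
    if [ "$first" -eq 1 ]; then
      # Without --add the list is replaced, which also clears stale entries.
      azcmagent config set extensions.allowlist "$ext"
      first=0
    else
      azcmagent config set extensions.allowlist "$ext" --add
    fi
  done
  azcmagent config set extensions.blocklist "$RUNCOMMAND_HANDLER"
}

# Normalise a list as printed by the agent (assumed comma- or newline-
# separated, possibly with spaces) to a lowercase comma-separated string.
normalise_list() {
  printf '%s' "$1" | tr '\n' ',' | tr -d ' \r' | tr 'A-Z' 'a-z'
}

# Print the required extensions that are missing from the given allow list.
# Empty output means the list is complete. Matching is case-insensitive.
allowlist_missing() {
  local current missing="" ext lowered
  current=$(normalise_list "$1")
  for ext in $REQUIRED_EXTENSIONS; do
    lowered=$(normalise_list "$ext")
    case ",$current," in
      *",$lowered,"*) ;;
      *) missing="$missing $ext" ;;
    esac
  done
  printf '%s' "${missing# }"
}

# Usage: ./arc-allowlist.sh apply | verify
case "${1:-}" in
  apply)
    apply_allowlist ;;
  verify)
    missing=$(allowlist_missing "$(azcmagent config get extensions.allowlist)")
    if [ -n "$missing" ]; then
      echo "Missing from extensions.allowlist: $missing" >&2
      exit 1
    fi
    echo "Allow list complete; extension installs are limited to the listed names." ;;
esac
```

Run "sudo ./arc-allowlist.sh apply" once on the server, then "sudo ./arc-allowlist.sh verify" from a scheduled job or configuration check: the verify mode exits non-zero when either Update Manager extension has dropped off the list, which is the condition that would silently break patching while leaving the agent looking healthy.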

After running the commands, the output of "azcmagent config list" should look like the images below.

This output shows that the allow list contains the 2 extensions that were added, that guest configuration is disabled, and that extensions are enabled but limited to what is on the allow list.

  • azcmagent config list

Windows

[Screenshot: "azcmagent config list" output on Windows]

Linux

[Screenshot: "azcmagent config list" output on Linux]

Here is the link for more Azure ARC security options: Security overview – Azure Arc | Microsoft Learn

About the author

Jeff Pigott is a Senior Cloud Solution Architect at Microsoft, specializing in Azure Infrastructure technologies including Azure Arc, Azure Update Manager, SQL DB, security, and storage. With over 29 years of experience in IT, development, and DevOps, Jeff has worked with a wide range of platforms, tools, and languages. Jeff is passionate about staying up-to-date with the latest Microsoft technologies and services, and holds multiple Azure certifications.