Azure ARC Agent Allow Lists for Azure Update Manager

If you need to harden Azure ARC enabled servers, you may choose to block both guest configuration and extensions. Blocking both sounds like a great idea, but some services still need the ARC extension framework. One service that uses the extension is Azure Update Manager: to assess and install updates on Azure ARC servers, there are 2 extension allow list entries that need to be added.

Disable guest configuration:

  • azcmagent config set guestconfiguration.enabled false

Enable extensions:

  • azcmagent config set extensions.enabled true

Windows

Allow on-demand patching:
azcmagent config set extensions.allowlist "Microsoft.CPlat.Core/WindowsPatchExtension" --add

Allow periodic assessment:
azcmagent config set extensions.allowlist "Microsoft.SoftwareUpdateManagement/WindowsOsUpdateExtension" --add

Allow SQL Server ARC Extension:
azcmagent config set extensions.allowlist "Microsoft.AzureData/WindowsAgent.SqlServer" --add

Allow Azure Monitor ARC Extension:
azcmagent config set extensions.allowlist "Microsoft.EnterpriseCloud.Monitoring/MicrosoftMonitoringAgent,Microsoft.Azure.Monitoring.DependencyAgent/DependencyAgentWindows" --add

azcmagent config set extensions.allowlist "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent" --add

Allow Defender ARC Extension:
azcmagent config set extensions.allowlist "Qualys/WindowsAgent.AzureSecurityCenter,Microsoft.Azure.AzureDefenderForServers/MDE.Windows,Microsoft.Azure.AzureDefenderForSQL/AdvancedThreatProtection.Windows" --add

Linux

Allow on-demand patching:
azcmagent config set extensions.allowlist "Microsoft.SoftwareUpdateManagement/LinuxOsUpdateExtension" --add

Allow periodic assessment:
azcmagent config set extensions.allowlist "Microsoft.CPlat.Core/LinuxPatchExtension" --add

After running the commands, the output of “azcmagent config list” should look like the screenshots below (one per OS).

This output shows that the allow list contains the 2 extensions, that guest configuration is disabled, and that extensions are enabled but limited to what is on the allow list.

  • azcmagent config list
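As an added example (not part of the original post and not part of the azcmagent tooling), the following POSIX shell script checks that an agent's local configuration matches the hardening above: guest configuration off, extensions on, and the Update Manager extensions for the given OS present in the allow list. The sample "azcmagent config list" output it parses is constructed for this example; the real command's column layout may differ, so the field handling in get_setting is an assumption to verify against output from your own servers.

```shell
#!/bin/sh
# Added example: verify an Azure Arc agent's local configuration against the
# Update Manager hardening described above (guest configuration disabled,
# extensions enabled, required extensions on the allow list).

# CONSTRUCTED sample output in the shape of "azcmagent config list":
# one setting per line, name in the first column, value in the second.
# The real layout is an assumption; adjust get_setting if it differs.
SAMPLE_CONFIG_LIST='Local configuration setting   Value
incomingconnections.ports
proxy.url
extensions.allowlist          Microsoft.CPlat.Core/WindowsPatchExtension,Microsoft.SoftwareUpdateManagement/WindowsOsUpdateExtension
extensions.blocklist
extensions.enabled            true
guestconfiguration.enabled    false'

# get_setting NAME CONFIG_TEXT -> prints the value of NAME (empty if unset)
get_setting() {
  printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2 }'
}

# allowlist_has EXT CONFIG_TEXT -> exit 0 if EXT appears in extensions.allowlist
# The allow list is comma separated; -F matches the name literally, -x whole line.
allowlist_has() {
  list=$(get_setting extensions.allowlist "$2")
  printf '%s\n' "$list" | tr ',' '\n' | grep -qxF -- "$1"
}

# check_update_manager_config OS CONFIG_TEXT -> exit 0 when the configuration
# matches the intended hardening, 1 when any check fails, 2 for an unknown OS.
check_update_manager_config() {
  os=$1
  cfg=$2
  rc=0
  [ "$(get_setting guestconfiguration.enabled "$cfg")" = "false" ] \
    || { echo "guest configuration is still enabled"; rc=1; }
  [ "$(get_setting extensions.enabled "$cfg")" = "true" ] \
    || { echo "extensions are disabled (Update Manager cannot run)"; rc=1; }
  case $os in
    windows) required="Microsoft.CPlat.Core/WindowsPatchExtension Microsoft.SoftwareUpdateManagement/WindowsOsUpdateExtension" ;;
    linux)   required="Microsoft.CPlat.Core/LinuxPatchExtension Microsoft.SoftwareUpdateManagement/LinuxOsUpdateExtension" ;;
    *) echo "unknown OS: $os"; return 2 ;;
  esac
  for ext in $required; do
    allowlist_has "$ext" "$cfg" || { echo "missing from allow list: $ext"; rc=1; }
  done
  return $rc
}

# Stand-alone run against the constructed sample (a Windows server).
if [ "${1:-}" = "demo" ]; then
  check_update_manager_config windows "$SAMPLE_CONFIG_LIST" && echo "config OK"
fi
```

On a real server, replace the sample with `cfg=$(azcmagent config list)` and call `check_update_manager_config windows "$cfg"` (or `linux`); a non-zero exit with the printed reasons is a convenient signal for a configuration drift check.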

Windows (screenshot: azcmagent config list output)

Linux (screenshot: azcmagent config list output)

For more Azure ARC security options, see: Security overview – Azure Arc | Microsoft Learn

About the author

Jeff Pigott is a Senior Cloud Solution Architect at Microsoft, with expertise in Azure technologies such as Arc, DevOps, security, storage, and more. He has over 29 years of experience in IT, development, and DevOps, working with various platforms, tools, and languages. He is passionate about learning the newest Microsoft technologies and services, and holds several Azure certifications.