Connect an existing Windows server to Azure Arc using Configuration Manager with a Task Sequence

The following Jumpstart scenario will guide you on how to connect a Windows machine to Azure Arc with a Task Sequence using Configuration Manager.

This guide assumes that you already have an installation of Microsoft Configuration Manager and a basic understanding of the product, at least one active Windows Server client, and an active distribution point.

Prerequisites

  • Install or update Azure CLI to version 2.25.0 and above. Use the below command to check your current installed version.

    az --version
    
  • Create Azure service principal (SP)

    To connect a server to Azure Arc, an Azure service principal assigned with the “Contributor” role is required. To create it, log in to your Azure account and run the command below (this can also be done in Azure Cloud Shell).

    az login
    subscriptionId=$(az account show --query id --output tsv)
    az ad sp create-for-rbac -n "<Unique SP Name>" --role "Contributor" --scopes /subscriptions/$subscriptionId
    

    For example:

    az login
    subscriptionId=$(az account show --query id --output tsv)
    az ad sp create-for-rbac -n "JumpstartArc" --role "Contributor" --scopes /subscriptions/$subscriptionId
    

    Output should look like this:

    {
    "appId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "displayName": "JumpstartArc",
    "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "tenant": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    }
    

    NOTE: If you create multiple subsequent role assignments on the same service principal, your client secret (password) will be destroyed and recreated each time. Therefore, make sure you grab the correct password.

    NOTE: The Jumpstart scenarios are designed with as much ease of use in mind as possible while adhering to security-related best practices whenever possible. It is optional but highly recommended to scope the service principal to a specific Azure subscription and resource group, and to consider using a less privileged service principal account.

  • Azure Arc-enabled servers depend on the following Azure resource providers being registered in your subscription. Registration is an asynchronous process and may take approximately 10 minutes.

    • Microsoft.HybridCompute

    • Microsoft.GuestConfiguration

      az provider register --namespace 'Microsoft.HybridCompute'
      az provider register --namespace 'Microsoft.GuestConfiguration'
      

      You can monitor the registration process with the following commands:

      az provider show --namespace 'Microsoft.HybridCompute'
      az provider show --namespace 'Microsoft.GuestConfiguration'
      
  • Create a new Azure resource group where you want your machine(s) to show up.

    Screenshot showing Azure Portal with empty resource group

  • Download the az_connect_win_ConfigMgr PowerShell script.

  • Change the environment variables according to your environment and save the script.

    Screenshot showing PowerShell script
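    The prerequisites above create the service principal with “Contributor” on the whole subscription. The following PowerShell is an added example (not part of the Jumpstart scenario) of the tighter scoping the NOTE recommends: the built-in “Azure Connected Machine Onboarding” role scoped to the target resource group, followed by provider registration that waits until both providers report Registered. It assumes Azure CLI 2.25.0 or later and a completed az login; the resource group name and location are placeholders.

```powershell
# Added example, not the scenario's own commands: least-privilege onboarding SP + provider registration.
$ErrorActionPreference = 'Stop'
$resourceGroup = 'rg-arc-servers'   # placeholder: the resource group the machines should show up in
$location      = 'eastus'           # placeholder
$spName        = 'JumpstartArc'     # the example SP name used in the scenario

$subscriptionId = az account show --query id --output tsv
if (-not $subscriptionId) { throw 'No active Azure CLI session; run "az login" first.' }

# Create the resource group that will hold the Arc-enabled server resources.
az group create --name $resourceGroup --location $location --output none
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# "Azure Connected Machine Onboarding" only allows connecting machines into this resource group;
# unlike Contributor on the subscription it cannot read or modify other resources.
$sp = az ad sp create-for-rbac --name $spName --role 'Azure Connected Machine Onboarding' --scopes $scope |
      ConvertFrom-Json
Write-Host "appId=$($sp.appId) tenant=$($sp.tenant)"
# $sp.password is the client secret the Task Sequence script needs; it is shown once, so
# copy it into your secret store now rather than leaving it in the console history.

# Register the two resource providers the scenario lists, then poll until both are Registered.
$providers = 'Microsoft.HybridCompute', 'Microsoft.GuestConfiguration'
foreach ($ns in $providers) { az provider register --namespace $ns --output none }
foreach ($ns in $providers) {
    do {
        Start-Sleep -Seconds 15
        $state = az provider show --namespace $ns --query registrationState --output tsv
        Write-Host "$ns : $state"
    } while ($state -ne 'Registered')
}
```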

Creating an msi application to deploy the Azure Connected Machine agent within the Task Sequence

  • Download the Azure Connected Machine agent package for Windows from the Microsoft Download Center and copy it to the Configuration Manager server.

  • Login to the Configuration Manager console.

  • After logging in, go to the “Software Library” workspace. Under “Application Management”, click “Applications” and click “Create Application”.

    Screenshot showing the creation of a new application

  • Browse to the location of the downloaded Azure Connected Machine agent MSI package and click “Next”.

    Screenshot showing the path of the agent

  • Add any relevant information about this application. Keep the defaults for the installation program and install behavior and click “Next” to finalize the application.

    Screenshot showing the application configuration

    Screenshot showing the created application

  • Select the newly created application and click on “Distribute Content”.

    Screenshot showing initiating a content distribution

  • Keep the defaults and click “Next”.

    Screenshot showing the initial content distribution wizard

  • Make sure the Azure Connected Machine agent application is selected and click “Next”.

    Screenshot showing the application being distributed

  • Click “Add”, select “Distribution Point” and select one or more distribution points where you would like to distribute the application.

    Screenshot showing the distribution point option

    Screenshot showing the distribution point selection

  • Click “Next” to finalize the wizard and initiate the content distribution.

    Screenshot showing a successful content distribution

Creating a custom Task Sequence for the Azure Connected Machine agent deployment

In order for Configuration Manager to onboard servers in this scenario, we will need to create a custom Task Sequence that has two steps; first to deploy the Azure Connected Machine agent as an application and second to run the “azcmagent connect” command to onboard to Azure Arc.

  • Go to the “Software Library” workspace. Under “Operating Systems”, select “Task Sequences”, click “Create Task Sequence” and select “Create a new custom task sequence”.

    Screenshot showing a new custom task Sequence

  • Give the Task Sequence a name, leave all the defaults and click “Next” to finalize the wizard.

    Screenshot showing a new custom task Sequence properties

  • Select the newly created Task Sequence and Click “Edit” to open the Task Sequence editor.

    Screenshot showing the task Sequence editor

  • Click “Add” to add a new Task Sequence step, select “Software” and click on “Install Application”.

    Screenshot showing adding an application install step

  • Give the step a name, and click the “edit” button to select the Azure Connected Machine agent application.

    Screenshot showing adding the agent application

    Screenshot showing adding the agent application step completed

  • Click “Add” to add a new Task Sequence step, select “General” and click on “Run PowerShell Script”.

    Screenshot showing adding the Powershell script step

  • Give the step a name, set the PowerShell execution policy to “Bypass”, select the option to “Enter a PowerShell script” and click “Add Script”.

    Screenshot showing adding the PowerShell script details

  • Paste the content of the az_connect_win_ConfigMgr PowerShell script you downloaded earlier and click “Ok”.

    Screenshot showing adding the PowerShell script code

  • Click “Ok” to finalize the task sequence.

    Screenshot showing adding the finished task sequence
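    The script pasted into the “Run PowerShell Script” step (the az_connect_win_ConfigMgr script you edited in the prerequisites) is what runs “azcmagent connect”. The following is an added example of such a step script, not the Jumpstart script itself. It assumes the preceding “Install Application” step installed the agent, and it reads the service principal values from Task Sequence variables (ArcAppId, ArcAppSecret, ArcTenantId, ArcSubscriptionId, ArcResourceGroup and ArcLocation are hypothetical names you would define on the collection, with ArcAppSecret marked “Do not display this value”) so the client secret is not pasted into the step in clear text.

```powershell
# Added example, not the Jumpstart az_connect_win_ConfigMgr script.
$ErrorActionPreference = 'Stop'

# The Install Application step puts the agent here; fail fast if it is missing.
$agent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
if (-not (Test-Path $agent)) {
    throw 'azcmagent.exe not found: the Install Application step did not run or failed.'
}

# Microsoft.SMS.TSEnvironment only exists while a task sequence is running; variable names are hypothetical.
$ts  = New-Object -ComObject Microsoft.SMS.TSEnvironment
$cfg = @{}
foreach ($name in 'ArcAppId', 'ArcAppSecret', 'ArcTenantId', 'ArcSubscriptionId', 'ArcResourceGroup', 'ArcLocation') {
    $value = $ts.Value($name)
    if ([string]::IsNullOrWhiteSpace($value)) { throw "Task Sequence variable '$name' is not set." }
    $cfg[$name] = $value
}

# The "azcmagent connect" step the scenario describes; the tag value is a sample.
& $agent connect `
    --service-principal-id     $cfg.ArcAppId `
    --service-principal-secret $cfg.ArcAppSecret `
    --tenant-id                $cfg.ArcTenantId `
    --subscription-id          $cfg.ArcSubscriptionId `
    --resource-group           $cfg.ArcResourceGroup `
    --location                 $cfg.ArcLocation `
    --cloud 'AzureCloud' `
    --tags 'Project=jumpstart_azure_arc_servers'

# A non-zero exit code makes the task sequence step fail instead of reporting success with no Arc resource.
if ($LASTEXITCODE -ne 0) {
    throw "azcmagent connect failed with exit code $LASTEXITCODE; see %ProgramData%\AzureConnectedMachineAgent\Log\azcmagent.log"
}

# Record the agent's own view of its state in smsts.log for troubleshooting.
& $agent show
exit 0
```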

Deployment

  • Go to the “Assets and Compliance” workspace. Expand on “Device Collections” and select the collection that contains the server(s) you want to onboard. Click “Deploy” and click “Task Sequence”.

    Screenshot showing deploying the task sequence

  • Click on “Browse” and select the Task Sequence created.

    Screenshot showing selecting the task sequence to deploy

  • Choose the deployment to be available (the deployment can be required or available based on your scenario).

    Screenshot showing selecting the enforcement method

  • Keep the defaults and finalize the Task Sequence deployment wizard.

  • Connect to the server to be onboarded and open “Software Center”. After the server’s machine policy has been refreshed, you should see the Task Sequence deployment in the Applications available in Software Center.

    Screenshot showing software center

  • Click on the Task Sequence deployment and click “Install”.

    Screenshot showing software center installation step

  • The progress of the Task Sequence will be displayed showing the two steps we created.

    Screenshot showing the first task sequence step

    Screenshot showing the second task sequence step

    Screenshot showing the task sequence completion

  • Upon completion, you will have your Windows server, connected as a new Azure Arc-enabled server resource inside your resource group.

    Screenshot showing the server onboarded

    Screenshot showing the server connected successfully

Delete the deployment

The most straightforward way is to delete the server via the Azure Portal: select the server and delete it.

Screenshot showing delete resource function in Azure Portal

If you want to delete the entire environment, just delete the Azure resource group.

Screenshot showing delete resource group function in Azure Portal