Azure Automanage for Machines Best Practices - Windows

Caution

On 31 August 2024, both Automation Update Management and the Log Analytics agent it uses will be retired. Migrate to Azure Update Manager before that date; refer to the guidance on migrating to Azure Update Manager.

These Azure services are automatically onboarded for you when you use Automanage Machine Best Practices on a Windows Server VM. They are essential to our best practices white paper, which you can find in our Cloud Adoption Framework.

For all of these services, we will auto-onboard, auto-configure, monitor for drift, and remediate if drift is detected. To learn more, go to Azure Automanage for virtual machines.

Supported Windows Server versions

Automanage supports the following Windows versions:

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2022 Azure Edition
  • Windows 10

Participating services

Service | Description | Configuration profile¹
Machines Insights Monitoring | Azure Monitor for Machines monitors the performance and health of your virtual machines, including their running processes and dependencies on other resources. | Production
Backup | Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your machines. Charges are based on the number and size of VMs being protected. | Production
Microsoft Defender for Cloud | Microsoft Defender for Cloud is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud. Automanage configures the subscription where your VM resides to the free-tier offering of Microsoft Defender for Cloud (enhanced security off). If your subscription is already onboarded to Microsoft Defender for Cloud, Automanage does not reconfigure it. | Production, Dev/Test
Microsoft Antimalware | Microsoft Antimalware for Azure is free real-time protection that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems. Note: Microsoft Antimalware requires that no other antimalware software is installed, or it may fail to work. | Production, Dev/Test
Update Management | You can use Update Management in Azure Automation to manage operating system updates for your machines. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers. | Production, Dev/Test
Change Tracking & Inventory | Change Tracking and Inventory combines change tracking and inventory functions to let you track virtual machine and server infrastructure changes. The service supports change tracking across services, daemons, software, registry, and files in your environment to help you diagnose unwanted changes and raise alerts. Inventory support lets you query in-guest resources for visibility into installed applications and other configuration items. | Production, Dev/Test
Machine configuration | Machine configuration policy is used to monitor the configuration and report on the compliance of the machine. The Automanage service installs the Windows security baselines using the guest configuration extension. For Windows machines, the machine configuration service installs the baseline in audit-only mode: you can see where your VM is out of compliance with the baseline, but noncompliance is not automatically remediated. To change the audit mode for Windows machines, use a custom profile and choose your audit mode setting there. | Production, Dev/Test
Boot Diagnostics | Boot diagnostics is a debugging feature for Azure virtual machines (VMs) that allows diagnosis of VM boot failures. It lets you observe the state of a VM as it boots by collecting serial log information and screenshots. This is only enabled for machines that use managed disks. | Production, Dev/Test
Windows Admin Center | Use Windows Admin Center (preview) in the Azure portal to manage the Windows Server operating system inside an Azure VM. This is only supported for machines running Windows Server 2016 or later. Automanage configures Windows Admin Center over a private IP address. If you want to connect with Windows Admin Center over a public IP address, open an inbound rule for TCP port 6516, scoped to your management addresses rather than to any source. Automanage onboards Windows Admin Center for the Dev/Test profile by default. Use the preferences to enable or disable Windows Admin Center for the Production and Dev/Test environments. | Production, Dev/Test
Azure Automation Account | Azure Automation supports management throughout the lifecycle of your infrastructure and applications. | Production, Dev/Test
Log Analytics Workspace | Azure Monitor stores log data in a Log Analytics workspace, an Azure resource and container where data is collected and aggregated, and which serves as an administrative boundary. | Production, Dev/Test

¹ The configuration profile selection is available when you enable Automanage. You can also create your own custom profile with the set of Azure services and settings that you need.
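The Windows Admin Center row above says to open inbound port 6516 if you want to reach the VM over its public IP. The following Az PowerShell script is an added example, not code from the Automanage documentation; it adds that network security group rule but restricts the source to a management range, and refuses to run if the NSG already exposes 6516 to any source. The resource group, NSG name and the 203.0.113.0/24 source range are placeholders you must replace.

```powershell
# Added example (not from the Automanage documentation): allow Windows Admin Center
# (TCP 6516) inbound only from a named management range, never from '*' or 'Internet'.
# Resource group, NSG name and source CIDR below are assumptions; substitute your own.
$rg        = 'rg-automanage-demo'   # assumption
$nsgName   = 'nsg-vm-web01'         # assumption
$adminCidr = '203.0.113.0/24'       # assumption: your management network

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg

# Safety check: stop if an existing Allow rule already opens 6516 (or every port)
# to any source. Widening such a rule is not what a WAC endpoint should need.
$exposed = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    ($_.DestinationPortRange -contains '6516' -or $_.DestinationPortRange -contains '*') -and
    ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet')
}
if ($exposed) {
    throw "NSG '$nsgName' already exposes TCP 6516 to any source via: $($exposed.Name -join ', ')"
}

# Add the scoped rule and write the NSG back. Priority 310 is an assumption; pick a
# value that sorts above any broader Deny rule in your NSG (lower number = higher priority).
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Allow-WAC-6516-From-Admin' `
    -Description 'Windows Admin Center over public IP, restricted to management range' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 310 `
    -SourceAddressPrefix $adminCidr -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 6516 |
    Set-AzNetworkSecurityGroup | Out-Null

Write-Host "Rule 'Allow-WAC-6516-From-Admin' added to $nsgName for source $adminCidr"
```

Run it under an identity that has Network Contributor on the NSG. If the VM is reached through a load balancer or Azure Firewall, the equivalent scoping belongs on that resource rather than on the NIC-level NSG.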
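The Machine configuration row notes that the Windows security baseline is applied in audit-only mode unless you set a different mode in a custom profile, and the footnote says custom profiles are where you choose which services and settings apply. The following Az PowerShell script is an added example, not the page's own code: it creates a custom Automanage configuration profile that turns the baseline on in auto-correcting mode and assigns it to a VM through the generic `New-AzResource` cmdlet. The resource names and location are placeholders; the `AzureSecurityBaseline/AssignmentType` value `ApplyAndAutoCorrect`, the `configuration` setting keys, the API version and the fixed assignment name `default` are stated here as assumptions about the Microsoft.Automanage resource schema, so check them against the current schema before use.

```powershell
# Added example (not from the Automanage documentation): a custom configuration profile
# that switches the Windows security baseline from audit-only to auto-remediation.
# Resource names and location are assumptions; the setting keys, the assignment-type value
# and the API version are also assumptions about the Microsoft.Automanage schema.
$rg          = 'rg-automanage-demo'           # assumption
$location    = 'eastus'                       # assumption
$profileName = 'prod-baseline-autocorrect'    # assumption
$vmName      = 'vm-web01'                     # assumption

$configuration = @{
    'Antimalware/Enable'                   = $true
    'Antimalware/EnableRealTimeProtection' = $true
    'AzureSecurityBaseline/Enable'         = $true
    # 'Audit' is the default Automanage behaviour for Windows (report drift only);
    # 'ApplyAndAutoCorrect' (assumed value) also remediates the drift.
    'AzureSecurityBaseline/AssignmentType' = 'ApplyAndAutoCorrect'
    'AzureSecurityCenter/Enable'           = $true
    'BootDiagnostics/Enable'               = $true
    'ChangeTrackingAndInventory/Enable'    = $true
    'LogAnalytics/Enable'                  = $true
    'VMInsights/Enable'                    = $true
    # Leave WAC off unless an NSG rule scopes TCP 6516 to your management range.
    'WindowsAdminCenter/Enable'            = $false
}

# Create (or update) the profile. Avoid the name $profile: it is PowerShell's
# automatic variable for the user profile script path.
$cfgProfile = New-AzResource -ResourceGroupName $rg -Location $location `
    -ResourceType 'Microsoft.Automanage/configurationProfiles' `
    -ResourceName $profileName -ApiVersion '2022-05-04' `
    -Properties @{ configuration = $configuration } -Force

# Assign the profile to the VM. The assignment is an extension resource on the VM and
# (assumption) must be named 'default'.
$vmId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Id
$assignment = New-AzResource `
    -ResourceId "$vmId/providers/Microsoft.Automanage/configurationProfileAssignments/default" `
    -ApiVersion '2022-05-04' `
    -Properties @{ configurationProfile = $cfgProfile.ResourceId } -Force

# Read back the assignment so the result can be verified rather than assumed.
(Get-AzResource -ResourceId $assignment.ResourceId -ApiVersion '2022-05-04').Properties
```

The read-back at the end matters: Automanage reports the assignment status asynchronously, so a successful `New-AzResource` call only proves the assignment object was accepted, not that the baseline is already enforced. Poll the assignment properties, or check the guest configuration compliance view for the VM, before treating the machine as remediated.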

Next steps

Try enabling Automanage for machines in the Azure portal.