Admin's guide to Azure Arc Hyper-V management

Azure Arc centralizes Hyper-V management via the Azure portal and enables remote administration from devices without requiring a VPN.

As the hybrid cloud landscape continues to evolve, Microsoft's Azure Arc offers a different yet familiar approach to manage your Hyper-V infrastructure.

Most experienced Hyper-V admins are well-versed with a wide range of virtualization management tools: from a full-blown System Center Virtual Machine Manager (SCVMM) platform to Windows Admin Center to the humble Hyper-V Manager or just PowerShell. Whatever your preference, you've likely recognized there are multiple avenues for both Hyper-V host administration and VM workload management. Microsoft's push towards hybrid management for on-premises workloads includes another option to consider: Azure Arc. At its simplest, Azure Arc is a platform to connect your on-premises workloads and integrate them with Microsoft Azure, either directly using a locally installed agent or via a dedicated Arc Gateway. This article will step through how to use the Azure Arc agent to onboard a single Hyper-V host and work with VM workloads.

How to get started with Azure Arc

Azure Arc is not a replacement Hyper-V management platform but rather a complementary one to existing administrative tools and processes. Azure Arc centralizes the management of disparate on-premises systems and gives those systems a way to consume Azure-native services, such as Azure Monitor, Azure Storage, Azure Key Vault and Microsoft Defender for Cloud. It also offers a different approach from traditional management methods.

To start, you need an Azure subscription. The good thing is that there's essentially no requirement regarding the type needed; you can use a DevTest, Visual Studio or free subscription to test Azure Arc onboarding. You must register the following resource providers to ensure the subscription can support Arc-enabled servers:

  • Microsoft.HybridCompute
  • Microsoft.GuestConfiguration
  • Microsoft.HybridConnectivity
  • Microsoft.AzureArcData

If you're using Azure PowerShell, you can check the provider status using the Get-AzResourceProvider cmdlet, for example:

Get-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute

And then use the Register-AzResourceProvider cmdlet, for example:

Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute

There's additional information as well as a full list of commands for both Azure PowerShell and Azure CLI on the Microsoft Learn site.

In the Microsoft Entra ID tenant associated with your subscription, you need the following built-in roles assigned to your account:

  • Azure Connected Machine Onboarding for the Resource Group where you plan to onboard the Hyper-V system (a Contributor or higher role will also work)
  • Azure Connected Machine Resource Administrator role in the Resource Group to work with an onboarded machine
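
The provider and role prerequisites above can be checked in one pass before onboarding. The following is an added example, not part of the original article; the resource group and sign-in name are placeholders, and it assumes an Azure PowerShell session that is already signed in.

```powershell
# Added example. <RGNAME> and the sign-in name are placeholders to replace.
$ResourceGroup = '<RGNAME>'
$SignInName    = 'admin@example.com'   # constructed sample account

$providers = 'Microsoft.HybridCompute', 'Microsoft.GuestConfiguration',
             'Microsoft.HybridConnectivity', 'Microsoft.AzureArcData'

foreach ($ns in $providers) {
    # Get-AzResourceProvider returns one object per resource type;
    # the registration state is the same on each, so read the first.
    $state = (Get-AzResourceProvider -ProviderNamespace $ns |
              Select-Object -First 1).RegistrationState
    if ($state -eq 'Registered') {
        Write-Host "[ok]      $ns"
    } else {
        Write-Host "[pending] $ns is '$state', registering"
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

# Role assignments effective at the resource group scope (includes inherited
# ones; assignments made through group membership are not expanded here).
$assigned = @(Get-AzRoleAssignment -ResourceGroupName $ResourceGroup -SignInName $SignInName |
              Select-Object -ExpandProperty RoleDefinitionName -Unique)

foreach ($role in 'Azure Connected Machine Onboarding',
                  'Azure Connected Machine Resource Administrator') {
    $status = if ($assigned -contains $role) { 'assigned' } else { 'not assigned' }
    Write-Host "${role}: $status"
}

# The article notes Contributor or higher also permits onboarding. Flag it so
# the narrower built-in role can be used instead where that is sufficient.
$broad = @($assigned | Where-Object { $_ -in ('Contributor', 'Owner') })
if ($broad.Count -gt 0) {
    Write-Host "Broad role(s) present: $($broad -join ', ')"
}
```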

Lastly, verify the chosen Azure region supports Arc-enabled servers. Use Microsoft's Product Availability by Region website, filter on Azure Arc-enabled servers and search for your preferred location in the list of regions.

The next step is to make sure the Hyper-V system is ready. At the time of writing, every version of Windows Server from 2012 through Windows Server 2025 is fully supported as an Arc-enabled server, including both full desktop and Server Core installations. This tutorial uses an installation script locally on the server, which requires local administrator rights. The Hyper-V host must be able to connect to the internet via port 443 (HTTPS) either directly or using a proxy server.

The Hyper-V host does not need to be bare metal; it can be a VM using nested virtualization. However, it shouldn't be an Azure VM, as VMs hosted on Azure have their own management capabilities.

How to onboard a Hyper-V host to Azure Arc

There are several ways to onboard a new system to Azure Arc, but this walkthrough will demonstrate a simple GUI-based approach.

  1. From the Hyper-V host, log into the Azure portal and navigate to the Azure Arc blade. This is the location to manage Arc-enabled systems and to onboard new ones. If the host runs Server Core, then you'll need to do this from any system with a browser.
  2. Expand Azure Arc resources and select Machines. This is where any Arc-enabled systems will appear, and where you can launch administrative tasks.
  3. Select Add/Create and then Add a machine. This page presents a range of options for performing ad-hoc onboarding of systems into Azure. One of the most common is to generate an installation script via the Add a single server option, but in this example we'll use Add Windows Server with installer, which lets you download the installation executable directly.

    The following link has the executable you can download without logging into the Azure portal. Windows Server 2022 and later versions come with this package, so you can trigger the onboarding directly. Onboarding Server Core systems requires the installation script option.
  4. Launch the executable and click Next. The installer will check the system, software and network requirements, and will then install and configure the Azure Connected Machine agent. The agent will set up the Azure Hybrid Instance Metadata Service, which runs as a virtual account (NT SERVICE\himds). This account needs rights to log on as a service, but the agent installation will take care of that automatically.
  5. Select Configure to connect the Arc agent to your Azure subscription. Sign in to Azure to configure the agent. This is a one-time process; the credentials are not stored or used by the agent after onboarding.
  6. At the prompt, configure the environment details indicating where to onboard the local Hyper-V server, including the tenant, subscription, resource group and Azure region. If you have access to multiple tenants and subscriptions, then you'll need to select the right ones. The onboarding region doesn't need to match the resource group's region. If your system needs a proxy server to connect to the internet, enter those details.
  7. Click Next and your system will be onboarded to Azure Arc. To verify it worked, go back to the Azure portal and refresh the Azure Arc resources > Machines page to see the newly onboarded Hyper-V server.

How to connect additional workloads to Azure Arc

After onboarding the Hyper-V host to Azure Arc, you can also add the VMs running on the host. A simple approach is to just repeat the steps in the previous section on each VM -- download the executable or generate an installation script -- but that is not efficient. Let's try something a bit neater by using PowerShell Direct to onboard VMs to Azure Arc. PowerShell Direct provides the ability to run PowerShell commands and scripts on Windows-based Hyper-V VMs via the host VMBus.

  1. In the Azure Arc machine page in the Azure portal, select Add/Create and then Generate script under Add a single server.
  2. Select the correct options for subscription, resource group and region. Select Windows as the operating system and optionally untick Connect SQL Server.
  3. Click through to the last page to see the resulting PowerShell script. Either download the script or copy the contents to a new file on your Hyper-V server, for example C:\Users\Administrator\OnBoardingScript.ps1.
  4. On the Hyper-V host, open PowerShell and enter the following commands:

$credential = Get-Credential   # Enter the local username/password for the remote VM

Invoke-Command -Credential $credential -VMName <VMNAME> -FilePath C:\Users\Administrator\OnBoardingScript.ps1

  5. The script will execute on the remote Windows VM: downloading and installing the Azure Connected Machine agent, and registering the system in the correct tenant and subscription. Once it's complete, refresh the Machines page in the Azure portal to see the newly onboarded Hyper-V VM.
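
The same PowerShell Direct call can be repeated across every running VM on the host, with a per-VM result so failures are visible. This is an added example, not part of the original article; it assumes all target VMs accept the same local administrator credential and reuses the script path from step 3.

```powershell
# Added example: run the onboarding script in each running VM over PowerShell
# Direct, then confirm the agent's himds service is present and running.
$scriptPath = 'C:\Users\Administrator\OnBoardingScript.ps1'   # path from step 3
$credential = Get-Credential   # local admin inside the VMs (assumed to be shared)

$results = foreach ($vm in Get-VM | Where-Object State -eq 'Running') {
    try {
        Invoke-Command -VMName $vm.Name -Credential $credential `
            -FilePath $scriptPath -ErrorAction Stop | Out-Null

        # himds is the Azure Hybrid Instance Metadata Service installed by the agent.
        $svc = Invoke-Command -VMName $vm.Name -Credential $credential -ErrorAction Stop -ScriptBlock {
            (Get-Service -Name himds -ErrorAction Stop).Status.ToString()
        }
        [pscustomobject]@{
            VM           = $vm.Name
            AgentRunning = ($svc -eq 'Running')
            Detail       = "himds: $svc"
        }
    } catch {
        # Non-Windows guests and wrong credentials end up here.
        [pscustomobject]@{
            VM           = $vm.Name
            AgentRunning = $false
            Detail       = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize
```

A running himds service shows the agent is installed in the guest; the Machines page in the Azure portal remains the check that registration completed.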

This approach won't work with Linux VMs; PowerShell Direct isn't supported on Linux. Hyper-V's command-line tool hvc enables a connection to any VM using the VMBus, including Linux. Use the hvc ssh username@vmname command to SSH directly from the Hyper-V host to the Linux VM, assuming SSH has been set up correctly, to execute the onboarding shell script for Linux.

Using remote PowerShell via Azure Arc for VM management

After onboarding the Hyper-V host to Azure Arc, it's now possible to remotely administer via the Azure Arc management plane from virtually any system. For example, I am using a separate Ubuntu Linux system which has PowerShell and the Azure PowerShell modules installed. I've logged in using the Login-AzAccount command.

  1. Retrieve a list of Arc-connected systems with the Get-AzConnectedMachine cmdlet to see the onboarded Hyper-V host.
  2. Next, we'll create an empty text file on the Hyper-V host via Arc, using the New-AzConnectedMachineRunCommand cmdlet:

New-AzConnectedMachineRunCommand -ResourceGroupName <RGNAME> -Location <REGION> -MachineName <NAME> -RunCommandName "TestFile" -SourceScript "New-Item -Type File -Path 'C:\Windows\Temp' -Name test.txt"

  3. Log in to the Hyper-V system and check the C:\Windows\Temp folder for the test.txt file.

Running the New-AzConnectedMachineRunCommand cmdlet from my Linux system, I used my Azure credentials to execute a command against the Hyper-V system using the registered Arc agent. My Linux system isn't talking directly to the Hyper-V system -- Azure Arc acts as the centralized management platform which links both systems.
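
Because a run command is stored as a resource under the Arc machine, it is worth reading its result, reviewing what has been run and removing entries that are no longer needed. The following is an added example, not part of the original article; the placeholders match those used above, and the InstanceView* property names are an assumption about how the Az.ConnectedMachine module surfaces the result.

```powershell
# Added example: run a read-only command on the Hyper-V host through Arc,
# inspect the result, list stored run commands and remove the one just created.
$target = @{
    ResourceGroupName = '<RGNAME>'   # placeholder
    MachineName       = '<NAME>'     # placeholder
}

$run = New-AzConnectedMachineRunCommand @target -Location '<REGION>' `
    -RunCommandName 'ListVMs' `
    -SourceScript 'Get-VM | Select-Object Name, State, Uptime | Format-Table -AutoSize | Out-String'

# Property names below are assumed from the module's flattened instance view.
"State:     $($run.InstanceViewExecutionState)"
"Exit code: $($run.InstanceViewExitCode)"
$run.InstanceViewOutput

# Review every run command currently stored against this machine.
Get-AzConnectedMachineRunCommand @target |
    Select-Object Name, ProvisioningState, InstanceViewExecutionState |
    Format-Table -AutoSize

# Remove the entry so the script text does not linger on the resource.
Remove-AzConnectedMachineRunCommand @target -RunCommandName 'ListVMs'
```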

Using this method, it's straightforward to execute PowerShell commands directly on the Hyper-V host, and by using the New-VM, Get-VM and Set-VM cmdlets, it's easy to provision and manage Hyper-V VMs via Azure Arc. However, let's extend Arc's capabilities and enhance our management options with the Windows Admin Center.

Provisioning new VMs with the Windows Admin Center in Azure Arc

The Windows Admin Center offers an on-premises, centralized method to manage multiple systems, including Hyper-V hosts. When integrated with Azure Arc, you can access Windows Admin Center directly through the Azure portal without requiring VPN or direct private connectivity. The integration only requires outbound communication from the target system via port 443, with no inbound access or port forwarding needed.

Unlike installing the Arc agent, using Windows Admin Center in Azure Arc requires specific licensing. The Windows Server license must either come from Software Assurance or from pay-as-you-go via Microsoft Azure.

To set up Windows Admin Center integration, do the following:

  1. In the Azure Arc blade in the portal, navigate to the Hyper-V host which you onboarded earlier, and navigate to Licenses and Windows Server.
  2. Azure Arc will show the system's license details, activation status and the Arc agent status. If you're using an on-premises licensing model, such as multiple activation key (MAK), then Azure will not know if the system is covered with Software Assurance. You will have to manually confirm this by clicking the checkbox next to Activate Azure benefits.
  3. Navigate to Windows management and go to Windows Admin Center.
  4. Select Set up and the system will prompt you to choose a network port for the remote system to listen on. You can change the default port if necessary.
  5. Click Install to install the AdminCenter extension on the Hyper-V host. Extensions for Arc-enabled systems function in essentially the same manner as Azure VM extensions, providing discrete applications that bring additional functionality, such as monitoring or Entra-integrated authentication. To see the progress of the installation, navigate to Settings and select Extensions.
  6. After the extension installs, navigate back to Windows Admin Center. The UI should show Connect rather than Set up. Click Connect to establish connectivity to Windows Admin Center on the Hyper-V host.

Note: At the time of writing, only Chromium-based browsers, such as Microsoft Edge, will work to connect to Windows Admin Center via Azure Arc. Non-Chromium browsers, such as Firefox, don't work, even though you can use them to navigate the Azure portal.

Under Tools, you will find multiple Windows Server features now exposed directly in the Azure portal, including Firewall, Installed Apps, Remote Desktop, Virtual Machines and Virtual Switches.

Select Virtual Machines to see all the VMs currently configured on the Hyper-V host. Through this interface, you can perform almost the same administrative functions as you can when logged in locally to the server, including:

  • creating and deleting VMs,
  • modifying the configuration of existing VMs, and
  • managing the host's virtual networks and Hyper-V settings.

Some operations remain local to the Hyper-V host, such as the location of files and folders for VM storage, and access to ISOs for operating system installation.

Navigate to the Remote Desktop blade for work that requires you to interact locally with the Hyper-V host. Remote Desktop enabled on the remote system allows you to open a secure session directly to the host as if it were a local connection.

This feature also extends to the VMs. Navigate back to Virtual Machines and select one of the running Windows VMs. Select Connect and then Connect again from the drop-down. Enter the credentials for the Hyper-V host (not the VM) to establish a Remote Desktop session to the VM via the Hyper-V host to interact directly with the VM without needing:

  • a private network connection,
  • enabling Remote Desktop on the VM, or
  • onboarding the VM via Azure Arc.

Finally, select the PowerShell blade to open a remote interactive PowerShell session to the Hyper-V host and run any local PowerShell commands or scripts directly on the host, including the Azure Arc onboarding scripts.

James Bannan is a principal security consultant with more than 25 years of industry experience, specializing in Microsoft Azure architecture, security and automation. He is a published author and journalist, as well as a former Microsoft MVP and a current Microsoft Certified Trainer.
