x90 - Azure ARC Bulk Powershell Enrolment

xchg eax, eax

Networking | 2024-03-02 17:16:13

The Microsoft Azure landscape is changing drastically and it's doing a good job of moving resource management to a more modern view. Coupled with Microsoft's security initiatives (Intune, Defender, Sentinel, Copilots for Security), Azure ARC is a great way of managing on-prem servers for updates.

Microsoft has a few ways of enrolling on-prem machines into ARC, but it's tedious to do this without bulk enrolment. Currently they support Config Manager, Group Policy or Ansible bulk enrolment. There is a Powershell option, but I guess it's meant as a starting point for devs as it doesn't actually do much. Let's fix it and have it remote install via Powershell to domain joined machines.

Follow the initial steps of creating the subscription, resource group and service principal. Grab the latest "Basic Script" ie Powershell (as the below might be out of date) and wrap it around some Invoke-Command. Replace the values in <> that come from your script that it generates for you.

# Read machine names from CSV file
$machineNames = Import-Csv -Path "arc_machines.csv" | Select-Object -ExpandProperty MachineName
$credential = (Get-Credential)

# Iterate through each machine
foreach ($machineName in $machineNames) {
    try {
        # Invoke-Command to run commands in an elevated context on the remote machine
        Write-Host "Attempting to install on $machineName"
        Invoke-Command -ComputerName $machineName -Credential $credential -ScriptBlock {
            # Code to execute on the remote machine
            $ServicePrincipalId="";
            $ServicePrincipalClientSecret="";
    
            $env:SUBSCRIPTION_ID = "";
            $env:RESOURCE_GROUP = "";
            $env:TENANT_ID = "";
            $env:LOCATION = "";
            $env:AUTH_TYPE = "principal";
            $env:CORRELATION_ID = "";
            $env:CLOUD = "AzureCloud";

            [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072;

            # Download the installation package
            Invoke-WebRequest -UseBasicParsing -Uri "https://aka.ms/azcmagent-windows" -TimeoutSec 30 -OutFile "$env:TEMP\install_windows_azcmagent.ps1";

            # Install the hybrid agent
            & "$env:TEMP\install_windows_azcmagent.ps1";
            if ($LASTEXITCODE -ne 0) { exit 1; }

            # Run connect command
            & "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" connect --service-principal-id "$ServicePrincipalId" --service-principal-secret "$ServicePrincipalClientSecret" --resource-group "$env:RESOURCE_GROUP" --tenant-id "$env:TENANT_ID" --location "$env:LOCATION" --subscription-id "$env:SUBSCRIPTION_ID" --cloud "$env:CLOUD" --correlation-id "$env:CORRELATION_ID";
        }
    }
    catch {
        Write-Host "Error occurred while connecting to $machineName : $_" -ForegroundColor Red
    }
}

Next create the file arc_machines.csv with one column called MachineName and each row being the DNS/NETBIOS name of the machine you want to remote into. The script will ask for your domain creds when starting which will be used to Invoke-Command into the remote host. It'll then use the Service Principal to enroll the machine into ARC.