Azure verification for VMs on Azure Local

Applies to: Azure Local, version 23H2

Microsoft Azure offers a range of differentiated workloads and capabilities that are designed to run only on Azure. Azure Local extends many of the same benefits you get from Azure, while running on the same familiar and high-performance on-premises or edge environments.

Azure verification for VMs makes it possible for supported Azure-exclusive workloads to run outside of the cloud. This feature, modeled after the IMDS attestation service in Azure, is a built-in platform attestation service that is enabled by default on Azure Local, version 23H2 or later. It provides the platform guarantees these workloads require so that the VMs can operate in Azure environments beyond the public cloud.

For more information about the previous version of this feature on Azure Local, version 22H2 or earlier, see Azure Benefits on Azure Local.

Benefits available on Azure Local

Azure verification for VMs enables you to use the following benefits, which are available only on Azure Local:

Workload: Extended Security Updates (ESUs)
  What it is: Get security updates at no extra cost for end-of-support SQL and Windows Server VMs on Azure Local. For more information, see Free Extended Security Updates (ESU) on Azure Local.
  How to get benefits: You must enable legacy OS support for older VMs running Windows Server 2012 or earlier with the latest Servicing Stack Updates.

Workload: Azure Virtual Desktop (AVD)
  What it is: AVD session hosts can run only on Azure infrastructure. Activate your Windows multi-session VMs on Azure Local using Azure VM verification. Licensing requirements for AVD still apply. See Azure Virtual Desktop pricing.
  How to get benefits: Activated automatically for VMs running Windows 11 multi-session with the 4B update released on April 9, 2024 (22H2: KB5036893, 21H2: KB5036894) or later. You must enable legacy OS support for VMs running Windows 10 multi-session with the 4B update released on April 9, 2024 (KB5036892) or later.

Workload: Windows Server Datacenter: Azure Edition
  What it is: Azure Edition VMs can run only on Azure infrastructure. Activate your Windows Server Azure Edition VMs and use the latest Windows Server innovations and other exclusive features. Licensing requirements still apply. See ways to license Windows Server VMs on Azure Local.
  How to get benefits: Activated automatically for VMs running Windows Server Azure Edition 2022 with the 4B update released on April 9, 2024 (KB5036909) or later.

Workload: Azure Update Manager
  What it is: Get Azure Update Manager at no cost. This service provides a SaaS solution to manage and govern software updates to VMs on Azure Local.
  How to get benefits: Available automatically for Arc VMs created through the Arc Resource Bridge on Azure Local. With Software Assurance, you can attest your machine using Arc's Windows Server Azure benefits and licenses, and get Azure Update Manager for free. For more information, see Azure Update Manager frequently asked questions.

Workload: Azure Policy guest configuration
  What it is: Get Azure Policy guest configuration at no cost. This Arc extension enables the auditing and configuration of OS settings as code for machines and VMs.
  How to get benefits: Arc agent version 1.39 or later. See Latest Arc agent release.

Note

To ensure continued functionality, update your VMs on Azure Local to the latest cumulative update by June 17, 2024. This update is essential for VMs to continue using Azure benefits. See the Azure Local blog post for more information.

Manage Azure VM verification

Azure VM verification is automatically enabled by default in Azure Local, version 23H2 or later. The following instructions outline the prerequisites for using this feature and steps for managing benefits (optional).

Note

To enable Extended Security Updates (ESUs), you must do additional setup and turn on legacy OS support.

Host prerequisites

VM prerequisites

You can manage Azure VM verification using Windows Admin Center or PowerShell, or view its status using Azure CLI or the Azure portal. The following sections describe each option.

To view the host attestation status in the Azure portal:

  1. In your Azure Local resource page, navigate to the Configuration tab.

  2. Under the feature Azure verification for VMs, view the host attestation status.

    (Screenshot: system status on the portal.)

Legacy OS support

For older VMs that lack the Hyper-V functionality (Guest Service Interface) needed to communicate directly with the host, you must configure traditional networking components for Azure VM verification. If you have such workloads, for example VMs that need Extended Security Updates (ESUs), follow the instructions in this section to set up legacy OS support.

You can't view legacy OS support from the Azure portal at this time.

FAQ

This section provides answers to some frequently asked questions about using Azure VM verification (formerly Azure Benefits).

What Azure-exclusive workloads can I enable with Azure VM verification?

See the full list in the Benefits available on Azure Local section above.

Does it cost anything to enable Azure VM verification?

No. Turning on Azure VM verification incurs no extra fees.

Can I use Azure VM verification on environments other than Azure Local?

No. Azure VM verification is a feature built into Azure Local, and can only be used on Azure Local.

If I just upgraded to version 23H2 from 22H2, and I previously turned on the Azure Benefits feature, do I need to do anything new?

If you upgraded a system that previously had Azure Benefits on Azure Local set up for your workloads, you don't need to do anything when you upgrade to Azure Local, version 23H2. When you upgrade, the feature remains enabled, and legacy OS support is turned on as well. However, if you want to use the improved VM-to-host communication through VM Bus in version 23H2, make sure that you meet the host prerequisites and the VM prerequisites.

I just set up Azure VM verification on my system. How do I ensure that Azure VM verification stays active?

  • In most cases, there's no user action required. Azure Local automatically renews Azure VM verification when it syncs with Azure.
  • However, if the system disconnects for more than 30 days and Azure VM verification shows as Expired, you can manually sync using PowerShell and Windows Admin Center. For more information, see syncing Azure Local.

What happens when I deploy new VMs, or delete VMs?

  • When you deploy new VMs that require Azure VM verification, they're automatically activated if they have the correct VM prerequisites.

  • However, for legacy VMs that use legacy OS support, you can manually add new VMs to Azure VM verification using Windows Admin Center or PowerShell, following the legacy OS support instructions.

  • You can still delete and migrate VMs as usual. The NIC AZSHCI_GUEST-IMDS_DO_NOT_MODIFY still exists on the VM after migration. To clean up the NIC before migration, remove the VM from Azure VM verification using Windows Admin Center or PowerShell, following the legacy OS support instructions; alternatively, migrate first and manually delete the NIC afterwards.

What happens when I add or remove machines?

  • When you add a machine, it's automatically activated if it has the correct Host prerequisites.
  • If you're using legacy OS support, you might need to manually enable these machines. Run Enable-AzStackHCIAttestation [[-ComputerName] <String>] in PowerShell.
  • You can still delete machines or remove them from the system as usual. The vSwitch AZSHCI_HOST-IMDS_DO_NOT_MODIFY still exists on the machine after removal from the system. You can leave it if you're planning to add the machine back to the system later, or you can remove it manually.
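The Legacy OS support section and the two FAQ answers above name the host vSwitch AZSHCI_HOST-IMDS_DO_NOT_MODIFY and the guest NIC AZSHCI_GUEST-IMDS_DO_NOT_MODIFY that remain behind after a VM is migrated or a machine is removed from the system. The following PowerShell is an added example, not Microsoft's code from this page: it inventories those objects with the standard Hyper-V cmdlets so you can see which VMs still depend on legacy OS support, and offers a -WhatIf-capable cleanup of a VM's NIC, which the FAQ says you may delete manually after migration. The function names Get-LegacyAttestationInventory and Remove-LegacyAttestationNic, the sample VM and node names, and the assumption that the Hyper-V PowerShell module is present on the Azure Local host are this example's own.

```powershell
# Added example (not from the Microsoft docs page): inventory the legacy OS support
# networking objects named on the page and optionally remove a VM's legacy IMDS NIC.
# Assumes it runs on an Azure Local host with the Hyper-V PowerShell module.
#Requires -Modules Hyper-V

$HostSwitchName = 'AZSHCI_HOST-IMDS_DO_NOT_MODIFY'   # vSwitch the page says stays on a removed host
$GuestNicName   = 'AZSHCI_GUEST-IMDS_DO_NOT_MODIFY'  # NIC the page says stays on a migrated VM

function Get-LegacyAttestationInventory {
    <#
    .SYNOPSIS
    Reports whether a host carries the legacy IMDS vSwitch and which of its VMs
    carry the legacy IMDS NIC (i.e. still rely on legacy OS support).
    #>
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Get-VMSwitch raises a non-terminating error when the switch is absent; treat that as "not present".
    $switch = Get-VMSwitch -ComputerName $ComputerName -Name $HostSwitchName -ErrorAction SilentlyContinue

    $vmReport = foreach ($vm in Get-VM -ComputerName $ComputerName) {
        $nic = Get-VMNetworkAdapter -VM $vm -Name $GuestNicName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            VMName       = $vm.Name
            HasLegacyNic = ($null -ne $nic)
            ConnectedTo  = if ($nic) { $nic.SwitchName } else { $null }
        }
    }

    [pscustomobject]@{
        ComputerName    = $ComputerName
        HasLegacySwitch = ($null -ne $switch)
        VMs             = @($vmReport)
    }
}

function Remove-LegacyAttestationNic {
    <#
    .SYNOPSIS
    Removes the legacy IMDS NIC from one VM, for example after migrating it.
    Supports -WhatIf and -Confirm so the removal can be rehearsed first.
    #>
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $nic = Get-VMNetworkAdapter -ComputerName $ComputerName -VMName $VMName -Name $GuestNicName -ErrorAction SilentlyContinue
    if (-not $nic) {
        Write-Verbose "$VMName has no '$GuestNicName' adapter; nothing to remove."
        return
    }
    if ($PSCmdlet.ShouldProcess("$VMName on $ComputerName", "Remove adapter '$GuestNicName'")) {
        Remove-VMNetworkAdapter -VMNetworkAdapter $nic
    }
}

# Usage (constructed names): inventory this host, then dry-run the cleanup for one VM.
Get-LegacyAttestationInventory | Format-List
Remove-LegacyAttestationNic -VMName 'legacy-ws2012-01' -WhatIf

# For a machine newly added to the system under legacy OS support, the page's cmdlet is:
# Enable-AzStackHCIAttestation -ComputerName 'node-05'
```

The inventory is the useful part for day-to-day operations: a VM that shows HasLegacyNic = True but is connected to something other than the host vSwitch, or a host that lacks the vSwitch while its VMs still carry the NIC, is the situation in which legacy OS support silently stops working. Removing the NIC is deliberately gated behind ShouldProcess; removing the vSwitch after a node leaves the system is the same one-line operation with Remove-VMSwitch, which the page leaves as a manual step.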

Next steps