
Windows Server 2025 + Azure Arc: Managing Hybrid Servers at Scale

👤 Mohamed Dyabi | 📅 January 2025 | ⏰ 10 min read

💻 Windows Server 2025 Arc Capabilities

Windows Server 2025 ships with the Azure Connected Machine agent pre-installed in the operating system image on supported hardware (Azure Local, Azure VMs). For existing on-premises servers, the agent must be deployed — but once connected, WS2025 servers gain a level of Azure integration that previous versions only approximated.

The key differentiator with WS2025 is Azure Edition — a variant of Windows Server 2025 Datacenter that is exclusively for Arc-connected environments (Azure Local, Azure VMs). Azure Edition enables features that require cloud connectivity:

  • Hotpatch: Apply security patches without a server reboot — major operational benefit for high-availability clusters
  • SMB over QUIC: File sharing over the internet without a VPN, secured by TLS 1.3
  • Azure Automanage: Automated management best practices applied without manual configuration
  • Extended Security Updates (ESU) via Arc: Free ESUs for Azure Arc-enabled servers running older Windows Server versions

🚀 Onboarding at Scale

For enterprises with hundreds or thousands of servers, manual Arc onboarding is impractical. The three recommended approaches for scale:

PowerShell — Silent Arc agent installation for bulk onboarding
# Download and install the Connected Machine agent silently, then connect it to
# Azure with a service principal. The download URL and msiexec switches are the
# ones used by the Microsoft-generated onboarding script.
$servicePrincipalId = "<your-sp-client-id>"
$servicePrincipalSecret = "<your-sp-secret>"   # inject from a secret store at run time rather than hardcoding it
$tenantId = "<your-tenant-id>"
$subscriptionId = "<your-subscription-id>"
$resourceGroup = "rg-arc-servers"
$location = "westeurope"

# Fetch the agent MSI and install it without UI (log to a file for troubleshooting)
Invoke-WebRequest -Uri "https://aka.ms/AzureConnectedMachineAgent" -OutFile "$env:TEMP\AzureConnectedMachineAgent.msi" -UseBasicParsing
$install = Start-Process msiexec.exe -ArgumentList "/i `"$env:TEMP\AzureConnectedMachineAgent.msi`" /l*v `"$env:TEMP\installationlog.txt`" /qn" -Wait -PassThru
if ($install.ExitCode -ne 0) { throw "Agent install failed with exit code $($install.ExitCode)" }

# Run the onboarding (connect) step. The agent CLI lives under
# %ProgramFiles%\AzureConnectedMachineAgent\azcmagent.exe
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
  --service-principal-id $servicePrincipalId `
  --service-principal-secret $servicePrincipalSecret `
  --tenant-id $tenantId `
  --subscription-id $subscriptionId `
  --resource-group $resourceGroup `
  --location $location `
  --correlation-id (New-Guid)
💡 Scale deployment: For large estates, use Azure Arc's Service Principal-based onboarding script generated from the Azure portal (Azure Arc → Servers → Add → Add multiple servers). This generates a pre-configured script with your tenant settings embedded — deployable via ConfigMgr, Intune, GPO startup scripts, or Ansible.
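As an added example that is not part of the article (and not Microsoft's generated onboarding script), the wrapper below shows how the connect step is typically hardened for unattended deployment through ConfigMgr, Intune or a GPO startup script: it is idempotent (skips servers that are already connected), refuses to run without a secret, verifies network reachability to the Arc endpoints with azcmagent check before connecting, and writes a per-server log. It assumes the agent MSI is already installed, that the deployment tool injects the service principal secret as an ARC_SP_SECRET environment variable (a name chosen here, not an agent convention), and that the log path and tag value are placeholders; the "Agent Status : Connected" text it matches in azcmagent show output is also an assumption about that command's formatting.

```powershell
# Added example (not the article's script): idempotent per-server Arc onboarding
# wrapper for unattended deployment. Assumptions (not from the article): the agent
# MSI is already installed; the deployment tool sets ARC_SP_SECRET; the log path,
# tag value and the azcmagent show text match are placeholders/assumptions.

$agent   = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
$logFile = Join-Path $env:ProgramData 'ArcOnboarding\onboard.log'    # placeholder path

$config = @{
    ServicePrincipalId = '<your-sp-client-id>'
    TenantId           = '<your-tenant-id>'
    SubscriptionId     = '<your-subscription-id>'
    ResourceGroup      = 'rg-arc-servers'
    Location           = 'westeurope'
}

function Write-Log {
    param([string]$Message)
    $line = "$(Get-Date -Format o) $env:COMPUTERNAME $Message"
    New-Item -ItemType Directory -Path (Split-Path $logFile) -Force | Out-Null
    Add-Content -Path $logFile -Value $line
    Write-Host $line
}

function Test-ArcConnected {
    # 'azcmagent show' prints the local agent state and reports the machine as
    # Connected once onboarding completed (the exact label is an assumption here).
    if (-not (Test-Path $agent)) { return $false }
    $status = & $agent show 2>&1 | Out-String
    return ($LASTEXITCODE -eq 0 -and $status -match 'Agent Status\s*:\s*Connected')
}

function Connect-ArcServer {
    if (Test-ArcConnected) {
        Write-Log 'Already connected to Azure Arc; nothing to do.'
        return 0
    }

    $secret = $env:ARC_SP_SECRET
    if ([string]::IsNullOrEmpty($secret)) {
        Write-Log 'ARC_SP_SECRET is not set; refusing to continue.'
        return 1
    }

    # Check outbound reachability to the Arc endpoints for the target region first,
    # so a blocked proxy or firewall shows up as a clear failure rather than a timeout.
    $check = & $agent check --location $config.Location 2>&1 | Out-String
    Write-Log "azcmagent check exit=$LASTEXITCODE`n$check"
    if ($LASTEXITCODE -ne 0) { return 2 }

    & $agent connect `
        --service-principal-id     $config.ServicePrincipalId `
        --service-principal-secret $secret `
        --tenant-id                $config.TenantId `
        --subscription-id          $config.SubscriptionId `
        --resource-group           $config.ResourceGroup `
        --location                 $config.Location `
        --correlation-id           ([guid]::NewGuid().ToString()) `
        --tags                     'onboarded-by=gpo-startup' 2>&1 | Out-String | ForEach-Object { Write-Log $_ }

    if ($LASTEXITCODE -ne 0) {
        Write-Log "azcmagent connect failed (exit $LASTEXITCODE)"
        return 3
    }
    Write-Log 'Onboarding succeeded.'
    return 0
}

exit (Connect-ArcServer)
```

The distinct exit codes let ConfigMgr or Intune report "already connected", "missing secret", "network blocked" and "connect failed" as separate outcomes instead of one generic failure. Note that the service principal secret is still passed on the azcmagent command line for the duration of the connect call, so it is visible to anyone who can list processes on the server at that moment; keeping the secret out of the script file and out of the log (the wrapper never writes it) limits the exposure to that window.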

📋 Policy Enforcement

Once servers are Arc-connected, Azure Policy applies identically to them as to Azure-native VMs. The Azure Security Benchmark policy initiative is the recommended starting point — it covers 200+ controls across identity, network, data protection, and monitoring.

For Windows Server specifically, the "Windows machines should meet requirements for the Azure compute security baseline" Guest Configuration policy is particularly valuable: it validates 240 security settings directly on the OS without requiring a separate tool.
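The practical question after assigning the baseline policy is which Arc servers are failing it. The function below is an added example, not code from the article, that pulls the Guest Configuration compliance state of Arc-connected machines from Azure Resource Graph and reports everything that is not Compliant. It assumes the Az.Accounts and Az.ResourceGraph modules are installed and Connect-AzAccount has been run with read access to the subscriptions in scope; the guestconfigurationresources table and the complianceStatus / lastComplianceStatusChecked properties are documented Resource Graph fields, while the output columns and the optional name filter are this example's own choices.

```powershell
# Added example (not from the article): list Arc-connected machines whose Guest
# Configuration assignments are not Compliant, via Azure Resource Graph.
# Assumes Az.Accounts + Az.ResourceGraph are installed and Connect-AzAccount was run.

Import-Module Az.ResourceGraph

function Get-ArcGuestConfigNonCompliance {
    param(
        # Optional: restrict to assignments whose name starts with this prefix
        # (e.g. the assignment created by the compute security baseline policy).
        [string]$AssignmentNamePrefix = ''
    )

    # Guest Configuration assignments are child resources of the machine; for
    # Arc servers the id path contains .../microsoft.hybridcompute/machines/<name>/...
    # so splitting the id on '/' gives the resource group at index 4 and the
    # machine name at index 8.
    $query = @"
guestconfigurationresources
| where type =~ 'microsoft.guestconfiguration/guestconfigurationassignments'
| where id contains '/providers/microsoft.hybridcompute/machines/'
| extend machine = tostring(split(id, '/')[8])
| extend rg = tostring(split(id, '/')[4])
| extend status = tostring(properties.complianceStatus)
| extend lastChecked = todatetime(properties.lastComplianceStatusChecked)
| where status !~ 'Compliant'
| project machine, rg, assignment = name, status, lastChecked
| order by machine asc
"@

    # -First caps a single call at 1000 rows; larger estates page with -SkipToken
    $results = Search-AzGraph -Query $query -First 1000
    if ($AssignmentNamePrefix) {
        $results = $results | Where-Object { $_.assignment -like "$AssignmentNamePrefix*" }
    }
    return $results
}

# Usage: full list of non-compliant (machine, assignment) pairs, then a per-assignment tally
$nonCompliant = Get-ArcGuestConfigNonCompliance
$nonCompliant | Format-Table machine, rg, assignment, status, lastChecked -AutoSize
$nonCompliant | Group-Object assignment | Select-Object Name, Count | Sort-Object Count -Descending
```

A status of NonCompliant means the in-guest check ran and at least one setting failed; a status of Pending on a freshly connected server usually just means the first evaluation has not completed yet. Running the tally on a schedule and alerting when a previously compliant machine flips to NonCompliant turns the baseline from a one-time audit into drift detection.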

🛡️ Defender Integration

Microsoft Defender for Servers Plan 2 provides the most comprehensive protection when deployed via Arc, including:

  • Defender for Endpoint P2 (MDE) deployed automatically via Arc extension
  • File Integrity Monitoring (FIM) for critical system files and registry keys
  • Just-In-Time (JIT) VM access — available for on-premises servers via Arc
  • Adaptive application controls — allowlisting recommendations based on observed behavior
  • Agentless vulnerability assessment via Qualys or MDVM

🔁 Azure Update Manager

Azure Update Manager replaces Update Management in Azure Automation and provides a unified update experience for Arc-enabled servers, Azure VMs, and Azure Local nodes from a single pane of glass.

Feature              | Azure VMs        | Arc Servers      | Azure Local
---------------------|------------------|------------------|------------------
OS patching          |                  |                  | Via LCM
Assessment on-demand |                  |                  |
Maintenance windows  |                  |                  |
Hotpatch (no reboot) | WS2022 Azure Ed. | WS2025 Azure Ed. | WS2025 Azure Ed.
Pre/post scripts     |                  |                  |

(The support markers in the blank cells of the original table did not survive extraction; only the text cells are shown.)

📊 Monitoring & Alerts

Arc-connected servers send performance counters and event logs to a Log Analytics workspace, enabling the same Azure Monitor dashboards and alert rules used for cloud VMs. For Windows Server 2025, the Azure Monitor Agent (AMA) replaces the legacy MMA and OMS agents — AMA supports multi-homing (sending data to multiple workspaces) and uses Data Collection Rules (DCRs) for fine-grained control over what data is collected and where it goes.

KQL — Alert on Windows Server critical event log entries
Event
| where EventLog == "System"
  and EventLevelName == "Error"
  and Source in ("disk", "volmgr", "StorPort", "iScsiPrt")
| summarize count() by Computer, Source, bin(TimeGenerated, 1h)
| where count_ > 5
| project TimeGenerated, Computer, Source, ErrorCount=count_

💱 Hotpatch Licensing

Hotpatch for Windows Server 2025 Azure Edition is free for servers running on Azure Local (included in the Azure Local subscription). For other on-premises servers connected via Arc, Hotpatch requires Windows Server Subscription — a monthly per-core subscription available through Azure. This adds approximately $0.015/core/hour, making it cost-effective compared to downtime costs for patching reboots in production environments.
