
Essential machine management (preview)

Essential machine management simplifies the onboarding and configuration of management for Azure virtual machines (VMs) and Arc-enabled servers. When you enable a subscription for essential machine management, all VMs and Arc-enabled servers in that subscription are automatically enrolled and configured with a curated set of management features. This ensures that your machines are consistently configured for monitoring, security, and management.

Prerequisites

Required permissions

User

The user performing the enrollment must have the following roles in the subscription being enabled:

  • Essential Machine Management Administrator
  • Managed Identity Operator
  • Resource Policy Contributor

If you're using a Log Analytics workspace or Azure Monitor workspace in a different subscription than the one being enabled for essential machine management:

  • The user account must also have the Essential Machine Management Administrator role in the resource group of the Log Analytics workspace or Azure Monitor workspace.
  • The Microsoft.ManagedOps resource provider must be registered in the subscription of the Log Analytics workspace or Azure Monitor workspace. Use the Azure PowerShell command: Register-AzResourceProvider -ProviderNamespace "Microsoft.ManagedOps".

Managed identity

The enrollment requires a user-assigned managed identity with Contributor permission for the subscription.

If you're using a Log Analytics workspace or Azure Monitor workspace in a different subscription than the one being enabled for essential machine management, then the managed identity must also have Contributor permissions in the resource group of the Log Analytics workspace or Azure Monitor workspace.
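The following Azure PowerShell script is an added example, not part of the Microsoft documentation, that checks the user, managed identity and resource provider prerequisites above before you enroll a subscription. The subscription IDs, resource group names and identity name are placeholders you must replace; it assumes the Az.Resources, Az.Accounts and Az.ManagedServiceIdentity modules are installed and you are signed in.

```powershell
# Added example (not from the Microsoft docs). Placeholder values; replace them with your own.
$EnrollSubId    = "00000000-0000-0000-0000-000000000000"   # subscription being enabled
$WorkspaceSubId = "11111111-1111-1111-1111-111111111111"   # subscription of the Log Analytics / Azure Monitor workspace
$WorkspaceRg    = "rg-monitoring"                          # resource group of that workspace
$IdentityRg     = "rg-identity"                            # resource group of the user-assigned managed identity
$IdentityName   = "uami-essential-mgmt"                    # name of that identity

$subScope  = "/subscriptions/$EnrollSubId"
$wsRgScope = "/subscriptions/$WorkspaceSubId/resourceGroups/$WorkspaceRg"

function Test-RoleAtScope {
    param([string]$ObjectId, [string]$Role, [string]$Scope)
    # Get-AzRoleAssignment also returns inherited assignments, so a role granted at a
    # parent scope (for example the subscription) satisfies a resource-group check too.
    $null -ne (Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope -ErrorAction SilentlyContinue)
}

# 1. Roles the signed-in user needs on the subscription being enabled
$userId = (Get-AzADUser -SignedIn).Id
foreach ($role in "Essential Machine Management Administrator", "Managed Identity Operator", "Resource Policy Contributor") {
    "{0,-55} user  {1}" -f $role, (Test-RoleAtScope $userId $role $subScope)
}

# 2. The user-assigned managed identity needs Contributor on that subscription
$uami = Get-AzUserAssignedIdentity -ResourceGroupName $IdentityRg -Name $IdentityName
"{0,-55} uami  {1}" -f "Contributor", (Test-RoleAtScope $uami.PrincipalId "Contributor" $subScope)

# 3. Workspace in another subscription: extra roles on the workspace resource group,
#    plus the Microsoft.ManagedOps provider registered in the workspace subscription
if ($WorkspaceSubId -ne $EnrollSubId) {
    "{0,-55} user  {1}" -f "Essential Machine Management Administrator (workspace RG)",
        (Test-RoleAtScope $userId "Essential Machine Management Administrator" $wsRgScope)
    "{0,-55} uami  {1}" -f "Contributor (workspace RG)",
        (Test-RoleAtScope $uami.PrincipalId "Contributor" $wsRgScope)

    Set-AzContext -SubscriptionId $WorkspaceSubId | Out-Null
    # One object per resource type is returned; register if any of them is not yet registered
    $rp = Get-AzResourceProvider -ProviderNamespace "Microsoft.ManagedOps"
    if ($rp.RegistrationState -contains "NotRegistered" -or -not $rp) {
        Register-AzResourceProvider -ProviderNamespace "Microsoft.ManagedOps"
    }
    Set-AzContext -SubscriptionId $EnrollSubId | Out-Null
}
```

Each line of output shows one required role and whether the principal holds it; a False in any row means enrollment will fail until that role assignment is added.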

Features enabled

Essential machine management enables a standard set of features and allows you to optionally enable additional security features.

Essentials tier

The following features are part of the essentials tier.

Feature                               Description
Azure Monitor                         Monitors and provides insights into VM performance and health. Configures metric-based recommended alerts.
Azure Update Manager                  Automates the deployment of operating system updates to VMs.
Azure Machine Configuration           Audits the Azure security baseline policy.
Azure Change Tracking and Inventory   Tracks changes to VM configurations and maintains an inventory of resources.

Essentials tier pricing

Note

During the initial phase of public preview, the Essential Machine Management features are provided at no extra charge. Logs generated from Change Tracking and Inventory incur a separate charge for both Azure Virtual Machines and Arc-enabled servers.

  • For Azure Virtual Machines only, capabilities enabled by Essential Machine Management are provided at no extra charge.
  • For Azure Arc-enabled servers with Windows Server Software Assurance, Windows Server PayGo, and Windows Server Extended Security Updates, capabilities enabled by Essential Machine Management are provided at no extra charge.
  • For all other Arc-enabled servers, Essential Machine Management will be priced at $9 per server per month once billing is enabled at a future date. An announcement and documentation update will be posted when billing begins.

Security tier

The following security features are available as part of essential machine management. You can choose to enable any combination of these features for the enrolled VMs. Features in this section may incur an additional charge.

Feature              Description                                                                                                Additional cost
Foundational CSPM    Provides foundational cloud security posture management (CSPM) capabilities to assess and improve the security of your cloud resources.   No
Defender CSPM        Advanced cloud security posture management (CSPM) capabilities to enhance the security of your cloud resources.                        Yes
Defender for Cloud   Advanced threat protection and security management for VMs.                                                                             Yes

Enable a subscription

To enable machine management for a subscription, select Essential machine management from the Configuration menu, and click Enable.

Note

During public preview, the Azure portal is the only supported method for enabling machine management.

[Screenshot: essential machine management screen with no subscriptions enabled.]

Existing VMs

Essential machine management is enabled per subscription and automatically onboards all Azure VMs and Arc-enabled servers in that subscription. Once enabled, any VMs added to the subscription are enrolled and configured with the selected features. The following behavior applies to VMs that already exist in the subscription when essential machine management is enabled.

  • Existing services will retain their configuration. For example, if a VM is already using Update Management with a maintenance schedule, it will still follow that maintenance schedule.
  • After the subscription is enabled, remediation tasks are created to enable the selected service for all existing VMs in the subscription.

Warning

Use caution with the public preview if you have existing VMs with Change Tracking enabled. In this case, an additional Change Tracking DCR is created and associated with the VM. Because Change Tracking supports only a single DCR, either DCR could end up being the one used. If you would like to use the ManagedOps DCR, remove the existing DCR.

Excluding VMs

There is currently no ability to exclude VMs in the enabled subscription. All VMs in the subscription are onboarded and configured with the selected features.

Disable a subscription

Disable a subscription by selecting it and then clicking Offboard. When you disable a subscription, any VMs added to that subscription are no longer configured with the selected management features. The configuration isn't changed for existing VMs though. They will continue to be managed with the existing features until you manually remove them.

Warning

When you disable a subscription, machines in that subscription no longer use consolidated pricing. Pricing for these machines will revert to standard pricing for each individual service, which will most likely increase your costs. Ensure that you disable any unneeded services on existing VMs to avoid additional charges.

Troubleshooting

See Troubleshoot essential machine management (preview) for help resolving common issues with essential machine management. This article also identifies the objects created during enrollment and how to verify their creation.

Detailed configuration

The following table describes the specific configuration applied to each VM when essential machine management is enabled.

Feature                               Configuration details
Azure Monitor                         - Installs the Azure Monitor agent.
                                      - Collects a standard set of performance counters.
                                      - Configures metric-based recommended alerts.
Azure Update Manager                  - Installs the extension (Microsoft.CPlat.Core.LinuxPatchExtension or Microsoft.CPlat.Core.WindowsPatchExtension).
                                      - Periodic assessment enabled.
Azure Machine Configuration           - Installs the extension (Microsoft.GuestConfiguration.ConfigurationforLinux or Microsoft.GuestConfiguration.ConfigurationforWindows).
                                      - Applies the Linux security baseline and Windows security baseline in Audit only mode.
Azure Change Tracking and Inventory   - Installs the extension (Microsoft.Azure.ChangeTrackingAndInventory.ChangeTracking-Windows or Microsoft.Azure.ChangeTrackingAndInventory.ChangeTracking-Linux).
                                      - Uses the Log Analytics workspace specified in onboarding.
                                      - Collects basic files and registry keys.
Defender CSPM                         - All settings on by default.
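As an added example, not part of the Microsoft documentation, the following Azure PowerShell script checks one Azure VM against the configuration table above: it reports which of the listed extensions are installed and lists the data collection rules (DCRs) associated with the VM so a duplicate Change Tracking DCR (see the warning under Existing VMs) can be spotted. The resource group and VM name are placeholders; the Azure Monitor agent extension name is not spelled out on this page and is taken from the agent's own documentation; Arc-enabled servers use different cmdlets and are not covered.

```powershell
# Added example (not from the Microsoft docs). Placeholder values; replace them with your own.
$ResourceGroup = "rg-workloads"
$VmName        = "vm-web-01"

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$os = "$($vm.StorageProfile.OsDisk.OsType)"    # "Windows" or "Linux"

# Expected extensions as Publisher.Type, from the configuration table above.
# The Azure Monitor agent name is not on the page and comes from the agent's docs.
$expected = if ($os -eq "Windows") {
    "Microsoft.Azure.Monitor.AzureMonitorWindowsAgent",
    "Microsoft.CPlat.Core.WindowsPatchExtension",
    "Microsoft.GuestConfiguration.ConfigurationforWindows",
    "Microsoft.Azure.ChangeTrackingAndInventory.ChangeTracking-Windows"
} else {
    "Microsoft.Azure.Monitor.AzureMonitorLinuxAgent",
    "Microsoft.CPlat.Core.LinuxPatchExtension",
    "Microsoft.GuestConfiguration.ConfigurationforLinux",
    "Microsoft.Azure.ChangeTrackingAndInventory.ChangeTracking-Linux"
}

# Installed extensions on the VM, normalised to the same Publisher.Type form
$installed = Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName |
    ForEach-Object { "$($_.Publisher).$($_.ExtensionType)" }

"Extensions on $VmName ($os):"
foreach ($name in $expected) {
    $state = if ($installed -contains $name) { "present" } else { "MISSING" }
    "  {0,-68} {1}" -f $name, $state
}

# Every DCR associated with the VM. Azure Monitor and Change Tracking each use one,
# so compare the IDs against the Change Tracking DCRs in your workspace to find a duplicate.
# Parameter name assumed for Az.Monitor 4.x; newer module versions use -ResourceUri instead.
$dcrs = @(Get-AzDataCollectionRuleAssociation -TargetResourceId $vm.Id -ErrorAction SilentlyContinue)
"DCR associations: $($dcrs.Count)"
$dcrs | ForEach-Object { "  " + $_.DataCollectionRuleId }
```

A MISSING row shortly after enrollment can simply mean the remediation task has not reached that VM yet; re-run once the tasks listed in the troubleshooting article have completed.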
