Introduction
Azure Arc for Servers comes with the azcmagent.exe utility that allows you to configure local agent settings and troubleshoot if needed. In this post, we will delve into the config.mode property, its available modes, and how to configure it to suit different use cases.
The config.mode property determines how much of the Azure Connected Machine Agent's functionality is available on a server, from full management capabilities down to a restricted monitoring-only mode.
For more background on securing your environment with Azure Arc, refer to my earlier post on securing Tier 0 assets in Azure Arc by disabling Run Command. Additionally, if you’re looking to get started with managing the Azure Arc agent using PowerShell, check out my custom module in this detailed guide on Azure Arc Connected Agent Management.
What is the config.mode Property?
The config.mode property specifies the operational mode of the Azure Connected Machine Agent. This setting controls the extent of functionality available to the agent, ranging from full operational capabilities to a restricted monitoring-only mode.
Available Modes
- Full Mode
- Description: Full mode enables all the features and functionalities of the Azure Connected Machine Agent. This includes the ability to manage extensions, use guest configuration, and enable remote connectivity tools.
- Use Case: This mode is ideal for scenarios where comprehensive management and monitoring of connected machines are required.
- Monitor Mode
- Description: Monitor mode is a restricted configuration designed solely for monitoring purposes. In this mode, only a specific set of extensions aimed at monitoring are permitted. Guest configuration and remote connectivity tools are disabled to ensure minimal operational overhead and enhanced security.
- Use Case: This mode is suitable for environments where monitoring is the primary requirement and additional management functionalities are unnecessary or need to be restricted for security reasons.
Default Setting
By default, the config.mode property is set to full. This ensures that users have access to all the functionalities provided by the Azure Connected Machine Agent out of the box. However, depending on your specific needs, you might want to switch to monitor mode to restrict what the agent can do on the machine.
How to Configure config.mode
Run the azcmagent config set command on the machine itself, from an elevated prompt (sudo on Linux). Here are the examples for both full and monitor modes:
# Enable full mode
azcmagent config set config.mode full
# Enable monitor mode
azcmagent config set config.mode monitor
Verify the Configuration
To confirm that the mode has been set correctly, use the following command:
azcmagent config list
Impact of Monitor Mode
- Allowed Extensions: In monitor mode, only specific monitoring-related extensions are allowed. This includes extensions such as:
- Microsoft.EnterpriseCloud.Monitoring/OmsAgentForLinux
- Microsoft.Azure.Monitoring.DependencyAgent/DependencyAgentLinux
- Microsoft.Azure.Monitor/AzureMonitorLinuxAgent
- Qualys/LinuxAgent.AzureSecurityCenter
- Microsoft.Azure.Security.Monitoring/AzureSecurityLinuxAgent
- Microsoft.Azure.AzureDefenderForServers/MDE.Linux
- Microsoft.Azure.Monitor.VirtualMachines.GuestHealth/GuestHealthLinuxAgent
- Microsoft.Azure.Monitor.VirtualMachines.GuestHealth.DEV/GuestHealthLinuxAgent
- Microsoft.EnterpriseCloud.Monitoring/MicrosoftMonitoringAgent
- Microsoft.Azure.Monitoring.DependencyAgent/DependencyAgentWindows
- Microsoft.Azure.Monitor/AzureMonitorWindowsAgent
- Qualys/WindowsAgent.AzureSecurityCenter
- Microsoft.Azure.AzureDefenderForServers/MDE.Windows
- Microsoft.Azure.AzureDefenderForSQL/AdvancedThreatProtection.Windows
- Microsoft.Azure.Security.Monitoring/AzureSecurityWindowsAgent
- Microsoft.Azure.Security/IaaSAntimalware
- Microsoft.Azure.Geneva/GenevaMonitoring
- Microsoft.Azure.AzureDefenderForSQL/VulnerabilityAssessment.Windows
- Microsoft.Azure.Monitor.VirtualMachines.GuestHealth/GuestHealthWindowsAgent
- Microsoft.Sentinel.AzureMonitorAgentExtensions.Internal/DnsExtension
- Microsoft.Sentinel.AzureMonitorAgentExtensions/MicrosoftDnsAgent
- Disabled Guest Configuration: The guest configuration services are disabled in monitor mode. This will impact machine configuration services from the Azure side, limiting the ability to apply configuration policies and enforce compliance on the monitored machines.
Viewing the Configuration Mode through the Azure Portal
To view the current configuration mode and allowed extensions through the Azure Portal, follow these steps:
- Open the Azure Portal
- Open the server object
- In the server object's overview, find and click on the JSON View option
- Review the configMode and extensionsAllowList properties under agentConfiguration
Viewing the Configuration Mode with KQL Queries
To view the current configuration mode and allowed extensions for your Azure Arc servers, you can use KQL queries in the Azure Resource Graph Explorer and Log Analytics Workspace.
Using Azure Resource Graph Explorer
resources
| where type == "microsoft.hybridcompute/machines"
| extend ['Agent Mode'] = properties.agentConfiguration.configMode
| extend ['Allowed Extensions'] = properties.agentConfiguration.extensionsAllowList
| project name, ['Agent Mode'], ['Allowed Extensions']
Directly from Log Analytics Workspace
arg("").resources
| where type == "microsoft.hybridcompute/machines"
| extend ['Agent Mode'] = properties.agentConfiguration.configMode
| extend ['Allowed Extensions'] = properties.agentConfiguration.extensionsAllowList
| project name, ['Agent Mode'], ['Allowed Extensions']
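The portal JSON view and the KQL queries above return one record per machine; the following script is an added example (not code from the original post, and not a Microsoft tool) that audits such records offline. It reads properties.agentConfiguration.configMode and extensionsAllowList, flags machines that are not in the expected mode or report no agent configuration at all, and notes where a Defender for Endpoint extension is still permitted, which is the Live Response caveat discussed later in the post. The machine names are constructed sample data, and two points are assumptions: that each extensionsAllowList entry is an object with publisher and type keys, as in the Microsoft.HybridCompute resource schema, and that an empty allow list means no allow-list restriction.

```python
"""Audit Azure Arc machine records for config.mode and the extension allow list.

Added example, not code from the original post.  Records follow the shape
Azure Resource Graph returns for microsoft.hybridcompute/machines; only
properties.agentConfiguration.configMode and .extensionsAllowList (the two
fields the post reads from the portal's JSON view) are used.  Assumptions:
each extensionsAllowList entry is an object with "publisher" and "type" keys,
as in the Microsoft.HybridCompute resource schema, and an empty list means
the agent applies no allow-list restriction.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Defender for Endpoint extensions taken from the post's monitor-mode allow
# list; when one of them is permitted, Live Response remains usable.
MDE_EXTENSIONS = frozenset({
    "Microsoft.Azure.AzureDefenderForServers/MDE.Linux",
    "Microsoft.Azure.AzureDefenderForServers/MDE.Windows",
})

# Constructed sample records (not real machines) in the ARG result shape.
SAMPLE_MACHINES = [
    {"name": "arc-web-01", "type": "microsoft.hybridcompute/machines",
     "properties": {"agentConfiguration": {
         "configMode": "monitor",
         "extensionsAllowList": [
             {"publisher": "Microsoft.Azure.Monitor",
              "type": "AzureMonitorWindowsAgent"},
             {"publisher": "Microsoft.Azure.AzureDefenderForServers",
              "type": "MDE.Windows"},
         ]}}},
    {"name": "arc-db-02", "type": "microsoft.hybridcompute/machines",
     "properties": {"agentConfiguration": {"configMode": "full",
                                           "extensionsAllowList": []}}},
    {"name": "arc-legacy-03", "type": "microsoft.hybridcompute/machines",
     "properties": {}},  # agentConfiguration not reported at all
]


def agent_config(record: dict) -> dict:
    """Return properties.agentConfiguration, or {} when the record lacks it."""
    return (record.get("properties") or {}).get("agentConfiguration") or {}


def config_mode(record: dict) -> str:
    """Reported config.mode in lower case, or 'unknown' when not present."""
    return str(agent_config(record).get("configMode") or "unknown").lower()


def allowed_extensions(record: dict) -> list[str]:
    """Flatten the allow list to the 'publisher/type' form the post uses."""
    return [f"{e.get('publisher', '')}/{e.get('type', '')}"
            for e in agent_config(record).get("extensionsAllowList") or []]


def extension_permitted(record: dict, extension: str) -> bool:
    """True if the agent would accept `extension` (publisher/type).

    An empty allow list means no restriction; otherwise the extension must be
    listed.  Names are compared case-insensitively in this example.
    """
    allowed = {a.lower() for a in allowed_extensions(record)}
    return not allowed or extension.lower() in allowed


@dataclass
class Finding:
    name: str
    mode: str
    allowed: list[str]
    live_response_possible: bool  # an MDE extension can be installed
    issues: list[str] = field(default_factory=list)


def audit(records: list[dict], expected_mode: str = "monitor") -> list[Finding]:
    """Flag machines whose mode differs from `expected_mode` or is unreported,
    and note where Defender for Endpoint (hence Live Response) stays available."""
    findings = []
    for rec in records:
        if str(rec.get("type", "")).lower() != "microsoft.hybridcompute/machines":
            continue
        mode = config_mode(rec)
        issues = []
        if mode == "unknown":
            issues.append("agentConfiguration not reported for this machine")
        if mode != expected_mode:
            issues.append(f"config.mode is '{mode}', expected '{expected_mode}'")
        live = mode != "unknown" and any(
            extension_permitted(rec, m) for m in MDE_EXTENSIONS)
        findings.append(Finding(rec.get("name", "?"), mode,
                                allowed_extensions(rec), live, issues))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_MACHINES):
        print(f"{f.name:14} mode={f.mode:8} allowed={len(f.allowed)} "
              f"live_response={f.live_response_possible} issues={f.issues}")
```

To run this against real data, export the Resource Graph query result as JSON and pass the list of records to audit() in place of SAMPLE_MACHINES; a machine with an empty issues list is in the expected mode, and live_response_possible tells you whether monitor mode alone would keep Defender for Endpoint, and with it Live Response, off that server.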
Defender for Endpoint and Live Response
Even when the agent is in monitor mode, certain security extensions, such as Defender for Endpoint, can still be enabled. This means that Live Response can still be used to execute scripts on the machines, so switching to monitor mode does not remove every remote script-execution path.
Here’s what you need to know:
- Defender for Endpoint Extension: The Defender for Endpoint extension can be enabled in monitor mode. This extension is crucial for providing advanced threat protection and security monitoring capabilities.
- Live Response: With the Defender for Endpoint extension enabled, you can still utilize Live Response to execute scripts and perform other security operations on your machines. This is important for incident response and proactive threat hunting.
Practical Considerations
When deciding which mode to use, consider the following:
- Security: If your environment requires strict security measures and minimal external interactions, monitor mode is the safer option.
- Functionality: If you need full access to management tools, extension management, and guest configurations, full mode will be necessary.
Conclusion
The config.mode property is a key setting in the Azure Connected Machine Agent that allows users to tailor the agent’s functionality to their specific needs. Whether you require full management capabilities or a streamlined monitoring-only setup, understanding and configuring this property correctly can help optimize your cloud operations.
By leveraging the config.mode property, you can ensure that your Azure Connected Machine Agent is configured in the most efficient and secure manner possible, aligning with your operational requirements and security policies.