Merge pull request #312925 from MicrosoftDocs/main

Auto Publish – main to live - 2026-03-10 16:00 UTC

Author: learn-build-service-prod[bot]

articles/artifact-signing/how-to-sign-ci-policy.md

@@ -20,56 +20,56 @@ To complete the steps in this article, you need:
 - An Artifact Signing account, identity validation, and certificate profile.
 - Individual or group assignment of the Artifact Signing Certificate Profile Signer role.
 - [Azure PowerShell in Windows](/powershell/azure/install-azps-windows) installed.
-- [Az.TrustedSigning](/powershell/module/az.trustedsigning/) module downloaded.
+- [Az.ArtifactSigning](/powershell/module/az.artifactsigning/) module downloaded.
 
 ## Sign a CI policy
 
 1. ⁠Open [PowerShell 7](https://github.com/PowerShell/PowerShell/releases/latest).
 
-1. Optionally, you can create a *metadata.json* file that looks like this example:(`"Endpoint"` URI value must be a URI that aligns with the region where you created your Artifact Signing account and certificate profile when you set up these resources.)
+1. Optionally, you can create a *metadata.json* file that looks like this example: (`"Endpoint"` URI value must be a URI that matches the region where you created your Artifact Signing account and certificate profile when you set up these resources.)
 
    ```json
    {
    "Endpoint":"https://xxx.codesigning.azure.net/",
-   "CodeSigningAccountName":"<Artifact Signing Account Name>",
+   "CodeSigningAccountName":"<Signing Account Name>",
    "CertificateProfileName":"<Certificate Profile Name>"
    }
    ```
 
-1. Get the [root certificate](/powershell/module/az.trustedsigning/get-aztrustedsigningcertificateroot) that you want to add to the trust store:
+1. Get the [root certificate](/powershell/module/az.artifactsigning/get-azartifactsigningcertificateroot?view=azps-15.4.0&preserve-view=true) that you want to add to the trust store:
 
    ```powershell
-   Get-AzTrustedSigningCertificateRoot -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl https://xxx.codesigning.azure.net/ -Destination c:\temp\root.cer
+   Get-AzArtifactSigningCertificateRoot -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl https://xxx.codesigning.azure.net/ -Destination c:\temp\root.cer
    ```
 
    If you're using a *metadata.json* file, run this command instead:
 
    ```powershell
-   Get-AzTrustedSigningCertificateRoot -MetadataFilePath C:\temp\metadata.json -Destination c:\temp\root.cer 
+   Get-AzArtifactSigningCertificateRoot -MetadataFilePath C:\temp\metadata.json -Destination c:\temp\root.cer 
    ```
 
-1. To get the [Extended Key Usage (EKU)](/powershell/module/az.trustedsigning/get-aztrustedsigningcustomereku) to insert into your policy:
+1. To get the [Extended Key Usage (EKU)](/powershell/module/az.artifactsigning/get-azartifactsigningcustomereku?view=azps-15.4.0&preserve-view=true) to insert into your policy:
 
    ```powershell
-   Get-AzTrustedSigningCustomerEku -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl https://xxx.codesigning.azure.net/ 
+   Get-AzArtifactSigningCustomerEku -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl https://xxx.codesigning.azure.net/ 
    ```
 
    If you're using a *metadata.json* file, run this command instead:
 
    ```powershell
-   Get-AzTrustedSigningCustomerEku -MetadataFilePath C:\temp\metadata.json 
+   Get-AzArtifactSigningCustomerEku -MetadataFilePath C:\temp\metadata.json 
    ```
 
-1. To [sign your policy](/powershell/module/az.trustedsigning/invoke-aztrustedsigningcipolicysigning), run the `invoke` command:
+1. To [sign your policy](/powershell/module/az.artifactsigning/invoke-azartifactsigningcipolicysigning?view=azps-15.4.0&preserve-view=true), run the `invoke` command:
 
    ```powershell
-   Invoke-AzTrustedSigningCIPolicySigning -accountName TestAccount -profileName TestCertProfile -endpointurl "https://xxx.codesigning.azure.net/" -Path C:\Temp\defaultpolicy.bin -Destination C:\Temp\defaultpolicy_signed.bin -TimeStamperUrl: http://timestamp.acs.microsoft.com 
+   Invoke-AzArtifactSigningCIPolicySigning -accountName TestAccount -profileName TestCertProfile -endpointurl "https://xxx.codesigning.azure.net/" -Path C:\Temp\defaultpolicy.bin -Destination C:\Temp\defaultpolicy_signed.bin -TimeStamperUrl: http://timestamp.acs.microsoft.com 
    ```
 
    If you're using a *metadata.json* file, run this command instead:
 
    ```powershell
-   Invoke-AzTrustedSigningCIPolicySigning -MetadataFilePath C:\temp\metadata.json -Path C:\Temp\defaultpolicy.bin -Destination C:\Temp\defaultpolicy_signed.bin -TimeStamperUrl: http://timestamp.acs.microsoft.com 
+   Invoke-AzArtifactSigningCIPolicySigning -MetadataFilePath C:\temp\metadata.json -Path C:\Temp\defaultpolicy.bin -Destination C:\Temp\defaultpolicy_signed.bin -TimeStamperUrl: http://timestamp.acs.microsoft.com 
    ```
 
 ## Create and deploy a CI policy

articles/automation/whats-new.md

@@ -4,7 +4,7 @@ description: Significant updates to Azure Automation updated each month.
 services: automation
 ms.subservice:
 ms.topic: overview
-ms.date: 08/12/2025
+ms.date: 03/10/2026
 ms.custom: references_regions
 ms.author: v-rochak2
 author: RochakSingh-blr
@@ -23,6 +23,16 @@ Azure Automation receives improvements on an ongoing basis. To stay up to date w
 
 This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Automation](whats-new-archive.md).
 
+## March 2026
+
+### Security Update: Azure Automation Windows Hybrid Worker Extension (1.3.74)
+
+Windows Hybrid Worker Extension Version 1.3.74 includes a security improvement that strengthens access controls for communication with Hybrid Instance Metadata Service (HIMDS).
+
+Under specific startup timing conditions, the Windows Hybrid Worker Extension tries to connect to HIMDS before the service is fully initialized. In this narrow window, a local nonprivileged process can impersonate the metadata service endpoint and gain unauthorized read access to protected metadata or configuration information.
+
+This release addresses the issue by adding an extra validation to ensure that it connects only to trusted, system owned metadata endpoints. These changes enhance protection of system metadata and configuration information by ensuring access is limited to trusted system components.
+
 ## August 2025
 
 ### Deployment resumption: Azure Automation revised Service and Subscription limits

articles/azure-vmware/media/hcx-commands/set-hcx-scale.png

@@ -3,8 +3,8 @@ title: Use VMware HCX Run Commands
 description: Use VMware HCX Run Commands in Azure VMware Solution
 ms.topic: how-to
 ms.service: azure-vmware
-ms.custom: engagement-fy23
-ms.date: 3/22/2024
+ms.custom: engagement-fy26
+ms.date: 3/5/2026
 # Customer intent: As a cloud administrator, I want to execute VMware HCX Run Commands in an Azure VMware Solution, so that I can manage and scale the HCX Manager efficiently while maintaining service integrity during operations.
 ---
 
@@ -35,31 +35,73 @@ Optional run command parameters.
 1. Wait for command to finish. It can take few minutes for the VMware HCX appliance to come online. 
 
 ## Scale VMware HCX manager  
-Use the Scale VMware HCX Cloud Manager Run Command to increase the resource allocation of your VMware HCX Cloud Manager virtual machine to 8 vCPUs and 24-GB RAM from the default setting of 4 vCPUs and 12-GB RAM, ensuring scalability. 
+Use the Scale VMware HCX Cloud Manager Run Command to increase the resource allocation of your VMware HCX Cloud Manager virtual machine, ensuring scalability for larger deployments and increased concurrent migrations.
+
+**Supported in HCX 4.10+**
 
 **Scenario**: Mobility Optimize Networking (MON) requires VMware HCX Scalability. For more details on [MON scaling](https://kb.vmware.com/s/article/88401)  
 
 >[!NOTE] 
 > VMware HCX Cloud Manager will be rebooted during this operation, and this may affect any ongoing migration processes. 
 
-1. Navigate to the Run Command panel on in an Azure VMware Solution private cloud on the Azure portal. 
+1. Navigate to the **Run Command** panel under **Operations** in an Azure VMware Solution private cloud on the Azure portal. 
 
-1. Select the **Microsoft.AVS.HCX** package dropdown menu and select the **Set-HcxScaledCpuAndMemorySetting** command.
+2. Select the **Microsoft.AVS.HCX** package dropdown menu and select the **Set-HcxScaledCpuAndMemorySetting** command.
 
     :::image type="content" source="media/hcx-commands/set-hcx-scale.png" alt-text="Diagram that shows run command parameters for Set-HcxScaledCpuAndMemorySetting command." border="false" lightbox="media/hcx-commands/set-hcx-scale.png"::: 
 
-1. Agree to restart VMware HCX by toggling ``AgreeToRestartHCX`` to **True**. 
-    You need to acknowledge that the virtual machine will be restarted.  
-    
-     
-    >[!NOTE]
-    > If this required parameter is set to false that cmdlet execution will fail. 
+3. Set parameters and select Run. Optional run command parameters.
 
-1. Select **Run** to execute.
-    This process takes between 10-15 minutes.  
+   If the parameters are used incorrectly, they can halt active migrations and replications and cause other issues. Brief description of each parameter with an example of when it should be used:
+
+   **ScaleFormFactor Parameter** - Specifies the target form factor for the HCX Manager VM — *"Medium"* or *"Large"*. Defaults to *"Medium"* if not specified. See [Form Factor Specification](use-hcx-run-commands.md) for details on each size.
+
+   **DiskStorageFormat Parameter** - Specifies the storage format for the new disk added during scaling — *"Thin"*, *"Thick"*, or *"EagerZeroedThick"*. Defaults to *"Thin"*. See [Disk Storage Formats] for guidance on choosing a format.
+
+   **AgreeToRestartHCX Parameter** (required) - Acknowledgment that the HCX Manager VM will be restarted during the scaling operation. Must be set to *True* for the command to execute. If set to *False*, the cmdlet execution will fail.
+
+   **Force Parameter** - Bypasses safety checks such as active migration and replication detection and existing snapshot validation. Use this parameter when a migration is stuck in an active state and you still need to proceed with scaling.
+
+   **SkipSnapshot Parameter** - Skips the creation of a pre-scaling snapshot. Requires the *-Force* parameter to be set. Not recommended, as the automatic snapshot provides a safety net for failure recovery.
+
+4. Select **Run** to execute. This process takes between 10-15 minutes.  
 
-    >[!NOTE]
-    > VMware HCX cloud manager will be unavailable during the scaling. 
+ >[!NOTE]
+ > VMware HCX Cloud Manager will be unavailable during the scaling.
+
+### Form Factor Specifications
+
+| Form Factor | vCPU | Memory | Disk | Use Case |
+| :--- | :--- | :--- | :--- | :--- |
+| **Small** (current default) | 4 | 12 GB | 60 GB | Small deployments, <500 VMs |
+| **Medium** | 8 | 24 GB | 120 GB | Medium deployments, 500-2000 VMs |
+| **Large** | 32 | 48 GB | 300 GB | Large deployments, >2000 VMs |
+>[!NOTE]
+>"Small" is the default form factor already deployed. It is not a selectable option in the *Set-HcxScaledCpuAndMemorySetting* command. The command only scales up to **Medium** or **Large**.
+
+### Disk Storage Formats
+
+| Format | Description | Performance | Space Efficiency | Use Case |
+| :--- | :--- | :--- | :--- | :--- |
+| **Thin**  | Lazy-zeroed thin provisioning | Good | High | Default, most environments |
+| **Thick** | Eager-zeroed thick provisioning | Better | Low | Performance-critical |
+| **EagerZeroedThick** | Zeroed at creation | Best | Lowest | Maximum performance |
+
+>[!NOTE]
+>Use the default "Thin" unless specific performance requirements dictate otherwise. Thin disks grow on-demand, while Thick and EagerZeroedThick allocate full space immediately.
+
+### Automatic Failure Recovery
+If scaling fails at any point during execution, the system automatically recovers:
+
+1. **Snapshot revert** - Automatically reverts to the pre-scaling snapshot.
+   
+2. **Power on** - Powers on HCX Manager from the snapshot state (last known good configuration).
+   
+3. **Error reporting** - Returns detailed error information.
+ 
+4. **No manual intervention required** - The systems automatically recovers to a working state.
+
+**Recovery time**: Typically 5-10 minutes to revert and power on.
 
 ## Take a snapshot of VMware HCX Cloud Manager