Azure Local – Attestation – Benefits


In earlier versions of Azure Local (Azure Stack HCI 22H2 and earlier) we had to add a separate network adapter to every virtual machine in our stack that should be covered by Azure benefits / Azure verification for VMs (e.g. Azure Arc Update management, Policy, Defender). Beginning with 23H2, that network adapter is no longer needed for generation 2 VMs, because the Hyper-V guest integration service can communicate with the virtual machines directly.

We do still need the attestation configuration in our stack, so we cannot delete the VMSwitch “AZSHCI_HOST-IMDS_DO_NO_MODIFY”. If you find that this VMSwitch is missing or you deleted it, running the Enable command below will also recreate it.

If you are in the process of upgrading from 22H2 to 23H2, or have completed it but missed the cleanup, you can still do the cleanup afterwards.

You can first validate whether virtual machines are still covered by version 1 of attestation by running this command:

Get-AzStackHCIVMAttestation

If it shows all VMs only using version 1, you can go ahead and remove it for all VMs:

Disable-AzStackHCIAttestation -RemoveVM

Now you can enable Attestation again:

Enable-AzStackHCIAttestation

Use the Get command again to monitor that all VMs have switched to version 2. All VMs should register automatically. If you have Generation 1 VMs, they need to be configured for Legacy OS support. Follow this guide if needed: https://learn.microsoft.com/en-us/azure/azure-local/deploy/azure-verification?view=azloc-2506&tabs=azure-ps
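The steps above, wrapped in one guarded script as an added example (this is not code from the original post or from Microsoft): it checks that the IMDS VMSwitch exists, lists Generation 1 VMs that will need Legacy OS support before anything is changed, runs the Disable/Enable pair only if some VM is still on version 1, and then polls Get-AzStackHCIVMAttestation until every VM reports version 2 or a timeout expires. The property names used to read the VM name and attestation version from the Get output ($NameProperty, $VersionProperty) are assumptions; confirm them with `Get-AzStackHCIVMAttestation | Get-Member` on your own cluster and adjust the two variables.

```powershell
# Added example, not the original post's code. Run on a cluster node with the
# Az.StackHCI and Hyper-V modules loaded.
# ASSUMPTION: the objects returned by Get-AzStackHCIVMAttestation expose the VM
# name and the attestation version under the two property names below. Check
# with "Get-AzStackHCIVMAttestation | Get-Member" and adjust before use.
$SwitchName      = 'AZSHCI_HOST-IMDS_DO_NO_MODIFY'   # from the post; must never be deleted
$NameProperty    = 'Name'                            # ASSUMPTION: VM name property
$VersionProperty = 'AttestationVersion'              # ASSUMPTION: attestation version property
$TargetVersion   = 2
$PollSeconds     = 30
$TimeoutMinutes  = 20

# 1. The host-side IMDS switch is required for attestation at all. If it is
#    missing, Enable-AzStackHCIAttestation recreates it, so only warn here.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    Write-Warning "VMSwitch '$SwitchName' is missing; Enable-AzStackHCIAttestation will recreate it."
}

# 2. Generation 1 VMs cannot use the guest integration path without Legacy OS
#    support, so surface them before touching anything.
$gen1 = @(Get-VM | Where-Object { $_.Generation -eq 1 })
if ($gen1.Count -gt 0) {
    Write-Warning ("Generation 1 VMs present (need Legacy OS support): " + ($gen1.Name -join ', '))
}

# 3. Current state: which VMs are still on attestation version 1?
$onV1 = @(Get-AzStackHCIVMAttestation | Where-Object { $_.$VersionProperty -eq 1 })
if ($onV1.Count -eq 0) {
    Write-Host "No VMs on attestation version 1; nothing to migrate."
    return
}
Write-Host ("VMs on version 1: " + (($onV1 | ForEach-Object { $_.$NameProperty }) -join ', '))

# 4. Remove the version 1 per-VM configuration (the extra network adapter),
#    then re-enable so Generation 2 VMs register via the guest integration service.
Disable-AzStackHCIAttestation -RemoveVM
Enable-AzStackHCIAttestation

# 5. Poll until every VM reports the target version, or give up at the deadline
#    and name the stragglers (typically Gen1 VMs without Legacy OS support).
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds $PollSeconds
    $pending = @(Get-AzStackHCIVMAttestation | Where-Object { $_.$VersionProperty -ne $TargetVersion })
    Write-Host ("{0:HH:mm:ss} VMs not yet on version {1}: {2}" -f (Get-Date), $TargetVersion, $pending.Count)
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

if ($pending.Count -gt 0) {
    Write-Warning ("Still not on version {0}: {1}" -f $TargetVersion,
        (($pending | ForEach-Object { $_.$NameProperty }) -join ', '))
} else {
    Write-Host "All VMs report attestation version $TargetVersion."
}
```

The early `return` in step 3 is deliberate: Disable-AzStackHCIAttestation -RemoveVM is only run when the Get output actually shows version 1 VMs, so re-running the script on an already migrated cluster is a no-op apart from the two warnings.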