03-Azure/01-03-Infrastructure /02_Hybrid_Azure_Arc_Servers/ Update Challenge Walkthrough with additional Information

03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md

@@ -31,7 +31,7 @@ Please ensure that you successfully passed [challenge 2](../../Readme.md#challen
 ![image](./img/4_Create_Secret.png)
 
 
-### Task 3: Call the secret without providing any credentials
+### Task 3 (Linux): Call the secret without providing any credentials
 
 1. Connect via SSH to the Virtual Machine *microhack-arc-servers-lin01*.
 
@@ -41,7 +41,6 @@ Please ensure that you successfully passed [challenge 2](../../Readme.md#challen
 sudo -i
 ```
 
-
 3. Install your favorite JSON parser. In this example we will use jq.
 
 ```
@@ -50,7 +49,7 @@ apt-get -y install jq
 
 4. Request an access token for the Key Vault using the following command:
 
-```
+```shell
 ChallengeTokenPath=$(curl -s -D - -H Metadata:true "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource=https%3A%2F%2Fmanagement.azure.com" | grep Www-Authenticate | cut -d "=" -f 2 | tr -d "[:cntrl:]")
 ChallengeToken=$(cat $ChallengeTokenPath)
 if [ $? -ne 0 ]; then
@@ -60,26 +59,80 @@ else
 fi
 ```
 
-`❗Hint: The above request connects to the Azure Instance Metadata Service to retrieve an access token for the managed identity of your Azure Arc-enabled server. By default, the IMDS is accessible via 169.254.169.254 from Azure VMs. Azure Arc-enabled servers need to use 127.0.0.1 to proxy the request with the Azure Arc agent to Azure.`
+   > **Note**  
+   >  For Windows machines you can use the following command:
+
+```powershell
+        Function Get-AzureArcToken {
+            [cmdletbinding()]
+            param(
+                [string]$ResourceURI
+            )
+            # Build up URL
+            $SafeString = [System.Net.WebUtility]::URLEncode($ResourceURI)
+            $URI = "http://localhost:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource={0}" -f $SafeString
+            # Get Arc API Token
+            try {
+                Invoke-WebRequest -UseBasicParsing -Uri $uri -Headers @{ Metadata = "true" } -Verbose:0
+            }
+            catch {
+                $script:response = $_.Exception.Response
+            }
+
+            # Extract the path to the challenge token
+            $tokenpath = $script:response.Headers["WWW-Authenticate"].TrimStart("Basic realm=")
+
+            # Read the token
+            $token = Get-Content $tokenpath
+
+            # Acquire and return Access Token
+            Invoke-RestMethod -UseBasicParsing -Uri $uri -Headers @{ Metadata = "true"; Authorization = "Basic $token" }
+        }
+```
+
+
+> **❗Hint:**  
+> The above request connects to the Azure Instance Metadata Service to retrieve an access token for the managed identity of your Azure Arc-enabled server. By default, the IMDS is accessible via 169.254.169.254 from Azure VMs. Azure Arc-enabled servers need to use 127.0.0.1 to proxy the request with the Azure Arc agent to Azure.`
 
 4. Verify that you received an access token using the following command:
 
-```
+```shell
 token=$(echo "$AccessToken" | jq -r '.access_token')
 echo $token
 ```
 You should see the access token in the output. In addition, the result is saved in the variable *token* for the next step.
 
 5. Now, it's time to call the Azure Key Vault instance to retrieve the secret from the previous task.
 
-```
+```shell
 curl 'https://mh-arc-servers-kv0815.vault.azure.net/secrets/kv-secret?api-version=2016-10-01' -H "Authorization: Bearer $token"
 ```
 
-`❗Hint: Please make sure to call your instance of Key Vault and adjust the name in the above command accordingly.`
+> **❗Hint:**  
+> Please make sure to call your instance of Key Vault and adjust the name in the above command accordingly.
 
 ![image](./img/5_result_secret.png)
 
+   > **Note**  
+   >  For Windows machines you can use the following command:
+
+```powershell
+        # Get an Azure KeyVault Access Token with new Function
+        $AccessToken = Get-AzureArcToken -ResourceURI 'https://vault.azure.net'
+        # Setup Query Attributes
+        $Query = @{
+            # URI of the specific secret we want
+            Uri     = "https://mh-arc-servers-kv2212.vault.azure.net/secrets/test?api-version=7.1"
+            Method  = "Get"
+            Headers = @{
+                Authorization = "Bearer $($AccessToken.access_token)"
+            }
+        }
+
+        # Retrieve Secrets
+        Invoke-RestMethod @Query | Select-Object -ExpandProperty Value | fl *
+```
+
 Congratulations! You retrieved the secret from your Key Vault without providing any credentials. The resulting possibilities are limitless. You can use it for managing certificates or any secret that is necessary to run your on-premises application. 
 
-You successfully completed challenge 3! 🚀🚀🚀
+You successfully completed challenge 3! 🚀🚀🚀

03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md

@@ -72,7 +72,17 @@ Find it here [AddKey.zip](https://github.com/microsoft/MicroHack/raw/main/03-Azu
 
 ### Create the Machine Configuration as Azure Policy
 
-1. You will need to upload the zip file to a Storage Account and create a SAS with read permissions.  
+1. You will need to upload the zip file to a Storage Account and create a SAS with read permissions.
+
+    > **Warning**  
+    >  The following commands cannot be run from Azure Cloud Shell! Please use a local Powershell.
+    >  To install the required modules use:
+    >  ```powershell
+    >  Install-Module -Name Az -Repository PSGallery -Force
+    >  Install-Module -Name GuestConfiguration -Repository PSGallery -Force
+    >  ```
+
+
     > **Note**  
     >  You will need at least the *Storage Blob Data Contributor* role to be able to upload the file.   
 
@@ -103,7 +113,7 @@ Find it here [AddKey.zip](https://github.com/microsoft/MicroHack/raw/main/03-Azu
     $sas = New-AzStorageBlobSASToken -Context $ctx -Container $containerName -Blob $fileName -Permission r -ExpiryTime $expiratioNDate -FullUri
     ```
 
-2. To assign the Machine Configuration we will use a Azure Policy. To create the Policy refer to the following Powershell Block. The Policy is created at the Tenant Root so that we can assign it to all subscriptions.  
+3. To assign the Machine Configuration we will use a Azure Policy. To create the Policy refer to the following Powershell Block. The Policy is created at the Tenant Root so that we can assign it to all subscriptions.  
     > **Note**  
     > Depending on your machine configuration, this might need to be executed with local administrative privileges.
     ```powershell
@@ -129,8 +139,8 @@ Find it here [AddKey.zip](https://github.com/microsoft/MicroHack/raw/main/03-Azu
     # Create new policy from definition file
     New-AzPolicyDefinition -Name $name -Policy $configurationPolicy.Path -ManagementGroupName $tenantID 
     ```
-3. Now that the policy definition is created you can assign the policy like in Action 1 but add a remediation like in the screenshot below.
+4. Now that the policy definition is created you can assign the policy like in Action 1 but add a remediation like in the screenshot below.
 
     ![PolicyAssignmentRemediation.png](./img/PolicyAssignmentRemediation.png)
 
-4. It takes some minutes for the Machine Configuration to become compliant. If thats the case you can verify the registry key being created by launching ``` regedit.exe ``` and browse to ``` HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ ```
+5. It takes some minutes for the Machine Configuration to become compliant. If thats the case you can verify the registry key being created by launching ``` regedit.exe ``` and browse to ``` HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ ```