The Compliance Report Problem
Azure Policy dashboard: "850 Arc-enabled servers, 72% compliant"
VMware vCenter: "547 VMs total"
Math: 850 - 547 = 303 ghost registrations
Our compliance data was fiction.
What Are Ghost Registrations?
Problem: When you delete a VM, its Azure Arc registration persists.
Result:
- Compliance reports include servers that don't exist
- Cost tracking is wrong
- Security dashboards show phantom vulnerabilities
- Nobody knows which servers are real
How It Happens
Scenario 1: Delete VM Without Removing Arc Agent
Most common
- VMware admin deletes VM
- Arc agent never uninstalls (VM gone)
- Arc registration stays in Azure
- Shows as "offline" forever
Scenario 2: VM Name Reuse
- Delete VM named "SQL-PROD-01"
- Create new VM with same name
- Now TWO Arc registrations for "SQL-PROD-01"
- Which one is real? Nobody knows.
Scenario 3: Failed Deletions
- Try to delete Arc registration
- API times out
- Azure portal shows "deleted"
- Resource Graph still shows it
The Impact
Compliance Reports Are Fiction
Azure Policy: "347 servers need patches"
Reality: 64% of those are ghosts
Finance: "Why are we patching 347 servers when we only have 220?"
Cost Tracking Is Wrong
Arc costs $5/server/month if you exceed the free tier.
Bill: $4,250/month (850 servers)
Reality: $2,735/month (547 servers)
Overpayment: $1,515/month = $18K/year
Security False Positives
Microsoft Defender: "Critical vulnerabilities on 150 servers"
SOC team: Spends 40 hours investigating
Reality: 96 of those servers don't exist
How to Detect Ghosts
Method 1: Resource Graph Query
kql
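A cross-check for the scenarios above, added here as an example and not the author's own query or code: reconcile exported Arc machine rows against the vCenter VM list, so deleted-VM ghosts and reused-name duplicates are separated from real servers whose agent is merely offline. The field names `name`, `status` and `lastStatusChange` mirror Arc machine properties; the `reconcile` helper, the short IDs and all sample rows are constructed, and the match assumes the Arc machine name equals the vCenter VM name.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows, shaped like an export of Arc machine resources.
ARC_ROWS = [
    {"id": "arc-001", "name": "SQL-PROD-01", "status": "Disconnected",
     "lastStatusChange": "2024-03-01T09:00:00+00:00"},  # old VM, name later reused
    {"id": "arc-002", "name": "sql-prod-01", "status": "Connected",
     "lastStatusChange": "2025-01-10T08:00:00+00:00"},  # replacement VM
    {"id": "arc-003", "name": "WEB-07", "status": "Disconnected",
     "lastStatusChange": "2024-06-15T12:00:00+00:00"},  # VM deleted in vCenter
    {"id": "arc-004", "name": "APP-12", "status": "Connected",
     "lastStatusChange": "2025-01-09T07:30:00+00:00"},
    {"id": "arc-005", "name": "FILE-03", "status": "Disconnected",
     "lastStatusChange": "2025-01-02T18:45:00+00:00"},  # VM exists, agent offline
]
VCENTER_VMS = ["SQL-PROD-01", "APP-12", "FILE-03"]  # constructed inventory


def reconcile(arc_rows, vcenter_names):
    """Split Arc registrations into (live, ghosts, review) lists of IDs.

    Assumption: Arc machine name == vCenter VM name, compared case-insensitively.
    """
    real = {n.lower() for n in vcenter_names}
    by_name = defaultdict(list)
    for row in arc_rows:
        by_name[row["name"].lower()].append(row)

    live, ghosts, review = [], [], []
    for name, rows in by_name.items():
        if name not in real:
            # VM no longer exists: every registration under this name is a ghost.
            ghosts += [r["id"] for r in rows]
            continue
        # Name reuse: prefer a Connected registration, then the newest status change.
        rows = sorted(rows, reverse=True, key=lambda r: (
            r["status"] == "Connected", datetime.fromisoformat(r["lastStatusChange"])))
        keep, extras = rows[0], rows[1:]
        for r in extras:
            # A second Connected registration may be a real host; do not auto-delete it.
            (review if r["status"] == "Connected" else ghosts).append(r["id"])
        # A real VM whose only registration is offline is a broken agent, not a ghost.
        (live if keep["status"] == "Connected" else review).append(keep["id"])
    return sorted(live), sorted(ghosts), sorted(review)


if __name__ == "__main__":
    print(reconcile(ARC_ROWS, VCENTER_VMS))
```

Only the `ghosts` list is a candidate for deregistration; the `review` list holds registrations that still map to a real VM and need an agent check instead.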