How to enable automatic upgrades for Azure Arc Agent (Public Preview)

Learn how to enable the new public preview feature for automatic Azure Arc agent upgrades. Step-by-step PowerShell examples, scripts for multiple servers, and monitoring with KQL included.

Previously I wrote about updating the Azure Arc agent. Now, I’m pleased to share that a new public preview feature enables automatic upgrades of the Azure Arc agent on enabled servers. This is a major step forward in keeping the agent secure, up to date, and equipped with the latest capabilities.

In this post, I’ll walk you through how to enable automatic upgrades and how to report on their status.

Azure Arc agent automatic upgrade

Keeping the Azure Arc agent updated is important for several reasons: 

  • Access to new server management capabilities
  • Reliability from bug fixes and agent improvements
  • Compliance by applying the latest security patches and enhancements

In the past, upgrades had to be done manually or with tools like Windows Server Update Services (WSUS). With this public preview, agents running version 1.48 or later can use the Auto Agent Upgrade feature. This ensures the agent stays on the latest Azure Connected Machine agent version without disrupting workloads.

To enable automatic upgrades, you need to set the enableAutomaticUpgrade property to true. Once set, agents will upgrade within one version of the latest release. This can be configured using PowerShell.

Within Azure PowerShell you need to log in and set the context:

Connect-AzAccount
Set-AzContext -Subscription "YOUR SUBSCRIPTION"

Then input the following:

Set-AzContext -Subscription "YOUR SUBSCRIPTION"
$params = @{
  ResourceGroupName = "YOUR RESOURCE GROUP"
  ResourceProviderName = "Microsoft.HybridCompute"
  ResourceType = "Machines"
  ApiVersion = "2024-05-20-preview"
  Name = "YOUR MACHINE NAME"
  Method = "PATCH"
  Payload = '{"properties":{"agentUpgrade":{ "enableAutomaticUpgrade":true}}}'
}
Invoke-AzRestMethod @params

Ensure you replace the relevant values with your own. 

The above example updates a single machine. But what if you need to enable Auto Agent Upgrade on multiple servers?

Option 1 – Enable on all servers in a resource group

If all the Arc enabled servers are within the same resource group you can run the following script:

$machines = Get-AzResource -ResourceGroupName "rg-arc" -ResourceType "Microsoft.HybridCompute/machines"
foreach ($m in $machines) {
    Write-Host "Updating $($m.Name)..."
    $params = @{
      ResourceGroupName    = $m.ResourceGroupName
      ResourceProviderName = "Microsoft.HybridCompute"
      ResourceType         = "Machines"
      ApiVersion           = "2024-05-20-preview"
      Name                 = $m.Name
      Method               = "PATCH"
      Payload              = '{"properties":{"agentUpgrade":{ "enableAutomaticUpgrade":true}}}'
    }
    Invoke-AzRestMethod @params
}

This lists all the Arc-enabled servers in the resource group (rg-arc in this example; replace it with your own) and loops through them until all have the Auto Agent Upgrade feature enabled.

Option 2 – Enable on all servers in a subscription

If you’d like to apply the setting to all Arc machines within your subscription, regardless of the resource group they are in, you can run this PowerShell script:

$machines = Get-AzResource -ResourceType "Microsoft.HybridCompute/machines"
foreach ($m in $machines) {
    Write-Host "Updating $($m.Name) in $($m.ResourceGroupName)..."
    $params = @{
      ResourceGroupName    = $m.ResourceGroupName
      ResourceProviderName = "Microsoft.HybridCompute"
      ResourceType         = "Machines"
      ApiVersion           = "2024-05-20-preview"
      Name                 = $m.Name
      Method               = "PATCH"
      Payload              = '{"properties":{"agentUpgrade":{ "enableAutomaticUpgrade":true}}}'
    }
    Invoke-AzRestMethod @params
}

If you have hundreds of machines, this could take a while because the script runs sequentially, so you may wish to use a parallel version instead, which is available in PowerShell 7+.
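
A parallel variant of the subscription-wide loop, as an added example that is not part of the original post. It assumes you are already signed in with Connect-AzAccount and have set the context; the throttle limit of 10 and the result object's field names are illustrative choices. It also records the HTTP status per machine, because a failed PATCH comes back as a response object and is easy to miss in a large run.

```powershell
# Added example (not from the original post). Requires PowerShell 7+.
# Assumes Connect-AzAccount / Set-AzContext have already been run.
$payload  = '{"properties":{"agentUpgrade":{"enableAutomaticUpgrade":true}}}'
$machines = Get-AzResource -ResourceType "Microsoft.HybridCompute/machines"

# ThrottleLimit 10 is an arbitrary starting point; tune it for your environment.
$results = $machines | ForEach-Object -ThrottleLimit 10 -Parallel {
    $m = $_
    $params = @{
        ResourceGroupName    = $m.ResourceGroupName
        ResourceProviderName = "Microsoft.HybridCompute"
        ResourceType         = "Machines"
        ApiVersion           = "2024-05-20-preview"
        Name                 = $m.Name
        Method               = "PATCH"
        Payload              = $using:payload   # outer variables need $using: here
    }
    try {
        # Non-2xx responses are returned as objects, so inspect StatusCode.
        $resp = Invoke-AzRestMethod @params -ErrorAction Stop
        $ok   = ($resp.StatusCode -ge 200 -and $resp.StatusCode -lt 300)
        [pscustomobject]@{
            Name          = $m.Name
            ResourceGroup = $m.ResourceGroupName
            StatusCode    = $resp.StatusCode
            Succeeded     = $ok
            Detail        = if ($ok) { "" } else { $resp.Content }
        }
    }
    catch {
        # Transport or authentication errors end up here.
        [pscustomobject]@{
            Name          = $m.Name
            ResourceGroup = $m.ResourceGroupName
            StatusCode    = $null
            Succeeded     = $false
            Detail        = $_.Exception.Message
        }
    }
}

# Summarise, then list only the machines that still need attention.
$failed = @($results | Where-Object { -not $_.Succeeded })
"{0} updated, {1} failed" -f (@($results).Count - $failed.Count), $failed.Count
$failed | Format-Table Name, ResourceGroup, StatusCode, Detail -AutoSize
```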

Monitor Azure Arc agent automatic upgrade status

It’s important to monitor which Azure Arc enabled servers have Auto Agent Upgrade enabled. This helps you identify which agents update automatically and which require manual updates.

To see which Arc-enabled servers have the feature enabled, you can run the following Kusto (KQL) query in Azure Resource Graph Explorer:

resources
| where type =~ 'microsoft.hybridcompute/machines'
| extend PropertiesObject = parse_json(properties)
| extend agentUpgradeObj = parse_json(PropertiesObject.agentUpgrade)
| project name, enableAutomaticUpgrade = tostring(agentUpgradeObj.enableAutomaticUpgrade)

This query lists the name of each Arc-enabled server and whether the Auto Agent Upgrade feature is enabled.

I’ve also updated my Azure Arc Windows and Linux Dashboard to show this information as well. 

Wrapping Up

Keeping agents up to date no longer needs to be a manual or complex task. With automatic upgrades in Azure Arc, you can gain peace of mind that your servers always have the latest fixes, features and security improvements. Whether you manage a handful of servers or hundreds across subscriptions, enabling this preview feature can save time and reduce risk. Try it out, monitor the results, and let me know how you get on!