Hold your Azure Related Machine agent up-to-date on a Home windows Server – Wim Matthyssen

On this weblog submit, you’ll learn to hold the Azure Related Machine agent up-to-date on Azure Arc-enabled Home windows servers, guaranteeing safe and dependable connectivity.

Conserving your Azure Related Machine agent up-to-date is crucial for sustaining a safe, supported, well-managed Azure Arc surroundings. Outdated brokers can result in missed updates, damaged insurance policies, and potential safety dangers.

Microsoft usually updates the Azure Related Machine agent to introduce new options, enhance efficiency, and deal with newly found threats. These updates guarantee your surroundings is protected and aligned with the newest enhancements.

💡 Because the time of writing, the newest model of the Azure Related Machine agent is 1.51. To remain knowledgeable about future releases, you possibly can discuss with the offical Microsoft Be taught web page.

On this weblog submit, you’ll learn to automate Azure Related Machine agent updates, serving to guarantee your Arc-enabled Home windows servers stay compliant, safe, and operational with minimal guide effort.

Desk of Contents

Conditions

• A standalone (workgroup) bodily or digital server working Home windows Server 2019, 2022, or 2025, onboarded to Azure Arc and utilizing Azure Related Machine agent model 1.50 or later.
• A website-joined bodily or digital server working Home windows Server 2019, 2022, or 2025, onboarded to Azure Arc with Azure Related Machine agent model 1.50 or later.
• A website controller or member server with entry to the Group Coverage Administration Console (GPMC) to create and configure a brand new Group Coverage Object (GPO).
• A area person account with permissions to create and configure Group Coverage Objects (GPOs).

Manually configure Azure Related Machine agent updates domestically from the server

To replace the Azure Related Machine agent by way of Home windows Replace, make sure that your system is about to obtain updates for different Microsoft merchandise.

To do that, RDP into the server and sign up with an account that has the required permissions. Then, open the Run dialog (Home windows + R), kind “ms-settings:“, and click on OK.

This may open the Home windows Settings app. From there, you possibly can navigate to Home windows Replace (or Replace 1 Safety on an older server OS the Home windows Server 2025).

This may open the Home windows Settings app. From there, navigate to Home windows Replace (or Replace & Safety on older server OS variations, resembling Home windows Server 2019 or 2022).

Subsequent, click on on Superior choices and toggle the slider subsequent to Obtain updates for different Microsoft merchandise (once you replace Home windows. – on older OS variations) to On.

Then click on “Test for updates” to see if the Azure Related Machine agent replace is obtainable. Chances are you’ll must examine greater than as soon as, particularly if you happen to simply enabled the Microsoft product updates setting.

Configure Azure Related Machine Agent updates utilizing a PowerShell script

Slightly than configuring the settings manually, you possibly can automate the method utilizing PowerShell, as outlined on this part.

Right here’s a quick overview of the PowerShell script I take advantage of for this course of:

• Test if PowerShell is working as Administrator, in any other case exit the script.
• Allow “Obtain updates for different Microsoft merchandise”.
• Register the Microsoft Replace service.
• Test for brand spanking new updates.

To make use of the script, begin by saving it as “Allow-Obtain-Updates-for-Different-Microsoft-Merchandise-WS2019-WS2022-WS2025.ps1”, or obtain it immediately from GitHub. Customise the variables to suit your particular surroundings, then run the script in Home windows PowerShell (as Administrator) immediately on the goal server.

💡 I sometimes reserve it domestically within the C:Temp folder on the server and run it from there.

## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Variables

$international:currenttime= Set-PSBreakpoint -Variable currenttime -Mode Learn -Motion {$international:currenttime= Get-Date -UFormat "%A %m/%d/%Y %R"}
$foregroundColor1 = "Inexperienced"
$foregroundColor2 = "Yellow"
$foregroundColor3 = "Crimson"
$writeEmptyLine = "`n"
$writeSeperatorSpaces = " - "

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Test if PowerShell is working as Administrator, in any other case exit the script

$currentPrincipal = New-Object Safety.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())

if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
   Write-Host ($writeEmptyLine + "# Please run PowerShell as Administrator" + $writeSeperatorSpaces + $currentTime)`
   -foregroundcolor $foregroundColor3 $writeEmptyLine
    exit
}
 
## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Write script began

Write-Host ($writeEmptyLine + "# Script began. With out errors, it could possibly take as much as 1 minute to finish" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolorv $foregroundColor1 $writeEmptyLine 

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Allow "Obtain updates for different Microsoft merchandise" 

$ServiceManager = New-Object -ComObject "Microsoft.Replace.ServiceManager"

# Add the Microsoft Replace service
# 7 = Microsoft Replace(permits updates for different Microsoft merchandise)
$ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d", 7, "")

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Test if "Obtain updates for different Microsoft merchandise" is enabled

# Test if the service is registered
$msUpdateService = $ServiceManager.GetServices() | The place-Object { $_.ServiceID -eq "7971f918-a847-4430-9279-4a52d1efe18d" }

if ($msUpdateService) {
   Write-Host ($writeEmptyLine + "# The setting 'Obtain updates for different Microsoft merchandise' is enabled." + $writeSeperatorSpaces + $currentTime)`
   -foregroundcolor $foregroundColor2 $writeEmptyLine
} else {
   Write-Host ($writeEmptyLine + "# The setting 'Obtain updates for different Microsoft merchandise' is NOT enabled." + $writeSeperatorSpaces + $currentTime)`
   -foregroundcolor $foregroundColor3 $writeEmptyLine 
}

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Test for brand spanking new updates

Write-Host ($writeEmptyLine + "# Checking for brand spanking new updates..." + $writeSeperatorSpaces + $currentTime)` -foregroundcolor $foregroundColor2 $writeEmptyLine

strive {
    $updateSession = New-Object -ComObject "Microsoft.Replace.Session"
    $updateSearcher = $updateSession.CreateUpdateSearcher()
    $searchResult = $updateSearcher.Search("IsInstalled=0")

    if ($searchResult.Updates.Depend -gt 0) {
        Write-Host ($writeEmptyLine + "# New updates can be found:" + $writeSeperatorSpaces + $currentTime)` -foregroundcolor $foregroundColor2 $writeEmptyLine
        foreach ($replace in $searchResult.Updates) {
            Write-Host ("- " + $replace.Title) -foregroundcolor $foregroundColor1
        }
    } else {
        Write-Host ($writeEmptyLine + "# No new updates can be found." + $writeSeperatorSpaces + $currentTime)` -foregroundcolor $foregroundColor2 $writeEmptyLine
    }
} catch {
    Write-Host ($writeEmptyLine + "# An error occurred whereas checking for updates: $_" + $writeSeperatorSpaces + $currentTime)` -foregroundcolor $foregroundColor3 $writeEmptyLine
}

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Write script accomplished

Write-Host ($writeEmptyLine + "# Script accomplished" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine 

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

💡 If the server has pending updates prepared to put in, make sure that to put in them first earlier than checking for brand spanking new updates once more. In any other case, the system might not detect the agent replace.

Automate Azure Related Machine Agent updates utilizing Group Coverage on domain-joined servers

In case your servers are a part of a website, it’s typically simpler and extra environment friendly to make use of a Group Coverage Object (GPO) to handle settings just like the Obtain updates for different Microsoft merchandise choice in Home windows Replace.

Enabling this setting additionally helps be certain that the Azure Related Machine agent stays updated. To configure it, log in to one in all your administration servers that has the Group Coverage Administration Console (GPMC) put in.

Begin by utilizing Distant Desktop (RDP) to connect with the server. Then, open Run (Home windows + R), kind “gpmc.msc“, and press Enter (or click on OK) to launch the Group Coverage Administration Console.

Within the Group Coverage Administration Console, navigate to the OU or area stage the place you wish to create a brand new GPO, or choose an present GPO the place you’d like so as to add the brand new setting. Proper-click the situation, then select “Create a GPO on this area, and Hyperlink it right here…” from the context menu.

Give the brand new GPO a transparent, human-readable identify, resembling Computer_WindowsUpdate_EnableMicrosoftProductUpdates_v1, then press Enter or click on OK to proceed.

Then, right-click the newly created GPO and choose “Edit“.

Then navigate to Laptop Configuration > Insurance policies > Administrative Templates: Coverage definitions (ADMX recordsdata) retrieved from the central retailer > Home windows Elements > Home windows Replace.

💡As a finest follow, it’s endorsed to retailer AMDX (Administrative Template XML) and AMDL (Administrative Template Language) recordsdata in a Central Retailer to make sure constant entry and model management, whereas additionally enhancing safety, backup, and administration.

Within the Home windows Replace folder, discover the setting known as “Configure Automated Updates” and double-click it to configure.

Begin by setting the coverage to “Enabled“. Then, below the Choices: part, examine the field for “Set up updates for different Microsoft merchandise“. Click on “OK” to use the modifications.

💡 It may take a while for a GPO to be utilized relying in your Group Coverage settings. By default, GPO settings are refreshed each 90 minutes.

If you wish to take a look at this coverage instantly, go surfing to a member server that’s a part of the OU the place the GPO is utilized. Open a Command Immediate and run the next command:

You possibly can then manually examine if the setting was utilized accurately. If it was, the choice might be grayed out and not editable, indicating that it’s being managed by a Group Coverage.

Agent updates by way of Azure Replace Supervisor

In case you’re utilizing Azure Replace Supervisor (AUM) to handle Home windows and different updates in your Azure Arc-enabled servers, it is going to robotically detect and deal with the Azure Related Machine agent updates, whatever the configuration technique you used.

Simply as you’d anticipate, the newest agent replace will seem on each the AUM Pending Updates web page and the Updates web page of the Azure Arc–enabled server, as proven within the screenshots under.

Conclusion

Conserving the Azure Related Machine agent up-to-date is crucial for sustaining a safe, secure, and totally supported hybrid surroundings with Azure Arc. By staying present, you guarantee your Home windows Server machines can reliably leverage the newest options, efficiency enhancements, and safety enhancements Azure Arc has to supply.

I hope the steps and strategies shared on this submit make it simpler so that you can configure this in your individual hybrid setup.

You probably have any questions or options about this weblog submit, be at liberty to achieve out to me on X (@wmatthyssen) or drop a remark. I’ll be joyful to assist!