Azure Arc Blog

Run the latest Azure Arc agent with Automatic Agent Upgrade (Public Preview)

yunishussein (Microsoft)
Apr 03, 2026

Introducing Automatic Agent Upgrade at Scale using Azure Policy and a new CLI flag

Customers managing large fleets of Azure Arc servers need a scalable way to ensure the Azure Arc agent stays up to date without manual intervention. Per-server configuration does not scale, and gaps in upgrade coverage can lead to operational drift, missed features, and delayed security updates.

To address this, we’re introducing two new options to help customers enable Automatic Agent Upgrade at scale: a built-in Azure Policy and a new onboarding CLI flag.

The built-in policy makes it easy to check whether Automatic Agent Upgrade is enabled across a given scope and automatically remediates servers that are not compliant.

For servers being newly onboarded, customers can enable the feature at onboarding by adding the --enable-automatic-upgrade flag to the azcmagent connect command, ensuring the agent is configured correctly from the start.

What is Automatic Agent Upgrade?

Automatic Agent Upgrade is a feature, in public preview, that automatically keeps the Azure Connected Machine agent (Arc agent) up to date. Updates are managed by Microsoft, so once enabled, customers no longer need to manually manage agent upgrades.

By always running the latest agent version, customers receive all the newest capabilities, security updates, and bug fixes as soon as they’re released. Learn more: What's new with Azure Connected Machine agent - Azure Arc | Microsoft Learn.

Getting Started

Apply automatic agent upgrade policy

  1. Navigate to the ‘Policy’ blade in the Azure Portal.

  2. Navigate to the ‘Compliance’ section and click ‘Assign Policy’.

  3. Fill out the required sections:
    • Scope: Subscription and resource group (optional) that policy will apply to
    • Policy definition: Configure Azure Arc-enabled Servers to enable automatic upgrades

  4. Navigate to the ‘Remediation’ tab and check the box next to ‘Create a remediation task’.

  5. Navigate to the ‘Review + create’ tab and press ‘Create’. The Policy has been successfully applied to the scope.

For more information on this process, see Quickstart: Create policy assignment using Azure portal - Azure Policy | Microsoft Learn.

Apply automatic agent upgrade CLI Flag

Adding the following flag enables automatic agent upgrade during onboarding:

--enable-automatic-upgrade

While this flag can be used on a single server, it can also be applied at scale by adding it to one of the existing Azure Arc at-scale onboarding methods. See Connect hybrid machines to Azure at scale - Azure Arc | Microsoft Learn.

Here is an at-scale onboarding sample using a basic script:

azcmagent connect --resource-group {rg} --location {location} --subscription-id {subid} --service-principal-id {service principal id} --service-principal-secret {service principal secret} --tenant-id {tenant id} --enable-automatic-upgrade
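
A wrapper around the sample command above, as an added example that is not part of the original post: it takes the values from environment variables, refuses to run while any of them is empty or still a {placeholder}, and keeps the secret out of dry-run output. The ARC_* variable names and the arc_check_settings / arc_connect functions are hypothetical; the azcmagent flags are only the ones shown in the sample.

```shell
#!/bin/sh
# Added example: onboarding wrapper for the sample command in this post.
# ARC_* variable names and both function names are hypothetical.

# Fail if any required setting is empty or still contains a {placeholder}.
arc_check_settings() {
    for name in ARC_RESOURCE_GROUP ARC_LOCATION ARC_SUBSCRIPTION_ID \
                ARC_SP_ID ARC_SP_SECRET ARC_TENANT_ID; do
        eval "value=\${$name:-}"
        case "$value" in
            ''|*'{'*|*'}'*) echo "missing or unfilled setting: $name" >&2; return 1 ;;
        esac
    done
}

# Run the connect command, or with ARC_DRY_RUN=1 print it with the secret redacted.
arc_connect() {
    arc_check_settings || return 1
    set -- connect \
        --resource-group "$ARC_RESOURCE_GROUP" \
        --location "$ARC_LOCATION" \
        --subscription-id "$ARC_SUBSCRIPTION_ID" \
        --service-principal-id "$ARC_SP_ID" \
        --service-principal-secret "$ARC_SP_SECRET" \
        --tenant-id "$ARC_TENANT_ID" \
        --enable-automatic-upgrade
    if [ "${ARC_DRY_RUN:-0}" = "1" ]; then
        # Log what would run; the value after the secret flag is never printed.
        printf 'azcmagent'
        redact=0
        for arg in "$@"; do
            if [ "$redact" = "1" ]; then
                printf ' %s' '<redacted>'; redact=0
            else
                printf ' %s' "$arg"
                if [ "$arg" = "--service-principal-secret" ]; then redact=1; fi
            fi
        done
        printf '\n'
        return 0
    fi
    azcmagent "$@"
}
```

The secret still reaches azcmagent as a command-line argument, exactly as in the sample; the wrapper only keeps it out of the script file and out of dry-run logs.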

 

To get started with this feature or learn more, refer to Manage and maintain the Azure Connected Machine agent - Azure Arc | Microsoft Learn.

Published Apr 03, 2026
Version 1.0

2 Comments

  • Thanks for sharing and creating this content! It's great to be able to keep AzureArc Agents current automatically after onboarding without relying on Windows Updates or other tools! 💚