This blog walks through a practical, enterprise‑ready approach to enabling automatic upgrades for the Azure Arc Connected Machine agent at scale. Instead of a blanket enablement, it demonstrates how to use Azure PowerShell and ARM PATCH operations to selectively turn on agent auto‑upgrade for tag‑scoped Azure Arc machines, enabling controlled rollout via pilot rings. The post explains the rationale, script design, and operational safeguards, such as explicit user consent, tag‑based targeting, and per‑machine result reporting, making it a safe and repeatable pattern for managing Arc agent hygiene across large hybrid server estates.
Overview
Keeping the Azure Arc Connected Machine agent current is a foundational hygiene task for any hybrid server estate, especially when you’re operating at scale and onboarding hundreds (or thousands) of machines into Arc.
The good news: Azure Arc supports an automatic agent upgrade (preview) capability that can be enabled per Arc machine by setting the agentUpgrade.enableAutomaticUpgrade property via Azure Resource Manager (ARM). Microsoft’s public guidance shows enabling this with a PATCH call (via Invoke-AzRestMethod) against the Arc machine resource using the 2024-05-20-preview API version (see Microsoft Learn: Manage and maintain the Azure Connected Machine agent - Azure Arc).
In real environments, you rarely want to enable this across every Arc-enabled server in one shot. Instead, you typically:
- start with a pilot ring (e.g., Dev/Test or low‑risk servers),
- validate results, and then
- expand coverage gradually.
The Script: Abhishek-Sharan/ExtensionManagement: Install & Manage Extensions
The script implements exactly that approach by:
- prompting an explicit disclaimer acknowledgement (safety gate),
- selecting Arc machines by tag (a controlled blast-radius technique),
- enabling automatic upgrade using ARM PATCH through Invoke-AzRestMethod,
- producing a final summary report of success/failure per machine.
This post walks through what the script does, why each section exists, and what to consider before using it in production.
Why Tag‑Scoped Enablement?
In many enterprise deployments, tags are the simplest way to define a “ring” of servers:
- Ring=Pilot
- Environment=NonProd
- Workload=LowRisk
This script discovers resources of type Microsoft.HybridCompute/machines in a given resource group and filters them by a tag/value pair. That makes it easy to:
- onboard machines first,
- apply tags as part of provisioning,
- then flip on agent auto-upgrade only for the right cohort.
Script Details (Walkthrough)
1) Safety Gate: Disclaimer + Explicit User Consent
This script prints a disclaimer block and requires the operator to type Y to proceed. If the user types anything else, the script exits.
Why it matters:
- It prevents accidental execution (especially in shared shells or jump boxes).
- It reinforces that this is a potentially impactful change across multiple machines.
2) Configuration: Subscription, Resource Group, and Tag Scope
The script sets the active Azure context:
Set-AzContext -Subscription "YOUR SUBSCRIPTION"
Then defines:
- $resourceGroup
- $tagName, $tagValue
3) Discovery: Find Azure Arc Machines with a Target Tag
Discovery uses:
- Get-AzResource -ResourceType "Microsoft.HybridCompute/machines"
- filters by tag match on the returned resource object.
This ensures you are only targeting Arc-enabled servers represented as Microsoft.HybridCompute/machines resources (and not, for example, Azure VMs or other compute types in the same resource group).
If no machines are found, the script exits cleanly, which avoids the “silent no-op” problem and helps operators quickly validate that scope selection is correct.
4) Update: Enable Automatic Upgrade via ARM PATCH
For each machine, the script uses Invoke-AzRestMethod with:
- ResourceProviderName = "Microsoft.HybridCompute"
- ResourceType = "Machines"
- ApiVersion = "2024-05-20-preview"
- Method = "PATCH"
- Payload = '{"properties":{"agentUpgrade":{"enableAutomaticUpgrade":true}}}'
5) Output: Per‑Machine Result + Final Summary Table
The script records results into an array of PSCustomObject entries with:
- MachineName
- EnableAutomaticUpgrade
- Result (Success/Failed)
Then prints a formatted table.
This is useful for:
- quick operator confirmation,
- change records,
- attaching output to internal work items / change tickets.
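The following is an added example that puts the five steps above together in one runnable Azure PowerShell script. It is not the repository's script; the subscription ID is a placeholder, and the resource group name and Ring=Pilot tag pair are constructed values. Two things go slightly beyond the walkthrough: a GET before each PATCH so that machines already enabled are reported rather than re-patched, and -WhatIf support so an operator can preview the exact cohort before changing anything. Note that Invoke-AzRestMethod does not throw on a non-2xx response, so the script checks StatusCode explicitly rather than relying on try/catch.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example (not the repository's code): tag-scoped enablement of the
# Arc agent automatic upgrade, following the walkthrough's five steps.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SubscriptionId = "YOUR-SUBSCRIPTION-ID",   # placeholder
    [string]$ResourceGroup  = "rg-arc-pilot",           # constructed example value
    [string]$TagName        = "Ring",                   # constructed example tag
    [string]$TagValue       = "Pilot",
    [string]$ApiVersion     = "2024-05-20-preview"      # preview API version from Microsoft's guidance
)

# 1) Safety gate: the operator must type exactly "Y" to continue.
Write-Host "This enables agentUpgrade.enableAutomaticUpgrade on every Azure Arc machine"
Write-Host "in resource group '$ResourceGroup' tagged $TagName=$TagValue (subscription $SubscriptionId)."
if ((Read-Host "Type Y to proceed") -ne "Y") {
    Write-Host "Aborted by operator; no changes made."
    return
}

# 2) Configuration: select the subscription context.
Set-AzContext -Subscription $SubscriptionId | Out-Null

# 3) Discovery: Arc machines only, then filter on the tag/value pair.
#    -eq is case-insensitive in PowerShell, so Pilot and pilot both match.
$machines = Get-AzResource -ResourceGroupName $ResourceGroup `
                           -ResourceType "Microsoft.HybridCompute/machines" |
    Where-Object { $_.Tags -and $_.Tags[$TagName] -eq $TagValue }

if (-not $machines) {
    Write-Warning "No Microsoft.HybridCompute/machines resources tagged $TagName=$TagValue in '$ResourceGroup'. Check the scope and exit."
    return
}

# 4) Update: PATCH each machine through ARM.
$payload = '{"properties":{"agentUpgrade":{"enableAutomaticUpgrade":true}}}'

$results = foreach ($m in $machines) {
    $common = @{
        SubscriptionId       = $SubscriptionId
        ResourceGroupName    = $ResourceGroup
        ResourceProviderName = "Microsoft.HybridCompute"
        ResourceType         = "machines"
        Name                 = $m.Name
        ApiVersion           = $ApiVersion
    }

    # Idempotency check (addition beyond the walkthrough): read current state first.
    $current = Invoke-AzRestMethod @common -Method GET
    $alreadyEnabled = $false
    if ($current.StatusCode -eq 200) {
        $props = ($current.Content | ConvertFrom-Json).properties
        $alreadyEnabled = ($props.agentUpgrade.enableAutomaticUpgrade -eq $true)
    }
    if ($alreadyEnabled) {
        [PSCustomObject]@{ MachineName = $m.Name; EnableAutomaticUpgrade = $true; Result = "AlreadyEnabled" }
        continue
    }

    # -WhatIf / -Confirm support: report the intended change without sending the PATCH.
    if (-not $PSCmdlet.ShouldProcess($m.Name, "Set agentUpgrade.enableAutomaticUpgrade=true")) {
        [PSCustomObject]@{ MachineName = $m.Name; EnableAutomaticUpgrade = $false; Result = "Skipped (WhatIf)" }
        continue
    }

    $resp = Invoke-AzRestMethod @common -Method PATCH -Payload $payload
    # Invoke-AzRestMethod returns the response even on failure; judge success by status code.
    $ok = $resp.StatusCode -in 200, 202
    $result = if ($ok) { "Success" } else { "Failed (HTTP $($resp.StatusCode))" }
    [PSCustomObject]@{ MachineName = $m.Name; EnableAutomaticUpgrade = $ok; Result = $result }
}

# 5) Output: per-machine results as a table the operator can attach to a change record.
$results | Format-Table MachineName, EnableAutomaticUpgrade, Result -AutoSize
```

Run it once with -WhatIf to confirm that the discovered cohort is the pilot ring you expect, then run it without the switch; the final table is the artifact worth pasting into the change ticket. Expanding to the next ring is a matter of changing -TagValue, not editing the script.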
Conclusion
This script is a solid operational accelerant for teams managing Arc-enabled servers at scale. It combines:
- safety (explicit disclaimer + opt-in),
- control (tag-based targeting),
- automation (bulk enabling via ARM PATCH),
- observability (clear per-server results and a final summary).
If you’re trying to standardize operational hygiene across hundreds of Arc machines, tag-scoped enablement like this is one of the cleanest ways to start small, learn safely, and then scale.