Use Azure Automanage to create a management baseline for the connected machines, enabling update management and inventory.



The operational compliance for Azure virtual machines recommends leveraging the services shown below, which historically have all been individually configured.

Azure Automanage

The good news is that Azure Automanage simplifies management by bringing these various services together under best practice configurations covering both Production and Test/Dev scenarios.

Once your on prem machines are Azure Arc-enabled then you can also take advantage of Automanage as you go beyond monitoring, alerting and security. For Azure-Arc VMs it has the benefit of installing the older MMA and Dependency agents. This hack does not use them for logs and metrics (preferring to use the AMA agents), but they are currently used for other functionality such as change and update management.

Please note that this is currently a preview service, and it does not yet cover all of the services in the diagram for Azure Arc VMs, but it is the fastest and simplest way to install the agents and benefit from:

  • configuration management
  • update management
  • change tracking and inventory
  • automation accounts


Note that everything we have done with Azure Arc so far has been free, if you ignore the costs relating to other Azure services such as additional Azure Monitor workspace usage.

Be aware that using Azure Policy guest configuration (including Azure Automation change tracking, inventory, state configuration) has a monthly per server Azure Arc price.

Azure Automanage


  • Enable Automanage on the 6 Azure Arc-enabled VMs

    • create a new Automation Account called arc-pilot-automanage
  • What is the difference between Prod and Test/Dev configurations?

  • Which services are not yet available for Azure Arc-enabled servers?

  • Which services can be customised?

It will take a little while for the servers to become configured and the associated services to propgate and send data. Once complete then explore one of the Windows Azure Arc-enabled VMs.

  • Which additional Azure Policies have been applied?
  • Which additional extensions have been installed?
  • Explore the Insights in the Monitoring blade
  • Explore the Inventory on the Operations blade

Update Management

  • Schedule update deployments
    • arc-windows-security-weekly
    • arc-windows-full-monthly
    • arc-linux-security-weekly
    • arc-linux-full-monthly
  • Report update compliance
  • Trigger an update deployment and measure its success
  • Write a Log Analytics query (optional) to report on
    • the installed Windows Updates
    • the required Windows Updates

Inventory and Change Tracking

The change tracking is more interesting once the servers have been configured for a longer period of time, but we can force a change through

  • Review the Inventory on a linux VM
  • Install the tree package on one of the linux VMs
    • For Ubuntu: sudo apt update && sudo apt install tree
  • Review the change tracking
    • Explore the settings
  • Write a Log Analytics query (optional) to report on
    • the Python software versions on the linux Azure Arc-enabled servers

Azure Monitor Workbooks

  • Create an update assessment Workbook to visualize update compliance and detail missing updates

Success criteria

Screen share with your proctor to show that you achieved:

  1. Successfully Automanaged Azure Arc VMs
  2. Deployment schedules are in place for both security and full updates
  3. Report on the current update compliance state for all Azure Arc virtual machines
  4. Show the inventory and update history
    • software and services on Windows
    • software and linux daemons , Windows Services and Linux Daemons display in the inventory
    • show the change in installed software
  5. Show update compliance with an Azure Monitor Workbook


Help us improve

Azure Citadel is a community site built on GitHub, please contribute and send a pull request

Make a change