Keep your Azure Connected Machine agent up-to-date on a Windows Server – Wim Matthyssen

In this blog post, you’ll learn how to keep the Azure Connected Machine agent up-to-date on Azure Arc-enabled Windows servers, ensuring secure and reliable connectivity.

Keeping your Azure Connected Machine agent up-to-date is critical for maintaining a secure, supported, well-managed Azure Arc environment. Outdated agents can lead to missed updates, broken policies, and potential security risks.

Microsoft regularly updates the Azure Connected Machine agent to introduce new features, improve performance, and address newly discovered threats. These updates ensure your environment is protected and aligned with the latest improvements.

💡 At the time of writing, the latest version of the Azure Connected Machine agent is 1.51. To stay informed about future releases, you can refer to the official Microsoft Learn page.

In this blog post, you’ll learn how to automate Azure Connected Machine agent updates, helping ensure your Arc-enabled Windows servers remain compliant, secure, and operational with minimal manual effort.

Table of Contents

Prerequisites

  • A standalone (workgroup) physical or virtual server running Windows Server 2019, 2022, or 2025, onboarded to Azure Arc and using Azure Connected Machine agent version 1.50 or later.
  • A domain-joined physical or virtual server running Windows Server 2019, 2022, or 2025, onboarded to Azure Arc with Azure Connected Machine agent version 1.50 or later.
  • A domain controller or member server with access to the Group Policy Management Console (GPMC) to create and configure a new Group Policy Object (GPO).
  • A domain user account with permissions to create and configure Group Policy Objects (GPOs).

Manually configure Azure Connected Machine agent updates locally from the server

To update the Azure Connected Machine agent through Windows Update, make sure your system is set to receive updates for other Microsoft products.

To do this, RDP into the server and sign in with an account that has the necessary permissions. Then, open the Run dialog (Windows + R), type “ms-settings:”, and click OK.


This will open the Windows Settings app. From there, navigate to Windows Update (or Update & Security on older server OS versions, such as Windows Server 2019 or 2022).


Next, click Advanced options and set the toggle next to Receive updates for other Microsoft products to On (on older OS versions the option is labelled Receive updates for other Microsoft products when you update Windows).


Then click “Check for updates” to see if the Azure Connected Machine agent update is offered. You may need to check more than once, especially if you just enabled the Microsoft product updates setting.


Configure Azure Connected Machine Agent updates using a PowerShell script

Rather than configuring the settings manually, you can automate the process using PowerShell, as outlined in this section.

Here’s a brief overview of the PowerShell script I use for this process:

  • Check if PowerShell is running as Administrator, otherwise exit the script.
  • Enable “Receive updates for other Microsoft products”.
  • Register the Microsoft Update service.
  • Check for new updates.

To use the script, start by saving it as “Enable-Receive-Updates-for-Other-Microsoft-Products-WS2019-WS2022-WS2025.ps1”, or download it directly from GitHub. Customize the variables to fit your specific environment, then run the script in Windows PowerShell (as Administrator) directly on the target server.

💡 I typically save it locally in the C:\Temp folder on the server and run it from there.

<#
.SYNOPSIS

A script used to enable "Receive updates for other Microsoft products" on Windows Server 2019, 2022, or 2025.

.DESCRIPTION

A script used to enable "Receive updates for other Microsoft products" on Windows Server 2019, 2022, or 2025.
This script will do all of the following:

Check if PowerShell is running as Administrator, otherwise exit the script.
Enable "Receive updates for other Microsoft products". 
Check if "Receive updates for other Microsoft products" is enabled.
Check for new updates.

.NOTES

File Name:     Enable-Receive-updates-for-other-Microsoft-products-WS2019-WS2022-WS2025.ps1
Created:       29/04/2025
Last Modified: 29/04/2025
Author:        Wim Matthyssen
PowerShell:    Version 5.1 or later
Requires:      -RunAsAdministrator
OS Support:    Windows Server 2019, 2022, and 2025
Version:       1.0
Note:          Update variables as needed to fit your environment
Disclaimer:    This script is provided "As Is" without any warranties.

.EXAMPLE

.\Enable-Receive-updates-for-other-Microsoft-products-WS2019-WS2022-WS2025.ps1

.LINK

Azure Arc: Keep your Azure Connected Machine agent up-to-date on a Windows Server
#>

## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Variables

$global:currenttime= Set-PSBreakpoint -Variable currenttime -Mode Read -Action {$global:currenttime= Get-Date -UFormat "%A %m/%d/%Y %R"}
$foregroundColor1 = "Green"
$foregroundColor2 = "Yellow"
$foregroundColor3 = "Red"
$writeEmptyLine = "`n"
$writeSeperatorSpaces = " - "

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Check if PowerShell is running as Administrator, otherwise exit the script

$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())

if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host ($writeEmptyLine + "# Please run PowerShell as Administrator" + $writeSeperatorSpaces + $currentTime)`
    -foregroundcolor $foregroundColor3 $writeEmptyLine
    exit
}

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Write script started

Write-Host ($writeEmptyLine + "# Script started. Without errors, it can take up to 1 minute to complete" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Enable "Receive updates for other Microsoft products"

$ServiceManager = New-Object -ComObject "Microsoft.Update.ServiceManager"

# Add the Microsoft Update service (enables updates for other Microsoft products)
# ServiceID 7971f918-a847-4430-9279-4a52d1efe18d = Microsoft Update
# Flags 7 = asfAllowPendingRegistration (1) + asfAllowOnlineRegistration (2) + asfRegisterServiceWithAU (4)
$ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d", 7, "")

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Check if "Receive updates for other Microsoft products" is enabled

# Check if the service is registered (IUpdateServiceManager exposes the registered services through its Services property)
$msUpdateService = $ServiceManager.Services | Where-Object { $_.ServiceID -eq "7971f918-a847-4430-9279-4a52d1efe18d" }

if ($msUpdateService) {
    Write-Host ($writeEmptyLine + "# The setting 'Receive updates for other Microsoft products' is enabled." + $writeSeperatorSpaces + $currentTime)`
    -foregroundcolor $foregroundColor2 $writeEmptyLine
} else {
    Write-Host ($writeEmptyLine + "# The setting 'Receive updates for other Microsoft products' is NOT enabled." + $writeSeperatorSpaces + $currentTime)`
    -foregroundcolor $foregroundColor3 $writeEmptyLine
}

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Check for new updates

Write-Host ($writeEmptyLine + "# Checking for new updates..." + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor2 $writeEmptyLine

try {
    $updateSession = New-Object -ComObject "Microsoft.Update.Session"
    $updateSearcher = $updateSession.CreateUpdateSearcher()
    # Search for all updates that are not yet installed on this server
    $searchResult = $updateSearcher.Search("IsInstalled=0")

    if ($searchResult.Updates.Count -gt 0) {
        Write-Host ($writeEmptyLine + "# New updates are available:" + $writeSeperatorSpaces + $currentTime)`
        -foregroundcolor $foregroundColor2 $writeEmptyLine
        foreach ($update in $searchResult.Updates) {
            Write-Host ("- " + $update.Title) -foregroundcolor $foregroundColor1
        }
    } else {
        Write-Host ($writeEmptyLine + "# No new updates are available." + $writeSeperatorSpaces + $currentTime)`
        -foregroundcolor $foregroundColor2 $writeEmptyLine
    }
} catch {
    Write-Host ($writeEmptyLine + "# An error occurred while checking for updates: $_" + $writeSeperatorSpaces + $currentTime)`
    -foregroundcolor $foregroundColor3 $writeEmptyLine
}

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Write script completed

Write-Host ($writeEmptyLine + "# Script completed" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

💡 If the server has pending updates ready to install, make sure to install them first before checking for new updates again. Otherwise, the system may not detect the agent update.
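The script above registers Microsoft Update and lists every pending update. The following is an added example, not part of the original post or of its script: it reports the installed agent version and checks whether Microsoft Update specifically offers an Azure Connected Machine agent update, which is the question you usually want answered during a change window. It assumes the azcmagent CLI that ships with the agent is on PATH, that the Microsoft Update service is already registered (the script above does that), and that the update's title contains the words "Azure Connected Machine Agent".

```powershell
# Added example (not the post's own script). Assumptions: azcmagent is on PATH, Microsoft Update
# is already registered, and the agent update's Windows Update title contains
# "Azure Connected Machine Agent".

$muServiceId = "7971f918-a847-4430-9279-4a52d1efe18d"   # Microsoft Update service ID (same as in the script above)

function Get-ArcAgentVersion {
    # The agent ships its own CLI; a missing command means this server is not onboarded to Azure Arc.
    $cmd = Get-Command azcmagent -ErrorAction SilentlyContinue
    if (-not $cmd) { return $null }
    return (& $cmd.Source version 2>$null) -join " "
}

function Test-MicrosoftUpdateRegistered {
    $serviceManager = New-Object -ComObject "Microsoft.Update.ServiceManager"
    return [bool]($serviceManager.Services | Where-Object { $_.ServiceID -eq $muServiceId })
}

function Get-PendingArcAgentUpdates {
    # Search Microsoft Update explicitly (ServerSelection 3 = ssOthers, together with ServiceID)
    # so the answer does not depend on which update source this machine defaults to.
    $session  = New-Object -ComObject "Microsoft.Update.Session"
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3
    $searcher.ServiceID = $muServiceId
    $result = $searcher.Search("IsInstalled=0 and Type='Software'")
    return @($result.Updates | Where-Object { $_.Title -like "*Azure Connected Machine Agent*" })
}

$version = Get-ArcAgentVersion
if ($version) {
    Write-Host "Installed agent: $version"
} else {
    Write-Warning "azcmagent not found; is this server onboarded to Azure Arc?"
}

if (-not (Test-MicrosoftUpdateRegistered)) {
    Write-Warning "Microsoft Update is not registered; the agent update will never be offered on this server."
}

$pending = Get-PendingArcAgentUpdates
if ($pending.Count -eq 0) {
    Write-Host "No Azure Connected Machine agent update pending." -ForegroundColor Green
} else {
    foreach ($u in $pending) {
        # Title and download size are what you need when staging the update through a change window
        Write-Host ("Pending: {0} ({1:N1} MB)" -f $u.Title, ($u.MaxDownloadSize / 1MB)) -ForegroundColor Yellow
    }
}
```

Run it from an elevated Windows PowerShell session on the Arc-enabled server. A warning from the second check is the most common reason the agent never updates: Windows Update alone does not carry the agent, only Microsoft Update does.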

Automate Azure Connected Machine Agent updates using Group Policy on domain-joined servers

If your servers are part of a domain, it’s often easier and more efficient to use a Group Policy Object (GPO) to manage settings like the Receive updates for other Microsoft products option in Windows Update.

Enabling this setting also helps ensure that the Azure Connected Machine agent stays up to date. To configure it, log in to one of your management servers that has the Group Policy Management Console (GPMC) installed.

Start by using Remote Desktop (RDP) to connect to the server. Then, open Run (Windows + R), type “gpmc.msc“, and press Enter (or click OK) to launch the Group Policy Management Console.


In the Group Policy Management Console, navigate to the OU or domain level where you want to create a new GPO, or select an existing GPO where you’d like to add the new setting. Right-click the location, then choose “Create a GPO in this domain, and Link it here…” from the context menu.


Give the new GPO a clear, human-readable name, such as Computer_WindowsUpdate_EnableMicrosoftProductUpdates_v1, then press Enter or click OK to continue.


Then, right-click the newly created GPO and select “Edit“.


Then navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) retrieved from the central store > Windows Components > Windows Update.

💡 As a best practice, it is recommended to store ADMX (Administrative Template XML) and ADML (Administrative Template Language) files in a Central Store to ensure consistent access and version control, while also enhancing security, backup, and management.


In the Windows Update folder, find the setting called “Configure Automatic Updates” and double-click it to configure.


Start by setting the policy to “Enabled“. Then, under the Options: section, check the box for “Install updates for other Microsoft products“. Click “OK” to apply the changes.


💡 It can take some time for a GPO to be applied depending on your Group Policy settings. By default, GPO settings are refreshed every 90 minutes.

If you want to test this policy immediately, log on to a member server that is part of the OU where the GPO is applied. Open a Command Prompt and run the following command:


You can then manually check if the setting was applied correctly. If it was, the option will be grayed out and no longer editable, indicating that it is being managed by a Group Policy.
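Instead of clicking through Settings on each member server, the policy can be verified from PowerShell. The block below is an added example, not part of the original post: it forces a computer-policy refresh, confirms the GPO is listed among the applied computer policies, and reads the policy-managed registry values. It assumes the policy key HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, in which enabling Configure Automatic Updates writes NoAutoUpdate = 0 and the Install updates for other Microsoft products checkbox writes AllowMUUpdateService = 1 (value names as defined in WindowsUpdate.admx); the GPO name is the example name used in this post.

```powershell
# Added example (not the post's own code). Assumes the WindowsUpdate\AU policy key and value
# names from WindowsUpdate.admx, and the example GPO name from this post.

$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
$gpoName   = "Computer_WindowsUpdate_EnableMicrosoftProductUpdates_v1"

function Update-ComputerPolicy {
    # Same effect as waiting for the 90-minute background refresh, but immediately
    gpupdate /target:computer /force | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-GpoApplied {
    param([string]$Name)
    # gpresult lists applied computer GPOs by display name; a match means the link,
    # security filtering and WMI filtering all let this server receive the GPO
    $report = gpresult /r /scope:computer
    return [bool]($report -match [regex]::Escape($Name))
}

function Test-MuPolicyApplied {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $false }
    $au = Get-ItemProperty -Path $Key
    # Both values must be present: the policy Enabled (NoAutoUpdate = 0) and the checkbox ticked
    return ($au.NoAutoUpdate -eq 0) -and ($au.AllowMUUpdateService -eq 1)
}

if (-not (Update-ComputerPolicy)) {
    Write-Warning "gpupdate reported an error; check the Group Policy operational event log."
}

Write-Host ("GPO '{0}' applied to this computer: {1}" -f $gpoName, (Test-GpoApplied -Name $gpoName))
Write-Host ("'Install updates for other Microsoft products' enforced by policy: {0}" -f (Test-MuPolicyApplied -Key $policyKey))
```

A value under the Policies hive is exactly what greys out the toggle in Settings. If the GPO shows as applied but the second check returns False, the setting was usually configured under User Configuration instead of Computer Configuration, or another GPO with higher precedence also configures Configure Automatic Updates without the checkbox.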


Agent updates via Azure Update Manager

If you’re using Azure Update Manager (AUM) to manage Windows and other updates on your Azure Arc-enabled servers, it will automatically detect and handle the Azure Connected Machine agent updates, regardless of the configuration method you used.

Just as you’d expect, the latest agent update will appear on both the AUM Pending Updates page and the Updates page of the Azure Arc–enabled server, as shown in the screenshots below.


Conclusion

Keeping the Azure Connected Machine agent up-to-date is essential for maintaining a secure, stable, and fully supported hybrid environment with Azure Arc. By staying current, you ensure your Windows Server machines can reliably leverage the latest features, performance improvements, and security enhancements Azure Arc has to offer.

I hope the steps and methods shared in this post make it easier for you to configure this in your own hybrid setup.

If you have any questions or suggestions about this blog post, feel free to reach out to me on X (@wmatthyssen) or drop a comment. I’ll be happy to help!
