Deploy Azure Monitor Agent VM extension with auto-update enabled (Completed)


Description: Nerdio's current Azure Monitor Insights integration disables Azure Monitor Agent VM extension auto-updates and does not expose any product-native options for managing Azure Monitor Agent VM extension version updates on Nerdio-deployed session hosts post-deployment.

Problem: Nerdio's current Azure Monitor Insights integration defaults do not install the Azure Monitor Agent VM extension with extension auto-updates enabled (the VM extension property enableAutomaticUpgrade is not set), nor does Nerdio Manager offer a native option to enable that functionality on already-deployed AVD session hosts. Nerdio's current orchestration of this Azure VM extension only sets the property autoUpgradeMinorVersion=True, which is relevant only at the time the VM extension is deployed and has no effect on ongoing VM extension version updates post-deployment.

This behavior is inconsistent with current Microsoft best-practice guidance, which recommends enabling automatic update of this agent (https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal#update). Disabling Azure Monitor Agent extension updates is arguably an insecure default for longer-lived, persistent session hosts, because Nerdio-deployed Azure Monitor Agent extensions will not automatically receive Microsoft security patches post-deployment (e.g. see https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-29989 for a recent vulnerability in this component).

Both for organizations that want to opt into Microsoft platform-managed, automatic Azure Monitor Agent upgrades and for organizations that need to upgrade Azure Monitor Agent versions ad hoc across existing session hosts (for security or other reasons), additional custom scripting (or manual action in the Azure portal) is currently required. This functionality is not built into the Nerdio product.

Vision: Nerdio Manager's Azure Monitor Insights settings include an option that causes Nerdio to deploy Microsoft's Azure Monitor Agent VM extension with automatic version upgrades enabled (VM extension property enableAutomaticUpgrade=True).
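Until such an option exists, the "custom scripting" the request refers to looks like the following. This is an added example, not Nerdio's code: it assumes the Az.Accounts, Az.Compute and Az.ResourceGraph modules and an active Connect-AzAccount session; it audits every Azure Monitor Agent extension for the enableAutomaticUpgrade property (shown next to the autoUpgradeMinorVersion flag Nerdio does set) and then re-applies the extension with auto-upgrade enabled, preserving its existing public settings.

```powershell
# Added example, not Nerdio's own code. Assumes Az.Accounts, Az.Compute and
# Az.ResourceGraph are installed and Connect-AzAccount has been run.

# 1. Audit at scale with Azure Resource Graph: every Azure Monitor Agent extension
#    in the signed-in subscriptions where enableAutomaticUpgrade is not true.
#    autoUpgradeMinorVersion is listed too, to make the distinction visible.
function Get-AmaWithoutAutoUpgrade {
    $query = @"
resources
| where type =~ 'microsoft.compute/virtualmachines/extensions'
| where properties.publisher =~ 'Microsoft.Azure.Monitor'
| extend vmName      = tostring(split(id, '/')[8])
| extend autoMinor   = tobool(properties.autoUpgradeMinorVersion)
| extend autoUpgrade = tobool(properties.enableAutomaticUpgrade)
| where isnull(autoUpgrade) or autoUpgrade == false
| project resourceGroup, vmName, extName = name,
          version = tostring(properties.typeHandlerVersion), autoMinor, autoUpgrade
"@
    # -First caps a single call at 1000 rows; page with -Skip for larger estates.
    Search-AzGraph -Query $query -First 1000
}

# 2. Remediate one session host: re-apply its existing AMA extension with
#    enableAutomaticUpgrade=true, keeping the current type, version and settings.
function Enable-AmaAutoUpgrade {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName
    )
    $ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName |
        Where-Object { $_.Publisher -eq 'Microsoft.Azure.Monitor' }
    if (-not $ext) { Write-Warning "$VMName has no Azure Monitor Agent extension"; return }

    $params = @{
        ResourceGroupName      = $ResourceGroupName
        VMName                 = $VMName
        Name                   = $ext.Name
        Publisher              = $ext.Publisher
        ExtensionType          = $ext.ExtensionType
        TypeHandlerVersion     = $ext.TypeHandlerVersion
        Location               = $ext.Location
        EnableAutomaticUpgrade = $true
    }
    # Keep any public settings (e.g. a user-assigned identity used for DCR auth)
    # so the re-apply does not silently clear them.
    if ($ext.PublicSettings) { $params['SettingString'] = $ext.PublicSettings }
    Set-AzVMExtension @params
}

# Usage: audit, then fix each host that was found.
Get-AmaWithoutAutoUpgrade | ForEach-Object {
    Enable-AmaAutoUpgrade -ResourceGroupName $_.resourceGroup -VMName $_.vmName
}
```

Run the audit on its own first and review the list; the remediation step triggers an extension update on each host, which Nerdio's own orchestration is not aware of.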


Comments (3 comments)

Werner Smith

Any further updates on this feature request?

Tuan Dinh

Any further updates on this feature request? This issue is causing our vulnerability scan issues with OpenSSL due to an outdated AMA version. We are talking about 1K+ personal pool AVDs, so it is very time consuming to update all. At the same time, new AVDs are being deployed daily. It is not feasible to run a script daily to update. It is best to set AMA to auto upgrade at deployment.

Raul Morales

Hi everyone, thank you for bringing this to our attention.

We have captured this request and will investigate the ability to enable Azure Monitor Agent auto-upgrades at deployment as well as for existing workloads.
