
Virtual Machine agent is not provisioned

Operational Excellence · Virtual Machine · Rule · 2020_06 · Important

Virtual Machines (VMs) without an agent provisioned are unable to use monitoring, management, and security extensions.

Description

The virtual machine (VM) agent is required for most functionality that interacts with the guest operating system. This includes any VM extensions, such as Azure monitoring, management, and security features.

Extensions help reduce management overhead by providing an entry point to bootstrap VM monitoring and configuration.

By default, the VM agent is provisioned for all supported operating systems.

Recommendation

Consider automatically provisioning the VM agent for all supported operating systems to reduce management overhead of VMs.

Examples

Configure with Azure template

To deploy VMs that pass this rule:

  • Set the properties.osProfile.linuxConfiguration.provisionVMAgent property to true for Linux VMs.
  • Set the properties.osProfile.windowsConfiguration.provisionVMAgent property to true for Windows VMs.

For example:

Azure Template snippet
{
  "type": "Microsoft.Compute/virtualMachines",
  "apiVersion": "2024-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "hardwareProfile": {
      "vmSize": "Standard_D8d_v5"
    },
    "osProfile": {
      "computerName": "[parameters('name')]",
      "adminUsername": "[parameters('adminUsername')]",
      "linuxConfiguration": {
        "provisionVMAgent": true,
        "disablePasswordAuthentication": true
      }
    },
    "storageProfile": {
      "imageReference": {
        "publisher": "MicrosoftCblMariner",
        "offer": "Cbl-Mariner",
        "sku": "cbl-mariner-2-gen2",
        "version": "latest"
      },
      "osDisk": {
        "name": "[format('{0}-disk0', parameters('name'))]",
        "caching": "ReadWrite",
        "createOption": "FromImage",
        "managedDisk": {
          "storageAccountType": "Premium_LRS"
        }
      }
    },
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
        }
      ]
    }
  },
  "zones": [
    "1"
  ],
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
  ]
}
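
A pre-deployment check for this setting, as an added example that is not part of the original page or the rule's own implementation. It flags VMs in an ARM template JSON file where `provisionVMAgent` is `false`, and reports values set through a template expression as unresolved; the function names, state labels and sample template are assumptions constructed for illustration.

```python
import json

VM_TYPE = "microsoft.compute/virtualmachines"
OS_CONFIGS = ("linuxConfiguration", "windowsConfiguration")

def agent_state(vm):
    """Classify one VM resource as 'pass', 'disabled' or 'unresolved'."""
    os_profile = vm.get("properties", {}).get("osProfile", {})
    for key in OS_CONFIGS:
        config = os_profile.get(key)
        if not isinstance(config, dict):
            continue
        # An absent property means the platform default (agent provisioned).
        value = config.get("provisionVMAgent", True)
        if value is False:
            return "disabled"
        if isinstance(value, str):
            # Template expression: undecidable without parameter values.
            return "unresolved"
    return "pass"

def walk(resources):
    """Yield each resource, descending into nested child resources."""
    if isinstance(resources, dict):  # symbolic-name templates use an object
        resources = resources.values()
    for res in resources or []:
        yield res
        yield from walk(res.get("resources"))

def audit_template(template_text):
    """Return {vm name: state} for every VM that does not pass."""
    findings = {}
    for res in walk(json.loads(template_text).get("resources")):
        if str(res.get("type", "")).lower() == VM_TYPE:
            state = agent_state(res)
            if state != "pass":
                findings[res.get("name", "<unnamed>")] = state
    return findings

def sample_vm(name, os_key, value):
    """Build a constructed, minimal VM resource for the sample below."""
    return {"type": "Microsoft.Compute/virtualMachines", "name": name,
            "properties": {"osProfile": {os_key: {"provisionVMAgent": value}}}}

# Constructed sample template: only vm-ok passes.
SAMPLE = json.dumps({"resources": [
    sample_vm("vm-ok", "linuxConfiguration", True),
    sample_vm("vm-off", "windowsConfiguration", False),
    sample_vm("vm-param", "linuxConfiguration", "[parameters('provisionAgent')]"),
]})
```

Calling `audit_template(SAMPLE)` returns the two VMs that need attention. Templates nested inside `Microsoft.Resources/deployments` resources are not expanded by this check.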

Configure with Bicep

To deploy VMs that pass this rule:

  • Set the properties.osProfile.linuxConfiguration.provisionVMAgent property to true for Linux VMs.
  • Set the properties.osProfile.windowsConfiguration.provisionVMAgent property to true for Windows VMs.

For example:

Azure Bicep snippet
resource linux 'Microsoft.Compute/virtualMachines@2024-03-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D8d_v5'
    }
    osProfile: {
      computerName: name
      adminUsername: adminUsername
      linuxConfiguration: {
        provisionVMAgent: true
        disablePasswordAuthentication: true
      }
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftCblMariner'
        offer: 'Cbl-Mariner'
        sku: 'cbl-mariner-2-gen2'
        version: 'latest'
      }
      osDisk: {
        name: '${name}-disk0'
        caching: 'ReadWrite'
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
        }
      }
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
  zones: [
    '1'
  ]
}

Notes

In general, provisioning the VM agent is recommended for all supported operating systems. For network virtual appliances (NVAs) or specialized unsupported OS images installed from the Azure Marketplace, the VM agent may be disabled by the publisher.
