This might interest some of you. I found an inconsistency with the policies available when browsing from within the Azure portal and the policies available from the Microsoft KB.
I am going round in circles with Microsoft documentation at the moment so thought I was going to need Microsoft support soon.
All I am trying to do is configure Windows updates on servers.
However, Windows updates require that an Azure Automation Account is created. This is done.
Then the update conformance reports require that an Azure Log Analytics workspace is created. This is done.
However, the Analytics workspace requires that I deploy a Log Analytics agent to all Azure Arc managed servers. This is where I am encountering trouble.
I have about four options but two of them are preferable:
Using policy, I can validate that the agent is not installed. However, based on the documentation, the “effect” of the “Configure Log Analytics extension on Azure Arc enabled Windows servers” policy should be “Install if not exists”. However, it only supports two “effects”: “Disabled” and “Audit if not exists”. So there doesn’t seem to be a remediate function within this policy, contrary to the documentation.
The other way of doing this would be to install the DSC agent onto all Azure Arc servers. This seems like overkill and I would prefer not to go down this rabbit hole if possible. However, I have explored this at length. I have written a script, compiled it and it’s ready to go. However, again, I would need to deploy the DSC agent. So I’m back to step one again: deploying MSIs through Azure Arc using policy.
I finally found that when I looked for the “Configure Log Analytics extension on Azure Arc enabled Windows servers” policy from within the Azure portal, it had the “Deploy if missing” effect, not just the “Audit if missing” effect. This has caused me four hours of messing around. I wish I had just poked around and not bothered with the bad documentation.