This chapter provides a comprehensive exploration of Azure Automanage for virtual machines, a service that automates the application of best-practice configurations for VM management. For the AZ-104 exam, understanding Automanage is essential as it appears in the Compute domain (Objective 3.1) and integrates with Azure Policy, Azure Backup, and Azure Update Management. Approximately 5-10% of exam questions may touch on Automanage or its related concepts, focusing on its capabilities, limitations, and how it differs from manual management and Azure Policy alone.
Imagine you run a large taxi company with 500 vehicles. Each taxi needs regular maintenance, oil changes, tire rotations, and software updates for the GPS and payment systems. Without a fleet manager, each driver would have to remember to do these tasks themselves—some would skip them, some would do them wrong, and some would use incompatible parts. Automanage is like hiring a central fleet manager who automatically schedules every taxi for the correct maintenance based on its model and usage, installs only manufacturer-approved parts, and ensures every vehicle meets safety standards. The manager also monitors each taxi's health and, if a tire is low, automatically schedules a rotation. Drivers (you) don't need to know the details—they just drive. Similarly, Azure Automanage automatically applies best-practice configurations to your VMs, including backup policies, update management, security settings, and compliance controls. It uses Azure Policy to enforce these configurations and Azure Automation to handle updates. Just as the fleet manager uses a central database to track each taxi's service history, Automanage uses Azure Resource Manager to track and enforce configurations. If a new taxi joins the fleet, the manager immediately schedules its first service; if a VM is created, Automanage automatically enrolls it and applies the baseline configuration. This eliminates manual configuration drift and ensures a consistent, secure environment across all VMs.
What is Azure Automanage for VMs?
Azure Automanage for VMs is a service that automatically applies a curated set of best-practice configurations to your Azure virtual machines. It is designed to simplify VM management by handling tasks such as backup, update management, security baseline enforcement, and monitoring. Automanage is not a separate resource; rather, it is a management layer that uses Azure services like Azure Backup, Azure Update Management, Azure Security Center (now Microsoft Defender for Cloud), and Azure Policy to enforce configurations.
Why Automanage Exists
Managing VMs at scale is complex. Administrators must ensure consistent backup policies, apply security updates, configure monitoring, and maintain compliance. Manual configuration leads to drift, where VMs deviate from desired state over time. Automanage eliminates this by continuously monitoring and reapplying configurations if they change. It also reduces operational overhead by automating the initial setup and ongoing management.
How Automanage Works Internally
When you enable Automanage on a VM, the following occurs:
Enrollment: The VM is enrolled in an Automanage profile. A profile defines which services to enable and their configurations. Azure provides two default profiles: Dev/Test and Production. The Production profile includes backup, update management, security, and monitoring; the Dev/Test profile is a subset.
Policy Assignment: Automanage creates Azure Policy assignments that enforce the desired state. These policies are auto-generated and applied to the VM's resource group. For example, a policy ensures that backup is configured for the VM.
Resource Deployment: Automanage deploys necessary Azure resources if they don't exist. For backup, it creates a Recovery Services vault. For update management, it creates a Log Analytics workspace and links it to Azure Automation. For monitoring, it enables Azure Monitor for VMs.
Configuration Application: Automanage applies the configurations using VM extensions. For example, it installs the Azure Backup extension, the Dependency Agent for monitoring, and the Microsoft Monitoring Agent for log collection.
Continuous Compliance: Automanage continuously monitors the VM and reapplies configurations if they drift. It uses Azure Policy's modify effect to remediate non-compliant settings. The interval for re-evaluation is approximately every 30 minutes, but this is not user-configurable.
Key Components, Values, Defaults, and Timers
Automanage Profile: Defines the set of services. Default profiles: Production (backup, update management, security, monitoring) and Dev/Test (backup only, with less frequent backups). Custom profiles are supported.
Backup Policy: For Production profile, default backup schedule is daily at 23:00 UTC, retention 7 days for daily, 4 weeks for weekly, 52 weeks for yearly. For Dev/Test, daily at 23:00 UTC, retention 1 day.
Update Management: Uses Azure Update Management (now part of Azure Automation) to assess and install updates. Default schedule: daily assessment at 2:00 AM UTC, installation window of 2 hours.
Security Baseline: Applies Azure Security Benchmark recommendations via Guest Configuration extension. Policies are evaluated every 24 hours.
Monitoring: Enables Azure Monitor for VMs, which collects performance and dependency data. Data retention is 30 days by default.
Log Analytics Workspace: Created in the same region as the VM, with a default pricing tier of Pay-as-you-go (Per GB 2018).
Recovery Services Vault: Created in the same region, with geo-redundant storage (GRS) by default.
Configuration and Verification Commands
To enable Automanage via CLI:
az vm automanage enable --vm-name <vm-name> --resource-group <rg> --profile-name Production
To verify the configuration:
az vm automanage show --vm-name <vm-name> --resource-group <rg>
To list all Automanage-managed VMs:
az vm automanage list --resource-group <rg>
To disable Automanage:
az vm automanage disable --vm-name <vm-name> --resource-group <rg>
Using PowerShell:
Enable-AzAutomanageVM -VMName <vm-name> -ResourceGroupName <rg> -ProfileName Production
Interaction with Related Technologies
Azure Policy: Automanage uses Azure Policy to enforce configurations. The policies are auto-created and assigned to the VM's resource group. You can view these policies in the Azure Policy blade. Automanage uses the deployIfNotExists and modify effects to remediate non-compliance.
Azure Backup: Automanage configures Azure Backup with a default policy. You can modify the backup policy after Automanage is enabled, but Automanage will not revert your changes—it only ensures that backup is enabled.
Azure Update Management: Automanage enables update management using Azure Automation. It creates an Automation account and links it to a Log Analytics workspace. Update assessments run daily, and you can configure installation schedules.
Microsoft Defender for Cloud: Automanage enables Defender for Cloud's free tier by default. For enhanced security, you can upgrade to the paid tier, but Automanage does not enforce this.
Azure Monitor for VMs: Automanage enables the service, which installs the Dependency Agent and Log Analytics agent. It collects performance counters and dependency mapping.
Limitations and Considerations
Not supported for all VM types: Automanage supports Azure VMs and Azure Arc-enabled servers. It does not support VMs created via Azure Virtual Desktop (AVD) or VMs in a scale set.
Region availability: Automanage is available in most Azure regions. Check the latest documentation for specific region support.
Profile changes: You can change the profile after enrollment, but the change triggers a re-application of all configurations.
Custom profiles: You can create custom profiles using Azure Policy definitions. However, you must define the exact services and configurations.
Cost: Automanage itself is free, but the underlying services (Backup, Log Analytics, Automation, etc.) incur costs based on usage.
Common Exam Scenarios
- Question: A company wants to ensure all new VMs automatically get backup and update management. Which solution should you recommend?
- Answer: Azure Automanage with the Production profile. Automanage automatically applies configurations to new VMs when they are enrolled.
- Question: An administrator enables Automanage on a VM but later manually changes the backup schedule. What happens?
- Answer: Automanage does not revert manual changes. It only ensures that backup is enabled, not the specific schedule. The modified schedule remains.
- Question: Which services does Automanage configure by default in the Production profile?
- Answer: Backup, Update Management, Security Baseline, and Monitoring (Azure Monitor for VMs).
Enable Automanage on a VM
In the Azure portal, navigate to the VM and select 'Automanage' under 'Operations'. Click 'Enable' and choose a profile (Dev/Test or Production). Alternatively, use CLI or PowerShell. During enablement, Automanage creates or links a Recovery Services vault, Log Analytics workspace, and Automation account in the same region. It also assigns Azure Policy definitions to the VM's resource group. This process takes approximately 5-10 minutes. The VM must be running and have a managed identity enabled (Automanage creates one if missing). After enablement, the VM is marked as 'Managed' in the Automanage blade.
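As an added example (not code from this page, Microsoft, or the Automanage service), a bash pre-flight script that skips the VM types this page lists as unsupported (ephemeral OS disk, scale-set member) and enrols the rest with the enable command in the syntax this page uses. It assumes a logged-in Azure CLI; the function names `automanage_supported` and `enroll_resource_group` are mine, and the two properties are read from `az vm show` output.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check plus bulk enrolment for Automanage.
# Assumes 'az' is installed and logged in; uses the enable command as
# written on this page (az vm automanage enable).
set -euo pipefail

# Decide whether a VM can be enrolled, from two properties returned by
# 'az vm show'. Echoes a verdict and returns 1 when the VM is unsupported.
#   $1 = storageProfile.osDisk.diffDiskSettings.option
#        ("Local" means an ephemeral OS disk; empty otherwise)
#   $2 = virtualMachineScaleSet.id (non-empty when the VM is in a scale set)
automanage_supported() {
    local diff_disk="${1:-}" vmss_id="${2:-}"
    if [ "$diff_disk" = "Local" ]; then
        echo "unsupported: ephemeral OS disk"
        return 1
    fi
    if [ -n "$vmss_id" ] && [ "$vmss_id" != "null" ]; then
        echo "unsupported: member of a scale set"
        return 1
    fi
    echo "supported"
    return 0
}

# Enrol every VM in a resource group that passes the check above.
#   $1 = resource group name, $2 = profile name (Production or Dev/Test)
enroll_resource_group() {
    local rg="$1" profile="${2:-Production}" vm verdict diff_disk vmss_id
    for vm in $(az vm list --resource-group "$rg" --query "[].name" -o tsv); do
        diff_disk=$(az vm show -g "$rg" -n "$vm" \
            --query "storageProfile.osDisk.diffDiskSettings.option" -o tsv)
        vmss_id=$(az vm show -g "$rg" -n "$vm" \
            --query "virtualMachineScaleSet.id" -o tsv)
        if verdict=$(automanage_supported "$diff_disk" "$vmss_id"); then
            echo "$vm: enrolling with profile $profile"
            az vm automanage enable --vm-name "$vm" --resource-group "$rg" \
                --profile-name "$profile"
        else
            # Enabling would fail with an error on these VMs, so skip them.
            echo "$vm: skipped ($verdict)"
        fi
    done
}
```

Run it as `enroll_resource_group <rg> Production` after sourcing the file; VMs that the check rejects are reported rather than attempted.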
Automatic deployment of extensions
Automanage installs required VM extensions: Azure Backup extension for backup, Microsoft Monitoring Agent (MMA) for log collection, Dependency Agent for Azure Monitor for VMs, and Guest Configuration extension for security baseline. Extensions are installed via Azure Resource Manager and may cause a brief reboot if required (e.g., for MMA). The installation status can be viewed in the VM's 'Extensions' blade. If an extension fails, Automanage retries up to 3 times with a 5-minute interval. After successful installation, the VM is compliant with the profile.
Applying backup policy
Automanage creates a backup policy in the Recovery Services vault. For the Production profile, the default policy backs up daily at 23:00 UTC with retention of 7 days for daily points, 4 weeks for weekly, and 52 weeks for yearly. The backup is configured for the VM's disks (premium or standard). Automanage does not configure file-level or application-consistent backups (it uses crash-consistent by default). If the VM already had a backup policy, Automanage does not override it; it only ensures a policy exists. The first backup occurs within 24 hours of enablement.
Configuring update management
Automanage enables Azure Update Management by linking the VM to an Automation account. It creates a schedule for update assessments: daily at 2:00 AM UTC. For patch installation, a default schedule runs at 2:00 AM UTC on the first day of the month with a 2-hour window. Updates are installed automatically for the Production profile; for Dev/Test, only assessments are done (no automatic installation). The update compliance data is stored in the Log Analytics workspace. Automanage does not configure reboot settings; it uses the default 'Never reboot' unless overridden.
Enforcing security baseline
Automanage applies the Azure Security Benchmark via Guest Configuration extension. The baseline includes policies like 'Require encryption at rest', 'Disable local authentication', and 'Ensure secure boot is enabled'. Policies are evaluated every 24 hours. If a VM is non-compliant, Automanage uses Azure Policy's 'modify' effect to remediate (e.g., enabling encryption). However, some settings may require manual intervention (e.g., if the OS does not support a feature). Compliance status is visible in the Azure Policy blade under 'Guest Configuration'.
Continuous monitoring and remediation
After initial configuration, Automanage continuously monitors the VM for drift. It uses Azure Policy to evaluate compliance every ~30 minutes. If a configuration is changed (e.g., backup is disabled), Automanage re-applies the policy to restore the desired state. This is done via the 'deployIfNotExists' effect, which triggers a remediation task. Automanage also monitors the health of extensions; if an extension is removed, it is reinstalled. The service does not monitor or remediate changes to the VM's OS (e.g., user accounts) unless covered by the security baseline.
Enterprise Scenario 1: Consistent Backup and Patch Management for 500 VMs
A financial services company deploys 500 Windows VMs across multiple regions for their trading platform. Previously, each team manually configured backup and patch schedules, leading to inconsistent retention policies and missed updates. They enable Automanage with the Production profile on all VMs. Automanage automatically creates Recovery Services vaults in each region, configures daily backups at 23:00 UTC with 7-day retention, and sets up daily patch assessments. The operations team now has a single dashboard to monitor compliance. Issues arise when a VM is moved to a different resource group—Automanage policies are tied to the original resource group, so the VM becomes unmanaged. They must re-enable Automanage after the move. Also, backup costs increase because each VM has its own vault; they later consolidate vaults manually.
Enterprise Scenario 2: Security Baseline Enforcement for Hybrid VMs
A healthcare organization uses Azure Arc-enabled servers on-premises and wants to enforce security baselines across all servers. They enable Automanage for Arc machines. Automanage applies the Azure Security Benchmark, which includes policies like 'Disable local admin accounts' and 'Enable encryption'. However, some on-premises servers have legacy OS versions that don't support certain policies, causing compliance failures. Automanage cannot remediate these; the organization must update the OS or exclude those servers. They also find that Automanage's default backup policy uses Azure Backup, which is not suitable for on-premises data (they use a third-party backup). They create a custom profile that excludes backup. This scenario highlights that Automanage is best for cloud-native or hybrid environments where Azure services are acceptable.
Common Pitfalls in Production
Overlapping policies: If you have existing Azure Policy assignments that conflict with Automanage policies, the VM may become non-compliant. Automanage policies have a higher priority if explicitly assigned, but conflicts can cause remediation loops.
Cost management: Automanage creates separate Log Analytics workspaces per region. For large deployments, this can be expensive. Plan to use a central workspace by configuring Automanage to use an existing workspace (via custom profile).
Reboot during patch installation: Automanage's default patch schedule may reboot VMs without warning. In production, you should customize the schedule to maintenance windows. Automanage does not prevent reboots; it uses the VM's built-in reboot behavior.
Unsupported VM sizes: Automanage does not support VMs with ephemeral OS disks or VMs that are part of a scale set. Attempting to enable Automanage on such VMs fails with an error.
What AZ-104 Tests on Automanage
AZ-104 objective 3.1 (Configure virtual machines) includes 'Implement Azure Automanage for VMs'. The exam focuses on:
Understanding the purpose and benefits of Automanage.
Knowing the default profiles (Dev/Test vs Production) and their included services.
Recognizing that Automanage uses Azure Policy to enforce configurations.
Identifying which services are configured (Backup, Update Management, Security Baseline, Monitoring).
Understanding that Automanage does not manage the VM's OS (e.g., installing applications).
Knowing that Automanage can be enabled via portal, CLI, or PowerShell.
Recognizing that Automanage is free but underlying services incur costs.
Common Wrong Answers and Traps
Trap 1: Automanage replaces Azure Policy. Wrong: Candidates think Automanage is a separate policy engine. Reality: Automanage *uses* Azure Policy to enforce configurations. It does not replace Policy; it leverages it.
Trap 2: Automanage can manage any VM. Wrong: Candidates assume all VMs are supported. Reality: Automanage does not support VMs with ephemeral disks, VMs in scale sets, or AVD session hosts.
Trap 3: Automanage automatically installs security updates. Wrong: Candidates confuse 'update management' with automatic patching. Reality: Automanage enables update *assessment* and *installation* only if configured in the profile. The Production profile installs updates automatically; Dev/Test does not.
Trap 4: Automanage reverts manual configuration changes. Wrong: Candidates think Automanage overwrites any manual change. Reality: Automanage only ensures that a service is *enabled* (e.g., backup is on), but it does not revert changes to settings like backup schedule or retention. It uses Policy to enforce 'deployIfNotExists' but not 'modify' for all settings.
Specific Numbers and Terms on the Exam
Default backup retention: 7 days daily, 4 weeks weekly, 52 weeks yearly.
Default backup time: 23:00 UTC.
Update assessment frequency: Daily at 2:00 AM UTC.
Patch installation window: 2 hours.
Compliance evaluation interval: ~30 minutes.
Profiles: Dev/Test (backup only) and Production (backup, update, security, monitoring).
Unsupported: Ephemeral OS disks, scale sets, AVD.
Edge Cases and Exceptions
Azure Arc-enabled servers: Supported for Automanage, but backup uses Azure Backup which may not be desired for on-premises data.
Custom profiles: You can create custom profiles but must define all services; partial profiles are not allowed.
Multiple regions: Automanage creates separate resources per region; you cannot force a single vault/workspace across regions via the default profile.
Managed identity: Automanage requires a system-assigned managed identity; if the VM already has one, it uses it.
How to Eliminate Wrong Answers
If a question asks about 'automatic patch installation', look for keywords like 'Production profile' or 'update management schedule'. If the scenario mentions 'Dev/Test', patches are not installed automatically.
If a question asks about 'reverting changes', remember that Automanage does not revert manual changes to backup schedules or retention; it only ensures the service is enabled.
If a question lists services, remember the four: Backup, Update Management, Security Baseline, Monitoring. Do not include services like 'Azure Site Recovery' or 'Azure AD'.
Azure Automanage is a free service that automates the application of best-practice configurations for VMs using Azure Policy.
Two default profiles: Dev/Test (backup only) and Production (backup, update management, security baseline, monitoring).
Automanage does not support VMs with ephemeral OS disks, scale sets, or Azure Virtual Desktop session hosts.
Automanage uses Azure Policy to enforce configurations and continuously monitors for drift (~30 minute evaluation interval).
Default backup schedule: daily at 23:00 UTC with retention of 7 days (daily), 4 weeks (weekly), 52 weeks (yearly) for Production.
Update management assesses updates daily at 2:00 AM UTC; Production profile installs patches automatically on the first day of the month with a 2-hour window.
Automanage does not revert manual changes to backup schedules or retention policies; it only ensures the service is enabled.
Underlying services (Backup, Log Analytics, Automation) incur costs; Automanage itself is free.
You can enable Automanage via Azure portal, CLI (`az vm automanage enable`), or PowerShell.
Automanage can be enabled on Azure Arc-enabled servers for hybrid management.
These come up on the exam all the time. Here's how to tell them apart.
Azure Automanage for VMs
Automatically applies best-practice configurations using Azure Policy.
Reduces operational overhead by automating backup, update, security, and monitoring setup.
Continuously monitors and remediates configuration drift.
Supports only Azure VMs and Azure Arc-enabled servers; limited to supported regions.
Free service; underlying services incur costs.
Manual VM Management
Requires manual configuration of each service (Backup, Update Management, etc.).
Higher risk of configuration drift and inconsistent policies across VMs.
No automatic drift remediation; changes must be tracked manually.
Works with any VM type, including unsupported Automanage scenarios (ephemeral disks, scale sets).
No additional service cost, but manual effort is higher.
Azure Automanage (Production Profile)
Includes Backup, Update Management (with automatic patching), Security Baseline, and Monitoring.
Default backup retention: 7 days daily, 4 weeks weekly, 52 weeks yearly.
Update Management installs patches automatically on a monthly schedule.
Security baseline enforces Azure Security Benchmark.
Recommended for production workloads.
Azure Automanage (Dev/Test Profile)
Includes only Backup (no Update Management, Security, or Monitoring).
Default backup retention: 1 day only.
No automatic patching; only update assessments are performed.
No security baseline enforcement.
Designed for non-critical or development VMs.
Mistake
Azure Automanage automatically installs all Windows updates immediately.
Correct
Automanage configures Azure Update Management to assess updates daily and install them according to a schedule (default: first day of month at 2 AM UTC). It does not install updates immediately. The Production profile includes automatic installation; Dev/Test does not.
Mistake
Automanage can manage any Azure VM, including those with ephemeral disks.
Correct
Automanage does not support VMs with ephemeral OS disks, VMs in scale sets, or Azure Virtual Desktop session hosts. Attempting to enable Automanage on such VMs fails.
Mistake
Automanage replaces the need for Azure Policy.
Correct
Automanage uses Azure Policy to enforce configurations. It does not replace Policy; it leverages Policy definitions to apply and remediate settings. You can still use custom policies alongside Automanage.
Mistake
Automanage continuously reverts any manual changes to VM settings.
Correct
Automanage only ensures that certain services (e.g., backup, update management) are enabled and that security baselines are applied. It does not revert changes to backup schedules, retention policies, or other configuration details. It uses Policy's 'deployIfNotExists' effect, not 'modify' for all settings.
Mistake
Automanage is a paid service with its own pricing tier.
Correct
Automanage itself is free. However, the underlying services it configures (Azure Backup, Log Analytics, Azure Automation, etc.) incur costs based on usage. The exam may test that Automanage has no additional cost.
Azure Automanage for VMs is a service that automatically applies best-practice configurations to Azure virtual machines. It handles backup, update management, security baseline enforcement, and monitoring. Automanage uses Azure Policy to enforce these configurations and continuously monitors for drift. It is free, but the underlying services (Backup, Log Analytics, etc.) incur costs. For the exam, remember that Automanage simplifies VM management by automating the setup and maintenance of these core services.
The Dev/Test profile includes only backup with a retention of 1 day. The Production profile includes backup (7-day daily retention, 4-week weekly, 52-week yearly), update management (with automatic patching), security baseline (Azure Security Benchmark), and monitoring (Azure Monitor for VMs). The Dev/Test profile does not enable automatic patching or security baseline. For the exam, know that Production is for critical workloads and Dev/Test is for non-critical or development VMs.
Yes, Azure Automanage supports Azure Arc-enabled servers. This allows you to manage on-premises or multi-cloud servers with the same best-practice configurations. However, note that backup uses Azure Backup, which may not be suitable for all on-premises scenarios. Also, some security baseline policies may not be applicable to non-Windows or legacy OS versions. For the exam, remember that Automanage extends to hybrid environments via Azure Arc.
Only if you use the Production profile. The Production profile configures Azure Update Management to assess updates daily and install them automatically on a monthly schedule (first day of month at 2 AM UTC). The Dev/Test profile only performs assessments without automatic installation. If you need immediate patching, you must manually trigger an update deployment. For the exam, note that automatic patching is a feature of the Production profile.
Automanage uses Azure Policy to ensure that certain services are enabled. If you disable a service (e.g., turn off backup), Automanage will re-enable it via Policy remediation. However, if you change a configuration detail (e.g., backup schedule), Automanage does not revert it because the policy only checks for existence, not specific values. For the exam, understand that Automanage enforces 'deployIfNotExists' but not 'modify' for all settings.
Automanage does not support VMs with ephemeral OS disks, VMs in scale sets, or Azure Virtual Desktop session hosts. Additionally, it is not available in all Azure regions (check documentation for current list). For the exam, remember these unsupported scenarios to avoid incorrect answers.
You can enable Automanage via the Azure portal (VM > Automanage > Enable), Azure CLI (`az vm automanage enable --vm-name <vm> --resource-group <rg> --profile-name Production`), or PowerShell (`Enable-AzAutomanageVM`). The VM must be running and have a managed identity. Automanage will create necessary resources (vault, workspace, automation account) in the same region. For the exam, know the CLI command syntax.