Issue with Installing Azure Monitor Agent (AMA) on VMs Using OS Disk Images Despite Policy Configuration using this policy - "Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity"

Question

Issue with Installing Azure Monitor Agent (AMA) on VMs Using OS Disk Images Despite Policy Configuration using this policy - "Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity"

Pardeep 100

Hello Team,

I’ve configured the Azure Policy “Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity” to ensure AMA is installed across all Windows VMs in our environment.

Here’s what I’ve observed in testing scenarios:

VMs with standard images: AMA was successfully installed.
VMs using custom images: I included the relevant image IDs in the policy parameters, and AMA was installed correctly.
VMs using OS disk images: These VMs did not get the AMA installed, even though they are compliant with the policy in other aspects. Especially these VMs using their OS disk images.

Could you please let me know, Why AMA is not being installed on VMs created from OS disk images, What are the possible ways to ensure AMA installation on these VMs?

Thanks in advance!

Siva shunmugam Nadessin 1,990 Reputation points Microsoft External Staff Moderator

2025-08-20T01:49:20.4233333+00:00
Hello Pardeep,

Kindly check the below and see if it works.

Policy Enforcement: Ensure that the policy you have configured is indeed applying to all relevant VMs, including those created from OS disk images. Sometimes the policy may not be correctly scoped.

Managed Identity Configuration: Since you're using system-assigned managed identity, confirm that the VMs created from OS disk images have a managed identity enabled. If the identity isn’t set up correctly, the AMA might not install.

Remediation Tasks: If the VMs were created before the policy was applied, you may need to create a remediation task to enforce the policy on existing VMs. This could help force the installation of the AMA.

Check for Errors: Review the installation logs to see if there are any specific errors being reported that might explain why the AMA is not installing. This can often provide valuable insight.

VM State: Ensure that the VMs are running and fully booted. Sometimes, installation issues occur if the VM is not in a coherent state when the policy attempts to apply.

Data Collection Rule (DCR): Verify that at least one DCR is associated with those VMs. The AMA installs alongside a DCR, so lacking this association could prevent installation.

Known Issues: Check if any known issues exist that might affect your scenario. For example, if there’s a race condition related to identity assignment, you may encounter similar problems.

Reference documents:

Troubleshoot known issues with Azure Update Manager | Microsoft Learn

https://free.blessedness.top/en-us/azure/azure-monitor/agents/azure-monitor-agent-policy?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#known-issues

https://free.blessedness.top/en-us/troubleshoot/azure/azure-monitor/azure-monitor-agent/ama-windows-installation-issues-detailed-troubleshooting-steps?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider

Troubleshoot known issues with Azure Update Manager | Microsoft Learn

If the comment was helpful, please click "Upvote".

Thanks,

Siva shunmugam.
Pardeep 100 Reputation points

2025-08-20T08:30:39.06+00:00
Hi @Siva shunmugam Nadessin ,Thank you for the detailed response and suggestions.

I’ve already verified and implemented all the recommended steps, and here’s what I’ve observed across different VM scenarios:

VMs with standard images: AMA was successfully installed via policy.

VMs using custom images (AVD): I included the image IDs in the policy parameters, and AMA was installed successfully via remediation task, as these were existing VMs.

VMs created using OS disk images: These VMs did not get AMA installed, even though: (This step is something which is not installing the AMA)

The policy is correctly scoped and applied.

System-assigned managed identity is enabled.

The OS disk resource ID was tested in the policy parameters.

VM state is healthy and running.

DCR association is verified and correct.

Despite all above pre-checks being validated, AMA is still not installing on these VMs. I suspect this might be due to how the policy interprets OS disk-based deployments versus image-based ones.

Could you please confirm:

Is there a known limitation or behavior with AMA installation on VMs created from OS disk images?

Is there an alternative method to enforce AMA installation on such VMs (e.g., via script, CLI, or manual remediation)?

Would a custom policy or different parameter format help in this scenario?

Any insights or workarounds would be greatly appreciated.

Answer accepted by question author

0 additional answers

Your answer

Pardeep 100 Reputation points

2025-08-20T08:30:39.06+00:00

Hi @Siva shunmugam Nadessin ,Thank you for the detailed response and suggestions.

I’ve already verified and implemented all the recommended steps, and here’s what I’ve observed across different VM scenarios:

VMs with standard images: AMA was successfully installed via policy.

VMs using custom images (AVD): I included the image IDs in the policy parameters, and AMA was installed successfully via remediation task, as these were existing VMs.

VMs created using OS disk images: These VMs did not get AMA installed, even though: (This step is something which is not installing the AMA)

The policy is correctly scoped and applied.

System-assigned managed identity is enabled.

The OS disk resource ID was tested in the policy parameters.

VM state is healthy and running.

DCR association is verified and correct.

Despite all above pre-checks being validated, AMA is still not installing on these VMs. I suspect this might be due to how the policy interprets OS disk-based deployments versus image-based ones.

Could you please confirm:

Is there a known limitation or behavior with AMA installation on VMs created from OS disk images?

Is there an alternative method to enforce AMA installation on such VMs (e.g., via script, CLI, or manual remediation)?

Would a custom policy or different parameter format help in this scenario?

Any insights or workarounds would be greatly appreciated.

Answer 1

Hello Pardeep,

After investigation here are some things to consider, along with possible next steps:

1.Policy Limitations: It may be that the policy behaves differently for OS disk images compared to standard or custom images. There could be intrinsic limitations concerning installations via images versus using OS disks.

2.Manual Installation: If the policy isn’t applying as expected to the OS disk-based VMs, you might consider installing the AMA manually via PowerShell or using the Azure CLI. This would bypass the policy application:

You can use the PowerShell command to install the agent:

Install-Module -Name Az -AllowClobber -Scope CurrentUser

Then proceed with the installation command for AMA.

3. Custom Script: If manual installation isn't feasible for all VMs, you might create a custom script that you can run on these VMs, ensuring they get the AMA installed without relying solely on the policy.

4.Using PowerShell for Compliance Check: You can check if the extensions are installed and their status by running:

Get-AzVM -ResourceGroupName <ResourceGroupName> -Name <VMName> -Status

5.Review Installation and Application Logs: Analyzing the installation logs might reveal any errors or warnings specifically related to the AMA installation process on these images. Ensure that DCRs are properly associated with the VMs as well.

6.Known Issues: Check for known issues documented by Microsoft about AMA installations on virtual machines, particularly concerning different image types.

Look into reference document:

https://free.blessedness.top/en-us/troubleshoot/azure/azure-monitor/azure-monitor-agent/ama-windows-installation-issues-prepare-troubleshooting?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#verify-that-at-least-one-dcr-is-associated-with-the-vm

Troubleshoot known issues with Azure Update Manager | Microsoft Learn

https://free.blessedness.top/en-us/troubleshoot/azure/azure-monitor/azure-monitor-agent/ama-windows-installation-issues-detailed-troubleshooting-steps?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider

https://free.blessedness.top/en-us/azure/azure-monitor/agents/azure-monitor-agent-policy?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#known-issues

Please click Accept Answer if the answer was helpful.

Thanks,

Siva shunmugam.

Siva shunmugam Nadessin 1,990 Reputation points Microsoft External Staff Moderator

2025-09-11T01:11:34.5766667+00:00

Hello Pardeep,

Since you have upvoted could you please click Accept Answer if the answer was helpful.

Share via

Issue with Installing Azure Monitor Agent (AMA) on VMs Using OS Disk Images Despite Policy Configuration using this policy - "Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity"

0 additional answers

Your answer