An Azure native disaster recovery service. Previously known as Microsoft Azure Hyper-V Recovery Manager.
Hello L, Tony,
Greetings! Thanks for raising this question in the Q&A forum.
The confusion here comes from mixing up two different delivery paths for the Mobility Service agent. The GitHub repo and the Microsoft Download Center are meant for manual installs on machines that are not yet protected or for air gapped environments where you need to push the MSI yourself. Neither of those channels is the supported path once a private endpoint is involved, and Microsoft has not been consistently publishing standalone MSIs there for every recent rollup, which is why you are hitting dead ends.
For machines that are already protected through Azure Site Recovery, including those connected through a private endpoint, the agent update is pushed through the existing replication channel rather than through a public download.
- Use the in-portal Update Agent action
In the Azure portal, open your Recovery Services vault, then go to Protected items then Replicated items, and select the VM you want to update. On the VM overview page, the Agent status field shows Update available or Critical Upgrade when a newer Mobility Service version exists. Selecting it and choosing Update Agent pushes the new agent binaries to that machine through the same secured channel used for replication traffic, which already works correctly over the private endpoint since it does not need a separate public internet path to a download server.
- Confirm the private endpoint covers the right sub resources
For the push update to succeed, the private endpoint on your Recovery Services vault needs the siterecovery sub resource enabled in addition to the usual blob, queue, and table ones. If only storage related sub resources were configured, the agent push can silently fail and look like there is no update path at all.
az network private-endpoint-connection list --resource-group <YourResourceGroup> --name <YourPrivateEndpointName>
Check that the connection list includes the Site Recovery sub resource for your vault.
- For configuration server or scale out process servers
If you are running the classic VMware/physical to Azure scenario rather than Azure to Azure, the configuration server and process server still need the Unified Setup installer for major version jumps, this one is documented and versioned per rollup, but the protected source machines underneath them get updated automatically once the configuration server itself is current, you do not need to manually push an MSI to each source server.
- If Update Agent does not appear or fails
If the Update Agent button is missing or the job fails specifically in a private endpoint setup, this points to either a DNS resolution issue for the privatelink zone used by Site Recovery or an access restriction on the vault that is blocking the push channel itself rather than a missing download. At that point this needs vault side telemetry that is only visible to Microsoft, so please open a support request under Azure Support, choose Site Recovery as the service, and include the vault resource ID, the private endpoint resource ID, and the job ID of the failed Update Agent attempt.
If this answer helps you kindly accept the answer which will help others who have similar questions.
Best Regards,
Jerald Felix.