Azure Site Recovery Updates with Private endpoint.

L, Tony 0 Reputation points
2026-06-24T20:33:18.3866667+00:00

Does anyone know how we're expected to actually update the ASR/Mobility Service agent when a private endpoint is in use these days?

Used to be the Github (https://github.com/Azure/Azure-SiteRecovery/tree/main/MobilityAgent/OnPremiseToAzure) would have the windows installers but they haven't included any new windows installers in the last 3 versions.

This thread https://learn.microsoft.com/en-us/answers/questions/5809455/roll-up-83-v9-66-7691-1-of-the-mobility-service-ag

mentions finding it in both the Microsoft download center or the azure tenant under prepare infrastructure but that isn't accurate either. Prepare Infrastructure just gives you a new OVA template for the appliance (no mobility service options) and the Microsoft download center has nothing for "Azure Site Recovery Update Rollup 83" All of the documentation just loops back to itself.

Azure Site Recovery
Azure Site Recovery

An Azure native disaster recovery service. Previously known as Microsoft Azure Hyper-V Recovery Manager.


1 answer

Sort by: Most helpful
  1. Jerald Felix 15,370 Reputation points Volunteer Moderator
    2026-06-25T02:03:51.8533333+00:00

    Hello L, Tony,

    Greetings! Thanks for raising this question in the Q&A forum.

    The confusion here comes from mixing up two different delivery paths for the Mobility Service agent. The GitHub repo and the Microsoft Download Center are meant for manual installs on machines that are not yet protected or for air gapped environments where you need to push the MSI yourself. Neither of those channels is the supported path once a private endpoint is involved, and Microsoft has not been consistently publishing standalone MSIs there for every recent rollup, which is why you are hitting dead ends.

    For machines that are already protected through Azure Site Recovery, including those connected through a private endpoint, the agent update is pushed through the existing replication channel rather than through a public download.

    1. Use the in-portal Update Agent action

    In the Azure portal, open your Recovery Services vault, then go to Protected items then Replicated items, and select the VM you want to update. On the VM overview page, the Agent status field shows Update available or Critical Upgrade when a newer Mobility Service version exists. Selecting it and choosing Update Agent pushes the new agent binaries to that machine through the same secured channel used for replication traffic, which already works correctly over the private endpoint since it does not need a separate public internet path to a download server.

    1. Confirm the private endpoint covers the right sub resources

    For the push update to succeed, the private endpoint on your Recovery Services vault needs the siterecovery sub resource enabled in addition to the usual blob, queue, and table ones. If only storage related sub resources were configured, the agent push can silently fail and look like there is no update path at all.

    az network private-endpoint-connection list --resource-group <YourResourceGroup> --name <YourPrivateEndpointName>
    

    Check that the connection list includes the Site Recovery sub resource for your vault.

    1. For configuration server or scale out process servers

    If you are running the classic VMware/physical to Azure scenario rather than Azure to Azure, the configuration server and process server still need the Unified Setup installer for major version jumps, this one is documented and versioned per rollup, but the protected source machines underneath them get updated automatically once the configuration server itself is current, you do not need to manually push an MSI to each source server.

    1. If Update Agent does not appear or fails

    If the Update Agent button is missing or the job fails specifically in a private endpoint setup, this points to either a DNS resolution issue for the privatelink zone used by Site Recovery or an access restriction on the vault that is blocking the push channel itself rather than a missing download. At that point this needs vault side telemetry that is only visible to Microsoft, so please open a support request under Azure Support, choose Site Recovery as the service, and include the vault resource ID, the private endpoint resource ID, and the job ID of the failed Update Agent attempt.

    If this answer helps you kindly accept the answer which will help others who have similar questions.

    Best Regards,

    Jerald Felix.

    Was this answer helpful?


Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.