All code for this blog can be found here.

Azure Update Manager promises to make patching easier. The idea is simple: assess your VMs, install updates, and report on compliance without you logging into each system manually. That is the vision. The reality can sometimes look different.

When I first tested Update Manager on a new Ubuntu 22.04 VM, I clicked Check for updates in the portal and was greeted with this message:

Assessment failed due to this reason: The VM guest patch operation failed. 
Error: 'Sudo status check failed. Please ensure the computer is configured correctly for sudo invocation. 
Please refer to the extension logs for more details.'

This looks like a problem with sudo itself, but the message is not very actionable. After working through it, I discovered that the fix is straightforward once you know what Update Manager expects.

Step 1: Confirm the Azure Linux Agent

Update Manager extensions use the Azure Linux Agent (WALinuxAgent) to communicate with the VM. If the agent is missing or stopped, patching cannot run.

On Ubuntu 22.04, the service name is walinuxagent.service. Older distributions may use waagent.service.

Check the status and version:

systemctl status walinuxagent
waagent --version

If you do not see it running, install or repair it:

sudo apt-get update
sudo apt-get install walinuxagent -y
sudo systemctl enable walinuxagent
sudo systemctl start walinuxagent

You should see output like this when it is working:

WALinuxAgent-2.2.46 running on ubuntu 22.04

Step 2: Test sudo in non-interactive mode

Update Manager cannot type passwords. It calls sudo with the -n flag, which means non-interactive mode. If sudo requires a password, the assessment fails immediately.

Run this test:

sudo -n true

• If it exits silently with no error, sudo is configured correctly.

• If you see a password is required, then you need to adjust sudoers.

  
  

Step 3: Add a NOPASSWD rule

The fix is to give your service account passwordless sudo rights. In Azure, this is usually the azureuser account. Do this safely with visudo:

sudo visudo -f /etc/sudoers.d/azureuser

Add this line:

azureuser ALL=(ALL) NOPASSWD:ALL

Validate the syntax:

sudo visudo -c

Finally, test again:

sudo -n true && echo "NOPASSWD works!"

At this point, Update Manager can use sudo without any password prompts.

Step 4: Retry Update Manager

Return to the Azure portal and run Check for updates again. This time, the operation should succeed and show you the list of available patches.

A Handy Script

To make this repeatable, I put the steps into a script. Save this as fix-azure-update-manager.sh and run it on any VM that gives you the sudo error.

#!/bin/bash
# fix-azure-update-manager.sh
# Ensures WALinuxAgent is installed and sudo works for Update Manager

set -e

echo "=== Checking WALinuxAgent ==="
if ! command -v waagent &>/dev/null; then
  echo "Installing WALinuxAgent..."
  sudo apt-get update -y
  sudo apt-get install walinuxagent -y
fi

echo "Enabling WALinuxAgent service..."
sudo systemctl enable walinuxagent || true
sudo systemctl start walinuxagent || true
systemctl status walinuxagent --no-pager || true
waagent --version || true

echo "=== Configuring sudoers for NOPASSWD ==="
SUDOERS_FILE="/etc/sudoers.d/azureuser"
if [ ! -f "$SUDOERS_FILE" ]; then
  echo "azureuser ALL=(ALL) NOPASSWD:ALL" | sudo tee $SUDOERS_FILE
  sudo chmod 440 $SUDOERS_FILE
fi

echo "Validating sudoers config..."
sudo visudo -c

echo "Testing sudo..."
if sudo -n true; then
  echo "NOPASSWD sudo works."
else
  echo "ERROR: sudo still requires a password!"
  exit 1
fi

echo "=== Done! Retry Azure Update Manager assessment. ==="

Run it like this:

chmod +x fix-azure-update-manager.sh
./fix-azure-update-manager.sh

Lessons Learned

• On Ubuntu 22.04 the service name is walinuxagent.service. Do not expect waagent.service to exist.

• Update Manager requires non-interactive sudo. If your account requires a password, the operation fails.

• Always use visudo when editing sudoers to avoid locking yourself out.

• The error message is technically accurate but not clear. Once you know the real issue, the fix is simple.

  
  

If you run into “Sudo status check failed” in Azure Update Manager, it almost always comes down to the agent not running or sudo not allowing passwordless access. Address those two areas and Update Manager will work as expected.