Azure Update Management provides centralized patch management for Windows and Linux virtual machines across Azure, on-premises, and other cloud environments. This guide covers setting up automated patching, configuring maintenance schedules, and ensuring compliance across your infrastructure.
This article is part of our comprehensive guide on Cloud Security Tips for 2026, which covers essential security practices across all major cloud platforms.
Overview
Azure offers two update management solutions:
- Azure Update Manager: Native Azure service (recommended for new deployments)
- Azure Automation Update Management: Legacy solution with Log Analytics integration
This guide focuses primarily on Azure Update Manager, with references to the legacy solution where applicable.
Prerequisites
Before configuring update management, ensure you have:
- Azure subscription with Contributor role on target resources
- Virtual machines running supported Windows or Linux versions
- Azure CLI installed (version 2.50 or later)
- Network connectivity to Windows Update or configured update sources
- Understanding of maintenance windows appropriate for your workloads
Step 1: Enable Azure Update Manager
Enable via Azure Portal
- Sign in to the Azure Portal
- Search for Update Manager and select it
- Click Get started to view your machines
- Select the VMs you want to manage
- Click Enable Update Manager
Enable via Azure CLI
# Register the Update Management resource provider
az provider register --namespace Microsoft.Maintenance
# Verify registration
az provider show --namespace Microsoft.Maintenance --query registrationState -o tsv
# Enable periodic assessment for a VM (checks for updates daily)
az vm update \
--resource-group "rg-production" \
--name "vm-web-01" \
--set osProfile.linuxConfiguration.patchSettings.assessmentMode=AutomaticByPlatform
# For Windows VMs
az vm update \
--resource-group "rg-production" \
--name "vm-app-01" \
--set osProfile.windowsConfiguration.patchSettings.assessmentMode=AutomaticByPlatform
# Enable for multiple VMs using a loop
for vm in vm-web-01 vm-web-02 vm-app-01; do
az vm update \
--resource-group "rg-production" \
--name "$vm" \
--set osProfile.windowsConfiguration.patchSettings.assessmentMode=AutomaticByPlatform
done
Enable for Azure Arc-Enabled Servers
# For on-premises or multi-cloud servers connected via Azure Arc
az connectedmachine update \
--resource-group "rg-hybrid" \
--name "server-onprem-01" \
--patch-settings '{"assessmentMode": "AutomaticByPlatform"}'
Step 2: Assess Update Status
Check Update Status via Portal
- In Update Manager, go to Overview
- Review the compliance summary:
- Compliant: All updates installed
- Pending: Updates available
- Not assessed: Assessment not completed
- Click on a VM to see detailed update inventory
Check Update Status via Azure CLI
# Get update assessment for a single VM
az vm assess-patches \
--resource-group "rg-production" \
--name "vm-web-01" \
--query '{CriticalCount:criticalAndSecurityPatchCount, OtherCount:otherPatchCount, Status:status}' \
-o table
# List available updates for a VM
az vm assess-patches \
--resource-group "rg-production" \
--name "vm-web-01" \
--query 'availablePatches[].{Name:name, Classification:classifications[0], RebootBehavior:rebootBehavior}' \
-o table
# Get assessment results across multiple VMs
for vm in vm-web-01 vm-web-02 vm-app-01; do
echo "=== $vm ==="
az vm assess-patches \
--resource-group "rg-production" \
--name "$vm" \
--query '{Critical:criticalAndSecurityPatchCount, Other:otherPatchCount}' \
-o table
done
PowerShell Assessment Script
# Get update status for all VMs in a resource group
$resourceGroup = "rg-production"
$vms = Get-AzVM -ResourceGroupName $resourceGroup
foreach ($vm in $vms) {
    $assessment = Invoke-AzVmAssessPatch -ResourceGroupName $resourceGroup -VMName $vm.Name
    Write-Host "VM: $($vm.Name)"
    Write-Host "  Critical Updates: $($assessment.CriticalAndSecurityPatchCount)"
    Write-Host "  Other Updates: $($assessment.OtherPatchCount)"
    # StartDateTime is when the assessment ran; AssessmentActivityId is only a correlation ID
    Write-Host "  Assessment Time: $($assessment.StartDateTime)"
    Write-Host ""
}
Step 3: Create Maintenance Configuration
Create Schedule via Azure Portal
- In Update Manager, go to Maintenance configurations
- Click + Create
- Configure basics:
- Subscription: Select your subscription
- Resource group: Create or select existing
- Configuration name: mc-production-weekly
- Region: Select region matching your VMs
- Configure schedule:
- Maintenance scope: Guest (OS updates)
- Reboot setting: Reboot if required
- Schedule: Weekly, specify day and time
- Time zone: Select appropriate time zone
- Duration: 2-4 hours recommended
- Configure updates:
- Update classifications: Security, Critical, Update Rollup
- KB numbers to include/exclude: As needed
- Assign resources:
- Select VMs or resource groups
- Click Create
Create Schedule via Azure CLI
# Create a maintenance configuration
az maintenance configuration create \
--resource-group "rg-management" \
--name "mc-production-weekly" \
--location "eastus" \
--maintenance-scope "InGuestPatch" \
--maintenance-window-duration "03:00" \
--maintenance-window-recur-every "Week Saturday" \
--maintenance-window-start-date-time "2026-01-18 02:00" \
--maintenance-window-time-zone "Eastern Standard Time" \
--reboot-setting "IfRequired" \
--extension-properties '{
"InGuestPatchMode": "User",
"windowsParameters": {
"classificationsToInclude": ["Critical", "Security", "UpdateRollUp"],
"kbNumbersToExclude": []
}
}'
# Assign the maintenance configuration to a VM
MAINTENANCE_CONFIG_ID=$(az maintenance configuration show \
--resource-group "rg-management" \
--name "mc-production-weekly" \
--query id -o tsv)
az maintenance assignment create \
--resource-group "rg-production" \
--maintenance-configuration-id "$MAINTENANCE_CONFIG_ID" \
--name "vm-web-01-assignment" \
--provider-name "Microsoft.Compute" \
--resource-name "vm-web-01" \
--resource-type "virtualMachines"
Create Configuration for Linux VMs
# Create maintenance configuration for Linux
az maintenance configuration create \
--resource-group "rg-management" \
--name "mc-linux-weekly" \
--location "eastus" \
--maintenance-scope "InGuestPatch" \
--maintenance-window-duration "02:00" \
--maintenance-window-recur-every "Week Sunday" \
--maintenance-window-start-date-time "2026-01-19 03:00" \
--maintenance-window-time-zone "UTC" \
--reboot-setting "IfRequired" \
--extension-properties '{
"InGuestPatchMode": "User",
"linuxParameters": {
"classificationsToInclude": ["Critical", "Security"],
"packageNameMasksToExclude": [],
"packageNameMasksToInclude": ["*"]
}
}'
Step 4: Deploy Updates On-Demand
Install Updates via Portal
- In Update Manager, select Machines
- Check the VMs to update
- Click One-time update
- Configure update options:
- Classifications to include
- KB exclusions
- Reboot options
- Click Install
Install Updates via Azure CLI
# Install all available updates on a VM
az vm install-patches \
--resource-group "rg-production" \
--name "vm-web-01" \
--maximum-duration "PT2H" \
--reboot-setting "IfRequired" \
--classifications-to-include-win "Critical" "Security"
# Install specific KB updates
az vm install-patches \
--resource-group "rg-production" \
--name "vm-web-01" \
--maximum-duration "PT2H" \
--reboot-setting "IfRequired" \
--kb-numbers-to-include "KB5034441" "KB5034467"
# Install updates on Linux VM
az vm install-patches \
--resource-group "rg-production" \
--name "vm-linux-01" \
--maximum-duration "PT2H" \
--reboot-setting "IfRequired" \
--classifications-to-include-linux "Critical" "Security"
Bulk Update Deployment with PowerShell
# Install updates on multiple VMs
$resourceGroup = "rg-production"
$vmNames = @("vm-web-01", "vm-web-02", "vm-app-01")
foreach ($vmName in $vmNames) {
    Write-Host "Starting update installation on $vmName..."
    $params = @{
        ResourceGroupName                 = $resourceGroup
        VMName                            = $vmName
        MaximumDuration                   = "PT2H"
        RebootSetting                     = "IfRequired"
        Windows                           = $true   # Windows guests; use -Linux and -ClassificationToIncludeForLinux for Linux
        ClassificationToIncludeForWindows = @("Critical", "Security")
    }
    $result = Invoke-AzVmInstallPatch @params -AsJob
    Write-Host "Update job started for $vmName with Job ID: $($result.Id)"
}
# Monitor job status
Get-Job | Where-Object { $_.State -eq "Running" } | Wait-Job
Get-Job | Receive-Job
Step 5: Monitor Compliance
View Compliance Dashboard
- In Update Manager, go to Overview
- Review compliance metrics:
- Machines assessed
- Machines with pending updates
- Update history
- Click Compliance for detailed reports
Query Compliance via Azure Resource Graph
# Query VMs with pending critical updates
az graph query -q "
patchassessmentresources
| where type =~ 'microsoft.compute/virtualmachines/patchassessmentresults'
| extend vmName = tostring(split(id, '/')[8])
| extend criticalCount = toint(properties.criticalAndSecurityPatchCount)
| where criticalCount > 0
| project vmName, resourceGroup, criticalCount, lastAssessmentTime = properties.lastModifiedDateTime
| order by criticalCount desc
"
# Get the assessment-mode configuration of every VM (Windows and Linux)
az graph query -q "
resources
| where type =~ 'microsoft.compute/virtualmachines'
| extend osType = tostring(properties.storageProfile.osDisk.osType)
| extend assessmentMode = coalesce(
    properties.osProfile.windowsConfiguration.patchSettings.assessmentMode,
    properties.osProfile.linuxConfiguration.patchSettings.assessmentMode)
| project name, resourceGroup, osType, assessmentMode, location
| order by resourceGroup
"
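The compliance buckets from Step 2 and the stale-assessment condition from the alert below can be reproduced offline from the assessment records, which is useful for checking a query before it drives an alert. The following is an added example, not code from the original article: it assumes records shaped like the patchassessmentresources rows above, and the sample rows are constructed.

```python
"""Summarize patch assessment records into Update Manager's compliance buckets.
Added example, not from the original article. Records are assumed to follow the
patchassessmentresources rows queried above; all sample rows are constructed."""
from datetime import datetime, timedelta
STALE_AFTER = timedelta(days=7)  # same threshold as the 7-day alert
VM_ID_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                "rg-production/providers/Microsoft.Compute/virtualMachines/")

def parse_ts(stamp):
    """Parse the Z-suffixed UTC timestamps Azure returns."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def record(vm, status, critical, other, reboot, assessed):  # constructed sample shape
    return {"id": f"{VM_ID_PREFIX}{vm}/patchAssessmentResults/latest",
            "properties": {"status": status, "criticalAndSecurityPatchCount": critical,
                           "otherPatchCount": other, "rebootPending": reboot,
                           "lastModifiedDateTime": assessed}}

SAMPLE_ROWS = [  # constructed sample data
    record("vm-web-01", "Succeeded", 3, 5, True, "2026-01-10T02:15:00Z"),
    record("vm-web-02", "Succeeded", 0, 0, False, "2026-01-19T02:10:00Z"),
    record("vm-app-01", "Succeeded", 1, 0, False, "2026-01-18T02:12:00Z"),
    record("vm-db-01", "Failed", None, None, False, "2026-01-19T02:05:00Z"),
]

def classify(rec, now):
    """Map one record to Compliant / Pending / Not assessed, plus staleness."""
    p = rec["properties"]
    critical = int(p.get("criticalAndSecurityPatchCount") or 0)
    other = int(p.get("otherPatchCount") or 0)
    if p.get("status") != "Succeeded":
        state = "Not assessed"  # failed or incomplete assessment: counts are not trustworthy
    elif critical or other:
        state = "Pending"
    else:
        state = "Compliant"
    return {"vm": rec["id"].split("/")[8],  # .../virtualMachines/<vm>/patchAssessmentResults/latest
            "state": state, "critical": critical, "reboot_pending": bool(p.get("rebootPending")),
            "stale": now - parse_ts(p["lastModifiedDateTime"]) > STALE_AFTER}

def summarize(rows, now_iso):
    """Portal-style bucket counts plus the VMs matching the alert condition."""
    now = parse_ts(now_iso)
    results = [classify(r, now) for r in rows]
    counts = {"Compliant": 0, "Pending": 0, "Not assessed": 0}
    for r in results:
        counts[r["state"]] += 1
    overdue = sorted(r["vm"] for r in results if r["critical"] > 0 and r["stale"])
    return counts, overdue
```

Feeding it the JSON from `az graph query` or `az vm assess-patches` instead of the sample rows gives the same buckets the portal shows, with "Not assessed" surfacing machines whose counts should not be trusted.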
Set Up Compliance Alerts
# Create action group for notifications
az monitor action-group create \
--resource-group "rg-monitoring" \
--name "ag-patching-alerts" \
--short-name "Patching" \
--email-receivers name="OpsTeam" email-address="[email protected]"
# Create alert for VMs with critical updates pending > 7 days
az monitor scheduled-query create \
--resource-group "rg-monitoring" \
--name "alert-pending-critical-updates" \
--scopes "/subscriptions/$SUBSCRIPTION_ID" \
--condition "count > 0" \
--condition-query "
patchassessmentresources
| where type == 'microsoft.compute/virtualmachines/patchassessmentresults'
| where properties.criticalAndSecurityPatchCount > 0
| where todatetime(properties.lastModifiedDateTime) < ago(7d)
" \
--action-groups "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/rg-monitoring/providers/Microsoft.Insights/actionGroups/ag-patching-alerts" \
--severity 2 \
--evaluation-frequency "1h" \
--window-size "1h"
Best Practices
- Stagger maintenance windows: Don't patch all servers simultaneously
- Test in non-production first: Apply updates to dev/staging before production
- Enable automatic assessment: Keep update inventory current with daily scans
- Document exclusions: Track why specific updates are excluded and review regularly
- Monitor patch success: Review update history and address failed installations
- Plan for reboots: Schedule maintenance during low-traffic periods
- Use tags for grouping: Organize VMs by update ring (Ring 0, Ring 1, etc.)
- Integrate with change management: Log patching activities in ITSM tools
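Staggered windows and tag-based update rings fit together: each ring gets its own maintenance configuration whose start is offset from the previous ring, with the Step 3 classification sets chosen per OS. The following is an added example, not code from the original article or from Azure; it assumes VMs carry an `update-ring` tag (tag name assumed) and the inventory is constructed.

```python
"""Turn update-ring tags into staggered maintenance configurations.
Added example, not from the original article. It assumes VMs carry an
`update-ring` tag (tag name assumed) and emits one configuration per ring and OS,
each ring starting one day after the previous one, using the recurrence and
extension-properties formats from Step 3. The inventory is constructed."""
from datetime import datetime, timedelta

INVENTORY = [  # constructed; in practice built from `az vm list` output
    {"name": "vm-dev-01", "os": "Linux", "tags": {"update-ring": "ring0"}},
    {"name": "vm-web-01", "os": "Windows", "tags": {"update-ring": "ring1"}},
    {"name": "vm-web-02", "os": "Windows", "tags": {"update-ring": "ring1"}},
    {"name": "vm-db-01", "os": "Linux", "tags": {"update-ring": "ring2"}},
    {"name": "vm-legacy-01", "os": "Windows", "tags": {}},  # untagged: surfaced, never scheduled
]

# Classification sets per OS, as used in the Step 3 configurations
CLASSIFICATIONS = {
    "Windows": ("windowsParameters", ["Critical", "Security", "UpdateRollUp"]),
    "Linux": ("linuxParameters", ["Critical", "Security"]),
}

def group_by_ring(inventory):
    """Return ({ring: {os: [vm names]}}, [untagged vm names])."""
    rings, untagged = {}, []
    for vm in inventory:
        ring = vm["tags"].get("update-ring")
        if ring is None:
            untagged.append(vm["name"])
            continue
        rings.setdefault(ring, {}).setdefault(vm["os"], []).append(vm["name"])
    return rings, untagged

def ring_schedule(rings, first_start, stagger_days=1):
    """Ring N (in sorted order) starts N*stagger_days after first_start ('YYYY-MM-DD HH:MM')."""
    base = datetime.strptime(first_start, "%Y-%m-%d %H:%M")
    plan = []
    for i, ring in enumerate(sorted(rings)):
        start = base + timedelta(days=i * stagger_days)
        for os_name, names in sorted(rings[ring].items()):
            block, classes = CLASSIFICATIONS[os_name]
            plan.append({
                "config": f"mc-{ring}-{os_name.lower()}-weekly",
                "start": start.strftime("%Y-%m-%d %H:%M"),   # --maintenance-window-start-date-time
                "recur": f"Week {start.strftime('%A')}",      # --maintenance-window-recur-every
                "extension_properties": {"InGuestPatchMode": "User",
                                         block: {"classificationsToInclude": classes}},
                "vms": sorted(names),
            })
    return plan
```

Each plan entry maps directly onto one `az maintenance configuration create` call and one `az maintenance assignment create` per listed VM; the untagged list is the set of machines that would otherwise be missed.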
Troubleshooting
Assessment shows no updates but Windows Update shows pending:
- Ensure the VM has connectivity to Windows Update or WSUS
- Verify the Assessment Mode is set to AutomaticByPlatform
- Wait 24 hours for the next assessment cycle
Update installation fails:
- Check VM guest agent is running and current
- Verify sufficient disk space (minimum 2GB free)
- Review Azure activity log for detailed error messages
Maintenance window exceeds duration:
- Increase maintenance window duration
- Reduce number of updates per window
- Check for updates requiring multiple reboots
VMs not appearing in Update Manager:
- Verify VM is in a supported region
- Confirm guest agent is installed and running
- Check VM power state (must be running)
Next Steps
After setting up Update Management, enhance your patching strategy:
- Configure pre/post scripts for application-aware patching
- Implement update rings for staged rollouts
- Enable Microsoft Defender vulnerability scanning for comprehensive coverage
- Review Cloud Security Tips for 2026 for comprehensive cloud security guidance