Configure updates using Azure Update Manager

Hi there,

One of the most important things when running virtual machines in Azure is making sure that they have the most recent updates installed.

There are a lot of different systems that you can use to install these updates. There is Intune, Azure hotpatching, SCCM or Azure Update Manager.

With Azure Update Manager you have a single pane of glass for your Azure systems, On-premise systems or even another cloud provider to configure, monitor and schedule your patches.

You have the option to install immediately or to create patching schedules. In this blog post I’m going to show how to create a patching schedule and assign it to you virtual machines.

A difference compared to Azure Update Management is that for this solution you don’t need the Log Analytics of Azure Monitor Agent. It’s enough for the VM agent to be provisioned on the virtual machine.

For more info about Azure Update Manager see here

Lets go Azure Update Manager and select Schedule Updates

In the first screen, we need to select a resource group and give the schedule a name. I prefer to put the settings in the name of the schedule. This way you can easily identify the settings.

When selecting “Add a schedule” we can set when the patching window begins and how often it happens. In this example as mentioned in the name it’s the 3rth sunday of each month.

The next part is to create a “Dynamic scope”. 

First we select the correct subscription and than we will use the filter.

Because this is a schedule for Windows, I only select that OS type. The most important setting here is the “tag”. Here I say that each virtual machine that has this specific tag, automatically get’s assigned to this patching schedule. 

This means that you can create Patching Schedule tags for your different environment and workloads making it much easier to manage your patching. The tag also matches the name of the schedule.

In this case it’s a schedule for production, windows servers, monthly schedule, on the 3rth sunday and the server may reboot if required. 

After saving the filter we see that it already discovered my domain controller who has that tag assigned.

The next part is to select the updates that we want to manage with this schedule. Since this is a Windows schedule, I don’t select anything for Linux. For this schedule I select the “Critical updates, Security updates and Updates”

Final step is to add some tags to your schedule.

In Azure Update Manager we have a nice tabbed view on the total machines, machines that have pending updates and we can also see the machines that are not supported by this service. We can see al the schedules that we have created when selecting maintenance configurations

There you go, now we can create multiple schedules for our entire environment. Don’t forget to add the tags to the virtual machines so that they are associated with the schedule. 


  • Johan Vanneuville

    Johan Vanneuville is a Microsoft MVP for Microsoft Enterprise Mobility from Belgium and he is one of the first expert contributors in this community. Make sure to follow him as he guides us in the world of Azure Virtual Desktop, Infrastructure-as-Code and Terraform!

    View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *