Configure Windows Update settings for Azure Automation Update Management

Important

Automation Update Management has retired on 31 August 2024 and we recommend that you use Azure Update Manager. Follow the guidelines for migration from Automation Update Management to Azure Update Manager.

Azure Automation Update Management relies on the Windows Update client to download and install Windows updates. There are specific settings that are used by the Windows Update client when connecting to Windows Server Update Services (WSUS) or Windows Update. Many of these settings can be managed with:

  • Local Group Policy Editor
  • Group Policy
  • PowerShell
  • Directly editing the Registry

Update Management respects many of the settings specified to control the Windows Update client. If you use settings to enable non-Windows updates, Update Management will also manage those updates. If you want to enable downloading of updates before an update deployment occurs, update deployment can be faster, more efficient, and less likely to exceed the maintenance window.

For other recommendations on setting up WSUS in your Azure subscription and securely keep your Windows virtual machines up to date, review Plan your deployment for updating Windows virtual machines in Azure using WSUS.

Pre-download updates

To configure the automatic downloading of updates without automatically installing them, you can use Group Policy to configure the Automatic Updates setting. There are two recommended values depending on the version of the operating system:

  • Windows Server 2016 and later, set to a value of 7.
  • Windows Server 2012 R2 and earlier, set to a value of 3.

This setting enables downloads of the required updates in the background, and notifies you that the updates are ready to install. In this way, Update Management remains in control of schedules, but allows downloading of updates outside the Update Management maintenance window. Learn more. This behavior prevents Maintenance window exceeded errors in Update Management.

You can enable this setting in PowerShell:

$WUSettings = (New-Object -com "Microsoft.Update.AutoUpdate").Settings
$WUSettings.NotificationLevel = <3 or 7>
$WUSettings.Save()

Configure reboot settings

The registry keys listed in Configuring Automatic Updates by editing the registry and Registry keys used to manage restart can cause your machines to reboot, even if you specify Never Reboot in the Update Deployment settings. Configure these registry keys to best suit your environment.

Enable updates for other Microsoft products

By default, the Windows Update client is configured to provide updates only for Windows. If you enable the Give me updates for other Microsoft products when I update Windows setting, you also receive updates for other products, including security patches for Microsoft SQL Server and other Microsoft software. You can configure this option if you have downloaded and copied the latest Administrative template files available for Windows 2016 and later.

If you have machines running Windows Server 2012 R2, you can't configure this setting through Group Policy. Run the following PowerShell command on these machines:

$ServiceManager = (New-Object -com "Microsoft.Update.ServiceManager")
$ServiceManager.Services
$ServiceID = "7971f918-a847-4430-9279-4a52d1efe18d"
$ServiceManager.AddService2($ServiceId,7,"")

Make WSUS configuration settings

Update Management supports WSUS settings. Learn more. You can specify sources for scanning and downloading updates using instructions in Specify intranet Microsoft Update service location. By default, the Windows Update client is configured to download updates from Windows Update. When you specify a WSUS server as a source for your machines, if the updates aren't approved in WSUS, update deployment fails.

To restrict machines to the internal update service, set Do not connect to any Windows Update Internet locations.

Next steps

Schedule an update deployment by following instructions in Manage updates and patches for your VMs.