Azure Update Manager (AUM) uses the native Windows Update client to manage patching. However, the behavior differs depending on whether the machine is an Azure VM or an Azure Arc-enabled server. This guide outlines how to configure update settings, what AUM modifies, and how to avoid conflicts with Group Policy.
Key Differences: Azure VMs vs. Arc Machines
| Feature | Azure VMs | Azure Arc Machines |
|---|---|---|
| Patch orchestration | Azure-orchestrated or OS-orchestrated | OS-orchestrated only |
| Registry changes by AUM | Yes (when Azure-orchestrated) | No (AUM does not modify the registry) |
| Group Policy interaction | Can override AUM settings | Fully controls update behavior |
| WSUS support | Supported | Supported |
| Pre-download support | Not supported | Not supported |
What AUM Configures Automatically (Azure VMs Only)
When Azure-orchestrated patching is enabled on an Azure VM, AUM may configure the following registry keys:
Registry Keys Modified by AUM
| Registry Path | Key | Purpose |
|---|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU | AUOptions | Sets automatic update behavior |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update | RebootRequired | Tracks reboot status |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services | ServiceID | Registers the Microsoft Update service |
These changes are applied only when the VM is configured for Azure-orchestrated patching (AutomaticByPlatform = Azure-Orchestrated). Arc machines are not affected.
Group Policy Conflicts
Group Policy can override or conflict with AUM settings. This is especially important for:
- Automatic Updates: If Group Policy enforces a different AUOptions value, AUM might not be able to control update timing.
- Reboot Behavior: Even if AUM is set to "Never Reboot", Group Policy or registry keys can still trigger reboots.
- Microsoft Update Source: Group Policy might restrict updates to WSUS or block Microsoft Update, which can cause AUM deployments to fail.
Best Practice
If you use Group Policy:
- Ensure it aligns with AUM's intended behavior.
- Avoid setting conflicting values in Configure Automatic Updates or No auto-restart with logged on users.
How to Enable Microsoft Updates
To receive updates for products like SQL Server or Office:
For Azure VMs (Azure-orchestrated patching)
Run this PowerShell script:
```powershell
# Register the Microsoft Update service with the Windows Update agent so that
# updates for other Microsoft products (for example SQL Server or Office) are offered.
$ServiceManager = New-Object -ComObject "Microsoft.Update.ServiceManager"
# Well-known ServiceID of Microsoft Update
$ServiceID = "7971f918-a847-4430-9279-4a52d1efe18d"
# Flags value 7 = AllowPendingRegistration | AllowOnlineRegistration | RegisterServiceWithAU
$ServiceManager.AddService2($ServiceID, 7, "")
```
For Arc Machines or OS-orchestrated VMs
Use Group Policy:
- Go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience
- Enable Install updates for other Microsoft products
WSUS Configuration
AUM supports WSUS. To configure:
- Use Group Policy to set the WSUS server location.
- Ensure updates are approved in WSUS, or AUM deployments will fail.
- To restrict internet access, enable Do not connect to any Windows Update Internet locations.
Verify Patch Source
Check these registry keys to confirm the update source:
- HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services
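The following audit script is an added example and is not part of the Azure Update Manager documentation or product. It reads the policy and client registry keys listed above, reports the effective patch source (WSUS, Microsoft Update, or Windows Update), and flags the Group Policy settings described in the Group Policy Conflicts section that can override AUM (an enforced AUOptions value, NoAutoUpdate, a policy-set NoAutoRebootWithLoggedOnUsers, or a missing Microsoft Update registration). The value names WUServer, UseWUServer, NoAutoUpdate, NoAutoRebootWithLoggedOnUsers, DoNotConnectToWindowsUpdateInternetLocations and AllowMUUpdateService are the standard Windows Update policy values and are not named on the page; the script also assumes that a registered service appears under the Services key as a subkey named after its ServiceID, and confirms registration through the Microsoft.Update.ServiceManager COM object, which is authoritative. Run it in an elevated PowerShell session on the VM or Arc-enabled server.

```powershell
# Added audit script (not the product's own code). Reads the keys the page names and
# reports the effective patch source plus policy settings that commonly conflict with AUM.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$PolicyAU   = Join-Path $PolicyRoot 'AU'
$ClientSvc  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services'
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of raising an error.
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-WindowsUpdateAudit {
    # Policy values (standard Windows Update policy value names; not listed on the page)
    $wsusServer       = Get-RegValue $PolicyRoot 'WUServer'
    $useWsus          = Get-RegValue $PolicyAU   'UseWUServer'
    $auOptions        = Get-RegValue $PolicyAU   'AUOptions'
    $noAutoUpdate     = Get-RegValue $PolicyAU   'NoAutoUpdate'
    $noRebootLoggedOn = Get-RegValue $PolicyAU   'NoAutoRebootWithLoggedOnUsers'
    $blockInternet    = Get-RegValue $PolicyRoot 'DoNotConnectToWindowsUpdateInternetLocations'
    $allowMU          = Get-RegValue $PolicyAU   'AllowMUUpdateService'

    # Microsoft Update registration as seen by the Windows Update agent itself.
    $serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $muService = $serviceManager.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
    $muRegistered = ($null -ne $muService) -and [bool]$muService.IsRegisteredWithAU

    # Assumption: a registered service is also present as a subkey named after its ServiceID.
    $muKeyPresent = Test-Path (Join-Path $ClientSvc $MicrosoftUpdateServiceId)

    # Effective source: WSUS wins when the policy points the client at a WSUS server.
    $source = if ($useWsus -eq 1 -and $wsusServer) { "WSUS ($wsusServer)" }
              elseif ($muRegistered)               { 'Microsoft Update' }
              else                                 { 'Windows Update' }

    $findings = New-Object 'System.Collections.Generic.List[string]'
    if ($null -ne $auOptions) {
        $findings.Add("Group Policy enforces AUOptions=$auOptions; AUM may not control update timing on an Azure-orchestrated VM.")
    }
    if ($noAutoUpdate -eq 1) {
        $findings.Add('NoAutoUpdate=1 disables Automatic Updates by policy.')
    }
    if ($useWsus -eq 1 -and -not $wsusServer) {
        $findings.Add('UseWUServer=1 but WUServer is empty; the client has no valid WSUS target.')
    }
    if ($null -ne $noRebootLoggedOn) {
        $findings.Add("NoAutoRebootWithLoggedOnUsers=$noRebootLoggedOn is set by policy and can override AUM reboot settings.")
    }
    if (-not $muRegistered -and $allowMU -ne 1) {
        $findings.Add('Microsoft Update is not registered; updates for other Microsoft products will not be offered.')
    }

    [pscustomobject]@{
        PatchSource                      = $source
        WsusServer                       = $wsusServer
        AUOptions                        = $auOptions
        NoAutoUpdate                     = $noAutoUpdate
        NoAutoRebootWithLoggedOnUsers    = $noRebootLoggedOn
        BlocksInternetUpdateLocations    = ($blockInternet -eq 1)
        MicrosoftUpdateRegistered        = $muRegistered
        MicrosoftUpdateServiceKeyPresent = $muKeyPresent
        Findings                         = $findings
    }
}

Get-WindowsUpdateAudit | Format-List
```

An empty Findings list together with the expected PatchSource is the state to aim for before scheduling an AUM deployment; on an Azure-orchestrated VM, any policy-set AUOptions or reboot value in the list is the conflict the Group Policy Conflicts section warns about, and on an Arc machine the same output shows which Group Policy settings are actually controlling the client.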
Not Supported
- Pre-download of updates is not supported by AUM.
- To change the patch source (for example, from WSUS to Microsoft Update), use Windows settings or Group Policy. Do not use AUM for this configuration.
Next Steps
After configuring your update settings, proceed to Deploy updates using Azure Update Manager.