Update options and orchestration in Azure Update Manager

Applies to: ✔️ Windows VMs ✔️ Linux VMs ✔️ On-premises environment ✔️ Azure Arc-enabled servers.

Important

  • For a seamless scheduled patching experience, we recommend that for all Azure virtual machines (VMs), you update the patch orchestration to Customer Managed Schedules.
  • For Arc-enabled servers, the updates and maintenance options such as Automatic VM Guest patching in Azure, Windows automatic updates and Hotpatching aren't supported.

This article provides an overview of the various update options and orchestration in Azure Update Manager.

Update Options

Automatic OS image upgrade

When you enable the automatic OS image upgrades on your Azure Virtual Machine Scale Set, it helps ease update management by safely and automatically upgrade the OS disk for all instances in the scale set.

Automatic OS upgrade has the following characteristics:

  • After you configure, the latest OS image published by the image publishers is automatically applied to the scale set without any user intervention.
  • It upgrades batches of instances in a rolling manner every time a new image is published by the publisher.
  • Integrates with application health probes and Application Health extension.
  • Works for all VM sizes, for both Windows and Linux images including the custom images through the Azure Compute Gallery.
  • Flexibility to opt out of automatic upgrades at any time. (OS upgrades can be initiated manually as well).
  • The OS Disk of a VM is replaced with the new OS Disk created with the latest image version. Configured extensions and custom data scripts are run while persisted data disks are retained.
  • Supports Extension sequencing.
  • You can enable on a scale set of any size.

Note

We recommend that you check on the following:

  • Requirements before you enable automatic OS image upgrades
  • Supported OS images
  • Requirements to support custom images. Learn more

Automatic VM guest patching

When you enable automatic VM guest patching on your Azure VMs, patching of Security and Critical updates to your VMs will be handled by Azure, and you will not control the timing nor choose which classifications or updates to install.

Automatic VM guest patching has the following characteristics:

  • Patches classified as Critical or Security are automatically downloaded and applied on the VM.
  • Patches are applied during off-peak hours for IaaS VMs in the VM's time zone of the datacenter where they are hosted.
  • Patches are applied during all hours for Azure Virtual Machine Scale Sets Virtual Machine Scale Sets Flexible orchestration.
  • Patch orchestration is managed by Azure and patches are applied following availability-first principles.
  • Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.
  • You can monitor application health through the Application Health Extension.
  • It works for all VM sizes.

Enable VM property

To enable the VM property, follow these steps:

  1. On the Azure Update Manager home page, go to Update Settings.
  2. Select Patch Orchestration as Azure Managed-Safe Deployment.

Note

We recommend the following:

  • Obtain an understanding how the Automatic VM guest patching works.
  • Check the requirements before you enable Automatic VM guest patching.
  • Check for supported OS images. Learn more

Hotpatching

Hotpatching allows you to install OS security updates on supported Windows Server Datacenter: Azure Edition virtual machines that don't require a reboot after installation. It works by patching the in-memory code of running processes without the need to restart the process. With Hotpatching, reboots will typically be required for the installation of patches on every third month rather than every month.

Following are the features of Hotpatching:

  • Fewer binaries mean update install faster and consume less disk and CPU resources.
  • Lower workload impact with fewer reboots.
  • Better protection, as the hotpatch update packages are scoped to Windows security updates that install faster without rebooting.
  • Reduces the time exposed to security risks and change windows, and easier patch orchestration with Azure Update Manager

Screenshot that shows the Hotpatch option.

Hotpatching property is available as a setting in Azure Update Manager that you can enable by using Update settings flow. For more information, see Hotpatch for virtual machines and supported platforms.

Windows automatic updates

This mode of patching allows operating system to automatically install updates on Windows VMs as soon as they're available. It uses the VM property that is enabled by setting the patch orchestration to OS orchestrated/Automatic by OS.

Note

  • Windows automatic updates are not an Azure Update Manager setting, but a Windows-level setting.

Update or Patch orchestration

Azure Update Manager provides the flexibility to either install updates immediately or schedule updates within a defined maintenance window. These settings allow you to orchestrate patching for your virtual machine.

Update Now/One-time update

Azure Update Manager allows you to secure your machines immediately by installing updates on demand. To perform the on-demand updates, see Check and install one time updates

Next steps

  • To view update assessment and deployment logs generated by Update Manager, see Query logs.
  • To troubleshoot Azure Update Manager issues, see Troubleshoot issues.