Update options and orchestration in Azure Update Manager

2025-09-19

Applies to: ✔️ Windows VMs ✔️ Linux VMs ✔️ On-premises environment ✔️ Azure Arc-enabled servers.

Important

For a seamless scheduled patching experience, we recommend that for all Azure virtual machines (VMs), you update the patch orchestration to Customer Managed Schedules.
For Arc-enabled servers, the updates and maintenance options such as Automatic VM Guest patching in Azure, Windows automatic updates and Hotpatching aren't supported.

This article provides an overview of the various update options and orchestration in Azure Update Manager.

Update Options

Automatic VM guest patching

When you enable automatic VM guest patching on your Azure VMs, patching of Security and Critical updates to your VMs will be handled by Azure, and you will not control the timing nor choose which classifications or updates to install.

Automatic VM guest patching has the following characteristics:

Patches classified as Critical or Security are automatically downloaded and applied on the VM.
Patches are applied during off-peak hours for IaaS VMs in the VM's time zone of the datacenter where they are hosted.
Patches are applied during all hours for Azure Virtual Machine Scale Sets Virtual Machine Scale Sets Flexible orchestration.
Patch orchestration is managed by Azure and patches are applied following availability-first principles.
Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.
You can monitor application health through the Application Health Extension.
It works for all VM sizes.

Enable VM property

To enable the VM property, follow these steps:

On the Azure Update Manager home page, go to Update Settings.
Select Patch Orchestration as Azure Managed-Safe Deployment.

Note

We recommend the following:

Obtain an understanding how the Automatic VM guest patching works.
Check the requirements before you enable Automatic VM guest patching.
Check for supported OS images. Learn more

Hotpatching

Hotpatching allows you to install OS security updates on supported Windows Server Datacenter: Azure Edition virtual machines that don't require a reboot after installation. It works by patching the in-memory code of running processes without the need to restart the process. With Hotpatching, reboots will typically be required for the installation of patches on every third month rather than every month.

Following are the features of Hotpatching:

Fewer binaries mean update install faster and consume less disk and CPU resources.
Lower workload impact with fewer reboots.
Better protection, as the hotpatch update packages are scoped to Windows security updates that install faster without rebooting.
Reduces the time exposed to security risks and change windows, and easier patch orchestration with Azure Update Manager

Hotpatching property is available as a setting in Azure Update Manager that you can enable by using Update settings flow. For more information, see Hotpatch for virtual machines and supported platforms.

Windows automatic updates

This mode of patching allows operating system to automatically install updates on Windows VMs as soon as they're available. It uses the VM property that is enabled by setting the patch orchestration to OS orchestrated/Automatic by OS.

Note

Windows automatic updates are not an Azure Update Manager setting, but a Windows-level setting.

Update or Patch orchestration

Azure Update Manager provides the flexibility to either install updates immediately or schedule updates within a defined maintenance window. These settings allow you to orchestrate patching for your virtual machine.

Update Now/One-time update

Azure Update Manager allows you to secure your machines immediately by installing updates on demand. To perform the on-demand updates, see Check and install one time updates

Next steps

To view update assessment and deployment logs generated by Update Manager, see Query logs.
To troubleshoot Azure Update Manager issues, see Troubleshoot issues.