Configuring Unified Patch Management for Azure Arc and Azure Virtual Machines

In my article Simplifying Hybrid Server Management with Azure Arc, I covered the key benefits of using Azure Arc in hybrid environments. One of the practical advantages I highlighted was the ability to manage patching for on-premises servers using Azure Update Manager. In this article, I’ll walk you through how to configure patch management not only for servers connected via Azure Arc, but also for native Azure virtual machines, using the same tooling and a unified approach.

To configure patching with Azure Update Manager, you first need to create a Maintenance Configuration. To do this, navigate to Maintenance configurations in the Azure portal and select Create.

During the creation process, you’ll need to specify several basic settings, including the subscription, resource group, configuration name, and region. While these options are straightforward, the choices you make in the next steps are critical for how patching will be applied.

One of the most important sections is Maintenance scope, where you define what type of resources the configuration applies to. The available options include:

  • Host – updates applied to isolated VMs, VMSS instances, or Azure Dedicated Hosts
  • OS image – operating system updates for Virtual Machine Scale Sets
  • Guest – guest OS updates for Azure VMs and Azure Arc–enabled servers, including both Windows and Linux
  • Resource – updates for platform resources such as network gateways and network security components

For patching operating systems on both Azure VMs and Arc-enabled servers, the Guest scope is the appropriate choice.

Next, you can configure reboot behavior. In most scenarios, selecting Reboot if required is recommended, ensuring that any required reboot takes place within the maintenance window. In specific cases — such as application-sensitive workloads or environments with strict operational constraints — you may choose Never reboot, allowing application owners to control reboot timing manually.

Another key element is the schedule. Here you define when patching starts, how long the maintenance window lasts, and whether the configuration runs once or on a recurring basis. Properly sizing the maintenance window is essential to allow enough time for update installation and any required reboots.

Once the schedule is defined, you can assign resources to the maintenance configuration. If you want the configuration to apply broadly, you can use Dynamic scopes instead of assigning individual resources. Dynamic scopes allow you to target specific resource types — such as Azure Arc servers or native Azure VMs — and further refine the scope using tags.

This step is particularly important, as tags become the foundation of your patching strategy. By tagging virtual machines appropriately, you can logically separate environments (for example, production, non-production, or test) and organize patching campaigns in a more structured, controlled, and efficient way.

In the next step, you can define update classifications, such as critical updates, security updates, update rollups, or specific KB IDs and packages. In most organizations, these settings are aligned with security policies and are typically defined in collaboration with the Security or Compliance teams.

Azure Update Manager also allows you to configure maintenance events, including pre-events and post-events. Pre-events run before the maintenance window begins, while post-events run after updates are installed. Post-events may be executed within the maintenance window if time remains, or after the window has ended if the update process runs longer than expected. To ensure pre-events execute reliably, it’s recommended to allocate at least 40 minutes before the scheduled maintenance start time. Common use cases include sending notifications ahead of maintenance or running custom scripts before and after patching.

Finally, once the maintenance configuration is created, you should ensure that the appropriate tags are assigned to your Azure Arc–enabled servers and Azure virtual machines. This ensures that resources are correctly picked up by the dynamic scope and included in the patching process.
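The portal steps above, as an added PowerShell example that is not from the original post: it creates a Guest-scope maintenance configuration with Reboot if required, a recurring window and Critical/Security classifications, tags one Arc-enabled server and one Azure VM with a constructed patchGroup tag, and then creates the dynamic scope that selects both resource types by that tag. It assumes the Az.Accounts, Az.Maintenance and Az.Resources modules; the subscription id, resource group, machine names and tag values are placeholders.

```powershell
# Added example, not from the original post. Assumes Az.Accounts, Az.Maintenance and
# Az.Resources are installed and Connect-AzAccount has already been run.
# Placeholder values: replace with your own subscription, resource group and names.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$rg             = "rg-patching"
$location       = "westeurope"
$configName     = "mc-prod-monthly"
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Maintenance configuration: Guest scope (InGuestPatch), reboot only if required,
#    a 3-hour window on the third Sunday of each month, Critical + Security updates.
#    InGuestPatchMode=User means this schedule, not the platform, decides when
#    patches are installed.
$config = New-AzMaintenanceConfiguration `
    -ResourceGroupName $rg -Name $configName -Location $location `
    -MaintenanceScope "InGuestPatch" `
    -StartDateTime "2025-01-19 02:00" -Timezone "W. Europe Standard Time" `
    -Duration "03:00" -RecurEvery "Month Third Sunday" `
    -InstallPatchRebootSetting "IfRequired" `
    -WindowParameterClassificationToInclude @("Critical", "Security") `
    -LinuxParameterClassificationToInclude  @("Critical", "Security") `
    -ExtensionProperty @{ "InGuestPatchMode" = "User" }

# 2. Tag the machines the schedule should cover (one Arc server, one Azure VM).
#    -Operation Merge keeps any tags the resources already carry.
$targets = @(
    "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.HybridCompute/machines/onprem-app01",
    "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/az-app01"
)
foreach ($id in $targets) {
    Update-AzTag -ResourceId $id -Tag @{ "patchGroup" = "prod" } -Operation Merge | Out-Null
}

# 3. Dynamic scope: every Arc-enabled server and Azure VM in the subscription that
#    carries patchGroup=prod, Windows or Linux, is picked up automatically, so new
#    machines join the campaign by being tagged rather than assigned one by one.
New-AzConfigurationAssignment `
    -ResourceGroupName $rg -ProviderName "Microsoft.Maintenance" `
    -ResourceType "maintenanceConfigurations" -ResourceName $configName `
    -ConfigurationAssignmentName "$configName-dynamic" `
    -MaintenanceConfigurationId $config.Id -Location $location `
    -FilterOperator "All" `
    -FilterResourceType @("Microsoft.HybridCompute/machines", "Microsoft.Compute/virtualMachines") `
    -FilterOsType @("Windows", "Linux") `
    -FilterTag '{"patchGroup": ["prod"]}' -FilterTagOperator "Any"
```

One prerequisite the portal prompts for when you attach resources: each VM or Arc machine must have its patch orchestration set to Customer Managed Schedules, otherwise the schedule is created but that machine is not patched by it.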

By combining Azure Update Manager with Azure Arc, you can implement a consistent patching strategy across hybrid and cloud-native environments. This approach simplifies operations, improves visibility, and allows teams to manage patching at scale using a single set of tools and processes — regardless of where the VMs are running.


I’m Pati

Welcome to my corner of the internet dedicated to Microsoft Azure. Here, I invite you to join me on a journey into technology — exploring cloud services, sharing practical tips, and uncovering how Azure shapes the way we work and build solutions. Whether you’re just starting your cloud adventure or already deep into the Azure universe, this space is all about learning, inspiration, and growing together.
