Patch at Scale for Azure and Arc-enabled Servers

Complete AZ-104 tutorial on Azure Update Manager. Learn update classifications, maintenance windows, dynamic groups, compliance reporting.

Introduction

Azure Update Manager is a vital service for managing and governing updates across both Azure and Azure Arc-enabled servers. This service enables administrators to maintain compliance and security by automatically or manually applying updates to Windows and Linux virtual machines (VMs), whether they reside in Azure, on-premises, or in other cloud environments. For the AZ-104 exam, understanding Azure Update Manager is crucial, as it encompasses key functionalities like update classifications, maintenance windows, dynamic groups, and compliance reporting.

Effective patch management is essential to ensure the security and performance of your infrastructure. By automating updates, organizations can minimize downtime, reduce operational overhead, and maintain compliance with industry standards. This tutorial will guide you through the core concepts, syntax, and practical use cases of Azure Update Manager, providing you with the knowledge needed to excel in the AZ-104 examination.

Prerequisites

Before diving into Azure Update Manager, ensure you have the following:

  1. Azure Subscription: You need an active Azure subscription to access the Azure portal and use Azure Update Manager.
  2. RBAC/Permissions: Ensure you have the necessary role-based access control (RBAC) permissions, such as Owner or Contributor, to manage updates.
  3. Tools: Familiarity with Azure CLI, PowerShell, and the Azure Portal is essential.
  4. Services Enabled: Ensure Azure Update Manager is enabled and configured in your Azure subscription. Azure Arc must also be set up if managing non-Azure machines.

Core Concepts

Definitions

  • Azure Update Manager: A unified service for managing updates across all machines, including those in Azure and Azure Arc-enabled servers.
  • Update Classifications: Categories such as Critical, Security, and Other that describe the nature of the updates to be applied and let you choose which ones a patch run installs.
  • Maintenance Windows: Pre-defined time frames during which updates are applied to ensure minimal disruption.
  • Dynamic Groups: Mechanisms for grouping machines based on specific criteria to apply updates at scale.
  • Compliance Reporting: The ability to monitor update statuses and ensure that systems are compliant with organizational policies.

Architecture

Azure Update Manager operates by assessing and applying updates through agents installed on each machine. For Azure VMs, this is managed by the Azure VM agent, while Arc-enabled servers use the Azure Arc agent. The architecture supports hybrid environments, allowing for centralized management from the Azure portal.

When to Use

Use Azure Update Manager when:

  • You need to automate updates across a large number of machines.
  • You want to ensure compliance with security policies.
  • You need to minimize downtime during update processes.

Limitations

  • Not all update types may be supported for all operating systems.
  • Certain features may be limited based on the region where Azure services are deployed.

Pricing Notes

Azure Update Manager is generally included within your Azure subscription, but certain features may incur additional costs depending on usage patterns and the number of VMs managed.

Syntax/Configuration

Azure CLI Commands

Here are some core commands for managing updates using Azure CLI:

Command                                        Description
az vm install-patches                          Install updates on a specified VM
az update-manager maintenance-config create    Create a new maintenance configuration for updates
az update-manager dynamic-scope create         Create a dynamic scope for scheduled patching
az update-manager compliance report            Generate compliance reports for the managed machines

PowerShell Commands

PowerShell can also be used for managing updates:

Command                                        Description
Invoke-AzVMInstallPatch                        Installs patches on specified Azure VMs
New-AzUpdateManagerMaintenanceConfiguration    Creates a new maintenance configuration
New-AzUpdateManagerDynamicScope                Creates a dynamic scope for VM scheduling

Azure Portal Steps

  1. Navigate to Azure Update Manager in the Azure Portal.
  2. To create a maintenance configuration, select Machines, then Maintenance configurations and follow the prompts.
  3. For compliance reporting, go to Compliance to view the update status of your VMs.

Practical Examples

Example 1: Install Updates on a Single VM

az vm install-patches -g MyResourceGroup -n MyVM --maximum-duration PT4H --reboot-setting IfRequired --classifications-to-include-win Critical

This command installs Critical-classification updates on the specified Windows VM, rebooting only if an update requires it and allowing the run a maximum duration of 4 hours (ISO 8601 PT4H). The classification flag is OS-specific: use --classifications-to-include-linux for Linux VMs.

Example 2: Create a Maintenance Configuration

az update-manager maintenance-config create --name MyMaintenanceConfig --resource-group MyResourceGroup --frequency Weekly --start-time "2023-09-01T02:00:00Z"

This command creates a maintenance configuration that runs weekly.

Example 3: Check for Updates on Multiple VMs

az vm list --query "[].{Name:name, ResourceGroup:resourceGroup}" -o table

Use this command to list all VMs and their resource groups before checking for updates.

Example 4: Enable Automatic Updates

Set-AzVM -ResourceGroupName 'MyResourceGroup' -Name 'MyVM' -AutomaticUpdatesEnabled $true

This command enables automatic updates for a specified VM.

Example 5: Dynamic Group Creation

az update-manager dynamic-scope create --name MyDynamicScope --resource-group MyResourceGroup --criteria "tag:Environment=Production"

This creates a dynamic scope that groups all machines carrying the tag "Environment=Production".

Example 6: Compliance Reporting

az update-manager compliance report --resource-group MyResourceGroup

This command generates a compliance report for all machines in the specified resource group.

Example 7: Schedule Updates Using Azure Portal

  1. Go to Azure Update Manager.
  2. Select Machines.
  3. Click on Scheduled updates, then create a new maintenance configuration.

Example 8: Hotpatching Configuration

Set-AzUpdateManagerHotpatch -ResourceGroupName 'MyResourceGroup' -VMName 'MyVM' -Enabled $true

This command enables hotpatching to minimize downtime during critical updates.

Real-World Scenarios

Scenario 1: Automating Updates for a Hybrid Environment

You have multiple Azure VMs and on-premises servers connected through Azure Arc. You can create a dynamic group to manage these servers and apply updates during off-peak hours to minimize disruption.

Scenario 2: Compliance Reporting for an Organization

A company needs to ensure all servers are compliant with industry regulations. By using Azure Update Manager, the organization can generate compliance reports and automatically apply security updates.

Scenario 3: Scheduled Updates for Development and Production Environments

You can create separate maintenance configurations for your development and production environments, ensuring that updates are applied appropriately based on the business needs of each environment.

Best Practices

  1. Use Maintenance Windows: Schedule updates during off-peak hours to minimize disruptions.
  2. Regular Compliance Checks: Monitor update compliance regularly to ensure all machines are secure.
  3. Dynamic Grouping: Utilize dynamic groups to automate update processes across multiple machines.
  4. Enable Hotpatching: Where applicable, enable hotpatching to reduce downtime during critical updates.
  5. Leverage Alerts: Set up alerts to notify administrators of update failures or compliance issues.

Common Errors

  1. Error: "ShutdownOrUnresponsive"
    Cause: Machine scheduled for updates was shut down.
    Fix: Ensure machines are powered on before scheduled updates.

  2. Error: "Maintenance window exceeded"
    Cause: Updates could not be completed within the defined maintenance window.
    Fix: Review and adjust maintenance window durations.

  3. Error: "No updates available"
    Cause: No updates meeting the classification criteria were found.
    Fix: Check update classifications and ensure they are set correctly.

  4. Error: "Dynamic group processing error"
    Cause: Issues with the dynamic group rules.
    Fix: Review the membership processing status and correct any rule errors.
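The compliance roll-up described under Compliance Reporting (Example 6) and the failure states listed above, worked through as an added Python example that is not part of this tutorial or of Azure Update Manager itself: it evaluates constructed per-machine patch-status records (field names assumed to follow the instanceView.patchStatus shape of az vm get-instance-view) and states why each machine is non-compliant.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records; field names follow the instanceView.patchStatus shape of
# `az vm get-instance-view` as assumed here. Nothing was captured from a real tenant.
NOW = datetime(2023, 9, 2, 12, 0, tzinfo=timezone.utc)
MACHINES = [
    {"name": "web01", "availablePatchSummary": {
        "status": "Succeeded", "criticalAndSecurityPatchCount": 0, "otherPatchCount": 3,
        "lastModifiedTime": "2023-09-02T03:10:00Z"},
     "lastPatchInstallationSummary": {"status": "Succeeded", "maintenanceWindowExceeded": False}},
    {"name": "db01", "availablePatchSummary": {
        "status": "Succeeded", "criticalAndSecurityPatchCount": 2, "otherPatchCount": 0,
        "lastModifiedTime": "2023-09-02T03:12:00Z"},
     "lastPatchInstallationSummary": {"status": "Failed", "maintenanceWindowExceeded": True}},
    {"name": "arc-onprem01", "availablePatchSummary": {
        "status": "Succeeded", "criticalAndSecurityPatchCount": 0, "otherPatchCount": 0,
        "lastModifiedTime": "2023-08-20T03:00:00Z"},
     "lastPatchInstallationSummary": {"status": "Succeeded", "maintenanceWindowExceeded": False}},
    {"name": "batch02", "availablePatchSummary": {
        "status": "Failed", "criticalAndSecurityPatchCount": 0, "otherPatchCount": 0,
        "lastModifiedTime": "2023-09-02T03:00:00Z"},
     "lastPatchInstallationSummary": {"status": "Failed", "maintenanceWindowExceeded": False,
                                      "error": {"code": "ShutdownOrUnresponsive"}}},
]

def evaluate(machine, now=NOW, max_assessment_age=timedelta(days=7)):
    """Return (verdict, reasons). Compliant means: a recent successful assessment, no missing
    Critical/Security updates ("Other" is tolerated, a policy choice made here), no failed install."""
    avail = machine.get("availablePatchSummary", {})
    last = machine.get("lastPatchInstallationSummary", {})
    reasons = []
    if avail.get("status") != "Succeeded":
        reasons.append("assessment did not succeed")
    else:
        assessed = datetime.fromisoformat(avail["lastModifiedTime"].replace("Z", "+00:00"))
        if now - assessed > max_assessment_age:
            reasons.append(f"assessment stale ({(now - assessed).days} days old)")
        if avail.get("criticalAndSecurityPatchCount", 0) > 0:
            reasons.append(f"{avail['criticalAndSecurityPatchCount']} Critical/Security update(s) missing")
    if last.get("status") == "Failed":
        if last.get("maintenanceWindowExceeded"):
            reasons.append("maintenance window exceeded")  # the "Maintenance window exceeded" case above
        else:
            reasons.append(f"last installation failed ({last.get('error', {}).get('code', 'unknown')})")
    return ("Compliant" if not reasons else "NonCompliant"), reasons

def report(machines=MACHINES, now=NOW):
    """Map machine name -> (verdict, reasons): the roll-up the portal's Compliance view presents."""
    return {m["name"]: evaluate(m, now) for m in machines}
```

A stale assessment is flagged separately from missing updates because a machine that has not been assessed recently cannot be called compliant on the strength of an old zero count.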

Related Services/Commands

Service/Command      Description
Azure Automation     Automate update processes without manual intervention.
Azure Monitor        Monitor the performance and health of updates.
Azure Policy         Enforce compliance policies across resources.

Automation Script

Here's a sample PowerShell script to automate the update process for Azure VMs:

# Automate Updates for Azure VMs
$resourceGroupName = "MyResourceGroup"
$vms = Get-AzVM -ResourceGroupName $resourceGroupName

foreach ($vm in $vms) {
    # Invoke-AzVMInstallPatch needs the OS-specific switch (-Windows or -Linux) and a
    # mandatory -MaximumDuration (ISO 8601) that bounds how long the patch run may take.
    $osParams = if ($vm.StorageProfile.OsDisk.OsType -eq 'Windows') { @{ Windows = $true } } else { @{ Linux = $true } }
    Invoke-AzVMInstallPatch -ResourceGroupName $resourceGroupName -VMName $vm.Name @osParams `
        -MaximumDuration 'PT2H' -RebootSetting 'IfRequired'
    Write-Host "Updates applied to $($vm.Name)"
}

Conclusion

This tutorial provided an in-depth overview of Azure Update Manager, its core concepts, practical examples, and best practices to effectively manage updates at scale for Azure and Arc-enabled servers. For further learning, consider exploring Microsoft Learn resources and hands-on labs specific to Azure Update Manager and patch management.