Azure Update Manager frequently asked questions
This FAQ is a list of commonly asked questions about Azure Update Manager. If you have any other questions about its capabilities, go to the discussion forum and post your questions. When a question is frequently asked, we add it to this article so that it's found quickly and easily.
Azure Update Manager provides a SaaS solution to manage and govern software updates to Windows and Linux machines across Azure, on-premises, and multicloud environments. Following are the benefits of using Azure Update Manager:
- Oversee update compliance for your entire fleet of machines in Azure (Azure VMs), on premises, and multicloud environments (Arc-enabled Servers).
- View and deploy pending updates to secure your machines instantly.
- Manage extended security updates (ESUs) for your Azure Arc-enabled Windows Server 2012/2012 R2 machines. Get a consistent experience for deployment of ESUs and other updates.
- Define recurring time windows during which your machines receive updates and might undergo reboots using scheduled patching. Enforce machines grouped together based on standard Azure constructs (Subscriptions, Location, Resource Group, Tags etc.) to have common patch schedules using dynamic scoping. Sync patch schedules for Windows machines in relation to patch Tuesday, the unofficial term for month.
- Enable incremental rollout of updates to Azure VMs in off-peak hours using automatic VM guest patching and reduce reboots by enabling hotpatching.
- Automatically assess machines for pending updates every 24 hours, and flag machines that are out of compliance. Enforce enabling periodic assessments on multiple machines at scale using Azure Policy.
- Create custom reports for deeper understanding of the updates data of the environment.
- Granular access management to Azure resources with Azure roles and identity, to control who can perform update operations and edit schedules.
Whenever you trigger any Azure Update Manager operation on your machine, it pushes an extension to the machine that interacts with the VM agent (for Azure machines) or the Arc agent (for Arc-enabled machines) to fetch and install updates.
Yes, machines that aren't running on Azure must be enabled for Arc, for management using Update Manager.
No, it's a native capability on a virtual machine.
All Azure Update Manager data is stored in Azure Resource Graph (ARG). Custom reports can be generated on the updates data for deeper understanding and patterns using Azure Workbooks.
Yes, Azure Update Manager supports REST API, CLI and PowerShell for Azure machines and Arc-enabled machines.
No, it's a native capability on a virtual machine and doesn't rely on either MMA or AMA.
For more information, see Azure Update Manager OS support.
Automation Update Management didn't provide support for patching Windows 10 and 11. The same is true for Azure Update Manager. We recommend that you use Microsoft Intune as the solution for keeping Windows 10 and 11 devices up to date.
Follow the guidance to move from Automation Update Management to Azure Update Manager.
LA agent (also known as MMA) is retiring and will be replaced with AMA. Is it necessary to move to Update Manager or can I continue to use Automation Update Management with AMA?
The Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), will be retired in August 2024. The Azure Automation Update Management solution relies on this agent and might encounter issues once the agent is retired. It doesn't work with Azure Monitoring Agent (AMA) either.
Therefore, if you're using the Azure Automation Update Management solution, you're encouraged to move to Azure Update Manager for your software update needs. All capabilities of the Azure Automation Update Management solution will be available on Azure Update Manager before the retirement date. Follow the guidance to move update management for your machines to Azure Update Manager.
Yes. Automation Update Management isn't compatible with AMA. We recommend that you move the machine to Azure Update Manager before removing MMA from the machine. Update Manager doesn't rely on either MMA or AMA.
Automation Update Management uses Log Analytics workspace for storing updates data. Azure Update Manager uses Azure Resource Graph for data storage. You can continue using the historical data in Log Analytics workspace for old data and use Azure Resource Graph for new data.
You can rebuild custom dashboards/reports on updates data from Azure Resource Graph (ARG). For more information, see how to query ARG data and sample queries. There are a few built-in workbooks that you can modify as per your needs to get started. For more information, see how to create reports using workbooks.
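A sample Resource Graph query for the kind of custom report described above, added here as an illustration and not taken from the original article. The `patchassessmentresources` table, the resource types and the `properties` field names do not appear on this page; they are assumed from the Azure Resource Graph schema for Update Manager and should be confirmed in Resource Graph Explorer before the query is used in a workbook.

```kusto
// Added example: machines whose latest successful assessment still shows
// pending critical or security updates, worst first.
// Assumption: table, type and property names follow the ARG schema for
// Update Manager assessment results; verify them in your tenant.
patchassessmentresources
| where type in~ (
    "microsoft.compute/virtualmachines/patchassessmentresults",
    "microsoft.hybridcompute/machines/patchassessmentresults")
// Ignore assessments that failed or are still running.
| where properties.status =~ "Succeeded"
// The record id is the machine id plus a "/patchAssessmentResults/..." suffix.
| extend machineId = tostring(split(tolower(id), "/patchassessmentresults")[0])
| extend counts = properties.availablePatchCountByClassification
| extend criticalCount = toint(counts.critical),
         securityCount = toint(counts.security)
| where criticalCount > 0 or securityCount > 0
| project
    machineId,
    subscriptionId,
    resourceGroup,
    osType        = tostring(properties.osType),
    criticalCount,
    securityCount,
    rebootPending = tobool(properties.rebootPending),
    lastAssessed  = todatetime(properties.lastModifiedDateTime)
// Stale assessments sort to the bottom within the same severity counts.
| order by criticalCount desc, securityCount desc, lastAssessed desc
```

Because the first filter covers both Azure VMs and Arc-enabled servers, the result is a single compliance view across the two machine types this FAQ describes.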
I have been using saved searches in Automation Update Management for schedules. How do I migrate to Azure Update Manager?
Arc-enabling of machines is a prerequisite for management with Update Manager. To move the saved searches, you can Arc-enable the machines and then use the dynamic scoping feature to define the same scope of machines.
If I have been using pre and post-script or alerting capability in Automation Update management, how can I move to Azure Update Manager?
These capabilities will be added to Azure Update Manager. For more information, see guidance for moving from Automation Update management to Azure Update Manager.
I'm using Automation Update Management on sovereign clouds; will I get region support in the new Azure Update Manager?
Yes, you can, as Azure Update Manager is available in sovereign clouds.
Azure Update Manager is available at no extra charge for managing Azure VMs and Arc-enabled Azure Local VMs (must be created through Arc Resource Bridge on Azure Local). For all other Arc-enabled Servers, the price is $5 per server per month (assuming 31 days of usage).
For Arc-enabled servers, Azure Update Manager is charged $5/server/month (assuming 31 days of connected usage). It's charged at a daily prorated value of $0.16/server/day. An Arc-enabled machine would only be charged for the days when it's connected and managed by Azure Update Manager.
An Arc-enabled server is considered managed by Azure Update Manager for days on which the machine fulfills both the following conditions:
- Connected status for Arc at any time during the day.
- An update operation (patched on demand or through a scheduled job, assessed on demand or through periodic assessment) is triggered on it, or it's associated with a schedule.
An Arc-enabled server managed with Azure Update Manager is not charged in the following scenarios:
- If the machine is enabled for delivery of Extended Security Updates (ESUs) enabled by Azure Arc.
- Microsoft Defender for Servers Plan 2 is enabled for the subscription hosting the Arc-enabled server. However, if the customer is using Defender through a security connector, they will be charged.
Customers will not be charged for already existing Arc-enabled servers that were using Automation Update Management for free as of Sep 1, 2023. Any new Arc-enabled machines that are onboarded to Azure Update Manager in the same subscription will also be exempted from charge. This exception will be provided until the LA agent retires. After that date, these customers will be charged.
I'm a Defender for Server customer and use update recommendations powered by Azure Update Manager namely "periodic assessment should be enabled on your machines" and "system updates should be installed on your machines". Would I be charged for Azure Update Manager?
If you have purchased Defender for Servers Plan 2, then you won't have to pay to remediate the unhealthy resources for the above two recommendations. But if you're using any other Defender for Servers plan for your Arc machines, then you would be charged for those machines at the daily prorated $0.16/server by Azure Update Manager.
Azure Update Manager is not charged for:
- Management of Azure Local instance(s) via Azure Local and Azure Update Manager on Azure Local
- Arc-enabled Azure Local VMs created via the Arc Resource Bridge. For example Machine-Azure Arc (Azure Local) resource.
All other resources, including but not limited to the following, will be charged.
- Management of individual Azure Local machines. For example, Machine - Azure Arc resource or Azure Update Manager - Machines.
- All VMs on Azure Local that are not created by Arc resource bridge - VMs projected as Arc-enabled servers and/or VMs on Azure Local managed by Azure Arc-enabled SCVMM.
Azure Update Manager doesn't currently support Azure Lighthouse integration.
Yes, Azure Update Manager supports update features via policies. For more information, see how to enable periodic assessment at scale using policy and how to enable schedules on your machines at scale using Azure Policy.
I have machines across multiple subscriptions in Automation Update Management. Is this scenario supported in Azure Update Manager?
Yes, Azure Update Manager supports multi-subscription scenarios.
Customers can follow this guide to move update configurations from SCCM to Azure Update Manager.
By default, Azure Update Manager relies on Windows Update (WU) client running on your machine to fetch updates. You can configure WU client to fetch updates from Microsoft Update/WSUS repository and manage patch schedules using Azure Update Manager.
Similarly for Linux, you can fetch updates by pointing your machine to a public repository or clone a private repository that regularly pulls updates from the upstream.
Azure Update Manager honors machine settings and installs updates accordingly.
Azure Update Manager doesn't move or store customer data out of the region it's deployed in.