Patch orchestration setting "Image default" for Linux VM

Azuretech 90 Reputation points
2023-10-31T13:42:48.65+00:00

I am patching a Linux VM once a month using Update Management Center (New) and using the "one time patch" option, as per our requirement.

I don't want any auto update on the server, as we have a monthly activity to do the same.

The current update patch orchestration setting is "Image Default". As per my understanding, the VM will get the required patches through Update Management Center (New).

Will this be sufficient for the VM, or do we need to opt for the other option, "Azure Managed - Safe deployment"? I tried using the "Azure Managed - Safe deployment" setting, but updates are getting applied frequently, which I want to avoid. Are there any restrictions with the "Image Default" option regarding updates?

Azure Update Manager

1 answer

  1. SwathiDhanwada-MSFT 18,556 Reputation points
    2023-11-01T09:22:58.05+00:00

    Azuretech Thanks for your question. If you are using the "Image Default" patch orchestration setting in Azure Update Manager, your Linux VMs will receive patches through the Azure Update Manager as per your monthly activity. The "Image Default" setting means that the VMs will receive patches according to the default patching configuration of the image that the VM is based on. Please note that the "Image Default" setting does not restrict updates from being applied automatically if you have configured automatic patching in your VMs. If you want to avoid automatic updates, you should disable automatic updates in your VMs.

    The "Azure Managed - Safe Deployment" setting is designed to provide additional control and safety measures when applying patches to your VMs. This setting allows you to specify a percentage of VMs to update at a time and includes pre- and post-update checks to ensure that the update process is successful. However, if you do not want frequent updates and want to control the patching process manually, the "Image Default" setting should be sufficient for your needs.

    For your reference, here are the different patch orchestration options provided within Azure Update Manager.

    • Customer Managed Schedules - enables schedule patching on your existing VMs. The new patch orchestration option enables the two VM properties - Patch mode = Azure-orchestrated and BypassPlatformSafetyChecksOnUserSchedule = TRUE on your behalf after receiving your consent.
    • Azure Managed - Safe Deployment - for a group of virtual machines undergoing an update, the Azure platform will orchestrate updates (not applicable for Arc-enabled server). The VM is set to automatic VM guest patching (i.e., the patch mode is AutomaticByPlatform). There are different implications depending on whether a customer schedule is attached to it or not. For more information, see the user scenarios.
    • Available Critical and Security patches are downloaded and applied automatically on the Azure VM using automatic VM guest patching. This process kicks off automatically every month when new patches are released. Patch assessment and installation are automatic, and the process includes rebooting the VM as required.
    • Windows Automatic Updates (AutomaticByOS) - When the workload running on the VM doesn't have to meet availability targets, the operating system updates are automatically downloaded and installed. Machines are rebooted as needed.
    • Manual updates - This mode disables Windows automatic updates on VMs. Patches are installed manually or using a different solution.
    • Image Default - Only supported for Linux Virtual Machines, this mode uses the default patching configuration in the image used to create the VM.
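
To act on the answer's advice about disabling automatic updates inside the VM, the script below checks whether unattended upgrades are switched on in the guest. It is an added example, not part of the original thread or of Azure tooling. It assumes a Debian/Ubuntu image configured through APT::Periodic settings; the sample config and the override file name `99-no-auto-upgrades` are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a Debian/Ubuntu image, where
# in-guest automatic updates are driven by APT::Periodic settings.

# last_periodic_value KEY [DIR]: print the last value assigned to
# APT::Periodic::KEY across DIR/*. Files are read in lexical order, so a later
# file overrides an earlier one. Simplification: only the one-line form
# 'APT::Periodic::KEY "value";' is parsed; // and # comment lines are skipped.
last_periodic_value() {
    key=$1
    dir=${2:-/etc/apt/apt.conf.d}
    value=""
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        v=$(sed -n -e '/^[[:space:]]*\/\//d' -e '/^[[:space:]]*#/d' \
            -e "s/^[[:space:]]*APT::Periodic::$key[[:space:]][[:space:]]*\"\([^\"]*\)\";.*/\1/p" \
            "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# auto_update_state [DIR]: "enabled" if unattended upgrades will run in the
# guest, "disabled" if the setting is absent or "0".
auto_update_state() {
    case $(last_periodic_value Unattended-Upgrade "$1") in
        ""|0) echo disabled ;;
        *)    echo enabled ;;
    esac
}

# make_sample_dir: constructed sample config standing in for /etc/apt/apt.conf.d
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                  'APT::Periodic::Unattended-Upgrade "1";' > "$d/20auto-upgrades"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "image default config:  $(auto_update_state "$sample")"
# Override file (hypothetical name) that turns in-guest auto updates off.
printf '%s\n' 'APT::Periodic::Unattended-Upgrade "0";' > "$sample/99-no-auto-upgrades"
echo "with override present: $(auto_update_state "$sample")"
rm -rf "$sample"
```

On a real VM, call `auto_update_state` with no argument to read `/etc/apt/apt.conf.d` directly.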