Apologies for the late reply @Mick Collins.
If I understand you correctly, you want to confirm that an update won't be applied to a virtual machine is attached to the configuration defined in the dynamic scope.
Rather than using the term attached, meet would be a better term. Updates won't get be applied until your Azure VM meets the following prerequisites,
- Patch Orchestration must be set to Customer Managed Schedules. This sets patch mode to AutomaticByPlatform and the BypassPlatformSafetyChecksOnUserSchedule = True.
- Associate a Schedule with the VM.
and the VM meets the criteria set forth in your dynamic scope. The dynamic scope gets evaluated at the scheduled runtime of the maintenance window. Meaning, it is possible to adjust the VM resource, so it doesn't meet the criteria and therefore patches not be applied and vice versa.See Manage various operations of Dynamic Scoping. | Microsoft Learn for additional information.