Azure Update Manger - .net framework updates missing from windows update?

Question

Azure Update Manger - .net framework updates missing from windows update?

Eccup Reservoir 66

I have many Server 2008 r2 virtual machines in azure using Azure Update Manager - where I notice they haven't received any other classification of updates than Critial and Definitions.

I know this OS is out of support now, but we should still be able to get historic .net framework updates through Windows Updates according all documentation availalble.

These virtual machines were migrated from on-prem into Azure, to take advantage of ESU when that was available. So i believe are 'custom images' now, which is supported;
https://learn.microsoft.com/en-us/azure/update-manager/support-matrix?tabs=azurevm%2Cazurevm-os#custom-images
Thanks

AnuragSingh-MSFT 21,491 Reputation points

2024-02-20T07:40:12.3+00:00
Eccup Reservoir, Based on the description shared in your question, it seems that the patch orchestration option is set to "Azure Managed - Safe Deployment" which causes only critical and security updates to be downloaded and installed. For more details, see the details under "Patch orchestration option provides:" in Configure settings on a single VM.

For ESU, only Windows Server 2012/R2 machines are supported, ref: Extended Security Updates (ESU) for Windows Server.

However, as you mentioned in the question, it does seem that the AUM is also working for Windows 2008/R2 OS because you are seeing other types of updates being installed on the machine (the critical and definition updates). You can also verify that by using Update Manager operations such as Check for updates, One-time update, Schedule updates, or Periodic assessment. For more details, see Asynchronous check to validate customized image support.

In case the information shared above does not help answer your question, could you please answer the question below to help me understand the scenario better:

When "Check for updates" operation is performed on this machine, do you see .NET updates listed under available updates for the machines, pending installation?

How were these machines onboarded to Azure, was it via Azure Arc?

What is the "Patch orchestration" set for these machines? You can get it in Azure portal by searching for "Azure Update Manager" --> Machines. In this view, you can review the table containing the machine names which also lists "Patch orchestration" as one of the columns.

Please let me know if you have any questions.
Eccup Reservoir 66 Reputation points

2024-02-20T08:40:29.44+00:00
Hello AnuragSingh, thanks for the reply.

No it is not showing .net framework updates anywhere, either logged directly onto the target server, or through Azure Update Manager doing a 'check for updates'.
However there are definitely Internet Explorer and .net Framework patches outstanding.

The servers were onboarding to azure using the Azure Migrate tool, so they were lifted from on-premise into Azure to take advantage of the ESU benefit.

Patch orchestration is set to 'Customer Manager Schedules' - and the maintenance configuration (i.e. the associated patch schedule) is set for all classifications of updates.
AnuragSingh-MSFT 21,491 Reputation points

2024-02-23T09:39:52.12+00:00

Eccup Reservoir, Following-up to check if you had a chance to review the reply provided. Please let us know if you have any questions.

2 answers

Your answer

AnuragSingh-MSFT 21,491 Reputation points

2024-02-20T07:40:12.3+00:00

Eccup Reservoir, Based on the description shared in your question, it seems that the patch orchestration option is set to "Azure Managed - Safe Deployment" which causes only critical and security updates to be downloaded and installed. For more details, see the details under "Patch orchestration option provides:" in Configure settings on a single VM.

For ESU, only Windows Server 2012/R2 machines are supported, ref: Extended Security Updates (ESU) for Windows Server.

However, as you mentioned in the question, it does seem that the AUM is also working for Windows 2008/R2 OS because you are seeing other types of updates being installed on the machine (the critical and definition updates). You can also verify that by using Update Manager operations such as Check for updates, One-time update, Schedule updates, or Periodic assessment. For more details, see Asynchronous check to validate customized image support.

In case the information shared above does not help answer your question, could you please answer the question below to help me understand the scenario better:

When "Check for updates" operation is performed on this machine, do you see .NET updates listed under available updates for the machines, pending installation?

How were these machines onboarded to Azure, was it via Azure Arc?

What is the "Patch orchestration" set for these machines? You can get it in Azure portal by searching for "Azure Update Manager" --> Machines. In this view, you can review the table containing the machine names which also lists "Patch orchestration" as one of the columns.

Please let me know if you have any questions.
Eccup Reservoir 66 Reputation points

2024-02-20T08:40:29.44+00:00

Hello AnuragSingh, thanks for the reply.

No it is not showing .net framework updates anywhere, either logged directly onto the target server, or through Azure Update Manager doing a 'check for updates'.
However there are definitely Internet Explorer and .net Framework patches outstanding.

The servers were onboarding to azure using the Azure Migrate tool, so they were lifted from on-premise into Azure to take advantage of the ESU benefit.

Patch orchestration is set to 'Customer Manager Schedules' - and the maintenance configuration (i.e. the associated patch schedule) is set for all classifications of updates.
AnuragSingh-MSFT 21,491 Reputation points

2024-02-23T09:39:52.12+00:00

Eccup Reservoir, Following-up to check if you had a chance to review the reply provided. Please let us know if you have any questions.

Answer 1

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 2

Eccup Reservoir, thank you for the reply.

Based on the documents below, only security and important/critical updates are delivered using the ESU update program. Also, delivery, download, and application of ESUs for Windows Server is no different than other Windows Updates - so nothing extra needs to be done.

Download and installation of Extended Security Updates What is the Extended Security Update (ESU) program?

Furthermore, for .NET also, there are support available for Windows Server 2008 R2 ESU and Windows 7 ESU which include .NET Framework 4.6.2 thru .NET Framework 4.8 and .NET Framework 3.5 SP1 only.Azure Update Manager retrieves the assessment information about status of system updates for it specified by the Windows Update client. For more details, see the information available here. If you do not see newer updates getting listed as available, it would mean that there are no applicable updates as recognized by Windows. You have also confirmed the same by stating that you don't see pending updates even when logged directly onto the target server.

I would suggest reviewing some of the target servers to verify that they indeed miss the critical .NET framework updates as per the supported scenarios. These can be installed directly on the machines as well, if identified, as only security and critical updates are delivered by AUM. Hope this helps.

Share via

Azure Update Manger - .net framework updates missing from windows update?

2 answers

Your answer