Updates installed via Azure Update Manager not reflecting in Windows Update settings
Hi Team,
I have a Windows Server VM onboarded to Azure Arc. I used Update Manager to push updates through a maintenance configuration (1 hour 30 minutes window). The machine shows compliant in Azure.
After patching, I ran Get-HotFix and confirmed that updates were installed successfully. I also waited 1–2 hours, but the Windows Update settings page in the server still shows pending updates, and update history there does not reflect the changes.
Here are some of the updates I pushed from Update Manager:
Windows Malicious Software Removal Tool x64 - v5.132 (KB890830)
2025-04 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 (KB5055688)
Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.427.353.0)
Questions:
Why are these updates not visible in the Windows Update settings or history?
Is this expected behavior when patching via Azure Arc?
If I have 100+ servers, what’s the best way to verify patches are truly applied if Windows UI still shows pending?
Thanks,
Anant
Azure Update Manager
-
Ashok Gandhi Kotnana • 7,160 Reputation points • Microsoft External Staff • Moderator
2025-04-21T09:45:05.3+00:00 Hi @Anant Bera ,
As you mentioned, Get-HotFix confirmed that the updates were installed successfully. The 2025-04 Cumulative Update for .NET Framework 3.5, 4.8, and 4.8.1 (KB5055688) requires a reboot, as indicated in the Azure Update Manager. Please restart the server and check if the issue still persists. Sometimes, the Windows Update GUI displays stale or pending statuses due to cached data, even if the updates were successfully installed. To investigate further, you can check the Windows Update log using the following command:
Get-WindowsUpdateLog
This will generate a readable log at C:\Users\YourUser\Desktop\WindowsUpdate.log, where you can verify whether the updates were acknowledged or if there's a reason they are still appearing as pending.
Additionally, try resetting the Windows Update components to force a resync:
net stop wuauserv
net stop bits
Rename-Item "C:\Windows\SoftwareDistribution" "C:\Windows\SoftwareDistribution.old"
net start wuauserv
net start bits
Since this behavior is related to the Windows Update GUI, open Settings > Update & Security > Windows Update, click Troubleshoot, then go to Additional troubleshooters and run the Windows Update troubleshooter.
If the comment is helpful, please click "Upvote it"
Please let me know if you face any challenge here, I can help you to resolve this issue further
Please provide your valuable comments
Thank you
-
Anant Bera • 211 Reputation points
2025-04-22T06:05:49.0733333+00:00 Hi Ashok, I tried the configuration you mentioned, but it’s still not working.
Is there any registry key or policy setting I can check to confirm whether Azure Update Manager is functioning correctly and patching as expected?
-
Vinod Pittala • 2,145 Reputation points • Microsoft External Staff • Moderator
2025-04-22T07:19:51.16+00:00 Hello Anant Bera,
Apologies for the inconvenience this may have caused you. Here are steps you can try to resolve this issue and accurately view your Windows Update history.
1. Reset Windows Update Components:
i. Open the Command Prompt (Admin) and execute the following commands to stop Windows Update services:
net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
ii. Rename the Windows Update folders by running:
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
iii. Restart the services with:
net start wuauserv
net start cryptSvc
net start bits
net start msiserver
2. Perform an In-Place Upgrade:
Consider an in-place upgrade of Windows. This process reinstalls Windows without removing your files but can help rectify any issues with the OS, including update visibility.
Note: It's always recommended that if you have important data, you should back it up before making large system changes.
Please try the above steps and let us know if it resolves your issue or if you need further assistance.
Thanks
-
Alex Burlachenko • 5,430 Reputation points
2025-04-22T07:40:00.6533333+00:00 Dear Anant,
Thank you very much for your thoughtful questions regarding update management through Azure Arc. I truly appreciate the opportunity to clarify these important points for you, and I’ll do my best to provide a thorough yet easy-to-follow response.
- Why Updates Are Not Visible in Windows Update Settings or History?
Please allow me to explain why you're observing this behavior:
Centralized Management Takes Precedence: When using Azure Update Manager (or similar enterprise tools like WSUS or SCCM), updates are deployed through a controlled channel that intentionally bypasses the local Windows Update interface. This is by design to ensure consistent enterprise management.
Policy Enforcement: The message you see ("Some settings are managed by your organization") confirms that update policies are being applied centrally. In such cases, the local Windows Update UI may not always reflect the latest status.
Cache Behavior Differences: The local Windows Update cache operates independently from Azure Update Manager's process. While updates are fully installed (as confirmed by Get-HotFix), the local UI might not refresh this information, especially if servers are configured to receive updates solely from Azure.
- Is This Expected Behavior with Azure Arc?
Yes, absolutely. This is completely normal and expected when patching through Azure Arc and Update Manager. Here’s why this isn’t cause for concern:
Azure Update Manager operates at a different level than the local Windows Update interface. Its primary focus is ensuring compliance at the enterprise level rather than updating local UI elements.
The most authoritative sources for verification are:
The Azure Portal compliance status (which you’ve confirmed shows the machine as compliant)
PowerShell cmdlets like Get-HotFix (which you’ve already used successfully)
Windows Update logs (%windir%\WindowsUpdate.log)
- Best Practices for Verifying Patches Across 100+ Servers
I completely understand your need for reliable verification across your server estate. Here are the most effective methods I’d recommend:
Azure Native Tools
Update Manager Compliance Dashboard: This provides a single pane of glass showing patch status across all servers.
Azure Resource Graph Queries: You can run KQL queries to check update status across all machines at once.
Script-Based Verification (Scalable Approach)
# Example: Verify multiple KBs across all servers
$KBIDs = @("KB5055688", "KB890830", "KB2267602")
$servers = Get-Content -Path "C:\ServerList.txt"
$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    param($KBIDs)
    Get-HotFix | Where-Object { $_.HotFixID -in $KBIDs }
} -ArgumentList (,$KBIDs)  # leading comma passes the array as one argument; a bare $KBIDs would bind only the first KB
$results | Select-Object PSComputerName, HotFixID, InstalledOn | Format-Table
and
Invoke-Command -ComputerName $servers -ScriptBlock { Get-MpComputerStatus | Select-Object AntivirusSignatureVersion }
Stop-Service wuauserv -Force
Remove-Item "$env:windir\SoftwareDistribution\*" -Recurse -Force
Start-Service wuauserv
This should only be done if strictly required, as the cache will rebuild naturally over time.
I hope this information helps clarify the situation.
Best regards,
Alex
If my answer helps you, please accept my answer
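Added example, not part of the answer above: Get-HotFix reads Win32_QuickFixEngineering, which lists only Component Based Servicing (CBS) packages, so this script also queries the Windows Update Agent history and the reboot-pending registry keys for each KB from the question. It assumes PowerShell remoting to the servers in C:\ServerList.txt, as in the script above; the `$check` script block and the output column names are illustrative.

```powershell
# Added example (not from the thread): per-server, per-KB cross-check.
$KBIDs   = @('KB5055688', 'KB890830', 'KB2267602')  # KBs named in the question
$servers = Get-Content -Path 'C:\ServerList.txt'    # list file used in the answer above

$check = {   # hypothetical name for the script block run on each server
    param([string[]]$KBIDs)

    # Source 1: CBS packages, the only updates Get-HotFix can report
    $cbs = @(Get-HotFix -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty HotFixID)

    # Source 2: Windows Update Agent history for this machine
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    $history  = if ($total -gt 0) { $searcher.QueryHistory(0, $total) } else { @() }

    # Source 3: reboot flags set when an installed update still needs a restart
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $rebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })

    foreach ($kb in $KBIDs) {
        # Operation 1 = installation; keep the newest matching entry
        $last = $history |
            Where-Object { $_.Operation -eq 1 -and $_.Title -like "*$kb*" } |
            Sort-Object Date -Descending | Select-Object -First 1

        [pscustomobject]@{
            KB            = $kb
            InGetHotFix   = $cbs -contains $kb
            # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed
            WuaResult     = if ($last) { [int]$last.ResultCode } else { $null }
            WuaDate       = if ($last) { $last.Date } else { $null }
            WuaClient     = if ($last) { $last.ClientApplicationID } else { $null }
            RebootPending = $rebootPending
        }
    }
}

# (,$KBIDs) passes the array as a single argument to param($KBIDs)
Invoke-Command -ComputerName $servers -ScriptBlock $check -ArgumentList (,$KBIDs) |
    Select-Object PSComputerName, KB, InGetHotFix, WuaResult, WuaDate, WuaClient, RebootPending |
    Sort-Object PSComputerName, KB | Format-Table -AutoSize
```

A row with InGetHotFix false and WuaResult 2 means the update was installed through the Windows Update Agent but is not a CBS package, which is the normal case for definition updates and the Malicious Software Removal Tool.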
-
Ashok Gandhi Kotnana • 7,160 Reputation points • Microsoft External Staff • Moderator
2025-04-24T12:02:16.0133333+00:00 Hello Anant Bera,
To maintain update compliance and verify everything is functioning as expected with Azure Update Manager, we suggest the following best practices:
Enable Periodic Assessment in Update Manager
- Make sure the Periodic Assessment is enabled in Azure Update Manager.
- This ensures your machines are regularly scanned for missing updates and eligible updates are deployed automatically during the scheduled maintenance window.
Monitor the History Page for Any Errors
- Navigate to the "History" tab in Update Manager (via Azure Portal).
- Review past update deployments and check for any failures or skipped updates during the scheduled maintenance periods.
Verify Installed Updates Using PowerShell:
For added confirmation, you can check directly on the VM whether updates have been installed using:
Get-HotFix
Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.
Please do not forget to "Accept the answer" and "upvote it" wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.
-
Anant Bera • 211 Reputation points
2025-04-28T05:42:33.1433333+00:00 Hi Ashok
Get-HotFix is not working, but I can see the updates and patches in the server
-
Ashok Gandhi Kotnana • 7,160 Reputation points • Microsoft External Staff • Moderator
2025-04-28T07:47:25.6333333+00:00 Hi @Anonymous ,
Can you confirm whether your issue has been resolved?
Your contribution is highly appreciated. Thank you
-
Ashok Gandhi Kotnana • 7,160 Reputation points • Microsoft External Staff • Moderator
2025-04-28T08:48:54.0566667+00:00 Hello Anant Bera,
Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.
Please do not forget to "Accept the answer" and "upvote it" wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.
-
Anant Bera • 211 Reputation points
2025-04-28T08:57:20.79+00:00 Hi @Ashok Gandhi Kotnana, the answer doesn't work; I am still unable to see any logs or events on the end server. Does it require any other setup as well?
-
Venkat V • 2,065 Reputation points • Microsoft External Staff • Moderator
2025-04-28T12:17:32.9733333+00:00 Hi @Anant Bera
If updates are installed but no logs or events are appearing on the end server, you can try the following troubleshooting steps:
- Verify the Azure Connected Machine agent (Arc agent) health status.
- Ensure that the machine has the Update Management policies properly assigned and is in a compliant state.
- Confirm that necessary Windows Update services, such as Windows Update (WUAUSERV), are running on the server.
Check the below path. It includes the following two log files of interest:
WindowsUpdateExtension.log
CommandExecution.log
C:\WindowsAzure\Logs\Plugins\Microsoft.CPlat.Core.WindowsPatchExtension<version> path
https://learn.microsoft.com/en-us/azure/update-manager/deploy-updates?tabs=install-single-overview%2Cinstall-scale-overview
If the above is unclear and/or you are unsure about something, add a comment below.
**Reference**: [https://learn.microsoft.com/en-us/azure/update-manager/troubleshoot?tabs=azure-machines#azure-windows-vm](https://learn.microsoft.com/en-us/azure/update-manager/troubleshoot?tabs=azure-machines#azure-windows-vm)
-
SadiqhAhmed-MSFT • 48,906 Reputation points • Microsoft Employee • Moderator
2025-05-02T07:09:46.7833333+00:00 @Anant Bera Just wanted to confirm, are you facing similar issue as discussed here - https://learn.microsoft.com/en-us/answers/questions/2180752/errors-reported-a-system-shutdown-is-in-progress ?