![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 99%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Azure Update Manager
An Azure service to centrally manages updates and compliance at scale.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 97%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello **Shubham Prajapati**Your Update Manager run is failing because the update operation is trying to install/upgrade packages that the OS package manager treats as not changeable in the current transaction (you see it as “items are locked and will not be changed”). Azure Update Manager relies on the VM’s native Linux package manager and will surface those package-manager errors.
Update Manager honors the update source/settings on the machine and doesn’t publish/provide updates itself, meaning package-manager constraints on the VM can block the deployment.
Please follow below suggested Microsoft-supported workaround: Exclude the locked packages in the deployment.
Azure Update Manager supports Include/Exclude KB ID / package during deployments, and for Linux you can exclude packages by name using wildcards (exactly what you need for plymouth*).
Option A: One-time update (fastest)
- Azure portal → Azure Update Manager → Overview → One-time update
- Select the SLES VM → Next
- On the Updates pane:
- Keep the appropriate classifications (ex: Security/Critical) as needed
- Under Exclude KB ID/package, add the locked packages using wildcards, for example:
-
plymouth* - (If needed)
plymouth-branding*
- Continue → Review + install → Install
Option B: Scheduled patching / maintenance configuration (recommended for ongoing)
Use the same Exclude KB ID/package approach when creating the scheduled deployment so every run skips plymouth*.
- Update Manager runs patching through its Linux VM patch extensions and reports what the OS package manager returns.
- By excluding the problematic packages, the deployment proceeds with the remaining patches instead of failing the whole run. The Microsoft deployment guidance explicitly supports excluding packages in Update Manager.
Excluded packages may still appear in assessment results (assessment vs install are different), but they won’t be installed in that deployment. The deployment doc also notes “Selected Updates” is a preview and actual installed updates can vary based on latest assessment/repo state.
Reference: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/update-manager/deploy-updates.md
Kindly let us know if the solution provided worked for you.
If you need any further assistance, please feel free to reach out.
Thanks,
Suchitra.