Schedule recurring updates for machines using Azure portal and Azure Policy

Applies to: ✔️ Windows VMs ✔️ Linux VMs ✔️ On-premises environment ✔️ Azure Arc-enabled servers.

Important

• For a seamless scheduled patching experience, we recommend that for all Azure VMs, you update the patch orchestration to Customer Managed Schedules (Preview). If you fail to update the patch orchestration, you can experience a disruption in business continuity because the schedules will fail to patch the VMs.Learn more.

You can use update management center (preview) in Azure to create and save recurring deployment schedules. You can create a schedule on a daily, weekly or hourly cadence, specify the machines that must be updated as part of the schedule, and the updates to be installed. This schedule will then automatically install the updates as per the created schedule for single VM and at scale.

Update management center (preview) uses maintenance control schedule instead of creating its own schedules. Maintenance control enables customers to manage platform updates. For more information, see Maintenance control documentation.

Prerequisites for scheduled patching

1. See Prerequisites for Update management center (preview)

2. Patch orchestration of the Azure machines should be set to Customer Managed Schedules (Preview). For more information, see how to enable schedule patching on existing VMs. For Azure Arc-enabled machines, it isn't a requirement.

   Note

   If you set the patch mode to Azure orchestrated (AutomaticByPlatform) but do not enable the BypassPlatformSafetyChecksOnUserSchedule flag and do not attach a maintenance configuration to an Azure machine, it is treated as Automatic Guest patching enabled machine and Azure platform will automatically install updates as per its own schedule. Learn more.

Schedule recurring updates on single VM

Note

You can schedule updates from the Overview or Machines blade in update management center (preview) page or from the selected VM.

From Overview blade

To schedule recurring updates on a single VM, follow these steps:

1. Sign in to the Azure portal.

2. In Update management center (preview), Overview, select your Subscription, and select Schedule updates.

3. In Create new maintenance configuration, you can create a schedule for a single VM.

   Note

   Currently, VMs and maintenance configuration in the same subscription are supported.

4. In the Basics page, select Subscription, Resource Group and all options in Instance details.

   • Select the Maintenance scope as Guest (Azure VM, Arc-enabled VMs/servers).

   • Select Add a schedule and in Add/Modify schedule, specify the schedule details such as:

     • Start on
     • Maintenance window (in hours)
     • Repeats (monthly, daily or weekly)
     • Add end date
     • Schedule summary

   Note

   The hourly option is currently not supported in the portal, but can be used through the API.

   

   For the Repeats-monthly, there are two options:

   • Repeat on a calendar date (optionally run on last date of the month)
   • Repeat on nth (first, second, etc.) x day (for example, Monday, Tuesday) of the month. You can also specify an offset from the day set. It could be +6/-6. For example, for customers who want to patch on the first Saturday after a patch on Tuesday, they would set the recurrence as the second Tuesday of the month with a +4 day offset. Optionally you can also specify an end date when you want the schedule to expire.

5. In the Machines page, select your machine and select Next to continue.

6. In the Updates page, specify the updates to include in the deployment such as update classification(s) or KB ID/ packages that must be installed when you trigger your schedule.

   Note

   Update management center (preview) doesn't support driver updates.

7. In the Tags page, assign tags to maintenance configurations.

8. In the Review + Create page, verify your update deployment options and select Create.

From Machines blade

1. Sign in to the Azure portal.

2. In Update management center (Preview), Machines, select your Subscription, select your machine and select Schedule updates.

3. In Create new maintenance configuration, you can create a schedule for a single VM, assign machine and tags. Follow the procedure from step 3 listed in From Overview blade of Schedule recurring updates on single VM to create a maintenance configuration and assign a schedule.

From a selected VM

1. Select your virtual machine and the virtual machines | Updates page opens.
2. Under Operations, select Updates.
3. In Updates, select Go to Updates using Update Center.
4. In Updates preview, select Schedule updates and in Create new maintenance configuration, you can create a schedule for a single VM. Follow the procedure from step 3 listed in From Overview blade of Schedule recurring updates on single VM to create a maintenance configuration and assign a schedule.

A notification appears that the deployment has been created.

Schedule recurring updates at scale

To schedule recurring updates at scale, follow these steps:

Note

You can schedule updates from the Overview or Machines blade.

From Overview blade

1. Sign in to the Azure portal.

2. In Update management center (Preview), Overview, select your Subscription and select Schedule updates.

3. In the Create new maintenance configuration page, you can create a schedule for multiple machines.

   Note

   Currently, VMs and maintenance configuration in the same subscription are supported.

4. In the Basics page, select Subscription, Resource Group and all options in Instance details.

   • Select Add a schedule and in Add/Modify schedule, specify the schedule details such as:

     • Start on
     • Maintenance window (in hours)
     • Repeats(monthly, daily or weekly)
     • Add end date
     • Schedule summary

   Note

   The hourly option is currently not supported in the portal, but can be used through the API.

5. In the Machines page, verify if the selected machines are listed. You can add or remove machines from the list. Select Next to continue.

6. In the Updates page, specify the updates to include in the deployment such as update classification(s) or KB ID/ packages that must be installed when you trigger your schedule.

   Note

   Update management center (preview) doesn't support driver updates.

7. In the Tags page, assign tags to maintenance configurations.

8. In the Review + Create page, verify your update deployment options and select Create.

From Machines blade

1. Sign in to the Azure portal.

2. In Update management center (Preview), Machines, select your Subscription, select your machines and select Schedule updates.

In Create new maintenance configuration, you can create a schedule for a single VM. Follow the procedure from step 3 listed in From Overview blade of Schedule recurring updates on single VM to create a maintenance configuration and assign a schedule.

A notification appears that the deployment is created.

Attach a maintenance configuration

A maintenance configuration can be attached to multiple machines. It can be attached to machines at the time of creating a new maintenance configuration or even after you've created one.

1. In Update management center, select Machines and select your Subscription.

2. Select your machine and in Updates (Preview), select Scheduled updates to create a maintenance configuration or attach existing maintenance configuration to the scheduled recurring updates.

3. In Scheduling, select Attach maintenance configuration.

4. Select the maintenance configuration that you would want to attach and select Attach.

5. In Updates (Preview), select Scheduling and +Attach maintenance configuration.

6. In the Attach existing maintenance configuration page, select the maintenance configuration that you want to attach and select Attach.

   

Schedule recurring updates from maintenance configuration

You can browse and manage all your maintenance configurations from a single place.

1. Search Maintenance configurations in the Azure portal. It shows a list of all maintenance configurations along with the maintenance scope, resource group, location, and the subscription to which it belongs.

2. You can filter maintenance configurations using filters at the top. Maintenance configurations related to Guest OS updates are the ones that have Maintenance scope as InGuestPatch.

You can create a new Guest OS update maintenance configuration or modify an existing configuration:

Create a new maintenance configuration

1. Go to Machines and select machines from the list.

2. In the Updates (Preview), select Scheduled updates.

3. In Create a maintenance configuration, follow step 3 in this procedure to create a maintenance configuration.

4. In Basics tab, select the Maintenance scope as Guest (Azure VM, Arc-enabled VMs/servers).

   

Add/remove machines from maintenance configuration

1. Go to Machines and select the machines from the list.

2. In Updates (Preview) page, select One-time updates.

3. In Install one-time updates, Machines, select +Add machine.

   

Change update selection criteria

1. In Install one-time updates, select the resources and machines to install the updates.

2. In Machines, select +Add machine to add machines that were previously not selected and click Add.

3. In Updates, specify the updates to include in the deployment.

4. Select Include KB ID/package and Exclude KB ID/package respectively to select category of updates like Critical, Security, Feature updates etc.

   

Onboarding to Schedule using Policy

The update management center (preview) allows you to target a group of Azure or non-Azure VMs for update deployment via Azure Policy. The grouping using policy, keeps you from having to edit your deployment to update machines. You can use subscription, resource group, tags or regions to define the scope and use this feature for the built-in policies which you can customize as per your use-case.

Note

This policy also ensures that the patch orchestration property for Azure machines is set to Customer Managed Schedules (Preview) as it is a prerequisite for scheduled patching.

Assign a policy

Policy allows you to assign standards and assess compliance at scale. Learn more. To assign a policy to scope, follow these steps:

1. Sign in to the Azure portal and select Policy.

2. In Assignments, select Assign policy.

3. Under Basics, in the Assign policy page:

   • In Scope, choose your subscription, resource group, and choose Select.
   • Select Policy definition to view a list of policies.
   • In Available Definitions, select Built in for Type and in search, enter - [Preview] Schedule recurring updates using Update Management Center and click Select.

   

   • Ensure that Policy enforcement is set to Enabled and select Next.

4. In Parameters, by default, only the Maintenance configuration ARM ID is visible.

   Note

   If you do not specify any other parameters, all machines in the subscription and resource group that you selected in Basics will be covered under scope. However, if you want to scope further based on resource group, location, OS, tags and so on, deselect Only show parameters that need input or review to view all parameters.

   • Maintenance Configuration ARM ID: A mandatory parameter to be provided. It denotes the ARM ID of the schedule that you want to assign to the machines.
   • Resource groups: You can specify a resource group optionally if you want to scope it down to a resource group. By default, all resource groups within the subscription are selected.
   • Operating System types: You can select Windows or Linux. By default, both are preselected.
   • Machine locations: You can optionally specify the regions that you want to select. By default, all are selected.
   • Tags on machines: You can use tags to scope down further. By default, all are selected.
   • Tags operator: In case you have selected multiple tags, you can specify if you want the scope to be machines that have all the tags or machines which have any of those tags.

   

5. In Remediation, Managed Identity, Type of Managed Identity, select System assigned managed identity and Permissions is already set as Contributor according to the policy definition.

   Note

   If you select Remediation, the policy would be effective on all the existing machines in the scope else, it is assigned to any new machine which is added to the scope.

6. In Review + Create, verify your selections, and select Create to identify the non-compliant resources to understand the compliance state of your environment.

View Compliance

To view the current compliance state of your existing resources:

1. In Policy Assignments, select Scope to select your subscription and resource group.

2. In Definition type, select policy and in the list, select the assignment name.

3. Select View compliance. The Resource Compliance lists the machines and reasons for failure.

   

Check your scheduled patching run

You can check the deployment status and history of your maintenance configuration runs from the Update management center portal. Follow Update deployment history by maintenance run ID.

Limitations and known issues

The known issues and limitations of scheduled patching are:

1. For concurrent/conflicting schedule, only one schedule will be triggered. The other schedule will be triggered once a schedule is finished.
2. If a machine is newly created, the schedule might have 15 minutes of schedule trigger delay in case of Azure VMs.

Next steps

• To view update assessment and deployment logs generated by update management center (preview), see query logs.
• To troubleshoot issues, see the Troubleshoot update management center (preview).