Edit

Support matrix for Azure Update Manager

  • Article

Caution

This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and plan accordingly.

This article details the Windows and Linux operating systems supported and system requirements for machines or servers managed by Azure Update Manager. The article includes the supported regions and specific versions of the Windows Server and Linux operating systems running on Azure virtual machines (VMs) or machines managed by Azure Arc-enabled servers.

Supported update sources

Windows: Windows Update Agent (WUA) reports to Microsoft Update by default, but you can configure it to report to Windows Server Update Services (WSUS). If you configure WUA to report to WSUS, based on the last synchronization from WSUS with Microsoft Update, the results in Update Manager might differ from what Microsoft Update shows.

To specify sources for scanning and downloading updates, see Specify intranet Microsoft Update service location. To restrict machines to the internal update service, see Don't connect to any Windows Update internet locations.

Linux: You can configure Linux machines to report to a local or public YUM or APT package repository. The results shown in Update Manager depend on where the machines are configured to report.

Supported update types

The following types of updates are supported.

Operating system updates

Update Manager supports operating system updates for both Windows and Linux.

Update Manager doesn't support driver updates.

Extended Security Updates (ESU) for Windows Server

Using Azure Update Manager, you can deploy Extended Security Updates for your Azure Arc-enabled Windows Server 2012 / R2 machines. To enroll in Windows Server 2012 Extended Security Updates, follow the guidance on How to get Extended Security Updates (ESU) for Windows Server 2012 and 2012 R2.

First-party updates on Windows

By default, the Windows Update client is configured to provide updates only for the Windows operating system. If you enable the Give me updates for other Microsoft products when I update Windows setting, you also receive updates for other Microsoft products. Updates include security patches for Microsoft SQL Server and other Microsoft software.

Use one of the following options to perform the settings change at scale:

  • For servers configured to patch on a schedule from Update Manager (with virtual machine PatchSettings set to AutomaticByPlatform = Azure-Orchestrated), and for all Windows Servers running on an earlier operating system than Windows Server 2016, run the following PowerShell script on the server you want to change:

    $ServiceManager = (New-Object -com "Microsoft.Update.ServiceManager")
$ServiceManager.Services
$ServiceID = "7971f918-a847-4430-9279-4a52d1efe18d"
$ServiceManager.AddService2($ServiceId,7,"")

  • For servers running Windows Server 2016 or later that aren't using Update Manager scheduled patching (with virtual machine PatchSettings set to AutomaticByOS = Azure-Orchestrated), you can use Group Policy to control this process by downloading and using the latest Group Policy Administrative template files.

Note

Run the following PowerShell script on the server to disable first-party updates:

$ServiceManager = (New-Object -com "Microsoft.Update.ServiceManager")
$ServiceManager.Services
$ServiceID = "7971f918-a847-4430-9279-4a52d1efe18d"
$ServiceManager.RemoveService($ServiceId)

Third party updates

Windows: Update Manager relies on the locally configured update repository to update supported Windows systems, either WSUS or Windows Update. Tools such as System Center Updates Publisher allow you to import and publish custom updates with WSUS. This scenario allows Update Manager to update machines that use Configuration Manager as their update repository with third party software. To learn how to configure Updates Publisher, see Install Updates Publisher.

Linux: If you include a specific third party software repository in the Linux package manager repository location, it's scanned when it performs software update operations. The package isn't available for assessment and installation if you remove it.

Update Manager doesn't support managing the Configuration Manager client.

Supported regions

Update Manager scales to all regions for both Azure VMs and Azure Arc-enabled servers. The following table lists the Azure public cloud where you can use Update Manager.

Azure VMs

Azure Update Manager is available in all Azure public regions where compute virtual machines are available.

Azure Arc-enabled servers

Azure Update Manager is currently supported in the following regions. It implies that VMs must be in the following regions.

Geography Supported regions
Africa South Africa North
Asia Pacific East Asia
South East Asia
Australia Australia East
Australia Southeast
Brazil Brazil South
Canada Canada Central
Canada East
Europe North Europe
West Europe
France France Central
Germany Germany West Central
India Central India
Japan Japan East
Korea Korea Central
Norway Norway East
Sweden Sweden Central
Switzerland Switzerland North
UAE UAE North
United Kingdom UK South
UK West
United States Central US
East US
East US 2
North Central US
South Central US
West Central US
West US
West US 2
West US 3

Supported operating systems

Note

  • All operating systems are assumed to be x64. For this reason, x86 isn't supported for any operating system.
  • Update Manager doesn't support virtual machines created from CIS-hardened images.

Support for Azure Update Manager operations

Support for automatic VM Guest patching

If automatic VM guest patching is enabled on a VM, then the available Critical and Security patches are downloaded and applied automatically on the VM.

  • For marketplace images, see the list of supported OS images.
  • For VMs created from customized images even if the Patch orchestration mode is set to Azure Orchestrated/AutomaticByPlatform, automatic VM guest patching doesn't work. We recommend that you use scheduled patching to patch the machines by defining your own schedules or install updates on-demand.

Support for all other Azure Update Manager operations

Azure Update Manager supports the following operations:

Azure Marketplace/PIR images

The Azure Marketplace image has the following attributes:

  • Publisher: The organization that creates the image. Examples are Canonical and MicrosoftWindowsServer.
  • Offer: The name of the group of related images created by the publisher. Examples are UbuntuServer and WindowsServer.
  • SKU: An instance of an offer, such as a major release of a distribution. Examples are 18.04LTS and 2019-Datacenter.
  • Version: The version number of an image SKU.

Update Manager supports the following operating system versions on VMs for all operations except automatic VM guest patching. You might experience failures if there are any configuration changes on the VMs, such as package or repository.

Following is the list of supported images and no other marketplace images released by any other publisher are supported for use with Azure Update Manager.

Supported Windows OS versions

Publisher Offer SKU Unsupported image(s)
microsoftwindowsserver windows server * windowsserver 2008
microsoftbiztalkserver biztalk-server *
microsoftdynamicsax dynamics *
microsoftpowerbi * *
microsoftsharepoint microsoftsharepointserver *
microsoftvisualstudio Visualstudio* *-ws2012r2
*-ws2016-ws2019
*-ws2022
microsoftwindowsserver windows-cvm *
microsoftwindowsserver windowsserverdotnet *
microsoftwindowsserver windowsserver-gen2preview *
microsoftwindowsserver windowsserverupgrade *
microsoftwindowsserver windowsserverhotpatch-previews windows-server-2022-azure-edition-hotpatch
microsoftserveroperatingsystems-previews windows-server-vnext-azure-edition-core
microsoftwindowsserverhpcpack windowsserverhpcpack *
microsoftsqlserver sql2016sp1-ws2016 standard
sql2016sp2-ws2016 standard
sql2017-ws2016 standard
sql2017-ws2016 enterprise
sql2019-ws2019 enterprise
sql2019-ws2019 sqldev
sql2019-ws2019 standard
sql2019-ws2019 standard-gen2
microsoftazuresiterecovery process-server windows-2012-r2-datacenter

Supported Linux OS versions

Publisher Offer SKU Unsupported image(s)
canonical * *
microsoftsqlserver * * Offers: sql2019-sles*
sql2019-rhel7
sql2017-rhel 7

Example
Publisher:
microsoftsqlserver
Offer: sql2019-sles12sp5
sku:webARM

Publisher: microsoftsqlserver
Offer: sql2019-rhel7
sku: web-ARM
microsoftsqlserver * * Offers: sql2019-sles*
sql2019-rhel7
sql2017-rhel7
microsoftcblmariner cbl-mariner cbl-mariner-1
1-gen2
cbl-mariner-2
cbl-mariner-2-gen2.
microsoft-aks aks aks-engine-ubuntu-1804-202112
microsoft-dsvm aml-workstation ubuntu-20, ubuntu-20-gen2
redhat rhel 7*,8*,9* 74-gen2
redhat rhel-ha 8* 8.1, 81_gen2
redhat rhel-raw 7*,8*,9*
redhat rhel-sap 7* 7.4, 7.5, 7.7
redhat sap-apps 7*, 8*
redhat rhel-sap* 9_0
redhat rhel-sap-ha 7*, 8* 7.5
redhat rhel-sap-apps 90sapapps-gen2
redhat rhel-sap-ha 90sapha-gen2
suse opensuse-leap-15-* gen*
suse sles-12-sp5-* gen*
suse sles-sap-12-sp5* gen*
suse sles-sap-15-* gen* Offer: sles-sap-15-*-byos

Sku: gen*
Example
Publisher: suse
Offer: sles-sap-15-sp3-byos
sku: gen1-ARM
suse sles-12-sp5 gen1, gen2
suse sles-15-sp2 gen1, gen2
sle-hpc-15-sp4 gen1, gen2
sles 12-sp4-gen2
sles-15-sp1-sapcal gen1, gen2
sles-15-sp2-basic gen2
sles-15-sp2-hpc gen2
sles-15-sp3-sapcal gen1, gen2
sles-15-sp4 gen1, gen2
sles-byos 12-sp4, 12-sp4-gen2
sles-sap 12-sp4, 12-sp4-gen2
sles-sap-byos 12-sp4, 12-sp4-gen2, gen2-12-sp4
sles-sapcal 12-sp3
sles-standard 12-sp4-gen2
oracle oracle-linux 7*, ol7*, ol8*, ol9*, ol9-lvm*, 8, 8-ci, 81, 81-ci, 81-gen2
oracle-database oracle_db_21
oracle-database-19-3 oracle-database-19-0904
microsoftcblmariner cbl-mariner cbl-mariner-1,1-gen2, cbl-mariner-2, cbl-mariner-2-gen2
openlogic centos 7.2, 7.3, 7.4, 7.5, 7.6, 7_8, 7_9, 7_9-gen2, 8.0, 8_1, 8_2,8_3, 8_4, 8_5
centos-hpc 7.1, 7.3, 7.4
centos-lvm 7-lvm, 8-lvm
centos-ci 7-ci
centos-lvm 7-lvm-gen2

Custom images

We support VMs created from customized images (including images) uploaded to Azure Compute gallery and the following table lists the operating systems that we support for all Azure Update Manager operations except automatic VM guest patching. For instructions on how to use Update Manager to manage updates on VMs created from custom images, see Manage updates for custom images.

Windows operating system
Windows Server 2022
Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Linux operating system
CentOS 7, 8
Oracle Linux 7.x, 8x
Red Hat Enterprise 7, 8, 9
SUSE Linux Enterprise Server 12.x, 15.0-15.4
Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS

Unsupported workloads

The following table lists the workloads that aren't supported.

Workloads Notes
Windows client For client operating systems such as Windows 10 and Windows 11, we recommend Microsoft Intune to manage updates.
Virtual Machine Scale Sets We recommend that you use Automatic upgrades to patch the Virtual Machine Scale Sets.
Azure Kubernetes Service nodes We recommend the patching described in Apply security and kernel updates to Linux nodes in Azure Kubernetes Service (AKS).

As Update Manager depends on your machine's OS package manager or update service, ensure that the Linux package manager or Windows Update client is enabled and can connect with an update source or repository. If you're running a Windows Server OS on your machine, see Configure Windows Update settings.

Next steps