Schedule recurring updates for machines by using the Azure portal and Azure Policy

Applies to: ✔️ Windows VMs ✔️ Linux VMs ✔️ On-premises environment ✔️ Azure Arc-enabled servers.

Important

  • For a seamless scheduled patching experience, we recommend that for all Azure virtual machines (VMs), you update the patch orchestration to Customer Managed Schedules by June 30, 2023. If you fail to update the patch orchestration by June 30, 2023, you can experience a disruption in business continuity because the schedules will fail to patch the VMs. Learn more.

You can use Azure Update Manager to create and save recurring deployment schedules. You can create a schedule on a daily, weekly, or hourly cadence. You can specify the machines that must be updated as part of the schedule and the updates to be installed.

This schedule then automatically installs the updates according to the created schedule for a single VM and at scale.

Update Manager uses a maintenance control schedule instead of creating its own schedules. Maintenance control enables customers to manage platform updates. For more information, see Maintenance control documentation.

Prerequisites for scheduled patching

  1. See Prerequisites for Update Manager.

  2. Patch orchestration of the Azure machines should be set to Customer Managed Schedules. For more information, see Enable schedule patching on existing VMs. For Azure Arc-enabled machines, it isn't a requirement.

    Note

    If you set the patch mode to Azure orchestrated (AutomaticByPlatform) but do not enable the BypassPlatformSafetyChecksOnUserSchedule flag and do not attach a maintenance configuration to an Azure machine, it's treated as an automatic guest patching-enabled machine. The Azure platform automatically installs updates according to its own schedule. Learn more.

Schedule patching in an availability set

All VMs in a common availability set aren't updated concurrently.

VMs in a common availability set are updated within Update Domain boundaries. VMs across multiple Update Domains aren't updated concurrently.

In scenarios where machines from the same availability set are being patched at the same time in different schedules, it is likely that they might not get patched or could potentially fail if the maintenance window exceeds. To avoid this, we recommend that you either increase the maintenance window or split the machines belonging to the same availability set across multiple schedules at different times.

Configure reboot settings

The registry keys listed in Configure Automatic Updates by editing the registry and Registry keys used to manage restart can cause your machines to reboot. A reboot can occur even if you specify Never Reboot in the Schedule settings. Configure these registry keys to best suit your environment.

Service limits

We recommend the following limits for the indicators.

Indicator Public Cloud Limit Mooncake/Fairfax Limit
Number of schedules per subscription per region 250 250
Total number of resource associations to a schedule 3,000 3,000
Resource associations on each dynamic scope 1,000 1,000
Number of dynamic scopes per resource group or subscription per region 250 250
Number of dynamic scopes per schedule 200 30
Total number of subscriptions attached to all dynamic scopes per schedule 200 30

For more information, see the service limits for Dynamic scope.

Schedule recurring updates on a single VM

You can schedule updates from the Overview or Machines pane on the Update Manager page or from the selected VM.

To schedule recurring updates on a single VM:

  1. Sign in to the Azure portal.

  2. On the Azure Update Manager | Overview page, select your subscription, and then select Schedule updates.

  3. On the Create new maintenance configuration page, you can create a schedule for a single VM.

    Currently, VMs and maintenance configuration in the same subscription are supported.

  4. On the Basics page, select Subscription, Resource Group, and all options in Instance details.

    • Select Maintenance scope as Guest (Azure VM, Azure Arc-enabled VMs/servers).

    • Select Add a schedule. In Add/Modify schedule, specify the schedule details, such as:

      • Start on
      • Maintenance window (in hours). The upper maintenance window is 3 hours 55 minutes.
      • Repeats (monthly, daily, or weekly)
      • Add end date
      • Schedule summary

    The hourly option isn't supported in the portal but can be used through the API.

    Screenshot that shows the Scheduled patching basics page.

    For Repeats monthly, there are two options:

    • Repeat on a calendar date (optionally run on the last date of the month).
    • Repeat on nth (first, second, etc.) x day (for example, Monday, Tuesday) of the month. You can also specify an offset from the day set. It could be +6/-6. For example, if you want to patch on the first Saturday after a patch on Tuesday, set the recurrence as the second Tuesday of the month with a +4 day offset. Optionally, you can also specify an end date when you want the schedule to expire.
  5. On the Machines tab, select your machine, and then select Next.

    Update Manager doesn't support driver updates.

  6. On the Tags tab, assign tags to maintenance configurations.

  7. On the Review + create tab, verify your update deployment options, and then select Create.

  1. Sign in to the Azure portal.

  2. On the Azure Update Manager | Machines page, select your subscription, select your machine, and then select Schedule updates.

  3. In Create new maintenance configuration, you can create a schedule for a single VM and assign a machine and tags. Follow the procedure from step 3 listed in From the Overview pane of Schedule recurring updates on a single VM to create a maintenance configuration and assign a schedule.

A notification confirms that the deployment was created.

Schedule recurring updates at scale

To schedule recurring updates at scale, follow these steps.

You can schedule updates from the Overview or Machines pane.

  1. Sign in to the Azure portal.

  2. On the Azure Update Manager | Overview page, select your subscription, and then select Schedule updates.

  3. On the Create new maintenance configuration page, you can create a schedule for multiple machines.

    Currently, VMs and maintenance configuration in the same subscription are supported.

  4. On the Basics tab, select Subscription, Resource Group, and all options in Instance details.

    • Select Add a schedule. In Add/Modify schedule, specify the schedule details, such as:

      • Start on
      • Maintenance window (in hours)
      • Repeats (monthly, daily, or weekly)
      • Add end date
      • Schedule summary

    The hourly option isn't supported in the portal but can be used through the API.

  5. On the Machines tab, verify if the selected machines are listed. You can add or remove machines from the list. Select Next.

  6. On the Updates tab, specify the updates to include in the deployment, such as update classifications or KB ID/packages that must be installed when you trigger your schedule.

    Update Manager doesn't support driver updates.

  7. On the Tags tab, assign tags to maintenance configurations.

  8. On the Review + create tab, verify your update deployment options, and then select Create.

A notification confirms that the deployment was created.

Attach a maintenance configuration

A maintenance configuration can be attached to multiple machines. It can be attached to machines at the time of creating a new maintenance configuration or even after you create one.

  1. On the Azure Update Manager page, select Machines, and then select your subscription.

  2. Select your machine, and on the Updates pane, select Scheduled updates to create a maintenance configuration or attach an existing maintenance configuration to the scheduled recurring updates.

  3. On the Scheduling tab, select Attach maintenance configuration.

  4. Select the maintenance configuration that you want to attach, and then select Attach.

  5. On the Updates pane, select Scheduling > Attach maintenance configuration.

  6. On the Attach existing maintenance configuration page, select the maintenance configuration that you want to attach, and then select Attach.

    Screenshot that shows Scheduled patching attach maintenance configuration.

Schedule recurring updates from maintenance configuration

You can browse and manage all your maintenance configurations from a single place.

  1. Search Maintenance configurations in the Azure portal. It shows a list of all maintenance configurations along with the maintenance scope, resource group, location, and the subscription to which it belongs.

  2. You can filter maintenance configurations by using filters at the top. Maintenance configurations related to guest OS updates are the ones that have maintenance scope as InGuestPatch.

You can create a new guest OS update maintenance configuration or modify an existing configuration.

Screenshot that shows maintenance configuration.

Create a new maintenance configuration

  1. Go to Machines and select machines from the list.

  2. On the Updates pane, select Scheduled updates.

  3. On the Create a maintenance configuration pane, follow step 3 in this procedure to create a maintenance configuration.

  4. On the Basics tab, select the Maintenance scope as Guest (Azure VM, Arc-enabled VMs/servers).

    Screenshot that shows creating a maintenance configuration.

Add or remove machines from maintenance configuration

  1. Go to Machines and select the machines from the list.

  2. On the Updates page, select One-time updates.

  3. On the Install one-time updates pane, select Machines > Add machine.

    Screenshot that shows adding or removing machines from maintenance configuration.

Change update selection criteria

  1. On the Install one-time updates pane, select the resources and machines to install the updates.

  2. On the Machines tab, select Add machine to add machines that weren't previously selected, and then select Add.

  3. On the Updates tab, specify the updates to include in the deployment.

  4. Select Include KB ID/package and Exclude KB ID/package, respectively, to select updates like Critical, Security, and Feature updates.

    Screenshot that shows changing update selection criteria of Maintenance configuration.

Onboard to schedule by using Azure Policy

Update Manager allows you to target a group of Azure or non-Azure VMs for update deployment via Azure Policy. The grouping using a policy keeps you from having to edit your deployment to update machines. You can use subscription, resource group, tags, or regions to define the scope. You can use this feature for the built-in policies, which you can customize according to your use case.

Note

This policy also ensures that the patch orchestration property for Azure machines is set to Customer Managed Schedules because it's a prerequisite for scheduled patching.

Assign a policy

Azure Policy allows you to assign standards and assess compliance at scale. For more information, see Overview of Azure Policy. To assign a policy to scope:

  1. Sign in to the Azure portal and select Policy.

  2. Under Assignments, select Assign policy.

  3. On the Assign policy page, on the Basics tab:

    • For Scope, choose your subscription and resource group and choose Select.

    • Select Policy definition to view a list of policies.

    • On the Available Definitions pane, select Built in for Type. In Search, enter Schedule recurring updates using Azure Update Manager and click Select.

      Screenshot that shows how to select the definition.

    • Ensure that Policy enforcement is set to Enabled, and then select Next.

  4. On the Parameters tab, by default, only the Maintenance configuration ARM ID is visible.

    If you don't specify any other parameters, all machines in the subscription and resource group that you selected on the Basics tab are covered under scope. If you want to scope further based on resource group, location, OS, tags, and so on, clear Only show parameters that need input or review to view all parameters:

    • Maintenance Configuration ARM ID: A mandatory parameter to be provided. It denotes the Azure Resource Manager (ARM) ID of the schedule that you want to assign to the machines.
    • Resource groups: You can optionally specify a resource group if you want to scope it down to a resource group. By default, all resource groups within the subscription are selected.
    • Operating System types: You can select Windows or Linux. By default, both are preselected.
    • Machine locations: You can optionally specify the regions that you want to select. By default, all are selected.
    • Tags on machines: You can use tags to scope down further. By default, all are selected.
    • Tags operator: If you select multiple tags, you can specify if you want the scope to be machines that have all the tags or machines that have any of those tags.

    Screenshot that shows how to assign a policy.

  5. On the Remediation tab, in Managed Identity > Type of Managed Identity, select System assigned managed identity. Permissions is already set as Contributor according to the policy definition.

    If you select Remediation, the policy is in effect on all the existing machines in the scope or else it's assigned to any new machine that's added to the scope.

  6. On the Review + create tab, verify your selections, and then select Create to identify the noncompliant resources to understand the compliance state of your environment.

View compliance

To view the current compliance state of your existing resources:

  1. In Policy Assignments, select Scope to select your subscription and resource group.

  2. In Definition type, select the policy. In the list, select the assignment name.

  3. Select View compliance. Resource compliance lists the machines and reasons for failure.

    Screenshot that shows policy compliance.

Check your scheduled patching run

You can check the deployment status and history of your maintenance configuration runs from the Update Manager portal. For more information, see Update deployment history by maintenance run ID.

Timeline of Maintenance Window

The maintenance window controls the number of updates that can be installed on your virtual machine and Arc-enabled servers. We recommend that you go through the following table to understand the timeline for a maintenance window while installing an update:

For example, if a maintenance window is of 3 hours and starts at 3:00 PM, the following are the details on how the updates are installed:

Update Type Details
Service Pack If you are installing a Service Pack, you need 20 mins left in the maintenance window for the updates to be successfully installed, else the update is skipped.
In this example, you must finish installing the service pack by 5:40 PM.
Other updates If you are installing any other update besides Service Pack, you need to have 15 mins left in the maintenance window, else it is skipped.
In this example, you must finish installing the other updates by 5:45 PM.
Reboot If the machine(s) needs a reboot, you need to have 10 minutes left in the maintenance window, else the reboot is skipped.
In this example, you must start the reboot by 5:50 PM.
Note: For Azure virtual machines and Arc-enabled servers, Azure Update Manager waits for a maximum of 15 minutes for Azure VMs and 25 minutes for Arc servers after a reboot to complete the reboot operation before marking it as failed.

Note

  • Azure Update Manager doesn't stop installing the new updates if it's approaching the end of the maintenance window.
  • Azure Update Manger doesn't terminate in-progress updates if the maintenance window is exceeded and only the remaining updates that must be installed aren't attempted. We recommend that you re-evaluate the duration of your maintenance window to ensure all the updates are installed .
  • If the maintenance window is exceeded on Windows, it's often because a service pack update is taking a long time to install.

Next steps