This chapter covers Azure Update Management Center (UMC), a unified service for managing updates across Azure VMs, Arc-enabled servers, and on-premises machines. For the AZ-104 exam, this topic falls under domain 'Compute' objective 3.1, which focuses on implementing and managing virtual machine updates. Expect 10-15% of exam questions to touch on update management, including assessment, deployment, scheduling, and integration with Azure Policy and Azure Automation. This chapter provides the depth needed to answer scenario-based questions correctly.
Jump to a section
Imagine you are the fleet maintenance manager for a delivery company with 500 trucks. Your job is to ensure every truck is up-to-date on oil changes, tire rotations, brake inspections, and software updates (for onboard computers). You have a mix of trucks: some are brand new, some are 5 years old, and some are leased from third parties. Without a central system, you would have to call each driver, check paper logs, or walk the lot. Instead, you use a digital dashboard that connects to every truck's onboard diagnostic system. This dashboard can: scan all trucks to see which ones need an oil change (assessment), automatically schedule a service appointment at the nearest garage (deployment), and send a report to your boss showing that 95% of trucks are compliant (reporting). However, some older trucks do not have the diagnostic module installed — they are like machines missing the Azure Connected Machine agent. For those, you must manually check and update them. The dashboard also lets you set policies: for example, every truck must have an oil change every 5,000 miles. If a truck misses it, the dashboard flags it. If a truck is leased, the dashboard can still assess it but cannot force the update (the lessor controls that). This is exactly how Azure Update Management Center works: it provides a unified pane to assess and deploy updates across Azure VMs, Arc-enabled servers, and even on-premises machines, but it requires the appropriate agents and permissions to take action.
What is Azure Update Management Center?
Azure Update Management Center (UMC) is a Microsoft Azure service that provides a unified, cloud-based solution for managing operating system updates across your entire environment. It supersedes the older Azure Automation Update Management solution (which relied on Log Analytics and Azure Automation accounts) and is now the recommended method for update management. UMC supports:
Azure VMs (Windows and Linux)
Azure Arc-enabled servers (on-premises or multi-cloud machines)
Azure VMs in other clouds (via Arc)
Physical or virtual machines running on-premises (via Arc)
UMC is built on top of Azure Resource Graph and Azure Policy, allowing you to assess compliance, deploy updates, and enforce update policies at scale.
Why does UMC exist?
Before UMC, update management in Azure was fragmented. You had the Azure Automation Update Management solution (which required a Log Analytics workspace, an Automation account, and the Microsoft Monitoring Agent), Windows Update Service, and third-party tools. UMC simplifies this by providing a single pane of glass that does not require a separate Automation account or Log Analytics workspace (though you can still integrate with them for advanced reporting). Key drivers:
Simplified onboarding: No need to link Automation accounts or configure Log Analytics workspaces for basic assessment and deployment.
Native integration: Works directly with Azure Policy and Azure Resource Graph for compliance reporting.
Multi-platform: Supports both Windows and Linux, including third-party updates (if configured).
Scalability: Can assess and update thousands of machines simultaneously.
How UMC works internally
UMC operates through a combination of agents, Azure Resource Manager (ARM) APIs, and background assessment jobs.
1. Agents involved:
Azure VM Agent (Windows Guest Agent / Linux Agent): Required for Azure VMs. This agent communicates with the Azure fabric to enable extensions and guest-level management.
Azure Connected Machine Agent: Required for Arc-enabled servers. This agent connects non-Azure machines to Azure and enables management via Arc.
Microsoft Defender for Cloud (optional): If enabled, can provide additional vulnerability assessment.
2. Assessment process:
When you trigger an assessment (manually or via schedule), UMC sends a command to the VM agent (or Arc agent) to scan the machine for available updates. The agent uses the native update mechanism on the OS:
Windows: Uses the Windows Update Agent (WUA) API to query Windows Server Update Services (WSUS) or Microsoft Update.
Linux: Uses the platform's package manager (apt, yum, dnf, zypper) to check configured repositories.
The results are sent back to Azure Resource Graph, where they are stored as resources of type Microsoft.ResourceGraph/queries and Microsoft.Compute/virtualMachines/assessments. The assessment data includes:
Update classifications (Critical, Security, Other)
Update IDs (KB numbers for Windows, package names for Linux)
Reboot status (pending or not)
Timestamp of last assessment
3. Deployment process:
When you deploy updates, UMC creates a deployment resource (Microsoft.Compute/updateDeployments) that specifies:
Machines to update (by resource ID or dynamic query)
Updates to install (all, or specific classifications/KBs)
Maintenance window (maximum duration for the deployment)
Reboot handling (Never, IfRequired, Always)
Logging settings (to a Log Analytics workspace if desired)
The deployment is executed as a series of ARM API calls to each machine. The agent on each machine receives the update instructions and installs the updates using native OS tools. Progress is reported back to the deployment resource, which you can monitor in the portal.
4. Scheduling:
You can schedule recurring deployments using Azure Scheduler (or via Azure Automation runbooks). UMC itself does not have a built-in scheduler; instead, you can create a schedule in the portal that triggers a deployment at a specified time. This schedule is backed by an Azure Automation job (if you link an Automation account) or a simpler ARM template deployment.
Key components and defaults
Assessment frequency: Manual on-demand, or you can set a periodic assessment (default: every 24 hours) via the Azure portal or policy.
Maintenance window: Default is 3 hours 55 minutes. You can set a custom window up to 7 days.
Reboot options: Never, IfRequired (default), Always.
Update classifications: Critical, Security, Other (for Windows); for Linux, classifications are not used by default — all updates are treated equally unless you configure custom classifications.
Third-party updates: On Windows, you can include third-party updates by configuring WSUS or using the "Include third-party updates" option in deployment settings. On Linux, third-party repositories are automatically included if configured in the OS.
Configuration and verification commands
Via Azure CLI:
# Check update assessment for a VM
az vm assess-patches --resource-group myRG --name myVM
# Trigger update deployment
az vm update-patches --resource-group myRG --name myVM --install all --maximum-duration PT3H55M --reboot-setting IfRequiredVia Azure PowerShell:
# Check assessment
Invoke-AzVMPatchAssessment -ResourceGroupName myRG -VMName myVM
# Deploy updates
Invoke-AzVMInstallPatch -ResourceGroupName myRG -VMName myVM -Windows -RebootSetting IfRequired -MaximumDuration 3:55Via REST API:
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}/assessPatches?api-version=2023-03-01Interaction with other Azure services
Azure Policy: You can create policies to enforce periodic assessment, require specific update configurations, or automatically deploy updates. For example, a policy can audit VMs that have not been assessed in the last 30 days.
Azure Resource Graph: Use KQL queries to find VMs missing critical updates, or to generate compliance reports.
Azure Automation: For advanced scheduling and integration with ITSM, you can still use Azure Automation runbooks to trigger UMC deployments.
Microsoft Defender for Cloud: Provides vulnerability assessments that can complement UMC assessments. Defender for Cloud can also recommend updates based on vulnerabilities.
Log Analytics: If you enable logging, deployment results are sent to a Log Analytics workspace, allowing you to create custom dashboards and alerts.
Limitations
Arc-enabled servers: The Arc agent must be installed and connected. If the agent is offline, updates cannot be assessed or deployed.
Azure VMs that are deallocated: Cannot be assessed or updated until they are started.
Linux classification: By default, Linux updates are not classified (no Critical/Security distinction). You can enable classification by using a custom script or integrating with a third-party tool.
Third-party updates: On Windows, only Microsoft Update catalog updates are included by default. Third-party updates require WSUS or manual configuration.
Reboot handling: The 'IfRequired' setting may not always detect a pending reboot correctly, especially after certain updates. Always verify after deployment.
Step-by-step assessment flow
User triggers assessment via portal, CLI, or API.
ARM receives the request and sends a command to the VM agent via the Azure fabric.
VM agent runs a local script that invokes the OS update API (WUA on Windows, apt/yum/dnf on Linux).
The OS API queries configured update sources (Microsoft Update, WSUS, repositories).
Results (list of available updates with metadata) are returned to the VM agent.
VM agent sends the results back to Azure Resource Graph.
The assessment data is stored and visible in the portal under 'Update Management Center' for that machine.
The data is also queryable via Azure Resource Graph.
Onboard machines to UMC
For Azure VMs, no additional steps are needed beyond having the VM agent installed (which is default for Azure VMs). For on-premises or multi-cloud machines, install the Azure Connected Machine agent to enable Arc. Ensure the machine has outbound internet access to Azure endpoints (e.g., *.azure.com). Once the agent is installed and connected, the machine appears in the UMC portal under 'Machines'.
Configure periodic assessment
By default, Azure VMs have periodic assessment enabled (every 24 hours). You can verify or change this setting in the VM's 'Updates' blade. For Arc-enabled servers, you must enable periodic assessment manually via the portal or by assigning a policy. The assessment scans the machine and reports missing updates to Azure Resource Graph.
Review assessment results
In the Azure portal, navigate to 'Update Management Center' and select 'Machines'. Each machine shows a summary of missing updates (critical, security, other). Click on a machine to see detailed list. Use Azure Resource Graph to query across all machines: `where type =~ 'microsoft.compute/virtualmachines' | extend assessment = properties.patchStatus`.
Create an update deployment
From the UMC portal, click 'One-time update' or 'Schedule update'. Select the machines to update (individual or dynamic query). Choose which updates to install (all, or by classification). Set the maintenance window (default 3h55m) and reboot option. Optionally, enable logging to a Log Analytics workspace. Click 'Install' to start the deployment.
Monitor deployment progress
The deployment status is shown in the portal under 'Update Management Center' > 'Update deployments'. You can see the overall progress, number of succeeded/failed machines, and detailed logs. For each machine, you can view the installation status, errors, and reboot status. If logging is enabled, data is also sent to Log Analytics for custom monitoring.
Verify compliance and report
After deployment, reassess the machines to confirm updates are installed. Use Azure Resource Graph to generate compliance reports: e.g., list all machines missing critical updates. Use Azure Policy to audit compliance (e.g., policy 'Audit VMs that do not have periodic assessment enabled'). Generate monthly reports for management.
Enterprise Scenario 1: Financial services company with hybrid infrastructure
A large bank runs 2,000 Azure VMs and 500 on-premises servers (Windows and Linux). They need to ensure all servers are patched within 7 days of patch Tuesday. They use UMC with periodic assessment enabled on all machines via Azure Policy. They schedule a deployment every Saturday at 2 AM with a 4-hour maintenance window. They use dynamic queries to include all machines in production resource groups. They log deployment results to a Log Analytics workspace and create an alert if any machine fails to patch after two attempts. The challenge is that some legacy on-premises servers cannot run the Arc agent; those are managed separately via System Center. Misconfiguration: initially, they set the maintenance window to 1 hour, causing many deployments to timeout. After increasing to 4 hours, success rate improved to 99%.
Enterprise Scenario 2: E-commerce company using Linux-only environment
A retail company runs 1,000 Ubuntu VMs on Azure. They use UMC to manage updates. They discovered that UMC does not classify Linux updates (no Critical/Security). To work around this, they created a custom script that runs before assessment to tag updates based on severity from Ubuntu's security mailing list. They also use Azure Policy to enforce that all VMs have periodic assessment enabled. They schedule weekly deployments with a 2-hour window. One issue: they initially selected 'Include third-party updates' but their custom repositories were not being scanned because they were not configured in the OS package manager sources. They resolved this by ensuring all custom repos are in /etc/apt/sources.list.
Enterprise Scenario 3: Managed service provider (MSP) with multi-tenant environment
An MSP manages 500 customer subscriptions. They use UMC with Azure Lighthouse to manage updates across tenants. They create Azure Policy assignments at the management group level to enforce periodic assessment and require a minimum of 95% compliance. They use Azure Resource Graph cross-tenant queries to generate consolidated reports. They schedule deployments using Azure Automation runbooks that iterate over all subscriptions. The main challenge is that some customers have Azure VMs that are deallocated for cost savings; those VMs cannot be assessed or updated. They now have a process to start VMs before patch windows. Another issue: they initially tried to use the 'One-time update' feature for all customers, but it does not scale to thousands of VMs. They now use ARM templates and PowerShell scripts for bulk deployments.
AZ-104 Exam Focus: Update Management Center
Objective codes: Domain 3.1 — Implement and manage virtual machine updates. Specifically, the exam tests:
Configuring update management for Azure VMs
Configuring update management for Arc-enabled servers
Scheduling update deployments
Interpreting assessment results
Integrating with Azure Policy
Common wrong answers and traps:
1. Trap: 'You must deploy Azure Automation Update Management solution' - Wrong because UMC is the newer, recommended solution. The old Automation solution is still supported but not required. Candidates choose this because they studied old materials. Correct: UMC does not require an Automation account or Log Analytics workspace for basic functionality.
2. Trap: 'UMC can update deallocated VMs' - Wrong. UMC requires the VM to be running. Deallocated VMs have no guest OS running, so the agent cannot execute updates. Candidates think Azure can somehow update a stopped VM — it cannot.
3. Trap: 'Linux updates are classified as Critical, Security, Other by default' - Wrong. Linux updates are not classified by UMC. All updates are shown as 'Other'. Candidates assume parity with Windows. The exam may ask about Linux classification limitations.
4. Trap: 'You need to install the Microsoft Monitoring Agent (MMA) for UMC' - Wrong. UMC uses the VM agent (or Arc agent), not MMA. MMA was required for the old Automation solution. Candidates confuse the two.
Specific numbers and values to memorize:
Default maintenance window: 3 hours 55 minutes (PT3H55M)
Maximum maintenance window: 7 days
Periodic assessment interval: every 24 hours (default)
Reboot settings: Never, IfRequired, Always
Supported agents: Azure VM Agent, Azure Connected Machine Agent
Edge cases:
Arc servers without internet: Cannot be assessed or updated. UMC requires outbound connectivity to Azure.
Windows VMs with WSUS configured: UMC will report updates from WSUS, not Microsoft Update. If WSUS is not approved, updates may not appear.
Linux VMs with custom repositories: UMC will scan all configured repos. If a repo is unreachable, assessment may fail.
Multiple subscriptions: UMC can manage machines across subscriptions if you have appropriate RBAC permissions (e.g., Contributor on the VM).
How to eliminate wrong answers:
If the question mentions 'Automation account' or 'Log Analytics workspace' as a requirement, it is likely a distractor. UMC does not require them.
If the question says 'deallocated VM', remember that updates require the VM to be running.
If the question asks about Linux classifications, know that they are not classified by default.
If the question involves scheduling, remember that UMC schedules are backed by Azure Automation or ARM templates, but the portal handles it.
Azure Update Management Center (UMC) is the recommended service for managing OS updates across Azure VMs and Arc-enabled servers.
UMC does not require an Automation account or Log Analytics workspace for basic assessment and deployment.
Periodic assessment is enabled by default for Azure VMs (every 24 hours) and can be configured via Azure Policy for Arc servers.
The default maintenance window for update deployments is 3 hours 55 minutes (PT3H55M).
Linux updates are not classified (Critical/Security) by default; all appear as 'Other'.
Deallocated VMs cannot be assessed or updated; they must be running.
On-premises servers must have the Azure Connected Machine agent installed and connected via Azure Arc.
UMC integrates with Azure Policy to enforce compliance (e.g., require periodic assessment).
Third-party updates on Windows require WSUS or manual configuration.
Use Azure Resource Graph to query update compliance across all machines.
These come up on the exam all the time. Here's how to tell them apart.
Azure Update Management Center (UMC)
Native Azure service, no separate Automation account required
Uses Azure Resource Graph for assessment data
Supports Arc-enabled servers natively
Simple portal experience with one-time and scheduled updates
Linux updates not classified by default
Azure Automation Update Management (Legacy)
Requires linked Automation account and Log Analytics workspace
Uses Log Analytics for data storage and querying
Requires Microsoft Monitoring Agent (MMA) on VMs
More complex setup with runbooks and schedules
Linux updates also not classified
Azure Update Management Center
Designed for servers (Azure VMs, Arc servers)
Integrates with Azure Policy and Resource Graph
Focuses on OS updates (Windows/Linux)
No client licensing required (Azure subscription)
Deployment via ARM API or portal
Microsoft Intune (for endpoints)
Designed for client devices (Windows 10/11, mobile)
Integrates with Microsoft Endpoint Manager
Manages OS updates, apps, and device configuration
Requires Intune license per user/device
Deployment via Intune policies
Mistake
Azure Update Management Center requires an Azure Automation account.
Correct
UMC does not require an Automation account. It is a native Azure service built on ARM and Resource Graph. The old Automation Update Management solution did require it, but UMC is independent.
Mistake
UMC can update Azure VMs even when they are deallocated (stopped).
Correct
Deallocated VMs have no guest OS running; the VM agent cannot execute updates. The VM must be in a running state to be assessed or updated.
Mistake
Linux updates in UMC are categorized as Critical, Security, or Other by default.
Correct
Linux updates are not classified by UMC. All updates appear as 'Other'. Classification is only available for Windows updates.
Mistake
You need to install the Microsoft Monitoring Agent (MMA) on VMs for UMC to work.
Correct
UMC uses the Azure VM Agent (for Azure VMs) or the Azure Connected Machine Agent (for Arc servers). MMA is not required.
Mistake
UMC can manage updates for on-premises servers without any agent.
Correct
On-premises servers must have the Azure Connected Machine agent installed and connected to Azure via Arc. Without the agent, they cannot be managed by UMC.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, UMC does not require a Log Analytics workspace for basic assessment and deployment. However, if you want to log deployment results to Log Analytics for advanced reporting and alerting, you can optionally enable it during deployment. The old Automation Update Management solution did require Log Analytics, but UMC is independent.
Yes, but only if those servers are enabled for Azure Arc. You must install the Azure Connected Machine agent on each server and register it with Azure. Once connected, the server appears in the UMC portal and can be assessed and updated like Azure VMs.
In the Azure portal, when you create an update deployment, you can choose 'Schedule update' to set a recurring schedule (e.g., every week on Sunday at 2 AM). This schedule is managed by Azure Automation behind the scenes, but you do not need to configure it manually. Alternatively, you can use Azure Automation runbooks or Azure Logic Apps for custom scheduling.
By default, UMC does not classify Linux updates. All updates are shown as 'Other'. This is because Linux distributions do not provide a unified classification system like Microsoft Update. If you need classification, you can implement a custom solution using scripts or integrate with a third-party vulnerability scanner.
The deployment will fail for that VM because the VM agent is not running. UMC cannot start deallocated VMs. You must ensure VMs are running before the maintenance window. Consider using Azure Automation to start VMs before the update schedule.
Yes, for Windows VMs, you can enable 'Include third-party updates' in the deployment settings. This will install updates from configured third-party sources (e.g., WSUS). For Linux, third-party repositories are automatically included if they are configured in the OS package manager sources.
Use Azure Resource Graph with cross-subscription queries. For example: `where type =~ 'microsoft.compute/virtualmachines' | extend patchStatus = properties.patchStatus | project name, resourceGroup, subscriptionId, patchStatus`. You can also create Azure Policy assignments at management group level to enforce compliance.
You've just covered Azure Update Management Center — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?