This chapter covers Azure Update Management, a feature of Azure Automation that helps you manage operating system updates for Windows and Linux virtual machines (VMs) in Azure, on-premises, or in other clouds. For the AZ-900 exam, this topic sits under Domain 3 (Azure management and governance), which carries 30-35% of the exam; Update Management is one of the management tools grouped under Objective 3.3 (Manage resources with Azure tools), and no single tool has its own weighting. Understanding Update Management matters because it shows how Azure centralizes security patching and compliance reporting at scale, a routine operational task that is error-prone when done by hand.
Imagine you own a large office building with hundreds of rooms, each containing critical equipment like HVAC units, fire alarms, and elevators. To keep everything running smoothly, you hire a maintenance crew. Without a system, each piece of equipment might be inspected on a different schedule, some might be forgotten, and you'd have to manually check logs to see what's been done. Azure Update Management is like hiring a smart building manager who creates a master schedule, automatically sends technicians to inspect and service every piece of equipment on time, keeps a central log of all work done, and alerts you if something fails. The manager (Azure Automation) uses a control center (Update Management solution) that knows exactly which equipment (VMs) needs what service (updates), when it was last serviced, and what the manufacturer recommends. The technicians (Azure Update Management agents) report back after each job, and the manager can even enforce that certain critical equipment (mission-critical VMs) gets serviced first. If a technician finds a problem (failed update), the manager immediately notifies you and can automatically reschedule or escalate. This systematic, automated approach ensures no equipment is missed, compliance is tracked, and you have full visibility without needing to walk the building yourself.
What is Azure Update Management and What Business Problem Does It Solve?
Azure Update Management is a feature of Azure Automation that manages the assessment and installation of operating system updates for Windows and Linux virtual machines. In any IT environment, keeping systems patched is critical for security and compliance, but manual patching is error-prone, time-consuming, and inconsistent. Update Management solves this with a centralized, automated way to assess update compliance, schedule deployments, and report on results across all your VMs, whether they are in Azure, on-premises, or in other clouds (via Azure Arc). One caveat before reading on: Microsoft retired this Automation-based feature, together with the Log Analytics agent it depends on, on 31 August 2024 and replaced it with Azure Update Manager. The mechanics below are still what the exam material describes, and the concepts (assessment, classifications, maintenance windows, reboot settings) carry over unchanged to the successor.
How It Works – Step by Step Mechanism
Update Management is built from three pieces: Azure Automation, the Log Analytics agent on each machine, and the Updates solution added to a Log Analytics workspace (it does not use the newer Azure Monitor Agent). Here is the mechanism:
Enablement: You enable Update Management on a Log Analytics workspace and link it to an Azure Automation account. The Automation account holds the runbooks and schedules, while the Log Analytics workspace stores the assessment data.
Agent Installation: The Log Analytics agent (also known as the Microsoft Monitoring Agent, MMA) is installed on each VM and configured with the workspace ID and key. It reports installed and missing updates to the workspace and also installs a Hybrid Runbook Worker that later runs the patch job. For Azure VMs, you can enable Update Management directly from the VM blade, which deploys the agent as a VM extension; for non-Azure machines, you onboard them with Azure Arc and deploy the agent as an Arc extension.
Assessment: By default, a Windows machine is scanned every 12 hours for missing updates (Linux agents scan more often). On Windows the agent asks the Windows Update client, which consults Microsoft Update or a WSUS server depending on how the machine is configured; on Linux it queries the distribution's configured package repositories (apt, yum, zypper). The results are written to the Update table in the Log Analytics workspace.
Compliance View: You can see a dashboard in the Azure portal showing the number of missing updates per VM, classified by severity (Critical, Security, etc.). This is the compliance state.
Deployment Scheduling: You create an Update Deployment – a schedule that specifies which VMs to update, when to run, and what update classifications to include (e.g., Critical, Security). You can also set maintenance windows (max duration) and reboot settings.
Execution: At the scheduled time, Azure Automation starts the Update Management runbook (Patch-MicrosoftOMSComputers) on the Hybrid Runbook Worker of each target machine. The worker drives the Windows Update client or the Linux package manager locally, so the update binaries still come from the machine's own update source (Microsoft Update, WSUS, or the package repositories), not from Azure. During the deployment you can see per-machine status (NotStarted, InProgress, Succeeded, Failed) in the portal.
Reporting: After the deployment, results are available in the portal, including success or failure per VM, the number of updates installed, and any errors. The same data lands in the UpdateRunProgress and UpdateSummary tables in Log Analytics, where it is kept for the workspace's configured retention period (30 days by default; raise it if you need a longer audit trail).
Key Components
Azure Automation Account: The container for runbooks, schedules, and configuration. It must be in a region Azure supports for linking to the workspace: a fixed list of region pairs, in most cases the same region as the workspace, though a few regions map to a neighbouring one, so check the supported-regions table before creating either resource.
Log Analytics Workspace: Stores the update assessment data. Update Management is a solution that you add to the workspace.
Update Management Solution: A collection of runbooks and views that provide the Update Management functionality.
Log Analytics Agent (Microsoft Monitoring Agent): The agent on each VM that reports update data to the workspace and hosts the Hybrid Runbook Worker that performs installations. Update Management never moved to the Azure Monitor Agent.
Azure Arc: Enables management of non-Azure machines (on-premises, other clouds) as if they were Azure resources.
Pricing Model
Update Management has no separate per-node fee. What you pay for is:
- Azure Automation: the Update Management feature itself is listed as free on the Automation pricing page. Process-automation jobs are billed per minute of runtime (after a monthly free allowance) and configuration management (DSC) per node, so any pre- or post-script runbooks you attach to a deployment do accrue job minutes.
- Log Analytics: data ingestion and retention for the assessment and run data the agents send. The per-GB pricing tier includes 5 GB per month free per billing account; beyond that, ingestion is charged, and longer retention costs extra.
- Azure Arc: registering a server with Azure Arc-enabled servers is free; charges apply only for the Azure services you attach to it, such as the Log Analytics data those servers ingest.
Comparison to On-Premises Equivalent
On-premises, you might use Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM, now Microsoft Configuration Manager) for patch management. These require infrastructure (servers, databases, network configuration) and ongoing maintenance. Update Management removes the need to run the scheduling and reporting tier yourself, gives a unified view across hybrid environments, and feeds its data to Microsoft Defender for Cloud (formerly Azure Security Center) and compliance reporting. Note what it does not replace: machines still pull binaries from Microsoft Update, WSUS, or their Linux repositories, so a WSUS server may remain in the picture as the update source. The key difference is that Update Management is a managed Azure service: no infrastructure to patch for the patching tool itself, automatic service updates, and built-in scale.
Azure Portal and CLI Touchpoints
Azure Portal:
Navigate to your Automation Account > Update Management.
View compliance dashboard, create update deployments, and see history.
From a VM blade, you can enable Update Management directly under Operations.
Azure CLI:
There is no Azure CLI command group for Update Management. Enablement, compliance views, and deployment creation are done in the portal, with Azure PowerShell (Az.Automation and Az.OperationalInsights), or through the Automation REST API (the softwareUpdateConfigurations resource).
Azure PowerShell (Az modules):
Enable: Set-AzOperationalInsightsIntelligencePack -ResourceGroupName myRG -WorkspaceName myWS -IntelligencePackName Updates -Enabled $true (after linking the workspace to the Automation account with Set-AzOperationalInsightsLinkedService)
Create deployment: New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName myRG -AutomationAccountName myAA -Schedule $schedule -Windows -AzureVMResourceId $vmIds -IncludedUpdateClassification Critical,Security -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired, where $schedule comes from New-AzAutomationSchedule with the -ForUpdateConfiguration switch
Concrete Business Scenario
A financial services company has 500 VMs across Azure and on-premises. They need to apply critical security patches within 48 hours of release to comply with PCI DSS. With Update Management, they create a schedule that runs every Tuesday at 2 AM, targeting all VMs with a maintenance window of 2 hours. They configure reboot options to 'Reboot if required' and set a post-deployment notification to the security team. The compliance dashboard shows that 98% of VMs are compliant; the 2% non-compliant VMs are offline, and they receive an alert. This would be impractical to manage manually at scale.
Create a Log Analytics Workspace
First, you need a Log Analytics workspace to store update assessment data. In the Azure portal, search for 'Log Analytics workspaces' and click 'Create'. Provide a name, subscription, resource group, and region. The region should match your Automation Account region. After creation, note the workspace ID and key – you'll need them later. This workspace will also be used for other monitoring solutions if desired.
Create an Azure Automation Account
Next, create an Automation Account in the same region as your Log Analytics workspace (or its supported paired region). Go to 'Automation Accounts' and click 'Create'. Provide a name, subscription, resource group, and region. Leave the system-assigned managed identity enabled; the older 'Create Azure Run As account' option that appears in some guides is retired, and Update Management itself never needed a Run As account. After creation, the account will have runbooks, modules, and schedules ready for use.
Link Automation Account to Log Analytics
In the Automation Account, under 'Update Management', click 'Enable' to link it to your Log Analytics workspace. Select the workspace you created. This enables the Update Management solution on the workspace. The linking process may take a few minutes. Once linked, the Update Management dashboard will appear, showing 'Update Management' as an option.
Install Log Analytics Agent on VMs
For each VM you want to manage, install the Log Analytics agent. For Azure VMs, you can do this from the VM blade: under 'Operations', click 'Update management' and then 'Enable'. This deploys the agent as a VM extension configured to report to the linked workspace. For non-Azure machines, the recommended route is to onboard them to Azure Arc and then enable the agent as an Arc extension, which scales to many machines and gives each one an Azure resource ID; installing the agent manually with the workspace ID and key also works. In every case the machine needs outbound HTTPS (port 443) to the Log Analytics and Automation endpoints and to its own update source.
Assess Compliance and Schedule Deployment
After agents are installed, wait for the first assessment (up to 12 hours) or trigger a manual scan. The compliance dashboard will show missing updates. Click 'Schedule update deployment' to create a new deployment. Define the name, target VMs (or use dynamic groups based on tags, resource groups, or locations), update classifications (e.g., Critical, Security), schedule (time and frequency), maintenance window (default 2 hours; allowed range 30 minutes to 6 hours, with the last 20 minutes on Windows and 10 minutes on Linux reserved for the reboot), and reboot options (e.g., 'Never reboot', 'Reboot if required'). Click 'Create' to save the schedule.
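The enablement and scheduling steps above, and the mechanism described in the 'How It Works' section, as one added example in Azure PowerShell. This is not code from the original page: it assumes Connect-AzAccount has already been run with the Az.Accounts, Az.OperationalInsights and Az.Automation modules installed, and the names myRG, myWorkspace, myAA, myVM, the eastus region, the America/New_York time zone and the Environment=Production tag are placeholders.

```powershell
# Added example (not from the original page): enable Azure Automation Update Management
# and schedule a Critical+Security deployment with the Az PowerShell modules.
# Assumptions: Connect-AzAccount already run; Az.Accounts, Az.OperationalInsights and
# Az.Automation installed; myRG, myWorkspace, myAA, myVM, eastus, America/New_York and
# the Environment=Production tag are placeholders.

$rg       = 'myRG'
$location = 'eastus'
$wsName   = 'myWorkspace'
$aaName   = 'myAA'
$subId    = (Get-AzContext).Subscription.Id
$aaId     = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Automation/automationAccounts/$aaName"

# 1. Workspace and Automation account. They must be in a supported region pair;
#    putting both in the same region is the simple case.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName -ErrorAction SilentlyContinue
if (-not $ws) {
    $ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName -Location $location -Sku PerGB2018
}
if (-not (Get-AzAutomationAccount -ResourceGroupName $rg -Name $aaName -ErrorAction SilentlyContinue)) {
    # System-assigned managed identity instead of the retired Run As account.
    New-AzAutomationAccount -ResourceGroupName $rg -Name $aaName -Location $location -AssignSystemIdentity | Out-Null
}

# 2. Link the workspace to the Automation account, then add the Updates solution.
Set-AzOperationalInsightsLinkedService -ResourceGroupName $rg -WorkspaceName $wsName -LinkedServiceName 'Automation' -WriteAccessResourceId $aaId | Out-Null
Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $rg -WorkspaceName $wsName -IntelligencePackName 'Updates' -Enabled $true | Out-Null

# 3. Weekly schedule, Tuesdays at 02:00 in the stated time zone. -ForUpdateConfiguration
#    marks the schedule for Update Management; StartTime must be at least 5 minutes ahead.
$scheduleParams = @{
    ResourceGroupName      = $rg
    AutomationAccountName  = $aaName
    Name                   = 'Weekly-Critical-Security'
    StartTime              = (Get-Date).Date.AddDays(1).AddHours(2)
    WeekInterval           = 1
    DaysOfWeek             = 'Tuesday'
    TimeZone               = 'America/New_York'
    ForUpdateConfiguration = $true
}
$schedule = New-AzAutomationSchedule @scheduleParams

# 4. Targets: a dynamic group (every VM in the resource group tagged Environment=Production,
#    resolved at run time; tag values are passed as arrays) plus one explicitly listed VM.
$dynamicGroup = New-AzAutomationUpdateManagementAzureQuery -ResourceGroupName $rg -AutomationAccountName $aaName -Scope @("/subscriptions/$subId/resourceGroups/$rg") -Tag @{ Environment = @('Production') }
$explicitVm = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/myVM"

# 5. The deployment: Critical and Security classifications only, a 2-hour maintenance window
#    (Windows reserves the last 20 minutes of it for the reboot), reboot only if required.
$deploymentParams = @{
    ResourceGroupName            = $rg
    AutomationAccountName        = $aaName
    Schedule                     = $schedule
    Windows                      = $true
    AzureVMResourceId            = @($explicitVm)
    AzureQuery                   = $dynamicGroup
    IncludedUpdateClassification = @('Critical', 'Security')
    Duration                     = New-TimeSpan -Hours 2
    RebootSetting                = 'IfRequired'
}
$deployment = New-AzAutomationSoftwareUpdateConfiguration @deploymentParams

# 6. After the first scheduled run, list the run results (status, start time, machine counts).
Get-AzAutomationSoftwareUpdateRun -ResourceGroupName $rg -AutomationAccountName $aaName -SoftwareUpdateConfigurationName $deployment.Name
```

The dynamic group is evaluated when each run starts, so a VM tagged Environment=Production tomorrow is picked up without editing the deployment; that is the behaviour the tag-based scenarios below rely on. Linux targets need a second configuration created with -Linux instead of -Windows, since a software update configuration is single-OS.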
Scenario 1: Compliance-Driven Patching in Healthcare A hospital network must maintain HIPAA compliance by ensuring all servers are patched within 30 days of a security update release. They have 200 VMs in Azure and 50 on-premises servers. Using Update Management, the IT team creates a monthly schedule that runs on the first Saturday of each month, targeting all VMs with a maintenance window of 4 hours. They use dynamic groups based on tags (e.g., Environment=Production) to exclude non-production VMs from the same schedule. After each deployment, the compliance report is automatically emailed to the compliance officer. This automated process saves 20 hours of manual work per month and provides audit-ready reports. Without Update Management, they would risk missing critical patches and failing audits.
Scenario 2: Hybrid Environment with Azure Arc A retail company runs 100 VMs in Azure and 300 on-premises servers across multiple stores. They need to deploy critical security patches within 24 hours of release. They use Azure Arc to project their on-premises servers as Azure resources. With Update Management, they create a single deployment schedule that includes both Azure and Arc-enabled servers. The deployment uses tags like 'Criticality=High' to ensure store servers are updated first. The Log Analytics workspace provides a unified view of compliance across all 400 machines. When a patch fails on a store server, an alert is triggered, and the local IT team is notified via SMS. This hybrid approach eliminates the need for separate on-premises patching tools.
What Goes Wrong When Misconfigured If the Log Analytics agent is not installed, cannot reach the workspace, or reports to a different workspace than the one linked to the Automation account, the VM never appears in the compliance dashboard; check the Heartbeat table before blaming the deployment. If the maintenance window is too short, the run stops starting new updates when the window expires and reports the leftovers as not installed, so the machine stays non-compliant even though the run completed. If reboot settings are 'Never reboot' but updates require a reboot, the updates are staged but not fully applied until someone restarts the machine, and the next assessment still shows it pending a reboot. A dynamic group scoped too broadly, or a schedule created in the wrong time zone, can patch production VMs during business hours. If the Automation Account and Log Analytics workspace are not in a supported region pair, linking fails. The Hybrid Runbook Worker on each machine also needs outbound access on port 443 to the Automation endpoints and to its update source (Microsoft Update, WSUS, or the Linux repositories); a firewall change that blocks either shows up as a run that never starts or as every update failing at once. Finally, not monitoring Log Analytics ingestion can lead to unexpected bills when many VMs generate assessment data.
AZ-900 Exam Objective 3.3: Manage resources with Azure tools – This includes understanding Update Management as a tool for automating patch management. The exam expects you to know:
What Update Management is used for (assess and install OS updates)
That it is part of Azure Automation
That it requires a Log Analytics workspace and an Automation Account
That it can manage both Azure and non-Azure VMs (via Azure Arc)
Basic deployment concepts (schedules, maintenance windows, reboot options)
Common Wrong Answers and Why Candidates Choose Them
1. Wrong: Update Management is a standalone service. Many candidates think it is separate from Azure Automation. It is a feature of Azure Automation.
2. Wrong: It can only manage Azure VMs. Candidates forget about Azure Arc for hybrid management. The exam tests that it works for on-premises machines and other clouds.
3. Wrong: It patches applications. Update Management handles operating system updates (plus whatever arrives through the OS update channel, such as Microsoft Update or the Linux repositories); it does not deploy third-party or line-of-business application updates. Candidates confuse it with general software-deployment tools.
4. Wrong: It requires System Center. Some candidates think you need on-premises System Center to manage hybrid environments. Azure Arc removes that need.
Specific Terms and Values on the Exam
- Log Analytics workspace: stores assessment data.
- Azure Automation Account: runs the update deployments.
- Maintenance window: maximum duration for a deployment (default 2 hours; allowed range 30 minutes to 6 hours).
- Reboot options: 'Reboot if required' (default), 'Never reboot', 'Always reboot', 'Only reboot' (reboots without installing updates).
- Update classifications (Windows): Critical updates, Security updates, Update rollups, Feature packs, Service packs, Definition updates, Tools, Updates. Linux distinguishes only critical and security updates from other updates.
- Assessment frequency: every 12 hours by default.
Edge Cases and Tricky Distinctions
- The exam may contrast Azure Update Manager with Update Management. Update Manager is the newer, native service: it needs no Automation Account, Log Analytics workspace, or Log Analytics agent, and it still offers scheduled patching (maintenance configurations with a maintenance window and reboot setting) for Azure VMs and Arc-enabled servers. It replaced Update Management, which was retired on 31 August 2024. Know that both exist and which one depends on the Automation Account and workspace.
- Update Management uses the Log Analytics agent (Microsoft Monitoring Agent), not the Azure Monitor Agent; it never supported AMA.
- For non-Azure machines, Azure Arc is the supported onboarding path; the exam material phrases hybrid support as 'via Azure Arc'.
Memory Trick Think "AUL" – Automation Account, Update Management, Log Analytics. All three are needed. If a question mentions patching without mentioning an Automation Account, it's likely wrong.
Azure Update Management is a feature of Azure Automation used to assess and install OS updates on VMs.
It requires an Automation Account and a Log Analytics workspace linked together.
The Log Analytics agent must be installed on each VM; it reports compliance and installs the Hybrid Runbook Worker that runs the update jobs.
Update Management supports Azure VMs, on-premises VMs (via Azure Arc), and VMs in other clouds.
Deployments are scheduled with a maintenance window (default 2 hours; allowed range 30 minutes to 6 hours) and reboot options.
Assessment runs automatically every 12 hours; compliance data is stored in the Log Analytics workspace.
You pay for Automation job execution, Log Analytics data ingestion, and Azure Arc (if used).
These come up on the exam all the time. Here's how to tell them apart.
Azure Update Management
Part of Azure Automation; requires Automation Account and Log Analytics workspace.
Provides advanced scheduling, maintenance windows, and reboot options.
Supports hybrid environments via Azure Arc.
Offers compliance dashboard and historical reporting.
Ideal for complex, large-scale patching with custom schedules.
Azure Update Manager
Native Azure service; no Automation Account, Log Analytics workspace, or Log Analytics agent needed (it uses the VM and Arc extension model).
Scheduled patching through maintenance configurations, with a maintenance window and reboot setting, plus on-demand assess and install.
Supports Azure VMs and Azure Arc-enabled servers.
Compliance view in the portal and through Azure Resource Graph rather than Log Analytics tables.
Microsoft's successor to Update Management, which was retired on 31 August 2024.
Mistake
Update Management can patch both OS and applications.
Correct
Update Management manages operating system updates (Windows/Linux) and whatever ships through the OS update channel. Third-party and line-of-business application updates need separate tooling, such as Configuration Manager or the application's own deployment mechanism.
Mistake
Update Management is a standalone service in Azure.
Correct
It is a feature of Azure Automation. You must have an Automation Account and a Log Analytics workspace to use it.
Mistake
Update Management can only manage Azure VMs.
Correct
It can manage on-premises machines and VMs in other clouds. Onboarding them with Azure Arc and deploying the Log Analytics agent as an Arc extension is the supported path; the agent reports to the same workspace as your Azure VMs, so they appear in one compliance view.
Mistake
Update Management automatically installs all updates without scheduling.
Correct
You must create a scheduled deployment. The assessment runs automatically, but installation only happens on your defined schedule.
Mistake
Update Management is free; there are no costs.
Correct
While the service itself has no separate fee, you pay for Azure Automation job execution, Log Analytics data ingestion and retention, and Azure Arc for non-Azure machines.
Azure Update Management is a feature of Azure Automation that provides scheduled deployments, maintenance windows, reboot options, dynamic groups, and hybrid support via Azure Arc. It requires an Automation Account and a Log Analytics workspace. Azure Update Manager is its native successor: it needs no Automation Account, workspace, or Log Analytics agent, offers the same core controls through maintenance configurations, and covers Azure VMs and Arc-enabled servers. Update Management was retired on 31 August 2024, but the AZ-900 material in this chapter still describes it, so know both names and what distinguishes them.
Yes. On-premises servers are managed by installing the Log Analytics agent so that they report to the linked workspace. The supported route is to onboard them to Azure Arc, which projects them as Azure resources with their own resource IDs, and then deploy the agent as an Arc extension; Arc also lets you target them with tag-based dynamic groups. The exam material frames hybrid support as 'via Azure Arc', so answer accordingly.
Update Management requires the Log Analytics agent (also known as the Microsoft Monitoring Agent, MMA) on each VM. It never supported the Azure Monitor Agent; the successor service, Azure Update Manager, uses a VM or Arc extension and no Log Analytics agent at all. The agent reports update compliance to the workspace and installs the Hybrid Runbook Worker that executes the installations.
By default, the assessment runs every 12 hours. You can also trigger a manual scan from the portal or via PowerShell. The assessment checks against Microsoft Update or WSUS for Windows, and the appropriate Linux package repository.
The maintenance window can be set between 30 minutes and 6 hours; the default is 2 hours. The deployment does not start installing any new update once the window expires (an update already installing is allowed to finish), and the remaining updates are reported as not installed. The last 20 minutes of the window on Windows (10 minutes on Linux) are reserved for the reboot, so a 30-minute window leaves very little time for installation. You set the window when creating the deployment schedule.
Yes, Update Management supports both Windows and Linux VMs. For Linux, it uses the appropriate package manager (e.g., yum, apt, zypper) to install updates. The same scheduling and reporting features apply.
In the Azure portal, go to your Automation Account > Update Management. The dashboard shows the number of missing updates per VM, classified by severity. For anything beyond the dashboard, query the Update, UpdateSummary, and UpdateRunProgress tables in the Log Analytics workspace; data is kept for the workspace's configured retention period (30 days by default, configurable upward).
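The three checks a practitioner actually runs against the workspace: the compliance query behind the dashboard, the agent-health query that catches the 'VM does not appear' failure from the misconfiguration section above, and the failed-installation query for recent deployments. This is an added example in Azure PowerShell (KQL run through Az.OperationalInsights), not code from the original page; it assumes Connect-AzAccount has been run, that myRG and myWorkspace are placeholders, and that the two-day SLA threshold is an assumed policy value rather than anything the service defines.

```powershell
# Added example (not from the original page): three KQL checks against the Update
# Management workspace. Assumptions: Connect-AzAccount already run; Az.OperationalInsights
# installed; myRG and myWorkspace are placeholders; the 2-day SLA is an assumed policy value.

$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'myRG' -Name 'myWorkspace'

function Invoke-UmQuery {
    param([Parameter(Mandatory)][string]$Kql)
    # CustomerId is the workspace ID (GUID) the agents report to.
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $Kql).Results
}

# (a) Compliance: missing Critical/Security updates per machine, with the age of the oldest.
#     ago(14h) covers the 12-hour Windows scan interval plus slack; every scan re-emits a
#     row per update, so arg_max keeps only the latest record per machine and update.
$missingKql = @'
Update
| where TimeGenerated > ago(14h)
| where Optional == false
| where Classification in ("Critical Updates", "Security Updates")
| where UpdateState =~ "Needed"
| summarize arg_max(TimeGenerated, *) by SourceComputerId, UpdateID
| extend DaysOutstanding = datetime_diff("day", now(), PublishedDate)
| summarize MissingUpdates = count(), OldestDays = max(DaysOutstanding) by Computer
| extend BreachesSla = OldestDays > 2
| order by OldestDays desc
'@

# (b) Health: machines whose agent has sent no heartbeat for an hour. They drop out of the
#     compliance view and will be skipped or fail in the next deployment.
$staleAgentKql = @'
Heartbeat
| summarize LastSeen = max(TimeGenerated) by Computer
| where LastSeen < ago(1h)
| project Computer, LastSeen, MinutesSilent = datetime_diff("minute", now(), LastSeen)
'@

# (c) Deployment results: updates that failed to install in the last week, per run and machine.
$failedKql = @'
UpdateRunProgress
| where TimeGenerated > ago(7d)
| where InstallationStatus == "Failed"
| summarize FailedUpdates = count(), Titles = make_set(Title, 5) by UpdateRunName, Computer
'@

$missing = Invoke-UmQuery $missingKql
$stale   = Invoke-UmQuery $staleAgentKql
$failed  = Invoke-UmQuery $failedKql

"Machines missing Critical/Security updates: $($missing.Count)"
$missing | Where-Object { $_.BreachesSla -eq 'True' } | Format-Table Computer, MissingUpdates, OldestDays
"Agents silent for more than an hour: $($stale.Count)"
$stale | Format-Table
"Failed update installs in the last 7 days: $($failed.Count)"
$failed | Format-Table UpdateRunName, Computer, FailedUpdates
```

Query (a) is the one to wire into an Azure Monitor log alert for the SLA scenarios earlier in the chapter; query (b) is the first thing to run when a machine is missing from the dashboard, because a silent agent explains that far more often than a problem with the deployment itself.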