Patch Perfect: Mastering Azure Update Manager for Worry-Free VM Maintenance – Part 1

In today’s cybersecurity landscape, keeping virtual machines updated isn’t just good practice—it’s essential for survival. Yet many organisations continue to wrestle with manual patching processes that consume valuable IT resources, introduce human error, and create security vulnerabilities through inconsistent application. The frustration of weekend maintenance windows, unexpected application crashes following updates, and the constant fear of missing critical security patches haunts system administrators worldwide. 

Enter Azure Update Manager (AUM) as Microsoft’s comprehensive solution to these challenges, offering automated patch management that dramatically reduces administrative overhead while enhancing security posture.  

With its intuitive interface, organisations can schedule updates during optimal windows, prioritise critical patches, and maintain detailed compliance reports—all from a centralised dashboard. The ability to monitor update status in real-time transforms what was once an anxiety-inducing process into a predictable, manageable task.  

The Engine Room – Inside the Patching Powerhouse 

At its core, Azure Update Manager provides a unified command centre where cloud engineers can view available updates, categorise them by criticality, and deploy them with pre-defined schedules. The service supports both Windows and Linux VMs, allowing organisations with mixed environments to standardise their update procedures under a single management umbrella. 

What truly sets Azure Update Manager apart from manual update management is its intelligence. The system automatically evaluates update dependencies, preventing the common scenario where one patch breaks functionality dependent on unpatched components. For organisations managing hundreds or thousands of VMs, this dependency mapping alone can prevent countless hours of troubleshooting and emergency patching. 

The platform also introduces dynamic scopes—collections of VMs that can be updated together based on role, environment, or custom tags. This grouping capability allows for strategic update rollouts that respect application dependencies and business continuity requirements. For example, you can ensure database servers receive updates before the application servers that depend on them, maintaining service integrity throughout the update cycle. 

Azure Update Manager brings cloud-scale intelligence to security patching, analysing patch effectiveness across Microsoft’s global customer base to identify and prioritise updates that address the most critical vulnerabilities first. 

Navigating the WSUS-Azure Update Manager Intersection 

Before we dive into how Azure Update Manager can be configured, one major pain point deserves attention: Windows Server Update Services (WSUS). This service has been the backbone of Microsoft update management for on-premises environments since the early 2000s.

Organizations traditionally deployed WSUS to download updates once from Microsoft and distribute them internally, reducing internet bandwidth consumption and enabling centralized approval workflows. WSUS offered granular control over which updates were applied to which servers, allowing IT teams to create maintenance windows and staged rollouts before cloud management solutions existed. 

For many enterprises with significant on-premises footprints, WSUS became deeply embedded in their operational practices, often integrated with Configuration Manager (formerly SCCM) for comprehensive endpoint management. 

Unfortunately, when services are migrated to Azure and Azure Update Manager is enabled, the Group Policy that configures WSUS is easily overlooked, leaving WSUS settings in place on VMs running in Azure. Because the VM honours that WSUS configuration, it keeps pointing at a WSUS server that no longer works as expected and stops receiving updates from Azure Update Manager altogether.

Therefore, if you are thinking about using Azure Update Manager, ensure that you have updated your Group Policy so that WSUS configuration is no longer distributed to these VMs. Also check that Configuration Manager (SCCM) will not be publishing WSUS settings to the VMs. To check whether WSUS is enabled, inspect the following registry values under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:

Registry value   Desired value   Description
UseWUServer      0               A value of 1 means WSUS is being used. Set to 0 to stop using WSUS.
NoAutoUpdate     0               0 enables Automatic Updates (1 disables them).
AUOptions        4               4 = download updates automatically and schedule the installation.
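The check described above, as an added PowerShell example that is not part of the original post: it reads the three AU policy values from the table, reports any that would keep the VM on WSUS, and can set them to the desired values. It goes one step beyond the table by also reading WUServer from the parent key, and it assumes an elevated session on the VM and a hypothetical -Remediate switch.

```powershell
# Added example (not from the original post): audit the WSUS policy values that make a
# VM ignore Azure Update Manager. Assumes it runs in an elevated session on the VM.
param(
    [switch]$Remediate   # assumption: report only unless this switch is supplied
)

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Desired values from the table above: 0 = no WSUS, 0 = Automatic Updates enabled,
# 4 = download automatically and schedule the installation.
$desired = @{
    UseWUServer  = 0
    NoAutoUpdate = 0
    AUOptions    = 4
}

function Test-WsusPolicy {
    param([string]$Path, [hashtable]$Expected)
    $findings = @()
    # No AU policy key at all means nothing is forcing WSUS, so AUM can manage the VM.
    if (-not (Test-Path $Path)) { return $findings }
    $props = Get-ItemProperty -Path $Path
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name          # $null when the value is absent
        if ($null -ne $actual -and $actual -ne $Expected[$name]) {
            $findings += [pscustomobject]@{ Name = $name; Actual = $actual; Desired = $Expected[$name] }
        }
    }
    return $findings
}

$findings = @(Test-WsusPolicy -Path $auKey -Expected $desired)

# WUServer lives one key up and holds the WSUS URL the VM is pointed at (not in the table above).
$wuServer = (Get-ItemProperty -Path (Split-Path $auKey -Parent) -ErrorAction SilentlyContinue).WUServer
if ($wuServer) { Write-Output "WSUS server configured by policy: $wuServer" }

if ($findings.Count -eq 0) {
    Write-Output 'No WSUS policy conflict found under the AU key.'
    return
}
$findings | Format-Table -AutoSize
if ($Remediate) {
    foreach ($f in $findings) {
        Set-ItemProperty -Path $auKey -Name $f.Name -Value $f.Desired -Type DWord
    }
    Write-Output 'Registry values corrected. Fix the Group Policy too, or the next refresh will reapply WSUS.'
}
```

Run it without -Remediate first across a sample of migrated VMs; a non-empty finding list is the signature of the stale WSUS policy described above.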

Configuring Azure Update Manager 

In this section we will go through implementing Azure Update Manager using Bicep. We will look at creating maintenance configurations with dynamic scoping, discuss scheduling, and walk through update classification, inclusion and exclusion. 

Maintenance Configuration via Bicep 

The first step is to ensure a maintenance configuration is created. This resource defines maintenance windows and should be used to plan the patching of VMs more carefully. When creating maintenance configurations, consider VM dependencies and make sure that the resources other VMs depend on are patched first. 

Also, ensure that the non-prod environment is patched at least a week before the production environment, so that any issues with newly released patches are caught before they reach production. If you have Defender for Endpoint enabled, create a separate maintenance configuration to apply Defender updates regularly (every 6 hours). 

The following Bicep configuration creates a maintenance configuration that installs Critical and Security patches on both Windows and Linux operating systems. 

resource deploy_maintenanceConfiguration 'Microsoft.Maintenance/maintenanceConfigurations@2023-04-01' = {
  location: 'australiaeast'
  name: 'maintenance-configuration-name' // placeholder: replace with your own naming convention
  properties: {
    extensionProperties: {
      InGuestPatchMode: 'User' // customer-managed schedule (as opposed to platform-managed)
    }
    maintenanceScope: 'InGuestPatch'
    maintenanceWindow: {
      duration: '03:55' // maximum window length for in-guest patching
      recurEvery: '1Month Second Tuesday Offset1' // the day after Patch Tuesday, every month
      startDateTime: '2025-02-27 00:00'
      timeZone: 'E. Australia Standard Time'
    }
    installPatches: {
      rebootSetting: 'IfRequired'
      linuxParameters: {
        classificationsToInclude: [
          'Critical'
          'Security'
        ]
      }
      windowsParameters: {
        classificationsToInclude: [
          'Critical'
          'Security'
        ]
      }
    }
  }
}

For further information about the Maintenance Configuration resource definition refer to – https://learn.microsoft.com/en-us/azure/templates/microsoft.maintenance/maintenanceconfigurations?pivots=deployment-language-bicep

Maintenance Configuration Assignment

After your maintenance configuration is created, it has to be assigned to the VMs it should patch. Assignment should be dynamic, and resource tags are the natural way to drive it. Before you assign your maintenance configuration, ensure you have planned your tagging strategy for all your VMs.

After tagging has been applied, the following Bicep configuration can be used:

resource assign_maintenanceConfiguration 'Microsoft.Maintenance/configurationAssignments@2023-04-01' = {
  name: 'maintenance-config-assignment'
  properties: {
    filter: {
      locations: [
        'australiaeast'
        'australiasoutheast'
      ]
      osTypes: [
        'Windows'
        'Linux'
      ]
      resourceGroups: [] // List of allowed resource groups - keep empty to apply to all
      resourceTypes: [
        'Microsoft.Compute/virtualMachines'
      ]
      tagSettings: {
        filterOperator: 'All' // every listed tag must match; use 'Any' to match on at least one
        tags: {
          updateRing: ['Dev'] // Tag the VMs with updateRing=Dev to bring them into this dynamic scope
        }
      }
    }
    maintenanceConfigurationId: deploy_maintenanceConfiguration.id // the resource defined above
    resourceId: subscription().id // The subscription the dynamic scope is evaluated against
  }
}

Conclusion 

This first section has laid the groundwork for understanding Azure Update Manager’s role in modern cloud infrastructure maintenance. We’ve explored how this native Azure service represents an evolution beyond traditional WSUS implementations while acknowledging the potential conflicts that can arise when both systems coexist. The Bicep templates provided offer infrastructure-as-code pathways to standardise maintenance configurations across your environment, ensuring consistent application of update policies while minimising manual configuration errors.

In the next instalment, we’ll dive into the monitoring and reporting capabilities that truly elevate Azure Update Manager beyond its predecessors. We’ll explore how to gain visibility into update compliance, different alerts which can help monitor VMs proactively and the use of pre/post update processes.
