Microsoft has just released an updated capability for patching Windows and Linux VMs called Azure Update Manager. This new patch scheduling environment is easily integrated with your Azure-deployed virtual machines as well as Arc-enabled servers running outside of Azure. A few benefits of Update Manager include:
- No IaaS or PaaS services are required to run
- Moving away from agent/extension requirements being installed on VMs
- VMs can be easily onboarded and configured at scale using Azure Policy
No IaaS or PaaS services
Previous solutions for patching VMs in Azure either required Virtual Machines to be deployed or an Automation Account/Log Analytics workspace to be used. These components are no longer required as this is now a built-in capability.
No more Agents required
With the Log Analytics agent being deprecated in August of 2024, moving to Update Manager removes the dependency on the legacy agent and Log Analytics; Update Manager installs a new extension when systems are onboarded. The only prerequisite is that the Azure VM Agent and/or the Arc Agent be installed to allow management via the Azure portal.
Onboard VMs at scale
Azure Policy can easily be used to onboard systems at scale, both to enable patch scanning that sends data to Update Manager and to assign the correct maintenance configuration. The policy that assigns the schedule for when patches will be applied can be customized to configure assignment based on subscription, name of resource or resource group, specific tag value, etc. This gives flexibility to dynamically assign schedules to VMs as they get deployed so that groups don’t need to be managed manually.
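A pre-rollout check for the subscription, name, resource group and tag based assignment described above, added here as an illustration and not taken from Microsoft's tooling: it reports VMs that no schedule would pick up and VMs that more than one schedule would claim. The inventory, the rule format, the schedule names and the "every criterion must match" logic are constructed assumptions of this example, not Azure Policy's own evaluation.

```python
from fnmatch import fnmatchcase

# Constructed inventory; field names follow an Azure Resource Graph style export.
INVENTORY = [
    {"name": "web-prod-01", "resourceGroup": "rg-web", "subscriptionId": "sub-a",
     "tags": {"PatchGroup": "prod-sat"}},
    {"name": "sql-prod-01", "resourceGroup": "rg-data", "subscriptionId": "sub-a",
     "tags": {"PatchGroup": "prod-sat"}},
    {"name": "web-dev-01", "resourceGroup": "rg-web", "subscriptionId": "sub-b",
     "tags": {}},
    {"name": "jump-01", "resourceGroup": "rg-mgmt", "subscriptionId": "sub-a",
     "tags": {"PatchGroup": "prod-sta"}},  # typo in the tag value
]

# Hypothetical scoping rules: every criterion present in a rule must match.
RULES = [
    {"schedule": "mc-prod-saturday", "tags": {"PatchGroup": "prod-sat"}},
    {"schedule": "mc-dev-nightly", "subscriptionId": "sub-b", "name": "*-dev-*"},
    {"schedule": "mc-data-sunday", "resourceGroup": "rg-data"},
]

def matches(vm, rule):
    """True when the VM satisfies every criterion the rule specifies."""
    for key in ("subscriptionId", "resourceGroup"):
        if key in rule and vm.get(key, "").lower() != rule[key].lower():
            return False
    if "name" in rule and not fnmatchcase(vm["name"].lower(), rule["name"].lower()):
        return False
    vm_tags = vm.get("tags") or {}
    # Tag keys and values are compared exactly in this example.
    return all(vm_tags.get(k) == v for k, v in rule.get("tags", {}).items())

def audit(inventory, rules):
    """Map each VM to its matching schedules and report gaps and overlaps."""
    report = {"assigned": {}, "unassigned": [], "overlapping": {}}
    for vm in inventory:
        hits = [r["schedule"] for r in rules if matches(vm, r)]
        if not hits:
            report["unassigned"].append(vm["name"])      # would never be patched
        elif len(hits) > 1:
            report["overlapping"][vm["name"]] = hits     # competing windows
        else:
            report["assigned"][vm["name"]] = hits[0]
    return report

if __name__ == "__main__":
    for section, value in audit(INVENTORY, RULES).items():
        print(section, value)
```

The unassigned list is the one to review first: a VM that matches no rule, here because of a mistyped tag value, silently receives no patch schedule.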
Current OS Support
Currently, OS support is limited to Windows Server and Linux Server VMs that are deployed through marketplace images. Support for customized images that are generalized or specialized is currently in preview and supports most major Windows and Linux OS versions. The full list of supported images is here: https://learn.microsoft.com/en-us/azure/update-manager/support-matrix
Update Manager will also support deploying Windows Server 2012 Extended Security Updates (ESUs) through Azure Arc or via Windows Server 2012 marketplace VM deployments, while support for migrated VMs is currently in preview. If you have deployed or migrated to Azure, those ESUs will be free of charge for an additional year. If you are onboarding via Azure Arc and you have Software Assurance, you can pay for ESUs monthly as you continue to work to migrate off Windows Server 2012. For more information on how Windows Server 2012 ESUs work with Azure Arc, take a look at this blog post: ESUs, Extended Security Updates, Windows Server, SQL server, hybrid, Azure Arc (microsoft.com)
If you are interested in talking more about Azure Update Manager and/or Windows Server 2012 ESUs, please let us know as we can help migrate and modernize your workloads. Contact us today!