Manage Windows updates with Azure Automation

Update management allows you to manage updates and patches for your virtual machines. In this tutorial, you learn how to assess the status of available updates quickly, schedule installation of required updates, review deployment results, and create an alert to verify updates apply successfully.

For pricing information, see Automation pricing for Update management.

In this tutorial, you learn how to:

  • Onboard a VM for update management
  • View an update assessment
  • Configure alerting
  • Schedule an update deployment
  • View the results of a deployment


To complete this tutorial, you need:

Log in to Azure

Log in to the Azure portal at

Enable Update management

First you need to enable Update management on your VM for this tutorial.

  1. From the Azure portal, on the left menu, select Virtual machines and select a VM from the list.
  2. From the VM page, click Update management under the Operations section. The Enable Update Management page opens.

Validation is performed to determine if Update management is enabled for this VM. This validation checks for a Log Analytics workspace and a linked Automation account, and whether the Update management solution is in the workspace.

A Log Analytics workspace is used to collect data that is generated by features and services such as Update management. The workspace provides a single location to review and analyze data from multiple sources.

The validation process also checks to see if the VM is provisioned with the Microsoft Monitoring Agent (MMA) and Automation hybrid runbook worker. This agent is used to communicate with Azure Automation and obtain information about the update status. The agent requires port 443 to be open to communicate with the Azure Automation service and to download updates.

If any of the following prerequisites were found to be missing during onboarding, they're automatically added:

The Update Management screen opens. Configure the location, Log Analytics workspace, and Automation account to use, and click Enable. If the fields are grayed out, another automation solution is enabled for the VM and the same workspace and Automation account must be used.

Enabling the solution can take up to a few minutes. During this time, you shouldn't close the browser window. After the solution is enabled, information about missing updates on the VM flows to Log Analytics. It can take between 30 minutes and 6 hours for the data to be available for analysis.

View update assessment

After Update management is enabled, the Update management screen appears. If any updates are missing, you see a list of missing updates on the Missing updates tab.

Select the INFORMATION LINK on the update to open the support article for the update in a new window. Here you can learn important information regarding the update.

Clicking anywhere else on the update opens the Log Search window for the selected update. The query for the log search is predefined for that particular update. You can modify this query or create your own query to view detailed information about the updates deployed or missing in your environment.

Configure alerting

In this step, you configure an alert to let you know when updates have been successfully deployed. The alert you create is based on a Log Analytics query. Any custom query can be written for additional alerts to cover many different scenarios. In the Azure portal, navigate to Monitor and click Create Alert. This opens the Create rule page.

Under 1. Define alert condition, click + Select target. Under Filter by resource type, select Log Analytics. Choose your Log Analytics workspace and click Done.

Click the + Add criteria button to open the Configure signal logic page. Choose Custom log search in the table. Enter the following query in the Search query text box. This query returns the computers and the update run name that completed in the time frame specified.

UpdateRunProgress
| where InstallationStatus == 'Succeeded'
| where TimeGenerated > now(-10m)
| summarize by UpdateRunName, Computer

Enter 1 as the Threshold for the Alert logic. When finished, click Done.

Under 2. Define alert details, give the alert a friendly name and description. Set the Severity to Informational (Sev 2) since the alert is for a successful run.

Under 3. Define action group, click + New action group. An action group is a group of actions that you can use across multiple alerts. These can include, but are not limited to, email notifications, runbooks, webhooks, and many more. To learn more about action groups, see Create and manage action groups.

In the Action group name box, give it a friendly name and short name. The short name is used in place of a full action group name when notifications are sent using this group.

Under Actions, give the action a friendly name like Email Notifications. Under ACTION TYPE, select Email/SMS/Push/Voice. Under DETAILS, select Edit details.

On the Email/SMS/Push/Voice page, give it a name. Check the Email checkbox and enter a valid email address to be used.

Click OK on the Email/SMS/Push/Voice page to close it and click OK to close the Add action group page.

You can customize the subject of the email sent by clicking Email subject under Customize Actions on the Create rule page. When complete, click Create alert rule. This creates the rule that alerts you when an update deployment succeeds and tells you which machines were part of that update deployment run.
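
The alert above fires only on success, so a deployment that stalls or fails produces no notification at all. The following query is an added example, not part of the original tutorial, that can back a second alert rule for runs that did not finish cleanly. It assumes UpdateRunProgress also exposes a Title column per update, and it treats any latest status other than 'Succeeded' as needing attention.

```kusto
// Added example: surface update runs where at least one update did not succeed.
// Table and status column are the ones used by the tutorial's success query.
// Assumption: Title identifies an individual update within a run.
UpdateRunProgress
| where TimeGenerated > ago(1d)
// Keep only the most recent status reported for each update on each computer,
// so an update that was retried is counted once with its final state.
| summarize arg_max(TimeGenerated, InstallationStatus)
    by UpdateRunName, Computer, Title
// Roll up per run and computer.
| summarize
    TotalUpdates = count(),
    Succeeded    = countif(InstallationStatus == 'Succeeded'),
    NotSucceeded = countif(InstallationStatus != 'Succeeded'),
    LastReported = max(TimeGenerated)
    by UpdateRunName, Computer
// A run that is still in progress also appears here until it completes,
// so only consider runs whose last report is older than 30 minutes.
| where NotSucceeded > 0 and LastReported < ago(30m)
| order by NotSucceeded desc, Computer asc
```

Use it in a separate alert rule with a higher severity than the success alert, so that failed or incomplete patch runs are not lost among informational messages.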

Schedule an update deployment

Now that alerting is configured, schedule a deployment that follows your release schedule and service window to install updates. You can choose which update types to include in the deployment. For example, you can include critical or security updates and exclude update rollups.


When updates require a reboot, the VM is restarted automatically.

Schedule a new update deployment for the VM by navigating back to Update management and selecting Schedule update deployment at the top of the screen.

In the New update deployment screen, specify the following information:

  • Name - Provide a unique name for the update deployment.

  • Operating system - Choose the OS to target for the update deployment.

  • Update classification - Select the types of software the update deployment includes. For this tutorial, leave all types selected.

    The classification types are:

    OS        Type
    Windows   Critical updates, Security updates, Update rollups, Feature packs, Service packs, Definition updates
    Linux     Critical and security updates, Other updates

    For a description of the classification types, see update classifications.

  • Schedule settings - This opens the Schedule Settings page. The default start time is 30 minutes after the current time. It can be set any time from 10 minutes in the future.

    You can also specify whether the deployment occurs once or set up a recurring schedule. Select Once under Recurrence. Leave the default to 1 day and click OK. This sets up a recurring schedule.

  • Maintenance window (minutes) - Leave this value at the default value. You can specify the period of time you want the update deployment to occur within. This setting helps ensure changes are performed within your defined service windows.

After you've completed configuring the schedule, click the Create button. You are returned to the status dashboard. Select Scheduled Update deployments to show the deployment schedule you created.

View results of an update deployment

After the scheduled deployment starts, you can see the status for that deployment on the Update deployments tab on the Update management screen. The status shows as In progress when it's currently running. After it completes, if successful, it changes to Succeeded. When there are failures with one or more updates in the deployment, the status is Partially failed. Click the completed update deployment to see the dashboard for that update deployment.

In the Update results tile, a summary provides the total number of updates and deployment results on the VM. The table on the right shows a detailed breakdown of each update and the installation results. The following list shows the available values:

  • Not attempted - the update was not installed because there was insufficient time available based on the maintenance window duration defined.
  • Succeeded - the update succeeded.
  • Failed - the update failed.

Click All logs to see all log entries that the deployment created.

Click the Output tile to see the job stream of the runbook responsible for managing the update deployment on the target VM.

Click Errors to see detailed information about any errors from the deployment.

Once your update deployment is successful, an email similar to the following image is sent to show success of the deployment.

Next Steps

In this tutorial, you learned how to:

  • Onboard a VM for update management
  • View an update assessment
  • Configure alerting
  • Schedule an update deployment
  • View the results of a deployment

Continue to the overview for the Update Management solution.