Manage Windows updates with Azure Automation

Update management allows you to manage updates and patches for your virtual machines. In this tutorial, you learn how to assess the status of available updates quickly, schedule installation of required updates, and review deployment results to verify updates apply successfully.

For pricing information, see Automation pricing for Update management.

In this tutorial, you learn how to:

  • Onboard a VM for update management
  • View an update assessment
  • Schedule an update deployment
  • View the results of a deployment


To complete this tutorial, you need:

Log in to Azure

Log in to the Azure portal at

Enable Update management

First you need to enable Update management for your VM for this tutorial. If you have previously enabled another automation solution for a VM, this step is not necessary.

  1. On the left menu, select Virtual machines and select a VM from the list.
  2. On the left menu, under the Operations section, click Update management. The Enable Update Management page opens.

Validation is performed to determine if Update management is enabled for this VM. The validation includes checks for a Log Analytics workspace and linked Automation account, and if the solution is in the workspace.

A Log Analytics workspace is used to collect data that is generated by features and services such as Update management. The workspace provides a single location to review and analyze data from multiple sources. To perform additional actions on VMs that require updates, Azure Automation allows you to run runbooks against VMs, for example to download and apply updates.

The validation process also checks to see if the VM is provisioned with the Microsoft Monitoring Agent (MMA) and Automation hybrid runbook worker. This agent is used to communicate with the VM and obtain information about the update status.

Choose the Log Analytics workspace and Automation account and click Enable to enable the solution. The solution takes up to 15 minutes to enable.

If any of the following prerequisites were found to be missing during onboarding, they're automatically added:

The Update Management screen opens. Configure the location, Log Analytics workspace and Automation account to use and click Enable. If the fields are grayed out, another automation solution is already enabled for the VM, and the same workspace and Automation account must be used.

Enable Update management solution window

Enabling the solution can take up to 15 minutes. During this time, you shouldn't close the browser window. After the solution is enabled, information about missing updates on the VM flows to Log Analytics. It can take between 30 minutes and 6 hours for the data to be available for analysis.

View update assessment

After Update management is enabled, the Update management screen appears. If any updates are missing, you see a list of missing updates on the Missing updates tab.

Select the INFORMATION LINK on the update to open the support article for the update in a new window. Here you can learn important information regarding the update.

View update status

Clicking anywhere else on the update opens the Log Search window for the selected update. The query for the log search is predefined for that particular update. You can modify this query or create your own query to view detailed information about the updates deployed or missing in your environment.
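A custom query of this kind can also be run outside the portal. The following is an added example, not part of the original tutorial: it queries the Update table in the workspace for updates still needed on Windows machines and keeps only security and critical classifications. The workspace ID is a placeholder and the 14-hour lookback is an assumption.

```powershell
# Added example, not part of the original tutorial.
# Assumes the Az.OperationalInsights module and an authenticated session
# (Connect-AzAccount). The workspace ID below is a placeholder.
$workspaceId = '<log-analytics-workspace-guid>'

# Kusto query against the Update table that Update management populates.
# The 14h lookback is an assumed window; widen it if assessments run less often.
$query = @'
Update
| where TimeGenerated > ago(14h) and OSType != "Linux"
| summarize arg_max(TimeGenerated, UpdateState, Classification, Title, KBID) by Computer, UpdateID
| where UpdateState =~ "Needed"
| where Classification has "Security" or Classification has "Critical"
| project Computer, Title, KBID, Classification, TimeGenerated
| order by Computer asc, Classification asc
'@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query

# Group the rows per machine so each VM's outstanding patch count is visible at a glance.
$response.Results |
    Group-Object -Property Computer |
    ForEach-Object {
        [pscustomobject]@{
            Computer       = $_.Name
            MissingUpdates = $_.Count
            KBs            = ($_.Group.KBID | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object -Property MissingUpdates -Descending |
    Format-Table -AutoSize
```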


Schedule an update deployment

You now know that your VM is missing updates. To install updates, schedule a deployment that follows your release schedule and service window. You can choose which update types to include in the deployment. For example, you can include critical or security updates and exclude update rollups.


When updates require a reboot, the VM is restarted automatically.

Schedule a new update deployment for the VM by navigating back to Update management and selecting Schedule update deployment at the top of the screen.

In the New update deployment screen, specify the following information:

  • Name - Provide a unique name for the update deployment.
  • Update classification - Select the types of software to include in the update deployment. For this tutorial, leave all types selected.

    The classification types are:

    • Critical updates
    • Security updates
    • Update rollups
    • Feature packs
    • Service packs
    • Definition updates
    • Tools
    • Updates
  • Schedule settings - Set the time to 5 minutes in the future. You can also accept the default, which is 30 minutes after the current time. You can also specify whether the deployment occurs once or set up a recurring schedule. Select Recurring under Recurrence. Leave the default of 1 day and click OK. This sets up a recurring schedule.

  • Maintenance window (minutes) - Leave this value at the default value. You can specify the period of time you want the update deployment to occur within. This setting helps ensure changes are performed within your defined service windows.

Update Schedule Settings screen

After you've completed configuring the schedule, click the Create button. You are returned to the status dashboard. Select Scheduled Update deployments to show the deployment schedule you created.
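The deployment configured in the portal above can also be defined in PowerShell. This is an added example, not part of the original tutorial. It assumes the Az.Automation module, an authenticated session, and placeholder resource names. Unlike the tutorial, which leaves all classifications selected, it includes only critical and security updates.

```powershell
# Added example, not part of the original tutorial.
# Assumes the Az.Automation module and an authenticated session (Connect-AzAccount).
# Resource group, account, schedule name and VM resource ID are placeholders.
$rg      = 'myResourceGroup'
$account = 'myAutomationAccount'
$vmIds   = @(
    '/subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM'
)

# Recurring schedule: first run 10 minutes from now (assumed value), then every day.
# -ForUpdateConfiguration marks the schedule for use by an update deployment.
$schedule = New-AzAutomationSchedule `
    -ResourceGroupName $rg `
    -AutomationAccountName $account `
    -Name 'DailySecurityPatching' `
    -StartTime (Get-Date).AddMinutes(10) `
    -DayInterval 1 `
    -ForUpdateConfiguration

# Update deployment for Windows VMs, limited to critical and security updates.
# -Duration is the maintenance window; 2 hours is an assumed value.
# -RebootSetting IfRequired restarts the VM only when an update requires it.
New-AzAutomationSoftwareUpdateConfiguration `
    -ResourceGroupName $rg `
    -AutomationAccountName $account `
    -Schedule $schedule `
    -Windows `
    -AzureVMResourceId $vmIds `
    -IncludedUpdateClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) `
    -RebootSetting IfRequired

# After the first run has started, list the update runs recorded for the account.
Get-AzAutomationSoftwareUpdateRun -ResourceGroupName $rg -AutomationAccountName $account
```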

View results of an update deployment

After the scheduled deployment starts, you can see the status for that deployment on the Update deployments tab on the Update management screen. The status shows as In progress when it's currently running. After it completes, if successful, it changes to Succeeded. When there are failures with one or more updates in the deployment, the status is Partially failed. Click the completed update deployment to see the dashboard for that update deployment.

Update Deployment status dashboard for specific deployment

In the Update results tile, a summary provides the total number of updates and deployment results on the VM. The table on the right shows a detailed breakdown of each update and the installation results. The following list shows the available values:

  • Not attempted - the update was not installed because there was insufficient time available based on the maintenance window duration defined.
  • Succeeded - the update succeeded.
  • Failed - the update failed.

Click All logs to see all log entries that the deployment created.

Click the Output tile to see the job stream of the runbook responsible for managing the update deployment on the target VM.

Click Errors to see detailed information about any errors from the deployment.

Next Steps

In this tutorial, you learned how to:

  • Onboard a VM for update management
  • View an update assessment
  • Schedule an update deployment
  • View the results of a deployment

Continue to the overview for the Update Management solution.