I want to patch Arc machines using customer managed schedules in Azure Update manager. How to do it?

Question

I want to patch Arc machines using customer managed schedules in Azure Update manager. How to do it?

Ajit Sane 0

I want to patch Arc machines (windows and linux) using a maintanance configuration in Azure update manager. That is customer managed schedule. For this please let me know what are the prerequisites on the VM end and Azure end.

For now, I have configured below setting in windows VM. Please let me know also for Linux vm.

"windowsConfiguration": {
                "patchSettings": {
                    "assessmentMode": "AutomaticByPlatform",
                    "patchMode": "AutomaticByPlatform"
                }
            }

Suchitra Suregaunkar 11,395 Reputation points Microsoft External Staff Moderator

2026-04-06T14:56:29.92+00:00
Hello @Ajit Sane@Ajit Sane Thank you for posting your query on Microsoft Q&A platform.

Yes, Azure Update Manager supports patching Azure Arc–enabled servers using customer‑managed schedules, and the only supported way to do scheduled patching for Arc machines is by using a Maintenance Configuration.

Please have a look into below supported scenarios:

Azure Arc–enabled Windows and Linux servers

Customer‑managed schedules using Maintenance Configuration

Assessment and patch installation during the defined maintenance window

Important: Azure‑managed safe deployment (automatic monthly patching) is NOT supported for Arc‑enabled servers. Only Maintenance Configuration–based scheduling is supported.

Reference: https://docs.azure.cn/en-us/update-manager/manage-update-settings?tabs=manage-single-overview%2Cmanage-scale-overview

Please have a look into below configuration updates:

On the Azure side

The servers must be onboarded to Azure Arc and in a healthy state.

Use Azure Update Manager and create a Maintenance Configuration that defines:

Schedule and recurrence

Maintenance window

Patch classifications

Assign the Maintenance Configuration to the Arc machines (directly or via scope).

On the machine side:

Windows Arc machines

The Windows Update client must already be configured to use Microsoft Update or WSUS (Update Manager does not override this).

Patch settings must be set as below (this is required):

"windowsConfiguration": { "patchSettings": { "assessmentMode": "AutomaticByPlatform", "patchMode": "AutomaticByPlatform" } }

Linux Arc machines:

A supported Linux distribution must be used.

Python (2.7+ or 3.x) must be installed, and the machine must allow root/sudo access.

Patch settings should be configured as:

"linuxConfiguration": { "patchSettings": { "assessmentMode": "AutomaticByPlatform", "patchMode": "AutomaticByPlatform" } }

No manual VM extension installation is required. Azure Update Manager automatically deploys the required extensions when patching is triggered.

Once the Maintenance Configuration is assigned:

Azure Update Manager assesses and installs updates only during the defined maintenance window

Patches are downloaded from the machine’s configured update source

Reboots occur only if required and allowed by the configuration

Important clarification:

Supported: Customer‑managed schedules using Maintenance Configuration.

Not supported for Arc: Azure‑managed safe deployment (automatic monthly patching).

References:

Prerequisites for Azure Update Manager:
https://learn.microsoft.com/en-us/azure/update-manager/prerequisites

Customer‑managed schedules and update settings:

https://learn.microsoft.com/en-us/azure/update-manager/manage-update-settings?tabs=manage-single-overview%2Cmanage-scale-overview

Azure Update Manager overview (Arc behavior):

https://learn.microsoft.com/en-us/azure/update-manager/overview

To patch Azure Arc–enabled Windows and Linux machines on a schedule, you must use Azure Update Manager with a Maintenance Configuration. PatchMode and AssessmentMode must be set to AutomaticByPlatform, and updates are applied only during the configured maintenance window. Azure‑managed safe deployment is not supported for Arc machines.

Thanks,
Suchitra.
Suchitra Suregaunkar 11,395 Reputation points Microsoft External Staff Moderator

2026-04-07T16:03:21.98+00:00

Hello @Ajit Sane@Ajit Sane

Could you please let us know if the comment above resolved your issue? If you need any further assistance, feel free to reach out—we're always here to support you.

If you found the comment helpful, please consider clicking "Upvote it."

Thanks,

Suchitra.

1 answer

Your answer

Suchitra Suregaunkar 11,395 Reputation points Microsoft External Staff Moderator

2026-04-07T16:03:21.98+00:00

Hello @Ajit Sane@Ajit Sane

Could you please let us know if the comment above resolved your issue? If you need any further assistance, feel free to reach out—we're always here to support you.

If you found the comment helpful, please consider clicking "Upvote it."

Thanks,

Suchitra.

Answer 1

To patch Azure Arc-enabled machines (Windows and Linux) with customer managed schedules in Azure Update Manager, use Maintenance Configurations with scheduled patching. For Arc-enabled servers, there is no VM-side patch orchestration mode requirement like for Azure VMs.

Key points for Arc-enabled machines:

Prerequisites (Azure side)
- Ensure Update Manager prerequisites are met for the environment. (See “Prerequisites for Update Manager” referenced from scheduled patching.)
- Use Azure Update Manager and create Maintenance Configurations that define:
  - Schedule (daily, weekly, or hourly cadence).
  - Maintenance window duration.
  - Included machines (Arc-enabled Windows and Linux servers).
  - Update classifications and inclusion/exclusion rules.
- Azure Update Manager uses Maintenance Configurations (maintenance control) to orchestrate these schedules. For Arc-enabled servers, scheduled patching does not depend on a specific patch orchestration mode.
Prerequisites (VM/Arc machine side)
- For Arc-enabled machines, there is explicitly no requirement to set patch orchestration to Customer Managed Schedules. The note in scheduled patching states that the “Patch orchestration of the Azure machines should be set to Customer Managed Schedules. For Azure Arc-enabled machines, it is not a requirement.”
- The Windows windowsConfiguration.patchSettings values such as assessmentMode and patchMode are relevant for Azure VMs. They are not required for Arc-enabled servers to participate in customer managed schedules via Update Manager.
Configure customer managed schedules for Arc machines
- In Azure Update Manager:
  1. Create a Maintenance Configuration (customer-defined maintenance schedule) for updates.
  2. Choose the cadence (daily/weekly/hourly) and maintenance window.
  3. Select the Arc-enabled machines (Windows and Linux) as the target resources.
  4. Define which updates to install (for example, security, critical, or all available updates).
- Once saved, the Maintenance Configuration acts as the customer managed schedule. Update Manager will automatically install updates on the Arc machines according to this schedule.
Notes and behavior
- Update Manager supports Windows and Linux VMs, on-premises environments, and Azure Arc-enabled servers for scheduled patching using Maintenance Configurations.
- For Azure VMs (not Arc), patch orchestration must be set to Customer Managed Schedules to avoid schedule failures. This requirement does not apply to Arc-enabled servers.

In summary, for Arc-enabled machines, ensure they are onboarded to Azure Arc and visible in Azure Update Manager, then create Maintenance Configurations (customer managed schedules) targeting those machines. No special patchMode or assessmentMode settings are required on the Arc machines for scheduled patching to work.

References:

Share via

I want to patch Arc machines using customer managed schedules in Azure Update manager. How to do it?

1 answer

Your answer