How to patch linux Arc machines using customer managed schedules

For Arc-enabled machines (Windows and Linux), Azure Update Manager scheduled patching with customer-managed schedules is supported via Maintenance Configurations. The prerequisites and configuration differ slightly from Azure VMs.

Prerequisites on the Azure side

1. Enable Azure Update Manager and meet its prerequisites
   • Ensure the environment meets the general prerequisites for Update Manager and scheduled patching. These include enabling Update Manager and having the required permissions and connectivity as described in the prerequisites for Update Manager and scheduled patching.
   • Scheduled patching uses Maintenance Configurations. Create a Maintenance Configuration with the desired cadence (daily/weekly/hourly) and update classifications, and then attach it to the Arc machines that must be patched.
   • Use the Scheduled patching experience in Update Manager to create and save recurring deployment schedules. These are stored as Maintenance Configurations.
2. Use Maintenance Configurations for scheduling
   • Azure Update Manager uses Maintenance Configurations (maintenance control) instead of its own schedule objects for recurring updates. The schedule defines:
     • Frequency (daily/weekly/hourly)
     • Maintenance window
     • Target machines (including Arc-enabled servers)
     • Which updates to install

Prerequisites and settings on the VM side

1. Patch orchestration requirement
   • The requirement to set Patch orchestration = Customer Managed Schedules applies to Azure VMs, not Arc-enabled machines.
   • For Arc-enabled machines, it is explicitly stated that setting patch orchestration to Customer Managed Schedules is not required.
2. OS-level update behavior
   • For Arc-enabled servers, platform features such as Automatic VM Guest patching, Windows Automatic Updates, and hotpatching are not supported.
   • Patching is driven by Update Manager using the machine’s native update mechanism:
     • On Windows: Windows Update Agent
     • On Linux: the configured package manager and repositories
3. Assessment behavior
   • Update assessment scans are triggered from Update Manager:
     • On Linux, the scan is performed using the package manager and returns missing updates from the configured repositories.
   • Periodic assessment can be enabled in Update Manager so that machines are assessed every 24 hours.

Assessment mode / patch mode for Linux Arc machines

• The context does not define or require a specific properties.osProfile.linuxConfiguration.patchSettings.assessmentMode or patch mode value for Arc-enabled Linux machines to use customer-managed schedules.
• The key points from the provided information are:
  • Scheduled patching for Arc-enabled servers is supported via Maintenance Configurations.
  • The “Customer Managed Schedules” patch orchestration setting is a prerequisite only for Azure VMs, not for Arc-enabled machines.
  • For Arc-enabled servers, Automatic VM Guest patching and similar Azure VM–specific orchestration modes are not supported.

Therefore, for Linux Arc machines:

• Use Maintenance Configurations in Update Manager to define and attach customer-managed schedules.
• Do not rely on Azure VM–specific patch orchestration modes (such as AutomaticByPlatform / Automatic VM guest patching) because they are not supported for Arc-enabled servers.
• The configuration of assessmentMode or patch mode for Linux Arc machines is not specified as a prerequisite in the provided material; the critical requirement is attaching the machine to the appropriate Maintenance Configuration and ensuring Update Manager prerequisites and connectivity are satisfied.

References:

• Schedule recurring updates for machines by using the Azure portal and Azure Policy
• Update options and orchestration in Azure Update Manager
• Manage update configuration settings
• Assessment options in Update Manager
• What is Azure Update Manager?
• Manage multiple machines with Azure Update Manager