You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
title: Cross subscription patching in Azure Update Manager
3
+
description: Learn about the overview, benefits, and limitations of cross-subscription patching in Azure Update Manager. Centralize and streamline patch management across multiple Azure subscriptions.
4
+
ms.service: azure-update-manager
5
+
ms.date: 02/04/2025
6
+
ms.topic: conceptual
7
+
author: SnehaSudhirG
8
+
ms.author: sudhirsneha
9
+
---
10
+
11
+
# Cross-subscription patching in Azure Update Manager
12
+
13
+
**Applies to:**:heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.
14
+
15
+
Azure Update Management offers a straightforward and efficient solution for managing asset patching within a subscription. The capability is beneficial for organizations with resources distributed across various subscriptions, ensuring consistent and streamlined patch management.
16
+
17
+
However, its capabilities go well beyond this. With proper configuration, you can manage and apply patches across multiple Azure subscriptions from a centralized location.
18
+
19
+
## Key benefits of Cross-subscription patching
20
+
21
+
-**Operational Efficiency**: You can centralize the management of patches, reducing the complexity and time required for patch management. This leads to more streamlined operations.
22
+
-**Improved Reliability**: Regular and consistent patching across all subscriptions helps maintain system stability and reduces downtime caused by unpatched vulnerabilities.
23
+
24
+
## Supported workloads
25
+
26
+
# [Supported resource type](#tab/sup-resource)
27
+
28
+
-**Azure Resource Manager (Arc)-connected hosts**: Non-Azure hosts connected to Azure through Arc, subject to [Arc prerequisites](/azure/azure-arc/servers/prerequisites) and Azure Update Manager [supported regions](support-matrix.md#azure-arc-enabled-servers)
29
+
30
+
-**Azure VM** - Native virtual machines created in Azure.
31
+
32
+
# [Supported OS type](#tab/sup-os)
33
+
34
+
-**Windows**: Cross-subscription patching supports various versions of Windows Server and Windows operating systems. Ensure that your Windows devices are up-to-date and compatible with the patching process. For more information, see [support matrix for Arc-connected hosts](support-matrix-updates.md#azure-arc-enabled-servers)and [Azure VM for supported images](support-matrix-updates.md#supported-windows-os-images).
35
+
36
+
-**Linux**: Cross-subscription patching also supports multiple Linux distributions, including most mainstream distributions like Ubuntu, CentOS, and Red Hat Enterprise Linux (RHEL) etc. Ensure that your Linux devices meet the necessary requirements for patching. For more information, see[support matrix for Arc-connected hosts](support-matrix-updates.md#azure-arc-enabled-servers) and [Azure VM for supported images](support-matrix-updates.md#supported-linux-os-images).
37
+
38
+
---
39
+
40
+
> [!NOTE]
41
+
> If VMs running unsupported images are included in the schedule, the maintenance configuration (i.e., patch job) will fail.
42
+
43
+
44
+
## Limitations
45
+
46
+
**Rate limits** - For managing a large number of assets through API/SPN (Service Principal Name), be mindful of rate limits and distribute the load among multiple Service principals to avoid throttling issues.
47
+
48
+
49
+
## Next steps
50
+
51
+
* Learn more on [how to enable cross-subscription patching either through Azure CLI or portal](enable-cross-subscription-patching.md).
52
+
* Learn more about [Dynamic scope](dynamic-scope-overview.md), an advanced capability of schedule patching.
53
+
* Learn about [pre and post events](pre-post-scripts-overview.md) to automatically perform tasks before and after a scheduled maintenance configuration.
title: Enable cross-subscription patching in Azure Update Manager
3
+
description: Learn how to enable cross-subscription patching in Azure Update Manager.
4
+
ms.service: azure-update-manager
5
+
author: SnehaSudhirG
6
+
ms.author: sudhirsneha
7
+
ms.date: 02/04/2025
8
+
ms.topic: how-to
9
+
---
10
+
11
+
# Enable cross subscription patching in Azure Update Manager
12
+
13
+
**Applies to:**:heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.
14
+
15
+
This article describes how to enable cross-subscription patching either through Azure CLI or Azure portal.
16
+
17
+
## Enable resource providers in your subscription
18
+
19
+
1. You can register the necessary resource providers to your subscription through Azure CLI or manually via the Azure portal.
20
+
21
+
# [Azure CLI](#tab/az-cli)
22
+
23
+
Open your Azure CLI and run the following commands:
24
+
25
+
```azurecli-interactive
26
+
az provider register--namespace "Microsoft.Insights"
27
+
az provider register--namespace "Microsoft.Maintenance"
28
+
```
29
+
# [Azure portal](#tab/az-portal)
30
+
31
+
1. Sign in to the [Azure portal](https://portal.azure.com) and go to your subscription.
32
+
1. Under **Settings**, select **Resource providers**.
33
+
1. Activate both **Microsoft.Insights** and **Microsoft.Maintenance**.
34
+
35
+
:::image type="content" source="./media/enable-cross-subscription-patching/select-resource-providers.png" alt-text="Screenshot that shows how to select the resource providers from subscription." lightbox="./media/enable-cross-subscription-patching/select-resource-providers.png":::
36
+
37
+
---
38
+
2. Grant necessary roles to your managed identity
39
+
40
+
- Assign the appropriate roles to your Azure VM and Arc assets to ensure scheduled patching is managed effectively. The required roles are:
41
+
- Scheduled patching contributor
42
+
- Reader
43
+
- These roles can be granted on the Resource Group or at the Subscription level if you have resources spread among multiple resource groups and want to include them all at once.
44
+
- If you have a smaller scope and plan to manage it with a dedicated admin or group, these two roles can be granted to a user or a security group (SG). If you are envisioning a larger scope with automation in place, ensure to grant these roles to the API and Service Principal Name (SPN) you use.
45
+
46
+
3. Scheduling using maintenance configurations
47
+
48
+
To create maintenance configurations in Azure Update Manager, you can set it up as follows:
49
+
50
+
# [Using Azure portal](#tab/az-patch-portal)
51
+
52
+
1. Sign in to the [Azure portal](https://portal.azure.com) and go to **Azure Update Manager**.
53
+
1. Under **Resources**, select **Machines**, and then select **Maintenance configurations**.
54
+
1. In the **Maintenance Configurations** page, follow the steps to [set up the patching schedule](scheduled-patching.md#schedule-recurring-updates-on-a-single-vm).
55
+
56
+
# [Using API](#tab/az-patch-cli)
57
+
58
+
- Use the API to programmatically schedule the patching.
59
+
- For scheduled patching on VM or Arc assets, locate the assets by using the *resourceId* and *subscription* that they're attached to.
60
+
61
+
---
62
+
63
+
## Next steps
64
+
65
+
* Overview on [cross-subscription patching](cross-subscription-patching.md)
Copy file name to clipboardExpand all lines: articles/update-manager/overview.md
+10-9Lines changed: 10 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ ms.service: azure-update-manager
5
5
ms.custom: linux-related-content, ignite-2024
6
6
author: SnehaSudhirG
7
7
ms.author: sudhirsneha
8
-
ms.date: 01/27/2025
8
+
ms.date: 02/03/2025
9
9
ms.topic: overview
10
10
---
11
11
@@ -24,8 +24,8 @@ You can use Update Manager for:
24
24
-**Flexible patching options**:
25
25
- Schedule updates within [customer-defined maintenance ](https://aka.ms/umc-scheduled-patching), for both Azure and Arc-connected machines.
26
26
-[Apply updates in real-time](deploy-updates.md)
27
-
- Use [Automatic VM guest patching](https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching), to automatically apply updates to Azure VMs without requiring manual intervention.
28
-
- Use [Hot patching](https://learn.microsoft.com/windows-server/get-started/hotpatch), to apply critical updates to Azure VMs without requiring a reboot, minimizing downtime
27
+
- Use [Automatic VM guest patching](/azure/virtual-machines/automatic-vm-guest-patching), to automatically apply updates to Azure VMs without requiring manual intervention.
28
+
- Use [hotpatching](/windows-server/get-started/hotpatch), to apply critical updates to Azure VMs without requiring a reboot, minimizing downtime
29
29
-**Security and Compliance tracking** - Apply security and critical patches with enhanced security measures and compliance tracking.
30
30
-**Periodic update Assessments** - Enable [periodic assessments](https://aka.ms/umc-periodic-assessment-policy) to check for updates every 24 hours.
31
31
-**Dynamic Scoping** - Group machines based on criteria and apply updates at scale.
@@ -34,13 +34,14 @@ You can use Update Manager for:
34
34
-**Software updates including application updates**:
35
35
- That are available in Microsoft Updates
36
36
- That are available in Linux packages
37
-
- That are published to [Windows Server Update Services (WSUS)](https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus)
37
+
- That are published to [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus)
38
38
- Patching diverse resources
39
39
- Azure Virtual Machines (VMs): both Windows and Linux VMs in Azure (including SQL servers). VMs also include the ones which are created by Azure Migrate, Azure Backup, and Azure Site Recovery.
40
-
-[Hybrid machines](https://learn.microsoft.com/azure/azure-arc/servers/) (including SQL Arc servers) and Windows IoT Enterprise on Arc enabled servers
These features make Azure Update Manager a powerful tool for maintaining the security and performance of your IT infrastructure.
46
47
@@ -59,7 +60,7 @@ Update Manager offers many new features and provides enhanced and native functio
59
60
- Offers enhanced flexibility
60
61
- Take immediate action either by [installing updates immediately](https://aka.ms/on-demand-patching) or [scheduling them for a later date](https://aka.ms/umc-scheduled-patching).
61
62
-[Check updates automatically](https://aka.ms/aum-policy-support) or [on demand](https://aka.ms/on-demand-assessment).
62
-
- Secure machines with new ways of patching such as [automatic VM guest patching](/azure/virtual-machines/automatic-vm-guest-patching) in Azure, [hot patching](/azure/automanage/automanage-hotpatch) or [custom maintenance schedules](https://aka.ms/umc-scheduled-patching).
63
+
- Secure machines with new ways of patching such as [automatic VM guest patching](/azure/virtual-machines/automatic-vm-guest-patching) in Azure, [hotpatching](/azure/automanage/automanage-hotpatch) or [custom maintenance schedules](https://aka.ms/umc-scheduled-patching).
63
64
- Sync patch cycles in relation to **patch Tuesday** the unofficial term for Microsoft's scheduled security fix release on every second Tuesday of each month.
64
65
- Reporting and alerting
65
66
- Build custom reporting dashboards through [Azure Workbooks](manage-workbooks.md) to monitor the update compliance of your infrastructure.
0 commit comments