cross-subscription patching - added two new articles, image and updated TOC

SnehaSudhirG · SnehaSudhirG · commit 8a71d55a818f · 2025-02-03T09:28:29.000+05:30
diff --git a/articles/update-manager/cross-subscription-patching.md b/articles/update-manager/cross-subscription-patching.md
@@ -0,0 +1,51 @@
+---
+title: Cross subscription patching in Azure Update Manager
+description: Learn about the overview, benefits, and limitations of cross-subscription patching in Azure Update Manager. Centralize and streamline patch management across multiple Azure subscriptions.
+ms.service: azure-update-manager
+ms.date: 02/01/2025
+ms.topic: conceptual
+author: SnehaSudhirG
+ms.author: sudhirsneha
+---
+
+# Cross-subscription patching in Azure Update Manager
+
+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.
+
+Azure Update Management offers a straightforward and efficient solution for managing asset patching within a subscription. However, its capabilities extend far beyond that. With proper configuration, users can manage and apply patches across multiple Azure subscriptions from a centralized location. The capability is beneficial for organizations with resources distributed across various subscriptions, ensuring consistent and streamlined patch management.
+
+## Key benefits of Cross-subscription patching
+
+- **Operational Efficiency**: You can centralize the management of patches, reducing the complexity and time required for patch management. This leads to more streamlined operations.
+- **Improved Reliability**: Regular and consistent patching across all subscriptions helps maintain system stability and reduces downtime caused by unpatched vulnerabilities.
+
+## Supported workloads
+
+# [Supported resource type](#tab/sup-resource)
+
+- **Azure Resource Manager (Arc)-connected hosts**: Non-Azure hosts connected to Azure through Arc, subject to [Arc prerequisites](https://learn.microsoft.com/azure/azure-arc/servers/prerequisites) and Azure Update Manager [supported regions](support-matrix.md#azure-arc-enabled-servers)
+
+- **Azure VM** - Native virtual machines created in Azure
+
+# [Supported OS type](#tab/sup-os)
+
+- **Windows**: Cross-subscription patching supports various versions of Windows Server and Windows operating systems. Ensure that your Windows devices are up-to-date and compatible with the patching process. For more information, see [support matrix for Arc-connected hosts](support-matrix-updates#azure-arc-enabled-servers)and [Azure VM for supported images](support-matrix-updates.md#supported-windows-os-images). 
+
+- **Linux**: Cross-subscription patching also supports multiple Linux distributions, including most mainstream distributions like Ubuntu, CentOS, and Red Hat Enterprise Linux (RHEL) etc. Make sure that your Linux devices meet the necessary requirements for patching. For more information, see[support matrix for Arc-connected hosts](support-matrix-updates#azure-arc-enabled-servers) and [Azure VM for supported images](support-matrix-updates.md#supported-linux-os-images). 
+
+---
+
+> [!NOTE]
+> If VMs running unsupported images are included in the schedule, the maintenance configuration (that is, patch job) scheduled fails.
+
+
+## Limitations
+
+**Rate limits** - For managing a large number of assets through API/SPN (Service Principal Name), be mindful of rate limits and distribute the load among multiple Service Principals to avoid throttling issues.
+
+
+## Next steps
+
+* Learn more on [how to enable cross-subscription patching either through Azure CLI or portal](enable-cross-subscription-patching.md).
+* Learn more about [Dynamic scope](dynamic-scope-overview.md), an advanced capability of schedule patching.
+* Learn about [pre and post events](pre-post-scripts-overview.md) to automatically perform tasks before and after a scheduled maintenance configuration.
diff --git a/articles/update-manager/enable-cross-subscription-patching.md b/articles/update-manager/enable-cross-subscription-patching.md
@@ -0,0 +1,66 @@
+---
+title: Enable cross-subscription patching in Azure Update Manager
+description: Learn how to enable cross-subscription patching in Azure Update Manager.
+ms.service: azure-update-manager
+author: SnehaSudhirG
+ms.author: sudhirsneha
+ms.date: 08/22/2024
+ms.topic: how-to
+---
+
+# Enable cross subscription patching in Azure Update Manager
+
+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.
+
+This article describes how to enable cross-subscription patching either through Azure CLI or portal.
+
+## Enable resource providers in subscription
+
+1. Register the necessary resource providers to your subscription either through Azure CLI or manually via the Azure portal
+
+    # [Using Azure CLI](#tab/az-cli)
+
+    Open your Azure CLI and enter the following commands:
+
+    az provider register --namespace "Microsoft.Insights"
+    az provider register --namespace "Microsoft.Maintenance"
+
+    # [Using Azure portal](#tab/az-portal)
+
+    1. Sign in to the [Azure portal](https://portal.azure.com) and go to your subscription.
+    1. Under **Settings**, select **Resource providers**.
+    1. Activate both **Microsoft.Insights** and **Microsoft.Maintenance**.
+
+    :::image type="content" source="./media/enable-cross-subscription-patching/select-resource-providers.png" alt-text="Screenshot that shows how to select the resource providers from subscription." lightbox="./media/enable-cross-subscription-patching/select-resource-providers.png":::
+
+---
+2. Grant necessary roles to your managed identity
+
+   - Assign the appropriate roles to your Azure VM and Arc assets to ensure scheduled patching can be managed effectively. The required roles are:
+        - Scheduled patching contributor
+        - Reader
+   - These roles can be granted on the Resource Group or Subscription level if you have resources spread amongst multiple resource groups and want to include them all at once.
+   - If you have a smaller scope and plan to manage it with a dedicated admin or group, these two roles can be granted to an user or a security group (SG). If you are envisioning a larger scope with automation in place, grant these roles to the API and Service Principal Name (SPN) you use.
+
+3. Scheduling
+   
+   There are two methods for schedule patching.
+
+   # [Using Azure portal](#tab/az-patch-portal)
+      
+      1. Sign in to the [Azure portal](https://portal.azure.com) and go to **Azure Update Manager**.
+      1. Under **Resources**, select **Machines**, and then select **Maintenance configurations**.
+      1. In the **Maintenance Configurations** page, follow the steps to [set up the patching schedule](scheduled-patching.md#schedule-recurring-updates-on-a-single-vm).
+
+   # [Using API](#tab/az-patch-cli)
+    
+     - Use the API to programmatically schedule the patching.
+     - For schedule patching on VM or Arc assets, locate the assets by using the *resourceId* and *subscription* that they are attached to.
+
+---
+## Next steps
+
+* Overview on [cross-subscription patching](cross-subscription-patching.md)
+* [Schedule recurring updates](scheduled-patching.md)
+* [Manage update settings via portal](manage-update-settings.md)
+* [Manage multiple machines using Update Manager](manage-multiple-machines.md)
diff --git a/articles/update-manager/media/enable-cross-subscription-patching/select-resource-providers.png b/articles/update-manager/media/enable-cross-subscription-patching/select-resource-providers.png
diff --git a/articles/update-manager/overview.md b/articles/update-manager/overview.md
@@ -5,7 +5,7 @@ ms.service: azure-update-manager
 ms.custom: linux-related-content, ignite-2024
 author: SnehaSudhirG
 ms.author: sudhirsneha
-ms.date: 01/27/2025
+ms.date: 02/03/2025
 ms.topic: overview
 ---
 
@@ -41,6 +41,7 @@ You can use Update Manager for:
     - [VMware machines](https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/)
     - [System Center Virtual Machine Manager (SCVMM) machines](https://learn.microsoft.com/azure/azure-arc/system-center-virtual-machine-manager/) 
     - [Azure Local clusters](https://learn.microsoft.com/azure/azure-local/)
+    - [Cross-subscription-patching](cross-subscription-patching.md)
 
 These features make Azure Update Manager a powerful tool for maintaining the security and performance of your IT infrastructure. 
 
diff --git a/articles/update-manager/toc.yml b/articles/update-manager/toc.yml
@@ -46,6 +46,8 @@ items:
     href: updates-maintenance-schedules.md
   - name: Assessment options
     href: assessment-options.md
+  - name: Cross-subscription patching
+    href: cross-subscription-patching.md
   - name: Overview of Pre and Post Events
     href: pre-post-scripts-overview.md
   - name: Access Azure Update Manager operations data using Azure Resource Graph
@@ -92,6 +94,8 @@ items:
       href: manage-update-settings.md
     - name: Schedule updates
       href: scheduled-patching.md
+    - name: Manage cross-subscription patching
+      href: enable-cross-subscription patching.md
     - name: Dynamic scope
       items:
       - name: Overview
