
Azure Update Manager - Operations Guide

Intro

Azure Update Manager is a unified service, tightly integrated into the Azure Portal, simplifying the patching of Windows and Linux operating systems.

HMCTS is using Azure Update Manager (AUM) within multiple Azure platforms, so be sure to check the repositories being used are correct for your platform.

  • If you are changing schedules, VMs targeted or scanning policy → use this guide + repos
  • If you are doing one-off manual patching, use Link
  • For troubleshooting AUM, use Link
  • Microsoft’s Azure Update Manager documentation
  • Support matrix for Azure Update Manager

Do not confuse Azure Update Manager with the legacy and similarly named Update Management (Azure Automation).

Pre-requisites

AUM must assess the VM’s OS before it can do anything else. The assessment can be triggered manually in the Azure Portal. This is also a very useful troubleshooting step, as it proves AUM is operating, and the process is benign to the VM’s OS.

Find the VM in the Azure portal and select Updates from the Operations menu. Then click “Check for updates” and confirm to trigger the assessment. Wait between 10 minutes and 1 hour for the results to be returned. An error message will be displayed if the process fails for any reason.

Scripting AUM

HMCTS Cloud Native Platform adopted AUM in February 2024, then Crime Platform in January 2026, so many VMs are already protected. Additional VMs should be added to the repositories described below.

Enabling VM OS Scans

To ensure all VMs are automatically assessed, Azure Policy is used to set the VM update settings, enabling periodic assessment for all VMs within the management group or subscription.

Specific instructions are in the README.md file of each repository.

CNP (Via Management Groups) - GitHub Azure-Policy azure-policy/assignments/mgmt-groups/mg-HMCTS/

  • Windows VMs - assign.aum_Windows_scan.json
  • Linux VMs - assign.aum_Linux_scan.json

CP (Via Subscriptions) - GitHub Azure-Policy assignments/environment/subscriptions/subscription-XYZ/

  • Linux VMs - assign.aum_scan_ubuntu24_vms.json
  • Linux VMSS - assign.aum_scan_ubuntu24_vmss.json
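
To confirm the scan policy has taken effect, the check below lists VMs that are not set for periodic assessment. It is an added example, not code from the HMCTS repositories; the VM names and resource group are constructed, and the input is assumed to have the shape returned by az vm list -o json.

```python
import json

# Constructed sample shaped like `az vm list -o json` output (not real HMCTS VMs).
SAMPLE_VMS = json.loads("""
[
  {"name": "vm-linux-01", "resourceGroup": "rg-example",
   "osProfile": {"linuxConfiguration": {"patchSettings": {
       "assessmentMode": "AutomaticByPlatform", "patchMode": "AutomaticByPlatform"}}}},
  {"name": "vm-win-01", "resourceGroup": "rg-example",
   "osProfile": {"windowsConfiguration": {"patchSettings": {
       "assessmentMode": "ImageDefault", "patchMode": "AutomaticByOS"}}}},
  {"name": "vm-linux-02", "resourceGroup": "rg-example",
   "osProfile": {"linuxConfiguration": {}}},
  {"name": "vm-restored-01", "resourceGroup": "rg-example", "osProfile": null}
]
""")


def assessment_mode(vm):
    """Return the VM's patchSettings.assessmentMode, or None when it is unset."""
    os_profile = vm.get("osProfile") or {}  # osProfile can be null in the CLI output
    for key in ("linuxConfiguration", "windowsConfiguration"):
        settings = (os_profile.get(key) or {}).get("patchSettings") or {}
        if settings.get("assessmentMode"):
            return settings["assessmentMode"]
    return None


def vms_without_periodic_assessment(vms):
    """List (resourceGroup, name, mode) for VMs that AUM will not scan on its own."""
    gaps = []
    for vm in vms:
        mode = assessment_mode(vm)
        if mode != "AutomaticByPlatform":  # the value periodic assessment sets
            gaps.append((vm.get("resourceGroup"), vm["name"], mode or "unset"))
    return sorted(gaps)


if __name__ == "__main__":
    for rg, name, mode in vms_without_periodic_assessment(SAMPLE_VMS):
        print(f"{rg}/{name}: assessmentMode={mode}")
```

A VM reported here either sits outside the policy assignment's scope or has not yet been remediated by it.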

Updating OS

Azure maintenance configurations are used to select VMs for updating, assign the types of updates, and schedule and manage reboots. Be aware that Terraform limits each maintenance configuration to a single subscription ID, so the code repeats for EACH subscription.

CNP - CNP Maintenance Repository

CP - CP Maintenance Repository

See the detailed README.md file in the repository for further details.

This page was last reviewed on 26 February 2026. It needs to be reviewed again on 26 February 2027 by the page owner platops-build-notices.