Action required: Your help is needed to unlock resources to allow OS Upgrade to Server 2022

Question

Action required: Your help is needed to unlock resources to allow OS Upgrade to Server 2022

Vanessa Hew 0

Required action

To enable us to proceed with the necessary upgrades, we request that you temporarily unlock your Azure resources and Network Security Groups (NSGs) to allow changes.

Could I get the steps on Azure portal to 'unlocking Azure resources and NSGs' mentioned above?

1 answer

Your answer

Answer 1

Suchitra Suregaunkar 4,210 Microsoft External Staff Moderator

Hello Vanessa Hew

Thank you for posting your query on Microsoft Q&A platform.

Check for Resource Locks:

Locks prevent changes to resources. You need to remove them temporarily.

Steps in Azure Portal:

Sign in to Azure Portal.
Navigate to the resource (VM, resource group, etc.).
In the left menu, select Locks.
If you see any locks (e.g., Read-only or CanNotDelete), click the lock name.
Select Delete to remove the lock.

Review NSG Rules:

NSGs control traffic. If upgrade traffic is blocked, you need to adjust rules.

Steps in Azure Portal:

In the portal, search for Network security groups → open the NSG attached to your VM NIC and/or subnet.
Review Inbound security rules and Outbound security rules.
Temporarily allow the ports/protocols you need for the upgrade (examples below).
- RDP: TCP 3389 inbound to your admin IP(s) (least‑privilege).
- WinRM (HTTP/HTTPS): TCP 5985/5986 inbound from your management network if used. (Ensure matching Windows firewall rules inside the VM.)
- Windows Update/Content delivery (outbound): allow HTTP/HTTPS (80/443); for Azure Firewall/advanced scenarios prefer FQDN/App rules per current guidance instead of deprecated service tags for update scanning.
Save changes and run the upgrade.
After the upgrade, revert NSG changes to your baseline.

Validate Connectivity:

Ensure the VM can reach Windows Update or upgrade media sources.
If using private networks, confirm outbound connectivity via firewall or NSG adjustments.

After Upgrade:

Reapply resource locks (Read‑only/CanNotDelete) at the original scopes.
Reinstate NSG baselines (remove temporary “Allow” rules, re‑enable any “Deny” rules)

Reference: https://dori-uw-1.kuma-moon.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json and https://dori-uw-1.kuma-moon.com/en-us/azure/governance/policy/samples/nist-sp-800-53-r5

Thanks,

Suchitra.

Siva shunmugam Nadessin 3,345 Reputation points Microsoft External Staff Moderator

2025-12-01T09:46:51.39+00:00

Hello Vanessa Hew,

Could you please let us know whether you got the chance to look into the answer we have provided?
Vanessa Hew 0 Reputation points

2025-12-03T02:40:22.1533333+00:00
Hello Siva,

Thanks. I have looked at the above answer. my questions:

I don't have any resource locks on my NSG or targeted VM to be upgraded.

I have confirmed the inbound and outbound security rules are in place for the upgrade

My question: how do I know when the server will be upgraded? there is no further information or emails from azure on when exactly the upgrade takes place.

Seek your help on this! thank you!
Bharath Y P 2,805 Reputation points Microsoft External Staff Moderator

2025-12-03T12:51:01.3166667+00:00
Hello Vanessa Hew, You can check in the in Azure portal

Sign in to https://portal.azure.com

Go to Virtual Machines > select your VM.

In the left menu, click Maintenance > Virtual Machine Maintenance. check the Maintenance Status shows:

Scheduled – Azure will apply maintenance automatically during the scheduled window.

Start now – You’re in the self-service window; you can initiate maintenance yourself.

Already updated – No further action needed.

Scheduled Window column shows the time frame when Azure will perform the upgrade if you don’t start it manually.

https://dori-uw-1.kuma-moon.com/en-us/azure/virtual-machines/maintenance-notifications-portal
Vanessa Hew 0 Reputation points

2025-12-04T04:53:25.5233333+00:00

Hello!

I navigated to the 'Virtual machines maintenance' section, but there are no scheduled maintenance for the VM. My question is whether a VM server upgrade is categorised under 'Maintenance'?

The title of the email I received is: "Action required: Your help is needed to unlock resources to allow OS Upgrade to Server 2022"

body message:

"Required action

To enable us to proceed with the necessary upgrades, we request that you temporarily unlock your Azure resources and Network Security Groups (NSGs) to allow changes between now and 5 December 2025."

However, there are no further indication of when this upgrade is going to take place. Seek your help on this, please and thanks!
Suchitra Suregaunkar 4,210 Reputation points Microsoft External Staff Moderator

2025-12-05T13:20:30.25+00:00

Hello Vanessa Hew

The OS upgrade to Windows Server 2022 is not shown under the “Virtual Machine Maintenance” blade because that section only covers Azure platform maintenance (host-level updates). An in-place OS upgrade is a guest-level operation, so it will not appear there.

The email you received indicates that the upgrade will occur any time before the deadline (5 December 2025) once prerequisites are met (resource locks removed and NSG rules allow required traffic). Azure does not automatically display a schedule for these guest OS upgrades in the portal.

What you can do:

Check the Activity Log for any operations related to OS upgrade.

If your organization uses Update Management or Automation accounts, review those schedules.

If no further details are provided in the portal or email, contact the sender or your subscription administrator for the exact timing.

Reference: https://dori-uw-1.kuma-moon.com/en-us/azure/virtual-machines/windows-in-place-upgrade

Thanks,

Suchitra.

Share via

Action required: Your help is needed to unlock resources to allow OS Upgrade to Server 2022

Required action

1 answer

Your answer