How to patch linux Arc machines using customer managed schedules

Hello @Ajit Sane Yes, Azure Arc–enabled Linux (and Windows) machines can be patched using customer‑managed schedules via Maintenance Configurations in Azure Update Manager.

No, settings such as properties.osProfile.linuxConfiguration.patchSettings.assessmentMode = AutomaticByPlatform do NOT apply to Azure Arc–enabled machines.

This setting is only for Azure IaaS VMs, not for Arc servers.

For Azure Arc–enabled servers:

• Azure Update Manager is the only orchestrator
• Patching is NOT platform‑based
• The service:
  • Triggers assessment
  • Installs patches during the Maintenance Configuration window
• Linux updates are installed using the native package manager (apt/yum/zypper)

Please have a look into below pre-requisites on Azure Side:

• Azure Update Manager enabled
• Microsoft.Maintenance resource provider registered
• Maintenance Configuration created
  • Defines schedule and maintenance window
  • Associated with Arc machines
• Required RBAC (minimum):
  • Contributor on the target resources

Prerequisites – Server (VM) side:

For Azure Arc–enabled Linux machines:

• Server must be successfully onboarded to Azure Arc
• Supported Linux OS (as per Update Manager support matrix)
• Python 2.7 or later
• Root/sudo permissions available
• Outbound connectivity to:
  • Azure Arc endpoints
    • Linux update repositories

No manual extension installation is required; Update Manager deploys the required extensions automatically.

Is this setting required or recommended?

properties.osProfile.linuxConfiguration.patchSettings.assessmentMode = "AutomaticByPlatform" -- NO

• AutomaticByPlatform is an Azure VM guest patching mode
• Azure Arc–enabled servers do not support platform‑orchestrated patching
• For Arc machines:
  • Assessment is triggered by Azure Update Manager
  • Patch installation is controlled by Maintenance Configurations

For Arc‑enabled servers, patch orchestration settings such as Customer Managed Schedules or AutomaticByPlatform are not required and not applicable. Patching is driven by Azure Update Manager using the machine’s native update mechanism.

Thanks,
Suchitra.

For Arc-enabled machines (Windows and Linux), Azure Update Manager scheduled patching with customer-managed schedules is supported via Maintenance Configurations. The prerequisites and configuration differ slightly from Azure VMs.

Prerequisites on the Azure side

1. Enable Azure Update Manager and meet its prerequisites
   • Ensure the environment meets the general prerequisites for Update Manager and scheduled patching. These include enabling Update Manager and having the required permissions and connectivity as described in the prerequisites for Update Manager and scheduled patching.
   • Scheduled patching uses Maintenance Configurations. Create a Maintenance Configuration with the desired cadence (daily/weekly/hourly) and update classifications, and then attach it to the Arc machines that must be patched.
   • Use the Scheduled patching experience in Update Manager to create and save recurring deployment schedules. These are stored as Maintenance Configurations.
2. Use Maintenance Configurations for scheduling
   • Azure Update Manager uses Maintenance Configurations (maintenance control) instead of its own schedule objects for recurring updates. The schedule defines:
     • Frequency (daily/weekly/hourly)
     • Maintenance window
     • Target machines (including Arc-enabled servers)
     • Which updates to install

Prerequisites and settings on the VM side

1. Patch orchestration requirement
   • The requirement to set Patch orchestration = Customer Managed Schedules applies to Azure VMs, not Arc-enabled machines.
   • For Arc-enabled machines, it is explicitly stated that setting patch orchestration to Customer Managed Schedules is not required.
2. OS-level update behavior
   • For Arc-enabled servers, platform features such as Automatic VM Guest patching, Windows Automatic Updates, and hotpatching are not supported.
   • Patching is driven by Update Manager using the machine’s native update mechanism:
     • On Windows: Windows Update Agent
     • On Linux: the configured package manager and repositories
3. Assessment behavior
   • Update assessment scans are triggered from Update Manager:
     • On Linux, the scan is performed using the package manager and returns missing updates from the configured repositories.
   • Periodic assessment can be enabled in Update Manager so that machines are assessed every 24 hours.

Assessment mode / patch mode for Linux Arc machines

• The context does not define or require a specific properties.osProfile.linuxConfiguration.patchSettings.assessmentMode or patch mode value for Arc-enabled Linux machines to use customer-managed schedules.
• The key points from the provided information are:
  • Scheduled patching for Arc-enabled servers is supported via Maintenance Configurations.
  • The “Customer Managed Schedules” patch orchestration setting is a prerequisite only for Azure VMs, not for Arc-enabled machines.
  • For Arc-enabled servers, Automatic VM Guest patching and similar Azure VM–specific orchestration modes are not supported.

Therefore, for Linux Arc machines:

• Use Maintenance Configurations in Update Manager to define and attach customer-managed schedules.
• Do not rely on Azure VM–specific patch orchestration modes (such as AutomaticByPlatform / Automatic VM guest patching) because they are not supported for Arc-enabled servers.
• The configuration of assessmentMode or patch mode for Linux Arc machines is not specified as a prerequisite in the provided material; the critical requirement is attaching the machine to the appropriate Maintenance Configuration and ensuring Update Manager prerequisites and connectivity are satisfied.

References:

• Schedule recurring updates for machines by using the Azure portal and Azure Policy
• Update options and orchestration in Azure Update Manager
• Manage update configuration settings
• Assessment options in Update Manager
• What is Azure Update Manager?
• Manage multiple machines with Azure Update Manager