+## AI Services

+### Potential Cost Savings on this Form Recognizer Resource

+We observed that your Form Recognizer resource has had enough usage in the past 30 days for you to consider using a Commitment tier.

+Learn more about [Cognitive Service - AzureAdvisorFRCommitment (Potential Cost Savings on this Form Recognzier Resource)](https://azure.microsoft.com/pricing/details/form-recognizer/).

+### Potential Cost Savings on this Computer Vision Resource

+We observed that your Computer Vision resource has had enough READ usage in the past 30 days for you to consider using a Commitment tier.

+Learn more about [Cognitive Service - AzureAdvisorCVReadCommitment (Potential Cost Savings on this Computer Vision Resource)](https://azure.microsoft.com/pricing/details/cognitive-services/computer-vision/).

+### Potential Cost Savings on this Speech Service Resource

+We observed that your Speech Service resource has had enough usage in the past 30 days for you to consider using a Commitment tier.

+Learn more about [Cognitive Service - AzureAdvisorSpeechCommitment (Potential Cost Savings on this Speech Service Resource)](https://azure.microsoft.com/pricing/details/form-recognizer/).

+### Potential Cost Savings on this Translator Resource

+We observed that your Translator resource has had enough usage in the past 30 days for you to consider using a Commitment tier.

+Learn more about [Cognitive Service - AzureAdvisorTranslatorCommitment (Potential Cost Savings on this Translator Resource)](https://azure.microsoft.com/pricing/details/cognitive-services/translator/).

+### Potential Cost Savings on this LUIS Resource

+We observed that your LUIS resource has had enough usage in the past 30 days for you to consider using a Commitment tier.

+Learn more about [Cognitive Service - AzureAdvisorLUISCommitment (Potential Cost Savings on this LUIS Resource)](https://azure.microsoft.com/pricing/details/cognitive-services/language-understanding-intelligent-services/).

+### Potential Cost Savings on this Language Service Resource

+We observed that your Language Service resource has had enough usage in the past 30 days for you to consider using a Commitment tier.

+Learn more about [Cognitive Service - AzureAdvisorTextAnalyticsCommitment (Potential Cost Savings on this Language Service Resource)](https://azure.microsoft.com/pricing/details/cognitive-services/language-service/).

+### Enable Autoscaling for Azure Databricks Clusters

+Autoscaling makes it easier to achieve high cluster utilization, because you donΓÇÖt need to provision the cluster to match a workload. When you're using autoscaling, workloads can run faster and overall costs can be reduced compared to a static cluster.

+Learn more about [Databricks Workspace - DatabricksEnableAutoscaling (Enable Autoscaling for Azure Databricks Clusters)](/azure/databricks/archive/compute/configure).

+## Analytics

+### Unused, stopped, Data Explorer resources

+This recommendation surfaces all stopped Data Explorer resources that have been stopped for at least 60 days. Consider deleting the resources.

+Learn more about [Data explorer resource - ADX stopped resource (Unused stopped Data Explorer resources)](https://aka.ms/adxunusedstoppedcluster).

+### Unused/Empty Data Explorer resources

+This recommendation surfaces all Data Explorer resources provisioned more than 10 days from the last update, and found either empty or with no activity. Consider deleting the resources.

+Learn more about [Data explorer resource - ADX Unused resource (Unused/Empty Data Explorer resources)](https://aka.ms/adxemptycluster).

+### Right-size Data Explorer resources for optimal cost

+One or more of these issues were detected: Low data capacity, CPU utilization, or memory utilization. Scale down and/or scale in the resource to the recommended configuration shown.

+Learn more about [Data explorer resource - Right-size for cost (Right-size Data Explorer resources for optimal cost)](https://aka.ms/adxskusize).

+### Reduce Data Explorer table cache policy to optimize costs

+Reducing the table cache policy frees up Data Explorer cluster nodes with low CPU utilization, memory, and a high cache size configuration.

+Learn more about [Data explorer resource - ReduceCacheForAzureDataExplorerTables (Reduce Data Explorer table cache policy to optimize costs)](https://aka.ms/adxcachepolicy).

+### Unused running Data Explorer resources

+This recommendation surfaces all running Data Explorer resources with no user activity. Consider stopping the resources.

+Learn more about [Data explorer resource - StopUnusedClusters (Unused running Data Explorer resources)](/azure/data-explorer/azure-advisor#azure-data-explorer-unused-cluster).

+### Cleanup unused storage in Data Explorer resources

+Over time, internal extents merge operations can accumulate redundant and unused storage artifacts that remain beyond the data retention period. While this unreferenced data doesnΓÇÖt negatively impact the performance, it can lead to more storage use and larger costs than necessary. This recommendation surfaces Data Explorer resources that have unused storage artifacts. We recommended that you run the cleanup command to detect and delete unused storage artifacts and reduce cost. Recoverability will be reset to the cleanup time and not available on data that was created before running the cleanup.

+Learn more about [Data explorer resource - RunCleanupCommandForAzureDataExplorer (Cleanup unused storage in Data Explorer resources)](https://aka.ms/adxcleanextentcontainers).

+### Enable optimized autoscale for Data Explorer resources

+Looks like your resource could have automatically scaled to reduce costs (based on the usage patterns, cache utilization, ingestion utilization, and CPU). To optimize costs and performance, we recommend enabling optimized autoscale. To make sure you don't exceed your planned budget, add a maximum instance count when you enable optimized autoscale.

+Learn more about [Data explorer resource - EnableOptimizedAutoscaleAzureDataExplorer (Enable optimized autoscale for Data Explorer resources)](https://aka.ms/adxoptimizedautoscale).

+### Change Data Explorer clusters to a more cost effective and better performing SKU

+You have resources operating under a nonoptimal SKU. We recommend migrating to a more cost effective and better performing SKU. This SKU should reduce your costs and improve overall performance. We have calculated the required instance count that meets both the CPU and cache of your cluster.

+Learn more about [Data explorer resource - SkuChangeForAzureDataExplorer (Change Data Explorer clusters to a more cost effective and better performing SKU)](https://aka.ms/clusterChooseSku).

+### Consider Changing Pricing Tier

+Based on your current usage volume, investigate changing your pricing (Commitment) tier to receive a discount and reduce costs.

+Learn more about [Log Analytics workspace - considerChangingPricingTier (Consider Changing Pricing Tier)](/azure/azure-monitor/logs/change-pricing-tier).

+### Consider configuring the low-cost Basic logs plan on selected tables

+We have identified ingestion of more than 1 GB per month to tables that are eligible for the low cost Basic log data plan. The Basic log plan gives you search capabilities for debugging and troubleshooting at a lower cost.

+Learn more about [Log Analytics workspace - EnableBasicLogs (Consider configuring the low-cost Basic logs plan on selected tables)](https://aka.ms/basiclogs).

+### Consider removing unused restored tables

+You have one or more tables with restored data active in your workspace. If you're no longer using a restored data, delete the table to avoid unnecessary charges.

+Learn more about [Log Analytics workspace - DeleteRestoredTables (Consider removing unused restored tables)](https://aka.ms/LogAnalyticsRestore).

+### Consider enabling autopause on Spark compute

+Auto-pause releases and shuts down unused Compute resources after a set idle period of inactivity.

+Learn more about [Synapse workspace - EnableSynapseSparkComputeAutoPauseGuidance (Consider enabling autopause feature on spark compute.)](https://aka.ms/EnableSynapseSparkComputeAutoPauseGuidance).

+### Consider enabling autoscale on Spark compute

+Autoscale automatically scales the number of nodes in a cluster instance up and down. During the creation of a new Spark pool, you can set a minimum and maximum number of nodes when autoscale is selected. Autoscale then monitors the resource requirements of the load and scales the number of nodes up or down. There's no extra charge for this feature.

+Learn more about [Synapse workspace - EnableSynapseSparkComputeAutoScaleGuidance (Consider enabling autoscale feature on spark compute.)](https://aka.ms/EnableSynapseSparkComputeAutoScaleGuidance).

+### Standard SSD disks billing caps.

+Customers running high IO workloads in Standard HDDs can upgrade to Standard SSDs and benefit from better performance and SLA and now experience a limit on the maximum number of billed transactions.

+Learn more about [Disk - UpgradeHDDtoSDD (Standard SSD disks billing caps.)]().

+### Underutilized Disks Identified

+You have disks that are utilized less than 10%, right-size to save cost.

+Learn more about [Disk - wiprounderutilizeddisks (Underutilized Disks Identified)]().

+### You have disks that have not been attached to a VM for more than 30 days. Evaluate if you still need the disk.

+We've observed that you have disks that haven't been attached to a VM for more than 30 days. Evaluate if you still need the disk. If you decide to delete the disk, recovery isn't possible. We recommend that you create a snapshot before deletion or ensure the data in the disk is no longer required.

+Learn more about [Disk - DeleteOrDowngradeUnattachedDisks (You have disks that haven't been attached to a VM for more than 30 days. Evaluate if you still need the disk.)](https://aka.ms/unattacheddisks).

+### Right-size or shutdown underutilized virtual machine scale sets

+We've analyzed the usage patterns of your virtual machine scale sets over the past seven days and identified virtual machine scale sets with low usage. While certain scenarios can result in low utilization by design, you can often save money by managing the size and number of virtual machine scale sets.

+Learn more about [Virtual machine scale set - LowUsageVmss (Right-size or shutdown underutilized virtual machine scale sets)](https://aka.ms/aa_lowusagerec_vmss_learnmore).

+### Use Virtual Machines with Ephemeral OS Disk enabled to save cost and get better performance

+With Ephemeral OS Disk, You get these benefits: Save on storage cost for OS disk. Get lower read/write latency to OS disk. Faster VM Reimage operation by resetting OS (and Temporary disk) to its original state. It is preferable to use Ephemeral OS Disk for short-lived IaaS VMs or VMs with stateless workloads.

+Learn more about [Subscription - EphemeralOsDisk (Use Virtual Machines with Ephemeral OS Disk enabled to save cost and get better performance)](/azure/virtual-machines/windows/ephemeral-os-disks).

+## Databases

+Our internal telemetry shows that your MariaDB database server resources have been underutilized for an extended period of time over the last seven days. Low resource utilization results in unwanted expenditure that can be fixed without significant performance impact. To reduce your costs and efficiently manage your resources, we recommend reducing the compute size (vCores) by half.

+Our internal telemetry shows that your MySQL database server resources have been underutilized for an extended period of time over the last seven days. Low resource utilization results in unwanted expenditure that can be fixed without significant performance impact. To reduce your costs and efficiently manage your resources, we recommend reducing the compute size (vCores) by half.

+Our internal telemetry shows that your PostgreSQL database server resources have been underutilized for an extended period of time over the last seven days. Low resource utilization results in unwanted expenditure that can be fixed without significant performance impact. To reduce your costs and efficiently manage your resources, we recommend reducing the compute size (vCores) by half.

+Your Azure Cosmos DB free tier account currently contains resources with a total provisioned throughput exceeding 1000 Request Units per second (RU/s). Because the free tier only covers the first 1000 RU/s of throughput provisioned across your account, any throughput beyond 1000 RU/s is billed at the regular pricing. As a result, we anticipate that you're charged for the throughput currently provisioned on your Azure Cosmos DB account.

+Based on your usage in the past seven days, you can save by enabling autoscale. For each hour, we compared the RU/s provisioned to the actual utilization of the RU/s (what autoscale would have scaled to) and calculated the cost savings across the time period. Autoscale helps optimize your cost by scaling down RU/s when not in use.

+Based on your usage in the past seven days, you can save by using manual throughput instead of autoscale. Manual throughput is more cost-effective when average utilization of your max throughput (RU/s) is greater than 66% or less than or equal to 10%.

+## Management and Governance

+### Azure Monitor

+For Azure Monitor cost optimization suggestions, please see [Optimize costs in Azure Monitor](../azure-monitor/best-practices-cost.md).

+### Purchasing a savings plan for compute could unlock lower prices

+We analyzed your compute usage over the last 30 days and recommend adding a savings plan to increase your savings. The savings plan unlocks lower prices on select compute services when you commit to spend a fixed hourly amount for 1 or 3 years. As you use select compute services globally, your usage is covered by the plan at reduced prices. During the times when your usage is above your hourly commitment, youΓÇÖll simply be billed at your regular pay-as-you-go prices. With savings automatically applying across compute usage globally, youΓÇÖll continue saving even as your usage needs change over time. Savings plan are more suited for dynamic workloads while accommodating for planned or unplanned changes while reservations are more suited for stable, predictable workloads with no planned changes. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope savings plans are available in purchase experience and can further increase savings.

+Learn more about [Subscription - SavingsPlan (Purchasing a savings plan for compute could unlock lower prices)](https://aka.ms/savingsplan-compute).

+## Networking

+### Delete ExpressRoute circuits in the provider status of Not Provisioned

+We noticed that your ExpressRoute circuit is in the provider status of Not Provisioned for more than one month. This circuit is currently billed hourly to your subscription. Delete the circuit if you aren't planning to provision the circuit with your connectivity provider.

+Learn more about [ExpressRoute circuit - ExpressRouteCircuit (Delete ExpressRoute circuits in the provider status of Not Provisioned)](https://aka.ms/expressroute).

+### Repurpose or delete idle virtual network gateways

+We noticed that your virtual network gateway has been idle for over 90 days. This gateway is being billed hourly. Reconfigure this gateway, or delete it if you do not intend to use it anymore.

+Learn more about [Virtual network gateway - IdleVNetGateway (Repurpose or delete idle virtual network gateways)](https://aka.ms/aa_idlevpngateway_learnmore).

+## Reserved instances

+### Buy virtual machine reserved instances to save money over pay-as-you-go costs

+Reserved instances can provide a significant discount over pay-as-you-go prices. With reserved instances, you can prepurchase the base costs for your virtual machines. Discounts automatically apply to new or existing VMs that have the same size and region as your reserved instance. We analyzed your usage over the last 30 days and recommend money-saving reserved instances.

+Learn more about [Virtual machine - ReservedInstance (Buy virtual machine reserved instances to save money over pay-as-you-go costs)](https://aka.ms/reservedinstances).

+### Consider App Service reserved instances to save over your on-demand costs

+We analyzed your App Service usage pattern over the selected term, look-back period, and recommend a Reserved Instance purchase that maximizes your savings. With reserved instances, you can prepurchase hourly usage for the App Service plan and save over your Pay-as-you-go costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions based on usage pattern over selected Term, look-back period.

+Learn more about [Subscription - AppServiceReservedCapacity (Consider App Service reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider Azure Cosmos DB reserved instances to save over your pay-as-you-go costs

+We analyzed your Azure Cosmos DB usage pattern over last 30 days and calculate a Reserved Instance purchase that maximizes your savings. With reserved instances, you can prepurchase Azure Cosmos DB hourly usage and save over your pay-as-you-go costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and usage pattern over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings even more.

+Learn more about [Subscription - CosmosDBReservedCapacity (Consider Azure Cosmos DB reserved instances to save over your pay-as-you-go costs)](https://aka.ms/rirecommendations).

+### Consider virtual machine reserved instances to save over your on-demand costs

+Reserved instances can provide a significant discount over on-demand prices. With reserved instances, you can prepurchase the base costs for your virtual machines. Discounts automatically apply to new or existing VMs that have the same size and region as your reserved instance. We analyzed your usage over the selected Term, look-back period, and recommend money-saving reserved instances.

+Learn more about [Subscription - ReservedInstance (Consider virtual machine reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider Cosmos DB reserved instances to save over your pay-as-you-go costs

+We analyzed your Cosmos DB usage pattern over selected Term, look-back period and calculate a Reserved Instance purchase that maximizes your savings. With reserved instances, you can prepurchase Cosmos DB hourly usage and save over your pay-as-you-go costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and usage pattern over the selected Term, look-back period. Shared scope recommendations are available in reservation purchase experience and can increase savings even more.

+Learn more about [Subscription - CosmosDBReservedCapacity (Consider Cosmos DB reserved instances to save over your pay-as-you-go costs)](https://aka.ms/rirecommendations).

+### Consider SQL PaaS DB reserved instances to save over your pay-as-you-go costs

+We analyzed your SQL PaaS usage pattern over last 30 days and recommend a Reserved Instance purchase that maximizes your savings. With reserved instances, you can prepurchase hourly usage for your SQL PaaS deployments and save over your SQL PaaS compute costs. SQL license is charged separately and is not discounted by the reservation. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - SQLReservedCapacity (Consider SQL PaaS DB reserved instances to save over your pay-as-you-go costs)](https://aka.ms/rirecommendations).

+### Consider App Service stamp fee reserved instances to save over your on-demand costs

+We analyzed your App Service isolated environment stamp fees usage pattern over last 30 days and recommend a Reserved Instance purchase to maximize your savings. With reserved instances, you can prepurchase hourly usage for the isolated environment stamp fee and save over your pay-as-you-go costs. Reserved instances only applies to the stamp fee and not to the App Service instances. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions based on usage pattern over last 30 days.

+Learn more about [Subscription - AppServiceReservedCapacity (Consider App Service stamp fee reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider Database for MariaDB reserved instances to save over your pay-as-you-go costs

+We analyzed your Azure Database for MariaDB usage pattern over last 30 days and recommend a Reserved Instance purchase that maximizes your savings. With reserved instances, you can prepurchase MariaDB hourly usage and save over your compute costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - MariaDBSQLReservedCapacity (Consider Database for MariaDB reserved instances to save over your pay-as-you-go costs)](https://aka.ms/rirecommendations).

+### Consider Database for MySQL reserved instances to save over your pay-as-you-go costs

+We analyzed your MySQL Database usage pattern over last 30 days and recommend reserved instances purchase that maximizes your savings. With reserved instances, you can prepurchase MySQL hourly usage and save over your compute costs. Reserved instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - MySQLReservedCapacity (Consider Database for MySQL reserved instances to save over your pay-as-you-go costs)](https://aka.ms/rirecommendations).

+### Consider Database for PostgreSQL reserved instances to save over your pay-as-you-go costs

+We analyzed your Database for PostgreSQL usage pattern over last 30 days and recommend a Reserved Instance purchase that maximizes your savings. With reserved instances, you can prepurchase PostgreSQL Database hourly usage and save over your on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - PostgreSQLReservedCapacity (Consider Database for PostgreSQL reserved instances to save over your pay-as-you-go costs)](https://aka.ms/rirecommendations).

+### Consider Cache for Redis reserved instances to save over your pay-as-you-go costs

+We analyzed your Cache for Redis usage pattern over last 30 days and calculated a Reserved Instance purchase that maximizes your savings. With reserved instances, you can prepurchase Cache for Redis hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - RedisCacheReservedCapacity (Consider Cache for Redis reserved instances to save over your pay-as-you-go costs)](https://aka.ms/rirecommendations).

+### Consider Azure Synapse Analytics (formerly SQL DW) reserved instances to save over your pay-as-you-go costs

+We analyze your Azure Synapse Analytics usage pattern over last 30 days and recommend a Reserved Instance purchase that maximizes your savings. With reserved instances, you can prepurchase Synapse Analytics hourly usage and save over your on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - SQLDWReservedCapacity (Consider Azure Synapse Analytics (formerly SQL DW) reserved instances to save over your pay-as-you-go costs)](https://aka.ms/rirecommendations).

+### (Preview) Consider Blob storage reserved instances to save on Blob v2 and Data Lake storage Gen2 costs

+We analyzed your Azure Blob and Data Lake storage usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Blob storage reserved instances applies only to data stored on Azure Blob (GPv2) and Azure Data Lake Storage (Gen 2). Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - BlobReservedCapacity ((Preview) Consider Blob storage reserved instances to save on Blob v2 and and Data Lake storage Gen2 costs)](https://aka.ms/rirecommendations).

+### Consider Azure Dedicated Host reserved instances to save over your on-demand costs

+We analyzed your Azure Dedicated Host usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - AzureDedicatedHostReservedCapacity (Consider Azure Dedicated Host reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider Data Factory reserved instances to save over your on-demand costs

+We analyzed your Data Factory usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - DataFactorybReservedCapacity (Consider Data Factory reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider Azure Data Explorer reserved instances to save over your on-demand costs

+We analyzed your Azure Data Explorer usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - AzureDataExplorerReservedCapacity (Consider Azure Data Explorer reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider Azure Files reserved instances to save over your on-demand costs

+We analyzed your Azure Files usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - AzureFilesReservedCapacity (Consider Azure Files reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider Azure VMware Solution reserved instances to save over your on-demand costs

+We analyzed your Azure VMware Solution usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - AzureVMwareSolutionReservedCapacity (Consider Azure VMware Solution reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider NetApp Storage reserved instances to save over your on-demand costs

+We analyzed your NetApp Storage usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - NetAppStorageReservedCapacity (Consider NetApp Storage reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider Azure Managed Disk reserved instances to save over your on-demand costs

+We analyzed your Azure Managed Disk usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - AzureManagedDiskReservedCapacity (Consider Azure Managed Disk reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider Red Hat reserved instances to save over your on-demand costs

+We analyzed your Red Hat usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - RedHatReservedCapacity (Consider Red Hat reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider RedHat OSA reserved instances to save over your on-demand costs

+We analyzed your RedHat Open Source Assurance (OSA) usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - RedHatOsaReservedCapacity (Consider RedHat OSA reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider SapHana reserved instances to save over your on-demand costs

+We analyzed your SapHana usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - SapHanaReservedCapacity (Consider SapHana reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider SuseLinux reserved instances to save over your on-demand costs

+We analyzed your SuseLinux usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - SuseLinuxReservedCapacity (Consider SuseLinux reserved instances to save over your on-demand costs)](https://aka.ms/rirecommendations).

+### Consider VMware Cloud Simple reserved instances

+We analyzed your VMware Cloud Simple usage over last 30 days and calculated a Reserved Instance purchase that would maximize your savings. With reserved instances, you can prepurchase hourly usage and save over your current on-demand costs. Reserved Instance is a billing benefit and automatically applies to new or existing deployments. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings further.

+Learn more about [Subscription - VMwareCloudSimpleReservedCapacity (Consider VMware Cloud Simple reserved instances )](https://aka.ms/rirecommendations).

+### Configure automatic renewal for your expiring reservation

+The reserved instances listed are expiring soon or recently expired. Your resources will continue to operate normally, however, you'll be billed at the on-demand rates going forward. To optimize your costs, configure automatic renewal for these reservations or purchase a replacement manually.

+Learn more about [Reservation - ReservedInstancePurchaseNew (Configure automatic renewal for your expiring reservation)](https://aka.ms/reservedinstances).

+### Purchasing a savings plan for compute could unlock lower prices

+We analyzed your compute usage over the last 30 days and recommend adding a savings plan to increase your savings. The savings plan unlocks lower prices on select compute services when you commit to spend a fixed hourly amount for 1 or 3 years. As you use select compute services globally, your usage is covered by the plan at reduced prices. During the times when your usage is above your hourly commitment, youΓÇÖll simply be billed at your regular pay-as-you-go prices. With savings automatically applying across compute usage globally, youΓÇÖll continue saving even as your usage needs change over time. Savings plan are more suited for dynamic workloads while accommodating for planned or unplanned changes while reservations are more suited for stable, predictable workloads with no planned changes. Saving estimates are calculated for individual subscriptions and the usage pattern observed over last 30 days. Shared scope savings plans are available in purchase experience and can further increase savings.

+Learn more about [Subscription - SavingsPlan (Purchasing a savings plan for compute could unlock lower prices)](https://aka.ms/savingsplan-compute).

+### Consider Cosmos DB reserved instances to save over your pay-as-you-go costs

+We analyzed your Cosmos DB usage pattern over selected Term, look-back period and calculate a Reserved Instance purchase that maximizes your savings. With reserved instances you can pre-purchase Cosmos DB hourly usage and save over your pay-as-you-go costs. Reserved Instance is a billing benefit and will automatically apply to new or existing deployments. Saving estimates are calculated for individual subscriptions and usage pattern over selected Term, look-back period. Shared scope recommendations are available in reservation purchase experience and can increase savings even more.

+Learn more about [Subscription - CosmosDBReservedCapacity (Consider Cosmos DB reserved instances to save over your pay-as-you-go costs)](https://aka.ms/rirecommendations).

+## Storage

+### Use Standard Storage to store Managed Disks snapshots

+To save 60% of cost, store your snapshots in Standard Storage, regardless of the storage type of the parent disk. It is the default option for Managed Disks snapshots. Migrate your snapshot from Premium to Standard Storage. Refer to Managed Disks pricing details.

+Learn more about [Managed Disk Snapshot - ManagedDiskSnapshot (Use Standard Storage to store Managed Disks snapshots)](https://aka.ms/aa_manageddisksnapshot_learnmore).

+### Revisit retention policy for classic log data in storage accounts

+Large classic log data is detected on your storage accounts. You're billed on capacity of data stored in storage accounts including classic logs. Check the retention policy of classic logs and update with necessary period to retain less log data. This would reduce unnecessary classic log data and save your billing cost from less capacity.

+Learn more about [Storage Account - XstoreLargeClassicLog (Revisit retention policy for classic log data in storage accounts)](/azure/storage/common/manage-storage-analytics-logs#modify-retention-policy).

+### Based on your high transactions/TB ratio, premium storage might be more cost effective

+Your transactions/TB ratio might be high. Exact number would depend on transaction mix and region but anywhere over 30 or 35 TPB/TB are good candidates to evaluate a move to Premium storage.

+Learn more about [Storage Account - MoveToPremiumStorage (Based on your high transactions/TB ratio, there is a possibility that premium storage might be more cost effective in addition to being performant for your scenario. More details on pricing for premium and standard accounts can be found here)](https://aka.ms/azureblobstoragepricing).

+### Use differential or incremental backup for database workloads

+For SQL/HANA DBs in Azure VMs being backed up to Azure, using daily differential with weekly full backup is often more cost-effective than daily fully backups. For HANA, Azure Backup also supports incremental backup that is even more cost effective.

+Learn more about [Recovery Services vault - Optimize costs of database backup (Use differential or incremental backup for database workloads)](https://aka.ms/DBBackupCostOptimization).

+We've analyzed the usage patterns of your App Service plan over the past seven days and identified low CPU usage. While certain scenarios can result in low utilization by design, you can save money by choosing a less expensive SKU while retaining the same features.

+> - CPU bursts that last only a few minutes might not be correctly detected. Perform a careful analysis in your App Service plan metrics blade before downscaling your SKU.

+* **contributionScore**: This is the contribution score of each variable. Higher contribution scores indicate a higher possibility of the root cause. This list is often used for interpreting anomalies and diagnosing the root causes.

+* **correlationChanges**: This field only appears when a timestamp is detected as abnormal, which is included in the interpretation. It contains `changedVariables` and `changedValues` that interpret which correlations between variables changed.

+* **changedVariables**: This field will show which variables that have a significant change in correlation with `variable`. The variables in this list are ranked by the extent of correlation changes.

+The size of the subnet can affect the scaling limits of the App Service plan instances within the App Service Environment. For production scale, we recommend a `/24` address space (256 addresses) for your subnet. If you plan to scale near max capacity of 200 instances in our App Service Environment and you plan frequent up/down scale operations, we recommend a `/23` address space (512 addresses) for your subnet.

+If you use a smaller subnet, be aware of the following limitations:

+- Any particular subnet has five addresses reserved for management purposes. In addition to the management addresses, App Service Environment dynamically scales the supporting infrastructure, and uses between 7 and 27 addresses, depending on the configuration and load. You can use the remaining addresses for instances in the App Service plan. The minimal size of your subnet is a `/27` address space (32 addresses).

+- For any App Service plan OS/SKU combination used in your App Service Environment like I1v2 Windows, one standby instance is created for every 20 active instances. The standby instances also require IP addresses.

+- When scaling App Service plans in the App Service Environment up/down, the amount of IP addresses used by the App Service plan is temporarily doubled while the scale operation completes. The new instances need to be fully operational before the existing instances are deprovisioned.

+- Platform upgrades need free IP addresses to ensure upgrades can happen without interruptions to outbound traffic.

+- After scale up, down, or in operations complete, there might be a short period of time before IP addresses are released. In rare cases, this can be up to 12 hours.

+- If you run out of addresses within your subnet, you can be restricted from scaling out your App Service plans in the App Service Environment. Another possibility is that you can experience increased latency during intensive traffic load, if Microsoft isn't able to scale the supporting infrastructure.

+The advanced tools site, which is also known as scm or kudu, has an individual rules collection that you can configure. You can also configure the unmatched rule for this site. A setting allows you to use the rules configured for the main site. You can't selectively allow access to certain advanced tool site features. For example, you can't selectively allow access only to the WebJobs management console in the advanced tools site.

+The SCM site, also known as Kudu, is an admin site that exists for every web app. It isn't possible to use reverse proxy for the SCM site. You most likely also want to lock it down to individual IP addresses or a specific subnet.

+The following example creates a Node.js app. Replace `<app-name>` with a name that's unique within your cluster (valid characters are `a-z`, `0-9`, and `-`).

+Supported runtimes:

+| Description | Runtime Value for CLI |

+|-|-|

+| .NET Core 3.1 | DOTNETCORE\|3.1 |

+| .NET 5.0 | DOTNETCORE\|6.0 |

+| Node JS 12 | NODE\|12-lts |

+| Node JS 14 | NODE\|14-lts |

+| Python 3.6 | PYTHON\|3.6 |

+| Python 3.7 | PYTHON\|3.7 |

+| Python 3.8 | PYTHON\|3.8 |

+| PHP 7.3 | PHP\|7.3 |

+| PHP 7.4 | PHP\|7.4 |

+| Ruby 2.5 | RUBY\|2.5 |

+| Ruby 2.6 | RUBY\|2.6 |

+| Java 8 | JAVA\|8-jre8 |

+| Java 11 | JAVA\|11-java11 |

+| Tomcat 8.5 | TOMCAT\|8.5-jre8 |

+| Tomcat 8.5 | TOMCAT\|8.5-java11 |

+| Tomcat 9.0 | TOMCAT\|9.0-jre8 |

+| Tomcat 9.0 | TOMCAT\|9.0-java11 |

+You can monitor Flux configuration status and compliance in the Azure portal, or use dashboards to monitor status, compliance, resource consumption, and reconciliation activity. For more information, see [Monitor GitOps (Flux v2) status and activity](monitor-gitops-flux-2.md).

+To monitor status and activity related to GitOps with Flux v2 in your Azure Arc-enabled Kubernetes clusters or Azure Kubernetes Service (AKS) clusters, you have several options:

+- Use the Azure portal to [monitor Flux configurations and resources on individual clusters](#monitor-flux-configurations-in-the-azure-portal).

+- Use a Grafana dashboard to [monitor deployment and compliance status](#monitor-deployment-and-compliance-status).

+- Use the Flux Control Plane and Flux Cluster Stats dashboards to [monitor resource consumption and reconciliations](#monitor-resource-consumption-and-reconciliations).

+- Enable Prometheus scraping from clusters and create your own dashboards using the data in Azure Monitor workspace.

+- Create alerts on Azure Monitor using the data available through Prometheus scraping.

+This topic describes some of the ways you can monitor your Flux activity and status.

+## Monitor Flux configurations in the Azure portal

+After you've [created Flux configurations](tutorial-use-gitops-flux2.md#apply-a-flux-configuration) on your cluster, you can view status information in the Azure portal by navigating to a cluster and selecting **GitOps**.

+### View details on cluster compliance and objects

+The **Compliance** state shows whether the current state of the cluster matches the desired state. Possible values:

+- **Compliant**: The cluster's state matches the desired state.

+- **Pending**: An updated desired state has been detected, but that state has not yet been reconciled on the cluster.

+- **Not Compliant**: The current state doesn't match the desired state.

+To help debug reconciliation issues for a cluster, select **Configuration objects**. Here, you can view logs of each of the configuration objects that Flux creates for each Flux configuration. Select an object name to view its logs.

+To view the Kubernetes objects that have been created as a result of Flux configurations being applied, select **Workloads** in the **Kubernetes resources** section of the cluster's left navigation pane. Here, you can view all details of any resources that have been created on the cluster.

+By default, you can filter by namespace and service name. You can also add any label filter that you may be using in your applications to help narrow down the search.

+### View Flux configuration state and details

+For each Flux configuration, the **State** column indicates whether the Flux configuration object has successfully been created on the cluster.

+Select any Flux configuration to see its **Overview** page, including the following information:

+- Source commit ID for the last synchronization

+- Timestamp of the latest source update

+- Status update timestamp (indicating when the latest statistics were obtained)

+- Repo URL and branch

+- Links to view different kustomizations

+## Use dashboards to monitor GitOps status and activity

+We provide dashboards to help you monitor status, compliance, resource consumption, and reconciliation activity for GitOps with Flux v2. These JSON dashboards can be imported to Grafana to help you view and analyze your data in real time. You can also set up alerts for this information.

+## October 2023

+### Arc agents - Version 1.13.4

+- Various enhancements and bug fixes

+## September 2023

+### Arc agents - Version 1.13.1

+- Various enhancements and bug fixes

+For more information, see [Monitor GitOps (Flux v2) status and activity](monitor-gitops-flux-2.md).

+* Learn about [monitoring GitOps (Flux v2) status and activity](monitor-gitops-flux-2.md).

+This article describes how Arc resource bridge (preview) is upgraded and the two ways upgrade can be performed: cloud-managed upgrade or manual upgrade. Currently, some private cloud providers differ in how they handle Arc resource bridge upgrades. For more information, refer to the [Private Cloud Providers](#private-cloud-providers) section.

+Overall, the upgrade generally takes at least 30 minutes, depending on network speeds. A short intermittent downtime may happen during the handoff between the old Arc resource bridge to the new Arc resource bridge. Additional downtime may occur if prerequisites are not met, or if a change in the network (DNS, firewall, proxy, etc.) impacts the Arc resource bridge's network connectivity.

+Arc resource bridge is a Microsoft-managed product. Microsoft manages upgrades of Arc resource bridge through cloud-managed upgrade. Cloud-managed upgrade allows Microsoft to ensure that the resource bridge remains on a supported version.

+> Currently, your appliance version must be on 1.0.15 and you must request access in order to use cloud-managed upgrade. To do so, [open a support request](/azure/azure-portal/supportability/how-to-create-azure-support-request). Select **Technical** for **Issue type** and **Azure Arc Resource Bridge** for **Service type**. In the **Summary** field, enter *Requesting access to cloud-managed upgrade*, and select **Resource Bridge Agent issue** for **Problem type**. Complete the rest of the support request and then select **Create**. We'll review your account and contact you to confirm your access to cloud-managed upgrade.

+Arc resource bridge can be manually upgraded from the management machine. You must meet all upgrade prerequisites before attempting to upgrade. The management machine must have the kubeconfig and appliance configuration files stored locally. Manual upgrade generally takes between 30-90 minutes, depending on network speeds. The upgrade command takes your Arc resource bridge to the next appliance version, which might not be the latest available appliance version. Multiple upgrades could be needed to reach the minimum n-3 supported version. You can check your appliance version by checking the Azure resource of your Arc resource bridge.

+Currently, private cloud providers differ in how they perform Arc resource bridge upgrades. Review the following information to see how to upgrade your Arc resource bridge for a specific provider.

+For Arc-enabled VMware, manual upgrade is available and cloud-managed upgrade is supported for appliances on version 1.0.15 and higher. When Arc-enabled VMware announces General Availability, appliances on 1.0.15 and higher will receive cloud-managed upgrade as the default experience. Appliances that are below version 1.0.15 must be manually upgraded.

+[Azure Arc VM management (preview) on Azure Stack HCI](/azure-stack/hci/manage/azure-arc-vm-management-overview) supports upgrade of an Arc resource bridge on Azure Stack HCI, version 22H2 up until appliance version 1.0.14 and `az arcappliance` CLI extension version 0.2.33. These upgrades can be done through manual upgrade or a support request for cloud-managed upgrade. For subsequent upgrades, you must transition to Azure Stack HCI, version 23H2 (preview). In version 23H2 (preview), the LCM tool manages upgrades across all components as a "validated recipe" package. For more information, visit the [Arc VM management FAQ page](/azure-stack/hci/manage/azure-arc-vms-faq).

+For Arc-enabled SCVMM, the upgrade feature isn't currently available yet. Review the steps for [performing the recovery operation](/azure/azure-arc/system-center-virtual-machine-manager/disaster-recovery), then delete the appliance VM from SCVMM and perform the recovery steps.  This deploys a new resource bridge and reconnect pre-existing Azure resources.

+## Notification and upgrade availability

+If your Arc resource bridge is at n-3 versions, then you may receive an email notification letting you know that your resource bridge may soon be out of support once the next version is released. If you receive this notification, upgrade the resource bridge as soon as possible to allow debug time for any issues with manual upgrade, or submit a support ticket if cloud-managed upgrade was unable to upgrade your resource bridge.

+To check if your Arc resource bridge has an upgrade available, run the command:

+```azurecli

+az arcappliance get-upgrades --resource-group [REQUIRED] --name [REQUIRED]

+```

+To see the current version of an Arc resource bridge appliance, run `az arcappliance show` or check the Azure resource of your Arc resource bridge.

+##

+#Customer intent: As an IT infrastructure admin, I want to install arc agents to use Azure management services for SCVMM VMs.

+In this article, you learn how to install Arc agents at scale for SCVMM VMs and use Azure management capabilities.

+>[!NOTE]

+>This article is applicable only if you are running:

+>- SCVMM 2022 UR1 or later

+>- SCVMM 2019 UR5 or later

+>- VMs running Windows Server 2012 R2, 2016, 2019, 2022, Windows 10, and Windows 11

+>For other SCVMM versions, Linux VMs or Windows VMs running WS 2012 or earlier, [install Arc agents through the script](https://learn.microsoft.com/azure/azure-arc/system-center-virtual-machine-manager/install-arc-agents-using-script).

+- The SCVMM management server must be in a connected state.

+ Title: Install Arc agent using a script for SCVMM VMs

+description: Learn how to enable guest management using a script for Arc enabled SCVMM VMs.

+#Customer intent: As an IT infrastructure admin, I want to install arc agents to use Azure management services for SCVMM VMs.

+# Install Arc agents using a script

+In this article, you will learn how to install Arc agents on Azure-enabled SCVMM VMs using a script.

+## Prerequisites

+Ensure the following before you install Arc agents using a script for SCVMM VMs:

+- The resource bridge must be in a running state.

+- The SCVMM management server must be in a connected state.

+- The user account must have permissions listed in Azure Arc SCVMM Administrator role.

+- The target machine:

+ - Is powered on and the resource bridge has network connectivity to the host running the VM.

+ - Is running a [supported operating system](/azure/azure-arc/servers/prerequisites#supported-operating-systems).

+ - Is able to connect through the firewall to communicate over the Internet and [these URLs](/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#urls) aren't blocked.

+ - Has Azure CLI [installed](https://learn.microsoft.com/cli/azure/install-azure-cli).

+ - Has the Arc agent installation script downloaded from [here](https://download.microsoft.com/download/7/1/6/7164490e-6d8c-450c-8511-f8191f6ec110/arcscvmm-enable-guest-management.ps1).

+>[!NOTE]

+>- If you're using a Linux VM, the account must not prompt for login on sudo commands. To override the prompt, from a terminal, run `sudo visudo`, and `add <username> ALL=(ALL) NOPASSWD:ALL` at the end of the file. Ensure you replace `<username>`.

+>- If your VM template has these changes incorporated, you won't need to do this for the VM created from that template.

+## Steps to install Arc agents using a script

+1. Login to the target VM as an administrator.

+2. Run the Azure CLI with the `az` command from either Windows Command Prompt or PowerShell.

+3. Login to your Azure account in Azure CLI using `az login --use-device-code`

+4. Run the downloaded script *arcscvmm-enable-guest-management.ps1*. The `vmmServerId` parameter should denote your VMM ServerΓÇÖs ARM ID.

+```azurecli

+./arcscvmm-enable-guest-management.ps1 -<vmmServerId> '/subscriptions/<subscriptionId>/resourceGroups/<rgName>/providers/Microsoft.ScVmm/vmmServers/<vmmServerName>

+```

+## Next steps

+[Manage VM extensions to use Azure management services](https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions).

+To learn more about data retention and potential storage costs, see [Data collection, retention, and storage in Application Insights](/previous-versions/azure/azure-monitor/app/data-retention-privacy).

+⁴ Service SDK types include types from the [Azure SDK for .NET](/dotnet/azure/sdk/azure-sdk-for-dotnet) such as [BlobClient](/dotnet/api/azure.storage.blobs.blobclient).

+To compile your project as ReadyToRun, update your project file by adding the `<PublishReadyToRun>` and `<RuntimeIdentifier>` elements. The following example shows a configuration for publishing to a Windows 64-bit function app.

+| [Azure Service Bus][servicebus-sdk-types] | **Generally Available** | _Input binding does not exist_ | _SDK types not recommended.¹_ |

+| [Azure Cosmos DB][cosmos-sdk-types] | _SDK types not used²_ | **Generally Available** | _SDK types not recommended.¹_ |

+² The Cosmos DB trigger uses the [Azure Cosmos DB change feed](../cosmos-db/change-feed.md) and exposes change feed items as JSON-serializable types. The absence of SDK types is by-design for this scenario.

+This example shows a [C# function](dotnet-isolated-process-guide.md) that receives multiple Service Bus queue messages, writes it to the logs, and then settles the message as completed:

+The isolated worker process supports parameter types according to the tables below.

+|**maxBatchWaitTime**¹|`00:00:30`|The maximum interval that the trigger should wait to fill a batch before invoking the function. The wait time is only considered when `minMessageBatchSize` is larger than 1 and is ignored otherwise. If less than `minMessageBatchSize` messages were available before the wait time elapses, the function is invoked with a partial batch. The longest allowed wait time is 50% of the entity message lock duration, meaning the maximum allowed is 2 minutes and 30 seconds. Otherwise, you may get lock exceptions. <br/><br/>**NOTE:** This interval is not a strict guarantee for the exact timing on which the function is invoked. There is a small margin of error due to timer precision.|

+## Next steps

+> [!div class="nextstepaction"]

+> [Tutorial: Creating a Creator indoor map]

+> [Create indoor map with the onboarding tool]

+For more information about the coverage of the Route service, see [Routing Coverage].

+The Route Directions APIs return instructions including the travel time and the coordinates for a route path. The Route Matrix API lets you calculate the travel time and distances for a set of routes defined by origin and destination locations. For every given origin, the Matrix API calculates the cost (travel time and distance) of routing from that origin to every given destination. These APIs allow you to specify parameters such as the desired departure time, arrival times, and the vehicle type, like car or truck. They all use real-time or predictive traffic data accordingly to return the most optimal routes.

+For multi-stop routing, up to 150 waypoints can be specified in a single route request. The starting and ending coordinate locations can be the same, as would be the case with a round trip. But you need to provide at least one more waypoint to make the route calculation. Waypoints can be added to the query in-between the origin and destination coordinates.

+You might have situations where you want to reconstruct a route to calculate zero or more alternative routes for a reference route. For example, you can show customers alternative routes that pass your retail store. In this case, you need to bias a location using supporting points. Here are the steps to bias a location:

+After setting up [Application Insights for your project](../app/app-insights-overview.md), and if your app generates a certain minimum amount of data, Smart Detection of Failure Anomalies takes 24 hours to learn the normal behavior of your app, before it's switched on and can send alerts.

+The alert details tell you:

+Your app's performance has a typical pattern of behavior. Some requests or dependency calls are more prone to failure than others; and the overall failure rate may go up as load increases. Smart Detection uses machine learning to find these anomalies.

+In the previous example, the analysis has discovered that most failures are about a specific result code, request name, Server URL host, and role instance.

+Our proprietary machine learning algorithm triggers the alerts, so we can't share the exact implementation details. With that said, we understand that you sometimes need to know more about how the underlying logic works. The primary factors that are evaluated to determine if an alert should be triggered are:

+* There's logic that can automatically resolve the fired alert monitor condition, if the issue is no longer detected for 8-24 hours.

+This alert rule is created with an associated [Action Group](./action-groups.md) named "Application Insights Smart Detection" that contains email and webhook actions, and can be extended to trigger more actions when the alert fires.

+Open the Alerts page. Failure Anomalies alert rules are included along with any alerts that you have set manually, and you can see whether it's currently in the alert state.

+An alert indicates that an abnormal rise in the failed request rate was detected. It's likely that there's some problem with your app or its environment.

+To investigate further, click on 'View full details in Application Insights' the links in this page take you straight to a [search page](../app/search-and-transaction-diagnostics.md?tabs=transaction-search) filtered to the relevant requests, exception, dependency, or traces.

+Clicking on 'Diagnose failures' helps you get more details and resolve the issue.

+From the percentage of requests and number of users affected, you can decide how urgent the issue is. In the previous example, the failure rate of 78.5% compares with a normal rate of 2.2%, indicates that something bad is going on. On the other hand, only 46 users were affected. If it was your app, you'd be able to assess how serious that is.

+* We detected an abnormal rise in failed requests rate compared to the normal baseline of the preceding period. After analysis of the failures and associated application data, we think that there's a problem that you should look into.

+*So, you're looking at my application data?*

+* No. The service is entirely automatic. Only you get the notifications. Your data is [private](/previous-versions/azure/azure-monitor/app/data-retention-privacy).

+ * No. The service is entirely automatic. Only you get the notifications. Your data is [private](/previous-versions/azure/azure-monitor/app/data-retention-privacy).

+To determine how long data is kept, see [Data retention and privacy](/previous-versions/azure/azure-monitor/app/data-retention-privacy).

+<!-- IMPORTANT: If you're updating this code example, please remember to also update it in: 1) articles\azure-monitor\app\javascript-sdk.md and 2) articles\azure-monitor\app\javascript-feature-extensions.md -->

+!(function (cfg){function e(){cfg.onInit&&cfg.onInit(i)}var S,u,D,t,n,i,C=window,x=document,w=C.location,I="script",b="ingestionendpoint",E="disableExceptionTracking",A="ai.device.";"instrumentationKey"[S="toLowerCase"](),u="crossOrigin",D="POST",t="appInsightsSDK",n=cfg.name||"appInsights",(cfg.name||C[t])&&(C[t]=n),i=C[n]||function(l){var d=!1,g=!1,f={initialize:!0,queue:[],sv:"7",version:2,config:l};function m(e,t){var n={},i="Browser";function a(e){e=""+e;return 1===e.length?"0"+e:e}return n[A+"id"]=i[S](),n[A+"type"]=i,n["ai.operation.name"]=w&&w.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(f.sv||f.version),{time:(i=new Date).getUTCFullYear()+"-"+a(1+i.getUTCMonth())+"-"+a(i.getUTCDate())+"T"+a(i.getUTCHours())+":"+a(i.getUTCMinutes())+":"+a(i.getUTCSeconds())+"."+(i.getUTCMilliseconds()/1e3).toFixed(3).slice(2,5)+"Z",iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}},ver:4,seq:"1",aiDataContract:undefined}}var h=-1,v=0,y=["js.monitor.azure.com","js.cdn.applicationinsights.io","js.cdn.monitor.azure.com","js0.cdn.applicationinsights.io","js0.cdn.monitor.azure.com","js2.cdn.applicationinsights.io","js2.cdn.monitor.azure.com","az416426.vo.msecnd.net"],k=l.url||cfg.src;if(k){if((n=navigator)&&(~(n=(n.userAgent||"").toLowerCase()).indexOf("msie")||~n.indexOf("trident/"))&&~k.indexOf("ai.3")&&(k=k.replace(/(\/)(ai\.3\.)([^\d]*)$/,function(e,t,n){return t+"ai.2"+n})),!1!==cfg.cr)for(var e=0;e<y.length;e++)if(0<k.indexOf(y[e])){h=e;break}var i=function(e){var a,t,n,i,o,r,s,c,p,u;f.queue=[],g||(0<=h&&v+1<y.length?(a=(h+v+1)%y.length,T(k.replace(/^(.*\/\/)([\w\.]*)(\/.*)$/,function(e,t,n,i){return t+y[a]+i})),v+=1):(d=g=!0,o=k,c=(p=function(){var e,t={},n=l.connectionString;if(n)for(var i=n.split(";"),a=0;a<i.length;a++){var o=i[a].split("=");2===o.length&&(t[o[0][S]()]=o[1])}return t[b]||(e=(n=t.endpointsuffix)?t.location:null,t[b]="https://"+(e?e+".":"")+"dc."+(n||"services.visualstudio.com")),t}()).instrumentationkey||l.instrumentationKey||"",p=(p=p[b])?p+"/v2/track":l.endpointUrl,(u=[]).push((t="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",n=o,r=p,(s=(i=m(c,"Exception")).data).baseType="ExceptionData",s.baseData.exceptions=[{typeName:"SDKLoadFailed",message:t.replace(/\./g,"-"),hasFullStack:!1,stack:t+"\nSnippet failed to load ["+n+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(w&&w.pathname||"_unknown_")+"\nEndpoint: "+r,parsedStack:[]}],i)),u.push((s=o,t=p,(r=(n=m(c,"Message")).data).baseType="MessageData",(i=r.baseData).message='AI (Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details) ("+s+")").replace(/\"/g,"")+'"',i.properties={endpoint:t},n)),o=u,c=p,JSON&&((r=C.fetch)&&!cfg.useXhr?r(c,{method:D,body:JSON.stringify(o),mode:"cors"}):XMLHttpRequest&&((s=new XMLHttpRequest).open(D,c),s.setRequestHeader("Content-type","application/json"),s.send(JSON.stringify(o))))))},a=function(e,t){g||setTimeout(function(){!t&&f.core||i()},500),d=!1},T=function(e){var n=x.createElement(I),e=(n.src=e,cfg[u]);return!e&&""!==e||"undefined"==n[u]||(n[u]=e),n.onload=a,n.onerror=i,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||a(0,t)},cfg.ld&&cfg.ld<0?x.getElementsByTagName("head")[0].appendChild(n):setTimeout(function(){x.getElementsByTagName(I)[0].parentNode.appendChild(n)},cfg.ld||0),n};T(k)}try{f.cookie=x.cookie}catch(p){}function t(e){for(;e.length;)!function(t){f[t]=function(){var e=arguments;d||f.queue.push(function(){f[t].apply(f,e)})}}(e.pop())}var r,s,n="track",o="TrackPage",c="TrackEvent",n=(t([n+"Event",n+"PageView",n+"Exception",n+"Trace",n+"DependencyData",n+"Metric",n+"PageViewPerformance","start"+o,"stop"+o,"start"+c,"stop"+c,"addTelemetryInitializer","setAuthenticatedUserContext","clearAuthenticatedUserContext","flush"]),f.SeverityLevel={Verbose:0,Information:1,Warning:2,Error:3,Critical:4},(l.extensionConfig||{}).ApplicationInsightsAnalytics||{});return!0!==l[E]&&!0!==n[E]&&(t(["_"+(r="onerror")]),s=C[r],C[r]=function(e,t,n,i,a){var o=s&&s(e,t,n,i,a);return!0!==o&&f["_"+r]({message:e,url:t,lineNumber:n,columnNumber:i,error:a,evt:C.event}),o},l.autoExceptionInstrumented=!0),f}(cfg.cfg),(C[n]=i).queue&&0===i.queue.length?(i.queue.push(e),i.trackPageView({})):e();})({

+ For more information, see [Data collection, retention, and storage in Application Insights](/previous-versions/azure/azure-monitor/app/data-retention-privacy).

+### How does Application Insights handle data collection, retention, storage, and privacy?

+#### Collection

+Application Insights collects telemetry about your app, including web server telemetry, web page telemetry, and performance counters. This data can be used to monitor your app's performance, health, and usage. You can select the location when you [create a new Application Insights resource](./create-workspace-resource.md).

+#### Retention and Storage

+Data is sent to an Application Insights [Log Analytics workspace](../logs/log-analytics-workspace-overview.md). You can choose the retention period for raw data, from 30 to 730 days. Aggregated data is retained for 90 days, and debug snapshots are retained for 15 days.

+#### Privacy

+Application Insights doesn't handle sensitive data by default, as long as you don't put sensitive data in URLs as plain text and ensure your custom code doesn't collect personal or other sensitive details. During development and testing, check the sent data in your IDE and browser's debugging output windows.

+For archived information on this topic, see [Data collection, retention, and storage in Application Insights](/previous-versions/azure/azure-monitor/app/data-retention-privacy).

+Included are the most common parameters that you need to get started.

+To get started, you need a connection string. For more information, see [Connection strings](sdk-connection-string.md).

+These instructions were written and tested on a computer running Windows 10 and the following versions.

+These steps prepare your server to download modules from PowerShell Gallery.

+ You receive this prompt if NuGet isn't set up:

+ You receive this prompt if PowerShell Gallery isn't trusted:

+ You can confirm this change and audit all `PSRepositories` by running the `Get-PSRepository` command.

+ You receive this error if you're not using the newest version of PowerShellGet:

+5. Restart PowerShell. You can't load the new version in the current session. New PowerShell sessions load the latest version of PowerShellGet.

+These steps download the Az.ApplicationMonitor module from PowerShell Gallery.

+Install the manually downloaded PowerShell module into a PowerShell directory so it's discoverable by PowerShell sessions.

+Install the manually downloaded PowerShell module into a PowerShell directory so it's discoverable by PowerShell sessions.

+When you monitor a computer on your private intranet, you need to route HTTP traffic through a proxy.

+The Application Insights SDK needs to send your app's telemetry to Microsoft. We recommend that you configure proxy settings for your app in your web.config file. For more information, see [How do I achieve proxy passthrough?](#how-do-i-achieve-proxy-passthrough).

+> - To get started, you need a connection string. For more information, see [Create a resource](create-workspace-resource.md).

+- You've manually instrumented your app with the .NET SDKs and want to collect extra telemetry.

+This cmdlet modifies the IIS applicationHost.config and sets some registry keys.

+It creates an applicationinsights.ikey.config file, which defines the instrumentation key used by each app.

+IIS loads the RedfieldModule on startup, which injects the Application Insights SDK into applications as the applications start.

+##### Example with a single connection string

+In this example, all apps on the current computer are assigned a single connection string.

+```powershell

+Enable-ApplicationInsightsMonitoring -ConnectionString 'InstrumentationKey=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/'

+```

+- `AppFilter='WebAppExclude'` provides a `null` instrumentation key. The specified app isn't instrumented.

+- `AppFilter` uses the `'.*'` wildcard to match any web apps it doesn't already match and assigns a default instrumentation key.

+##### -ConnectionString

+**Required.** Use this parameter to supply a single connection string for use by all apps on the target computer.

+> Apps matches against rules in the order that the rules are provided. So you should specify the most specific rules first and the most generic rules last.

+ - '.*' matches all

+ - 'ComputerName' matches only computers with the exact name specified.

+ - '.*' matches all

+ - 'SiteName' matches only the IIS Site with the exact name specified.

+This script fails with the message that extra installation steps are required.

+This cmdlet removes edits to the IIS applicationHost.config and remove registry keys.

+This cmdlet reports version information and information about key files required for monitoring.

+- **Machine Identifier** is an anonymous ID used to uniquely identify your server. If you create a support request, we need this ID to find logs for your server.

+- **DemoWebApp333** has been manually instrumented using the Application Insights SDK. Application Insights Agent detected the SDK and doesn't monitor this site.

+By default, this cmdlet reports the monitoring status of web applications.

+It downloads external tools to determine if the necessary DLLs are loaded into the IIS runtime.

+**Optional**. Used only with InspectProcess. Use this switch to skip the user prompt that appears before more tools are downloaded.

+In this example, all apps on the current computer are assigned a single instrumentation key.

+- `AppFilter='WebAppExclude'` provides a `null` instrumentation key. The specified app isn't instrumented.

+- `AppFilter` uses the `'.*'` wildcard to match web apps it doesn't already match and assigns a default instrumentation key.

+> Apps matches against rules in the order that the rules are provided. So you should specify the most specific rules first and the most generic rules last.

+ - '.*' matches all

+ - 'ComputerName' matches only computers with the specified name.

+ - '.*' matches all

+ - 'ApplicationName' matches only IIS apps with the specified name.

+Events are collected, printed to the console in real-time, and saved to an ETL file. You can open the output ETL file with [PerfView](https://github.com/microsoft/perfview) for further investigation.

+This cmdlet runs until it reaches the timeout duration (default 5 minutes) or is stopped manually (`Ctrl + C`).

+The codeless attach runtime emits ETW events when IIS starts up and when your application starts up.

+1. In a cmd console with admin privileges, execute `iisreset /stop` to stop IIS and all web apps.

+3. In a cmd console with admin privileges, execute `iisreset /start` to start IIS.

+4. By default, if no switch is specified both event types are collected.

+By default, this file is created in the PowerShell Modules directory.

+The full path is displayed during script execution.

+- Updated the Application Insights .NET/.NET Core SDK to `2.21.0-redfield`

+- Updated the Application Insights .NET/.NET Core SDK to `2.20.1-redfield`

+Updated the Application Insights .NET/.NET Core SDK to `2.18.1-redfield`

+ Yes. In [Application Insights Agent 2.0.0](https://www.powershellgallery.com/packages/Az.ApplicationMonitor/2.0.0) and later, ASP.NET Core applications hosted in IIS are supported.

+ <!-- IMPORTANT: If you're updating this code example, please remember to also update it in: 1) articles\azure-monitor\app\javascript-sdk.md and 2) articles\azure-monitor\app\api-filtering-sampling.md -->

+ !(function (cfg){function e(){cfg.onInit&&cfg.onInit(i)}var S,u,D,t,n,i,C=window,x=document,w=C.location,I="script",b="ingestionendpoint",E="disableExceptionTracking",A="ai.device.";"instrumentationKey"[S="toLowerCase"](),u="crossOrigin",D="POST",t="appInsightsSDK",n=cfg.name||"appInsights",(cfg.name||C[t])&&(C[t]=n),i=C[n]||function(l){var d=!1,g=!1,f={initialize:!0,queue:[],sv:"7",version:2,config:l};function m(e,t){var n={},i="Browser";function a(e){e=""+e;return 1===e.length?"0"+e:e}return n[A+"id"]=i[S](),n[A+"type"]=i,n["ai.operation.name"]=w&&w.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(f.sv||f.version),{time:(i=new Date).getUTCFullYear()+"-"+a(1+i.getUTCMonth())+"-"+a(i.getUTCDate())+"T"+a(i.getUTCHours())+":"+a(i.getUTCMinutes())+":"+a(i.getUTCSeconds())+"."+(i.getUTCMilliseconds()/1e3).toFixed(3).slice(2,5)+"Z",iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}},ver:4,seq:"1",aiDataContract:undefined}}var h=-1,v=0,y=["js.monitor.azure.com","js.cdn.applicationinsights.io","js.cdn.monitor.azure.com","js0.cdn.applicationinsights.io","js0.cdn.monitor.azure.com","js2.cdn.applicationinsights.io","js2.cdn.monitor.azure.com","az416426.vo.msecnd.net"],k=l.url||cfg.src;if(k){if((n=navigator)&&(~(n=(n.userAgent||"").toLowerCase()).indexOf("msie")||~n.indexOf("trident/"))&&~k.indexOf("ai.3")&&(k=k.replace(/(\/)(ai\.3\.)([^\d]*)$/,function(e,t,n){return t+"ai.2"+n})),!1!==cfg.cr)for(var e=0;e<y.length;e++)if(0<k.indexOf(y[e])){h=e;break}var i=function(e){var a,t,n,i,o,r,s,c,p,u;f.queue=[],g||(0<=h&&v+1<y.length?(a=(h+v+1)%y.length,T(k.replace(/^(.*\/\/)([\w\.]*)(\/.*)$/,function(e,t,n,i){return t+y[a]+i})),v+=1):(d=g=!0,o=k,c=(p=function(){var e,t={},n=l.connectionString;if(n)for(var i=n.split(";"),a=0;a<i.length;a++){var o=i[a].split("=");2===o.length&&(t[o[0][S]()]=o[1])}return t[b]||(e=(n=t.endpointsuffix)?t.location:null,t[b]="https://"+(e?e+".":"")+"dc."+(n||"services.visualstudio.com")),t}()).instrumentationkey||l.instrumentationKey||"",p=(p=p[b])?p+"/v2/track":l.endpointUrl,(u=[]).push((t="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",n=o,r=p,(s=(i=m(c,"Exception")).data).baseType="ExceptionData",s.baseData.exceptions=[{typeName:"SDKLoadFailed",message:t.replace(/\./g,"-"),hasFullStack:!1,stack:t+"\nSnippet failed to load ["+n+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(w&&w.pathname||"_unknown_")+"\nEndpoint: "+r,parsedStack:[]}],i)),u.push((s=o,t=p,(r=(n=m(c,"Message")).data).baseType="MessageData",(i=r.baseData).message='AI (Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details) ("+s+")").replace(/\"/g,"")+'"',i.properties={endpoint:t},n)),o=u,c=p,JSON&&((r=C.fetch)&&!cfg.useXhr?r(c,{method:D,body:JSON.stringify(o),mode:"cors"}):XMLHttpRequest&&((s=new XMLHttpRequest).open(D,c),s.setRequestHeader("Content-type","application/json"),s.send(JSON.stringify(o))))))},a=function(e,t){g||setTimeout(function(){!t&&f.core||i()},500),d=!1},T=function(e){var n=x.createElement(I),e=(n.src=e,cfg[u]);return!e&&""!==e||"undefined"==n[u]||(n[u]=e),n.onload=a,n.onerror=i,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||a(0,t)},cfg.ld&&cfg.ld<0?x.getElementsByTagName("head")[0].appendChild(n):setTimeout(function(){x.getElementsByTagName(I)[0].parentNode.appendChild(n)},cfg.ld||0),n};T(k)}try{f.cookie=x.cookie}catch(p){}function t(e){for(;e.length;)!function(t){f[t]=function(){var e=arguments;d||f.queue.push(function(){f[t].apply(f,e)})}}(e.pop())}var r,s,n="track",o="TrackPage",c="TrackEvent",n=(t([n+"Event",n+"PageView",n+"Exception",n+"Trace",n+"DependencyData",n+"Metric",n+"PageViewPerformance","start"+o,"stop"+o,"start"+c,"stop"+c,"addTelemetryInitializer","setAuthenticatedUserContext","clearAuthenticatedUserContext","flush"]),f.SeverityLevel={Verbose:0,Information:1,Warning:2,Error:3,Critical:4},(l.extensionConfig||{}).ApplicationInsightsAnalytics||{});return!0!==l[E]&&!0!==n[E]&&(t(["_"+(r="onerror")]),s=C[r],C[r]=function(e,t,n,i,a){var o=s&&s(e,t,n,i,a);return!0!==o&&f["_"+r]({message:e,url:t,lineNumber:n,columnNumber:i,error:a,evt:C.event}),o},l.autoExceptionInstrumented=!0),f}(cfg.cfg),(C[n]=i).queue&&0===i.queue.length?(i.queue.push(e),i.trackPageView({})):e();})({

+ <!-- IMPORTANT: If you're updating this code example, please remember to also update it in: 1) articles\azure-monitor\app\javascript-feature-extensions.md and 2) articles\azure-monitor\app\api-filtering-sampling.md -->

+|No retention|Data persists while it's on the chart and is then discarded.|[Data retained for 90 days.](/previous-versions/azure/azure-monitor/app/data-retention-privacy#how-long-is-the-data-kept)|

+If the SDK detects that your application is crashing, it calls flush for you by using `appInsights.defaultClient.flush({ isAppCrashing: true })`. With the flush option `isAppCrashing`, your application is assumed to be in an abnormal state and isn't suitable to send telemetry. Instead, the SDK saves all buffered telemetry to [persistent storage](/previous-versions/azure/azure-monitor/app/data-retention-privacy#nodejs) and lets your application terminate. When your application starts again, it tries to send any telemetry that was saved to persistent storage.

+To improve reliability and resiliency, Azure Monitor OpenTelemetry-based offerings write to offline/local storage by default when an application loses its connection with Application Insights. It saves the application telemetry to disk and periodically tries to send it again for up to 48 hours. In high-load applications, telemetry is occasionally dropped for two reasons. First, when the allowable time is exceeded, and second, when the maximum file size is exceeded or the SDK doesn't have an opportunity to clear out the file. If we need to choose, the product saves more recent events over old ones. [Learn More](/previous-versions/azure/azure-monitor/app/data-retention-privacy#does-the-sdk-create-temporary-local-storage)

+ You can create a storage directory yourself and configure the channel to use it. In this case, you're responsible for ensuring that the directory is secured. Read more about [data protection and privacy](/previous-versions/azure/azure-monitor/app/data-retention-privacy#does-the-sdk-create-temporary-local-storage).

+- **ResourceGroupName**: Use a central IT resource group because many teams in the organization usually share clusters. For more design considerations, review [Design a Log Analytics workspace configuration](../logs/workspace-design.md).

+- Learn more about [how Application Insights collects, processes, and secures data](/previous-versions/azure/azure-monitor/app/data-retention-privacy).

+From the menu for the VM, select **Alerts** in the **Monitoring** section. Select **View + enable**.

+Expand each of the alert rules to inspect its details. By default, the severity for each is **Informational**. You might want to change to another severity such as **Error**.

+Application-insights|[Enable Application Insights for ASP.NET Core applications](/previous-versions/azure/azure-monitor/app/tutorial-asp-net-core)|The Azure Café sample app is now hosted and linked on Git.|

+|[Capture Application Insights custom metrics with .NET and .NET Core](/previous-versions/azure/azure-monitor/app/tutorial-asp-net-custom-metrics)|Updated tutorial steps and images.|

+|[Enable Application Insights for ASP.NET Core applications](/previous-versions/azure/azure-monitor/app/tutorial-asp-net-core)|Updated tutorial steps and images.|

+|[Application Insights SDK for ASP.NET Core applications](/previous-versions/azure/azure-monitor/app/tutorial-asp-net-core)|Added a new tutorial with step-by-step instructions on how to use the Application Insights SDK with .NET Core applications.|

+|[Application Insights custom metrics with .NET and .NET Core](/previous-versions/azure/azure-monitor/app/tutorial-asp-net-custom-metrics)|Added a new tutorial with step-by-step instructions on how to enable custom metrics with .NET applications.|

+# Conditional deployments in Bicep with the if expression

+To optionally deploy a resource or module in Bicep, use the `if` expression. An `if` expression includes a condition that resolves to true or false. When the `if` condition is true, the resource is deployed. When the value is false, the resource isn't created. The value can only be applied to the whole resource or module.

+In Bicep, you can conditionally deploy a resource by passing in a parameter that specifies whether the resource is deployed. You test the condition with an `if` expression in the resource declaration. The following example shows the syntax for an `if` expression in a Bicep file. It conditionally deploys a DNS zone. When `deployZone` is `true`, it deploys the DNS zone. When `deployZone` is `false`, it skips deploying the DNS zone.

+You can add a decorator to a resource or module definition. The supported decorators are `batchSize(int)` and `description`. You can only apply it to a resource or module definition that uses a `for` expression.

+By default, resources are deployed in parallel. When you add the `batchSize(int)` decorator, you deploy instances serially.

+- Create one or more volumes based on the required throughput and capacity. See [Performance considerations](../azure-netapp-files/azure-netapp-files-performance-considerations.md) for Azure NetApp Files to understand how volume size, service level, and capacity pool QoS type will determine volume throughput. For assistance calculating workload capacity and performance requirements, contact your Azure VMware Solution or Azure NetApp Files field expert. The default maximum number of Azure NetApp Files datastores is 8, but it can be increased to a maximum of 256 by submitting a support ticket. To submit a support ticket, see [Create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md).

+ The default maximum is 8 but it can be increased to 256 by submitting a support ticket. To submit a support ticket, go to [Create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md).

+| Toll-Free |- | - | Public Preview | Public Preview\* |

+| National | - | - | Public Preview | Public Preview\* |

+4. You can Reclassify the job, which causes the Job Router to re-evaluate the current labels and Classification Policy.

+Azure Communication Services is a fully managed communication platform that enables developers to build real-time communication features into their applications. By using Managed Identity with Azure Communication Services, you can simplify the authentication process for your application, while also increasing its security. This document covers how to use Managed Identity with Azure Communication Services.

+## Using Managed Identity with Azure Communication Services

+Your Azure Communication Services resource can be assigned two types of identity:

+2. A **User Assigned Identity** which is an Azure resource that can be assigned to your Azure Communication Services resource. This identity isn't deleted when your resource is deleted. Your resource can have multiple user-assigned identities.

+2. Use the Managed Identity to authenticate with Azure Communication Services. Authentication can be done through the Azure SDKs or REST APIs that support Managed Identity.

+You can assign your managed identity to your Azure Communication Services resource using the Azure Communication Management SDK for .NET by setting the `Identity` property on the `CommunicationServiceResourceData `.

+ azurePowerShellVersion: 'LatestVersion'

+ pwsh: True

+ azurePowerShellVersion: 'LatestVersion'

+ pwsh: True

+ Title: Microsoft Defender for DevOps - DevOps security posture management overview

+description: Learn how to discover security posture violations in DevOps environments

+# Improve DevOps security posture

+With an increase of cyber attacks on source code management systems and continuous integration/continuous delivery pipelines, securing DevOps platforms against the diverse range of threats identified in the [DevOps Threat Matrix](https://www.microsoft.com/security/blog/2023/04/06/devops-threat-matrix/) is crucial. Such cyber attacks can enable code injection, privilege escalation, and data exfiltration, potentially leading to extensive impact.

+DevOps posture management is a feature in Microsoft Defender for Cloud that:

+- Provides insights into the security posture of the entire software supply chain lifecycle.

+- Uses advanced scanners for in-depth assessments.

+- Covers various resources, from organizations, pipelines, and repositories.

+- Allows customers to reduce their attack surface by uncovering and acting on the provided recommendations.

+## DevOps scanners

+To provide findings, DevOps posture management uses DevOps scanners to identify weaknesses in source code management and continuous integration/continuous delivery pipelines by running checks against the security configurations and access controls.

+Azure DevOps and GitHub scanners are used internally within Microsoft to identify risks associated with DevOps resources, reducing attack surface and strengthening corporate DevOps systems.

+Once a DevOps environment is connected, Defender for Cloud autoconfigures these scanners to conduct recurring scans every eight hours across multiple DevOps resources, including:

+- Builds

+- Secure Files

+- Variable Groups

+- Service Connections

+- Organizations

+- Repositories

+## DevOps threat matrix risk reduction

+DevOps posture management assists organizations in discovering and remediating harmful misconfigurations in the DevOps platform. This leads to a resilient, zero-trust DevOps environment, which is strengthened against a range of threats defined in the DevOps threat matrix. The primary posture management controls include:

+- **Scoped secret access**: Minimize the exposure of sensitive information and reduce the risk of unauthorized access, data leaks, and lateral movements by ensuring each pipeline only has access to the secrets essential to its function.

+- **Restriction of self-hosted runners and high permissions**: prevent unauthorized executions and potential escalations by avoiding self-hosted runners and ensuring that pipeline permissions default to read-only.

+- **Enhanced branch protection**: Maintain the integrity of the code by enforcing branch protection rules and preventing malicious code injections.

+- **Optimized permissions and secure repositories**: Reduce the risk of unauthorized access, modifications by tracking minimum base permissions, and enablement of [secret push protection](https://docs.github.com/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations) for repositories.

+- Learn more about the [DevOps threat matrix](https://www.microsoft.com/security/blog/2023/04/06/devops-threat-matrix/).

+## DevOps posture management recommendations

+When the DevOps scanners uncover deviations from security best practices within source code management systems and continuous integration/continuous delivery pipelines, Defender for Cloud outputs precise and actionable recommendations. These recommendations have the following benefits:

+- **Enhanced visibility**: Obtain comprehensive insights into the security posture of DevOps environments, ensuring a well-rounded understanding of any existing vulnerabilities. Identify missing branch protection rules, privilege escalation risks, and insecure connections to prevent attacks.

+- **Priority-based action**: Filter results by severity to spend resources and efforts more effectively by addressing the most critical vulnerabilities first.

+- **Attack surface reduction**: Address highlighted security gaps to significantly minimize vulnerable attack surfaces, thereby hardening defenses against potential threats.

+- **Real-time notifications**: Ability to integrate with workflow automations to receive immediate alerts when secure configurations alter, allowing for prompt action and ensuring sustained compliance with security protocols.

+## Next steps

+- [Connect your GitHub repositories to Microsoft Defender for Cloud](quickstart-onboard-github.md).

+- [Connect your Azure DevOps repositories to Microsoft Defender for Cloud](quickstart-onboard-devops.md).

+| October 19 |[DevOps security posture management recommendations available in public preview](#devops-security-posture-management-recommendations-available-in-public-preview)

+## DevOps security posture management recommendations available in public preview

+October 19, 2023

+New DevOps posture management recommendations are now available in public preview for all customers with a connector for Azure DevOps or GitHub. DevOps posture management helps to reduce the attack surface of DevOps environments by uncovering weaknesses in security configurations and access controls. Learn more about [DevOps posture management](concept-devops-posture-management-overview.md).

+Microsoft Defender Cloud now supports the latest [CIS Azure Security Foundations Benchmark - version 2.0.0](https://www.cisecurity.org/benchmark/azure) in the Regulatory Compliance [dashboard](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/22), as well as a built-in policy initiative in Azure Policy. The release of version 2.0.0 in Microsoft Defender for Cloud is a joint collaborative effort between Microsoft, the Center for Internet Security (CIS), and the user communities. The version 2.0.0 significantly expands assessment scope which now includes 90+ built-in Azure policies and will succeed the prior versions 1.4.0 and 1.3.0 and 1.0 in Microsoft Defender for Cloud and Azure Policy. Please refer to this [blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-cloud-now-supports-cis-azure-security/ba-p/3944860) for more details.

+These controls were previously calculated as passed controls, so you might see a significant dip in your compliance score for NIST standards between April 2023 and May 2023.

+If you already have the Defender for Endpoint integration enabled, no further action is required. You might experience a decrease in your alerts volume in April 2023.

+[DevOps security posture](concept-devops-posture-management-overview.md) | Preview | NA | NA

+The managed identity that's attached to the dev center needs to be granted appropriate access to connect to the catalogs. You should grant Contributor and User Access Administrator access to the target deployment subscriptions that are configured at the project level. The Azure Deployment Environments service uses the specific managed identity to perform the deployment on behalf of the developer.

+The managed identity that's attached to a dev center should be [assigned both the Contributor role and the User Access Administrator in the deployment subscriptions](how-to-configure-managed-identity.md#assign-a-subscription-role-assignment-to-the-managed-identity) for each environment type. When an environment deployment is requested, the service grants appropriate permissions to the deployment identities that are set up for the environment type to deploy on behalf of the user.

+> At least one identity (system assigned or user assigned) must be enabled for deployment identity. It will be used to perform the environment deployment on behalf of the developer. Additionally, the identity attached to the dev center should be [granted Contributor and User Access Administrator access to the deployment subscription](how-to-configure-managed-identity.md) configured per environment type.

+- Azure role-based access control role with permissions to create and manage resources in the subscription, such as [Contributor](../role-based-access-control/built-in-roles.md#contributor).

+ |**Role**|Contributor|

+1. To give access to the subscription, select **Add role assignment (Preview)**, enter or select the following information, and then select **Save**:

+

+ |Name |Value |

+ ||-|

+ |**Scope**|Subscription|

+ |**Subscription**|Select the subscription in which to use the managed identity.|

+ |**Role**|User Access Administrator|

+First, you create a project. Then, assign the dev center managed identity the Contributor and the User Access Administrator roles to the subscription. Then, you configure the project by creating a project environment type. Finally, you give the development team access to the project by assigning the [Deployment Environments User](how-to-configure-deployment-environments-user.md) role to the project.

+- Azure role-based access control role with permissions to create and manage resources in the subscription, such as [Contributor](../role-based-access-control/built-in-roles.md#contributor)

+> At least one identity (system-assigned or user-assigned) must be enabled for deployment identity. The identity is used to perform the environment deployment on behalf of the developer. Additionally, the identity attached to the dev center should be [assigned the Contributor and the User Access Admistrator roles](how-to-configure-managed-identity.md) for access to the deployment subscription for each environment type.

+1. On the Azure portal home page, select Support & troubleshooting from the top left, and then select **Help + support**.

+- Check the default quota for each resource type by subscription type: [Microsoft Dev Box limits](../azure-resource-manager/management/azure-subscription-service-limits.md#microsoft-dev-box-limits)

+ Title: Import and export a domain zone file - Azure portal

+description: Learn how to import and export a DNS (Domain Name System) zone file to Azure DNS by using Azure portal

+# Import and export a DNS zone file using the Azure portal

+In this article, you learn how to import and export a DNS zone file in Azure DNS using Azure portal. You can also [import and export a zone file using Azure PowerShell](dns-import-export.md).

+## Introduction to DNS zone migration

+A DNS zone file is a text file containing information about every DNS record in the zone. It follows a standard format, making it suitable for transferring DNS records between DNS systems. Using a zone file is a fast and convenient way to import DNS zones into Azure DNS. You can also export a zone file from Azure DNS to use with other DNS systems.

+Azure DNS supports importing and exporting zone files via the Azure CLI and the Azure portal.

+## Obtain your existing DNS zone file

+Before you import a DNS zone file into Azure DNS, you need to obtain a copy of the zone file. The source of this file depends on where the DNS zone is hosted.

+* If your DNS zone is hosted by a partner service, the service should provide a way for you to download the DNS zone file. Partner services include domain registrar, dedicated DNS hosting provider, or an alternative cloud provider.

+* If your DNS zone is hosted on Windows DNS, the default folder for the zone files is **%systemroot%\system32\dns**. The full path to each zone file is also shown on the **General** tab of the DNS console.

+* If your DNS zone is hosted using BIND, the location of the zone file for each zone gets specified in the BIND configuration file **named.conf**.

+> [!IMPORTANT]

+> If the zone file that you import contains CNAME entries that point to names in a private zone, Azure DNS resolution of the CNAME fails unless the other zone is also imported, or the CNAME entries are modified.

+## Import a DNS zone file into Azure DNS

+Importing a zone file creates a new zone in Azure DNS if the zone doesn't already exist. If the zone exists, then the record sets in the zone file are merged with the existing record sets.

+### Merge behavior

+* By default, the new record sets get merged with the existing record sets. Identical records within a merged record set aren't duplicated.

+* When record sets are merged, the time to live (TTL) of pre-existing record sets is used.

+* Start of Authority (SOA) parameters, except `host` are always taken from the imported zone file. The name server record set at the zone apex also always uses the TTL taken from the imported zone file.

+* An imported CNAME record doesn't replace an existing CNAME record with the same name.

+* When a conflict happens between a CNAME record and another record with the same name of different type, the existing record gets used.

+### Additional information about importing

+The following notes provide more details about the zone import process.

+* The `$TTL` directive is optional, and is supported. When no `$TTL` directive is given, records without an explicit TTL are imported set to a default TTL of 3600 seconds. When two records in the same record set specify different TTLs, the lower value is used.

+* The `$ORIGIN` directive is optional, and is supported. When no `$ORIGIN` is set, the default value used is the zone name as specified on the command line, including the ending dot (.).

+* The `$INCLUDE` and `$GENERATE` directives aren't supported.

+* The following record types are supported: A, AAAA, CAA, CNAME, MX, NS, SOA, SRV, and TXT.

+* The SOA record is created automatically by Azure DNS when a zone is created. When you import a zone file, all SOA parameters are taken from the zone file *except* the `host` parameter. This parameter uses the value provided by Azure DNS because it needs to refer to the primary name server provided by Azure DNS.

+* The name server record set at the zone apex is also created automatically by Azure DNS when the zone is created. Only the TTL of this record set is imported. These records contain the name server names provided by Azure DNS. The record data isn't overwritten by the values contained in the imported zone file.

+* Azure DNS supports only single-string TXT records. Multistring TXT records are to be concatenated and truncated to 255 characters.

+* The zone file to be imported must contain 10k or fewer lines with no more than 3k record sets.

+## Import a zone file

+1. Obtain a copy of the zone file for the zone you wish to import.

+ The following small zone file and resource records are used in this example:

+ ```text

+ $ORIGIN adatum.com.

+ $TTL 86400

+ @ IN SOA dns1.adatum.com. hostmaster.adatum.com. (

+ 2023091201 ; serial

+ 21600 ; refresh after 6 hours

+ 3600 ; retry after 1 hour

+ 604800 ; expire after 1 week

+ 86400 ) ; minimum TTL of 1 day

+

+ IN NS dns1.adatum.com.

+ IN NS dns2.adatum.com.

+ IN MX 10 mail.adatum.com.

+ IN MX 20 mail2.adatum.com.

+ dns1 IN A 5.4.3.2

+ dns2 IN A 4.3.2.1

+ server1 IN A 4.4.3.2

+ server2 IN A 5.5.4.3

+ ftp IN A 3.3.2.1

+ IN A 3.3.3.2

+ mail IN CNAME server1

+ mail2 IN CNAME server2

+ www IN CNAME server1

+ ```

+ Names used:

+ - Origin zone name:ΓÇ»**adatum.com**ΓÇ»

+ - Destination zone name: **adatum.com**

+ - Zone filename:ΓÇ»**adatum.com.txt**ΓÇ»

+ - Resource group:ΓÇ»**myresourcegroup**

+2. Open the **DNS zones** overview page and select **Create**.

+3. On the **Create DNS zone** page, type or select the following values:

+ - **Resource group**: Choose an existing resource group, or select **Create new**, enter **myresourcegroup**, and select **OK**. The resource group name must be unique within the Azure subscription.

+ - **Name**: Type **adatum.com** for this example. The DNS zone name can be any value that is not already configured on the Azure DNS servers. A real-world value would be a domain that you bought from a domain name registrar.

+4. Select **Review create** and then select **Create**.

+5. When deployment is complete, select **Go to resource**. NS and SOA records compatible with Azure public DNS are automatically added to the zone. See the following example:

+ 

+6. Select **Import** and then on the **Import DNS zone** page, select **Browse**.

+7. Select the **adatum.com.txt** file and then select **Open**. The zone file is displayed in the DNS Zone Editor. See the following example:

+ 

+8. Edit the zone data values before proceeding to the next step.

+ > [!NOTE]

+ > If old NS records are present in the zone file, a non-blocking error is displayed during zone import. Azure NS records are not overwritten. Ideally the old NS records are removed prior to import.<br>

+ > If you wish to reset the zone serial number, delete the old serial number from the SOA prior to import.

+9. Select **Review Create** and review information in the DNS Zone Diff Viewer. See the following example:

+ 

+10. Select **Create**. The zone data is imported and the zone is displayed. See the following example:

+ [  ](./media/dns-import-export-portal/adatum-imported.png#lightbox)

+## Export a zone file

+1. Open the **DNS zones** overview page and select the zone you wish to export. For example, **adatum.com**. See the following example:

+ [  ](./media/dns-import-export-portal/adatum-export.png#lightbox)

+2. Select **Export**. The file is downloaded to your default downloads directory as a text file with the name AzurePublicDnsZone-adatum.com`number`.txt where `number` is an autogenerated index number.

+3. Open the file to view the contents. See the following example:

+ ```text

+ ; Exported zone file from Azure DNS

+ ; Zone name: adatum.com

+ ; Date and time (UTC): Tue, 12 Sep 2023 21:33:17 GMT

+ $TTL 86400

+ $ORIGIN adatum.com

+ ; SOA Record

+ @ 3600 IN SOA SOA dns1.adatum.com. (

+ 0 ;serial

+ 21600 ;refresh

+ 3600 ;retry

+ 604800 ;expire

+ 86400 ;minimum ttl

+ )

+ ; NS Records

+ @ 172800 IN NS ns1-36.azure-dns.com.

+ @ 172800 IN NS ns2-36.azure-dns.net.

+ @ 172800 IN NS ns3-36.azure-dns.org.

+ @ 172800 IN NS ns4-36.azure-dns.info.

+ ; MX Records

+ @ 3600 IN MX 10 mail.adatum.com.

+ @ 3600 IN MX 20 mail2.adatum.com.

+ ; A Records

+ dns1 3600 IN A 5.4.3.2

+ dns2 3600 IN A 4.3.2.1

+ ftp 3600 IN A 3.3.2.1

+ ftp 3600 IN A 3.3.3.2

+ server1 3600 IN A 4.4.3.2

+ server2 3600 IN A 5.5.4.3

+ ; AAAA Records

+ ; CNAME Records

+ mail 3600 IN CNAME server1

+ mail2 3600 IN CNAME server2

+ www 3600 IN CNAME server1

+ ; PTR Records

+ ; TXT Records

+ ; SRV Records

+ ; SPF Records

+ ; CAA Records

+ ; DS Records

+ ; Azure Alias Records

+ ```

+## Next steps

+* Learn how to [manage record sets and records](./dns-getstarted-cli.md) in your DNS zone.

+* Learn how to [delegate your domain to Azure DNS](dns-domain-delegation.md).

+In this article, you learn how to import and export a DNS zone file in Azure DNS using Azure CLI. You can also [import and export a zone file using the Azure portal](dns-import-export-portal.md).

+Azure DNS supports importing and exporting zone files via the Azure CLI and the Azure portal.

+Before you import a DNS zone file into Azure DNS, you need to obtain a copy of the zone file. The source of this file depends on where the DNS zone is hosted.

+* If your DNS zone is hosted by a partner service, the service should have a way for you to download the DNS zone file. Partner services include domain registrar, dedicated DNS hosting provider, or an alternative cloud provider.

+> If the zone file that you import contains CNAME entries that point to names in another private zone, Azure DNS resolution of the CNAME fails unless the other zone is also imported, or the CNAME entries are modified.

+Importing a zone file creates a new zone in Azure DNS if the zone doesn't already exist. If the zone exists, then the record sets in the zone file are merged with the existing record sets.

+* Start of Authority (SOA) parameters, except `host` are always taken from the imported zone file. The name server record set at the zone apex also always uses the TTL taken from the imported zone file.

+* The `$ORIGIN` directive is optional, and is supported. When no `$ORIGIN` is set, the default value used is the zone name as specified on the command line, including the ending dot (.).

+* The name server record set at the zone apex is also created automatically by Azure DNS when the zone is created. Only the TTL of this record set is imported. These records contain the name server names provided by Azure DNS. The record data isn't overwritten by the values contained in the imported zone file.

+If a zone with this name doesn't already exist in the resource group, one is created for you. For an existing zone, the imported record sets are merged with existing record sets.

+1. To import the zone **contoso.com** from the file **contoso.com.txt** into a new DNS zone in the resource group **myresourcegroup**, run the command `az network dns zone import`.

+ This command loads the zone file and parses it. The command executes a series of operations on the Azure DNS service to create the zone and all the record sets in the zone. The command reports the progress in the console window along with any errors or warnings. Since record sets are created in series, it could take a few minutes to import a large zone file.

+* Azure DNS supports only single-string TXT records. Multistring TXT records will be concatenated and truncated to 255 characters.

+> [Azure Firewall Manager policy overview](policy-overview.md)

+> [Learn about security partner providers](trusted-security-partners.md)

+Web categories let administrators allow or deny user access to web site categories such as gambling websites, social media websites, and others. The categories are organized based on severity under Liability, High-Bandwidth, Business use, Productivity loss, General surfing, and Uncategorized.

+|Nudity | Sites that contain full or partial nudity that aren't necessarily overtly sexual in intent.|

+|Forums + newsgroups | Sites for sharing information in the form of newsgroups, forums, bulletin boards. Doesn't include personal blogs. |

+|Nonprofits + NGOs | Sites devoted to clubs, communities, unions, and non-profit organizations. Many of these groups exist for educational or charitable purposes. |

+|Private IP addresses | Sites that are private IP addresses as defined in RFC 1918, that is, hosts that don't require access to hosts in other enterprises (or require limited access) and whose IP address might be ambiguous between enterprises but are well-defined within a certain enterprise. |

+|Translators | Sites that translate Web pages or phrases from one language to another. These sites bypass the proxy server, presenting the risk that unauthorized content might be accessed, similar to using an anonymizer. |

+|Cults | Sites relating to nontraditional religious practice typically known as "cults," that is, considered to be false, unorthodox, extremist, or coercive, with members often living under the direction of a charismatic leader. |

+|General | Sites that don't clearly fall into other categories, for example, blank web pages. |

+|Uncategorized |Sites that haven't been categorized, such as new websites, personal sites, and so on. |

+- To learn why devices should always use the Device Provisioning Service to connect to IoT Central, see [Device implementation and best practices for IoT central](concepts-device-implementation.md).

+- To learn how to monitor the status of a device, see [Monitor your devices](howto-manage-devices-individually.md#monitor-your-devices).

+> [!NOTE]

+> If you're using a managed identity to authorize the connection to an export destination, IoT Central doesn't export data from simulated devices.

+kubectl get memberclusters

+kubectl get crd memberclusters.fleet.azure.com -o yaml

+> If you have configured any of your load tests with secrets or certificates from Azure Key Vault, make sure to [grant the new resource access to the Key Vault](./how-to-parameterize-load-tests.md#grant-access-to-your-azure-key-vault).

+You can use Azure Key Vault to pass secret values to your test script in Azure Load Testing. You add a reference to the secret in the Azure Load Testing configuration. Azure Load Testing then uses this reference to retrieve the secret value in the Apache JMeter script.

+You also need to grant Azure Load Testing access to your Azure key vault to retrieve the secret value.

+#### Create a secret in Azure Key Vault

+1. Retrieve the key vault **secret identifier** for your secret. You use this secret identifier to configure your load test.

+#### Add the secret to your load test

+ :::image type="content" source="media/how-to-parameterize-load-tests/key-vault-reference-identity.png" alt-text="Screenshot that shows how to select key vault reference identity.":::

+#### Grant access to your Azure key vault

+Now that you've added a secret in Azure Key Vault, configured a secret for your load test, you can now move to [Use secrets in Apache JMeter](#jmeter_secrets).

+### <a name="cicd_secrets"></a> Use the CI/CD secret store to save load test secrets

+To use secrets in the CI/CD secret store and pass them to your load test in CI/CD:

+Next, you update the Apache JMeter script to use the secret that you specified earlier.

+ The `System.getenv("<my-variable-name>")` function takes the environment variable name as an argument. You use this same name when you configure the load test.

+No. The Azure Load Testing service doesn't store the values of secrets. When you use a key vault secret URI, the service stores only the secret URI, and it fetches the value of the secret for each test run. If you provide the value of secrets in a CI/CD workflow, the secret values aren't available after the test run. You provide these values for each test run.

+If a parameter exists in both the YAML configuration file and the Azure Load Testing action or Azure Pipelines task, the value from the CI/CD workflow is used for the test run.

+The values of the parameters aren't stored when they're passed from the CI/CD workflow. You have to provide the parameter values again when you run the test from the Azure portal. You get a prompt to enter the missing values. For secret values, you enter the key vault secret URI. The values that you enter at the test run or rerun page are valid only for that test run. For making changes at the test level, go to **Configure Test** and enter your parameter values.

+Follow the steps in [Import a certificate](/azure/key-vault/certificates/tutorial-import-certificate) to store your certificate in Azure Key Vault.

+> [!IMPORTANT]

+> Azure Load Testing only supports PKCS12 certificates. Upload the client certificate in PFX file format.

+### Grant access to your Azure key vault

+ Title: Use managed identities for Azure Load Testing

+description: Learn how to enable a managed identity for Azure Load Testing. You can use managed identities for reading secrets or certificates from Azure Key Vault in your JMeter test script.

+This article shows how to create a managed identity for Azure Load Testing. You can use a managed identity to securely access other Azure resources. For example, you use a managed identity to read secrets or certificates from Azure Key Vault in your load test.

+1. In the **System assigned** tab, switch **Status** to **On**, and then select **Save**.

+1. After this operation completes, the page shows the **Object ID** of the managed identity, and lets you assign permissions to it.

+# [Azure CLI](#tab/cli)

+Run the `az load update` command with `--identity-type SystemAssigned` to add a system-assigned identity to your load testing resource:

+```azurecli-interactive

+az load update --name <load-testing-resource-name> --resource-group <group-name> --identity-type SystemAssigned

+```

+# [Azure CLI](#tab/cli)

+1. Create a user-assigned identity.

+ ```azurecli-interactive

+ az identity create --resource-group <group-name> --name <identity-name>

+ ```

+1. Run the `az load update` command with `--identity-type UserAssigned` to add a user-assigned identity to your load testing resource:

+ ```azurecli-interactive

+ az load update --name <load-testing-resource-name> --resource-group <group-name> --identity-type UserAssigned --user-assigned <identity-id>

+ ```

+## Configure target resource

+You might need to configure the target resource to allow access from your load testing resource. For example, if you [read a secret or certificate from Azure Key Vault](./how-to-parameterize-load-tests.md), or if you [use customer-managed keys for encryption](./how-to-configure-customer-managed-keys.md), you must also add an access policy that includes the managed identity of your resource. Otherwise, your calls to Azure Key Vault are rejected, even if you use a valid token.

+## Related content

+* [Use secrets or certificates in your load test](./how-to-parameterize-load-tests.md)

+* [Configure customer-managed keys for encryption](how-to-configure-customer-managed-keys.md)

+When you use a JMeter plugin in your test script, the plugin needs to be uploaded onto the test engine instances in Azure Load Testing. You have two options for using JMeter plugins with Azure Load Testing:

+- **Plugins from https://jmeter-plugins.org**. Azure Load Testing automatically preinstalls plugins from https://jmeter-plugins.org.

+- **Other plugins**. When you create the load test, you need to add the JMeter plugin Java archive (JAR) file to your load test configuration. Azure Load Testing uploads the plugin JAR file onto the test engine instances when the load test starts.

+> [!NOTE]

+> If you use your own plugin code, we recommend that you build the executable JAR using Java 17.

+## Reference the JMeter plugin in your test script

+To use a JMeter plugin in your load test, you have to author the JMX test script and reference the plugin. There are no special instructions for referencing plugins in your script when you use Azure Load Testing.

+Follow these steps to use the JMeter GUI to install and reference the plugin in your test script:

+1. Install the JMeter plugin on your local JMeter instance in either of two ways:

+ - Use the [Plugins Manager](https://jmeter-plugins.org/wiki/PluginsManager/), if the plugin is available.

+ - To use your own plugin code, copy the plugin JAR file to the `lib/ext` folder of your local JMeter installation.

+ After you install the plugin, the plugin functionality appears in the Apache JMeter user interface.

+1. You can now reference the plugin functionality in your test script.

+ The following screenshot shows an example of how to use an *Example Sampler* plugin. Depending on the type of plugin, you might have different options in the user interface.

+ :::image type="content" source="media/how-to-use-jmeter-plugins/jmeter-add-custom-sampler.png" alt-text="Screenshot that shows how to add a custom sampler to a test plan by using the JMeter user interface.":::

+> You can also reference the JMeter plugin directly by editing the JMX file. In this case you don't have to install the plugin locally.

+## Create a load test that uses JMeter plugins

+If you only reference plugins from https://jmeter-plugins.org, you can [create a load test by uploading your JMX test script](./how-to-create-and-run-load-test-with-jmeter-script.md). Azure Load Testing preinstalls the plugin JAR files onto the test engine instances.

+If you use your own plugins in your test script, you have to add the plugin JAR file to your load test configuration. Azure Load Testing then installs your plugin on the load test engines when the test starts.

+You can add a plugin JAR file when you create a new load test, or anytime when you update an existing test.

+# [GitHub Actions / Azure Pipelines](#tab/github+pipelines)

+* [Enable idle shutdown](how-to-create-compute-instance.md#configure-idle-shutdown) to save on cost when the VM has been idle for a specified time period.

+* Or [set up a schedule](how-to-create-compute-instance.md#schedule-automatic-start-and-stop) to automatically start and stop the compute instance to save cost when you aren't planning to use it.

+On the option to retrieve the token via REST API, see [Invoke the endpoint to score data with your model](how-to-deploy-with-rest.md#invoke-the-endpoint-to-score-data-with-your-model).

+| Application Insights | You | Create Application Insights for the workspace in both regions. To adjust the data-retention period and details, see [Data collection, retention, and storage in Application Insights](/previous-versions/azure/azure-monitor/app/data-retention-privacy#how-long-is-the-data-kept). |

+Use the following sections to keep your MySQL databases running smoothly and use this information as guiding principles for ensuring that the schemas are designed optimally and provide the best performance for your applications.

+In a busy database environment, you might observe high I/O usage, which can be an indicator of poor data access patterns. Unused indexes can have a negative impact on performance as they consume disk space and cache, and slow down write operations (INSERT / DELETE / UPDATE). Unused indexes unnecessarily consume more storage space and increase the backup size.

+Before you remove any index, be sure to gather enough information to verify that it's no longer in use. This verification can help you avoid inadvertently removing an index that is critical for a query that runs only quarterly or annually. Also, be sure to consider whether an index is used to enforce uniqueness or ordering.

+## List the busiest indexes on the server

+The output from the following query provides information about the most used indexes across all tables and schemas on the database server. This information is helpful in identifying the ratio of writes to reads against each index and the latency numbers for reads as well as individual write operations, which can indicate that further tuning is required against the underlying table and dependent queries.

+```

+SELECT

+object_schema AS table_schema,

+object_name AS table_name,

+index_name, count_star AS all_accesses,

+count_read,

+count_write,

+Concat(Truncate(count_read / count_star * 100, 0), ':',

+Truncate(count_write / count_star * 100, 0)) AS read_write_ratio,

+ count_fetch AS rows_selected ,

+ count_insert AS rows_inserted,

+ count_update AS rows_updated,

+ count_delete AS rows_deleted,

+ Concat(Round(sum_timer_wait / 1000000000000, 2), ' s') AS total_latency ,

+ Concat(Round(sum_timer_fetch / 1000000000000, 2), ' s') AS select_latency,

+ Concat(Round(sum_timer_insert / 1000000000000, 2), ' s') AS insert_latency,

+Concat(Round(sum_timer_update / 1000000000000, 2), ' s') AS update_latency,

+ Concat(Round(sum_timer_delete / 1000000000000, 2), ' s') AS delete_latency

+FROM performance_schema.table_io_waits_summary_by_index_usage

+WHERE index_name IS NOT NULL AND count_star > 0

+ORDER BY sum_timer_wait DESC

+```

+Azure Database for MySQL uses the InnoDB storage engine for all nontemporary tables. With InnoDB, data is stored within a clustered index using a B-Tree structure. The table is physically organized based on primary key values, which means that rows are stored in the primary key order.

+If a key is derived from actual data (e.g., username, email, SSN, etc.), itΓÇÖs called a *natural key*. If a key is artificial and not derived from data (e.g., an autoincremented integer), itΓÇÖs referred to as a *synthetic key* or *surrogate key*.

+ItΓÇÖs generally recommended to avoid using natural primary keys. These keys are often very wide and contain long values from one or multiple columns. This in turn can introduce severe storage overhead with the primary key value being copied into each secondary key entry. Moreover, natural keys donΓÇÖt usually follow a predetermined order, which dramatically reduces performance and provokes page fragmentation when rows are inserted or updated. To avoid these issues, use monotonically increasing surrogate keys instead of natural keys. An autoincrement (big)integer column is a good example of a monotonically increasing surrogate key. If you require a certain combination of columns, be unique, declare those columns as a unique secondary key.

+During the initial stages of building an application, you might not think ahead to imagine a time when your table begins to approach having two billion rows. As a result, you might opt to use a signed 4-byte integer for the data type of an ID (primary key) column. Be sure to check all table primary keys and switch to use 8-byte integer (BIGINT) columns to accommodate the potential for a high volume or growth.

+The previous section explains how indexes in MySQL are organized as B-Trees and in a clustered index, the leaf nodes contain the data pages of the underlying table. Secondary indexes have the same B-tree structure as clustered indexes, and you can define them on a table or view with a clustered index or a heap. Each index row in the secondary index contains the nonclustered key value and a row locator. This locator points to the data row in the clustered index or heap having the key value. As a result, any lookup involving a secondary index must navigate starting from the root node through the branch nodes to the correct leaf node to take the primary key value. The System then executes a random IO read on the primary key index (once again navigating from the root node through the branch nodes to the correct leaf node) to get the data row.

+However, if you added an index that covers the column in the where clause, along with the projected columns you would see that the index is being used to locate the columns much more quickly and efficiently.

+For example, consider a sudden surge in connections that initiates surge of database queries that cause CPU utilization to shoot up.

+When necessary, it might be required to terminate a query, such as a reporting or HTAP query that has caused your production workload CPU usage to spike. However, always consider the potential consequences of terminating a query before taking the action in an attempt to reduce CPU utilization. Other times if there are any long running queries identified that are leading to CPU spikes, tune these queries so the resources are optimally utilized.

+The following example query that combines process list information with some of the important pieces of InnoDB transaction metadata:

+The following example shows the output from this query below:

+## Listing open transactions

+The output from the following query provides a list of all the transactions currently running against the database server in order of transaction start time so that you can easily identify if there are any long running and blocking transactions exceeding their expected runtime.

+```

+SELECT trx_id, trx_mysql_thread_id, trx_state, Unix_timestamp() - ( To_seconds(trx_started) - To_seconds('1970-01-01 00:00:00') ) AS trx_age_seconds, trx_weight, trx_query, trx_tables_in_use, trx_tables_locked, trx_lock_structs, trx_rows_locked, trx_rows_modified, trx_isolation_level, trx_unique_checks, trx_is_read_only FROM information_schema.innodb_trx ORDER BY trx_started ASC;

+```

+This state indicates that the thread is waiting for a second lock. In most cases, it might be a metadata lock. You should review all other threads and see who is taking the lock.

+ItΓÇÖs important to understand the underlying wait events in MySQL engine, because long waits or a large number of waits in a database can lead to increased CPU utilization. The following example shows the appropriate command and sample output.

+* Ensure that your database has enough resources allocated to run your queries. At times, you might need to scale up the instance size to get more CPU cores to accommodate your workload.

+After youΓÇÖve identified a specific slow running query, you can use the EXPLAIN command and profiling to gather more detail.

+## Listing the 10 most expensive queries by total execution time

+The output from the following query provides information about the top 10 queries running against the database server and their number of executions on the database server. It also provides other useful information such as the query latencies, their lock times, the number of temp tables created as part of query runtime, etc. Use this query output to keep track of the top queries on the database and changes to factors such as latencies, which might indicate a chance to fine tune the query further to help avoid any future risks.

+```

+SELECT REPLACE(event_name, 'statement/sql/', '') AS statement,

+ count_star AS all_occurrences ,

+ Concat(Round(sum_timer_wait / 1000000000000, 2), ' s') AS total_latency,

+ Concat(Round(avg_timer_wait / 1000000000000, 2), ' s') AS avg_latency,

+ Concat(Round(sum_lock_time / 1000000000000, 2), ' s') AS total_lock_time ,

+ sum_rows_affected AS sum_rows_changed,

+ sum_rows_sent AS sum_rows_selected,

+ sum_rows_examined AS sum_rows_scanned,

+ sum_created_tmp_tables, sum_created_tmp_disk_tables,

+ IF(sum_created_tmp_tables = 0, 0, Concat( Truncate(sum_created_tmp_disk_tables /

+ sum_created_tmp_tables * 100, 0))) AS

+ tmp_disk_tables_percent,

+ sum_select_scan,

+ sum_no_index_used,

+ sum_no_good_index_used

+FROM performance_schema.events_statements_summary_global_by_event_name

+WHERE event_name LIKE 'statement/sql/%'

+ AND count_star > 0

+ORDER BY sum_timer_wait DESC

+LIMIT 10;

+```

+| Between ~10,000 and ~1,000,000 | These values indicate a minor lag in garbage collection. Such values might be acceptable if they remain steady and don't increase. |

+| Greater than ~1,000,000 | These values should be investigated and might require corrective actions |

+* Ensure that your database has enough resources allocated to run your queries. At times, you might need to scale up the instance size to get more CPU cores and additional memory to accommodate your workload.

+TCP keepalives can be used to provide a pattern of refreshing long idle connections and endpoint liveness detection. For more information, see these [.NET examples](/dotnet/api/system.net.servicepoint.settcpkeepalive). TCP keepalives appear as duplicate ACKs to the endpoints, are low overhead, and invisible to the application layer.

+> [!NOTE]

+> To enable the Kubernetes `LoadBalancer` service to have a dual-stack address, make sure that the IP pool configuration includes both IPv4 and IPv6 CIDR/addresses.

+ Title: Azure Orbital Ground Stations - About Microsoft and partner ground stations

+description: Provides specs on Microsoft ground stations and outlines partner ground station network.

+#Customer intent: As a satellite operator or user, I want to learn about Microsoft and partner ground stations.

+# About Microsoft and partner ground stations

+## Microsoft ground stations

+Microsoft owns and operates five ground stations around the world.

+Our antennas are 6.1 meters in diameter and support X-band and S-band.

+### X-bank

+| Downlink Frequencies (MHz) | G/T (dB/K) |

+|-||

+| 8000-8400 | 30.0 |

+### S-band

+| Uplink Frequencies (MHz) | EIRP (dBW) | Downlink Frequencies (MHz) | G/T (dB/K) |

+|--||-||

+| 2025-2120 | 52.0 | 2200-2300 | 15.0 |

+## Partner ground stations

+Azure Orbital Ground Station offers a common data plane and API to access all antenna in the global network. An active contract with the partner network(s) you wish to integrate with Azure Orbital Ground Station is required to onboard with a partner.

+ Title: Azure Orbital Ground Station - contact profile

+description: Learn more about the contact profile resource, including how to create, modify, and delete the profile.

+#Customer intent: As a satellite operator or user, I want to understand how to use the contact profile so that I can take passes using Azure Orbital Ground Station.

+The contact profile resource stores pass requirements such as links and endpoint details. Use this resource along with the spacecraft resource during contact scheduling to view and schedule available passes.

+You can create many contact profiles to represent different types of passes depending on your mission operations. For example, you can create a contact profile for a command and control pass or a contact profile for a downlink-only pass.

+These resources are mutable and do not undergo an authorization process like the spacecraft resources do. One contact profile can be used with many spacecraft resources.

+See [how to configure a contact profile](contact-profile.md) for a full list of parameters.

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+Specify a minimum pass time to ensure passes are a certain duration. Specify a minimum elevation to ensure passes are above a certain elevation.

+The minimum pass time and minimum elevation parameters are used by Azure Orbital Ground Station during the contact scheduling. Avoid changing these on a pass-by-pass basis and instead create multiple contact profiles if you require flexibility.

+You can modify or delete the contact profile via the [Azure portal](https://aka.ms/orbital/portal) or [Azure Orbital Ground Station API](/rest/api/orbital/).

+## Configuring a contact profile for third party ground stations

+When you onboard a third party network, you will receive a token that identifies your profile. Use this token in the contact profile resource to link a contact profile to the third party network.

+ Title: Azure Orbital Ground Station - Mission Phases

+description: Points users to relevant resources depending on the phase of their mission.

+#Customer intent: As a satellite operator or user, I want to know how to use AOGS at each phase in my satellite mission.

+# Mission Phases

+Azure Orbital Ground Station provides easy and secure access to communication products and services required to support all phases of satellite missions.

+## Pre-launch

+- Initiate ground station licensing ahead of launch to ensure you can communicate with your spacecraft.

+- [Create and authorize a spacecraft](register-spacecraft.md) resource for your satellite.

+- [Configure a contact profile](contact-profile.md) with links and channels.

+- [Prepare your network](prepare-network.md) to send and receive data between the spacecraft and Azure Orbital Ground Station.

+- [Add a modem configuration file](modem-chain.md) to the contact profile.

+- Prepare for launch with RF compatibility testing and enrollment in Launch Window Scheduling (in preview).

+## Launch and nominal operations

+- Keep the [spacecraft TLE](update-tle.md) up to date.

+- [Receive real-time telemetry](receive-real-time-telemetry.md) from the contact.

+- [Use sample queries](resource-graph-samples.md) for Azure Resource Graph.

+ Title: Azure Orbital Ground Station - schedule a contact

+# Customer intent: As a satellite operator, I want to schedule a contact to ingest data from my satellite into Azure.

+## Cancel a contact

+To cancel a scheduled contact, you must delete the contact resource. Learn more at [contact resource](concepts-contact.md).

+ Title: Spacecraft resource - Azure Orbital Ground Station

+description: Learn about how you can represent your spacecraft details in Azure Orbital Ground Station.

+#Customer intent: As a satellite operator or user, I want to understand what the spacecraft resource does so I can manage my mission.

+# Spacecraft resource

+The spacecraft resource captures three types of information:

+- **Licensing** - Authorizations are held on a per-link, per-site basis.

+Make sure to capture each link that you wish to use with Azure Orbital Ground Station when you create the spacecraft resource. The following details are required:

+In order to uphold regulatory requirements across the world, the spacecraft resource contains authorizations for specific links and sites that permit usage of the Azure Orbital Ground Station sites.

+The platform will deny scheduling or execution of contacts if the spacecraft resource links aren't authorized. The platform will also deny contact if a profile contains links that aren't included in the spacecraft resource authorized links.

+## Managing spacecraft resources

+Spacecraft resources can be created and deleted via the Portal and Azure Orbital Ground Station APIs. Once the resource is created, modification to the resource is dependent on the authorization status.

+When the spacecraft is unauthorized, then the spacecraft resource can be modified. The API is the best way to make changes to the spacecraft resource as the Portal only allows TLE updates.

+You can delete the spacecraft resource via the Azure portal or the Azure Orbital Ground Station API. You must first delete all scheduled contacts associated with that spacecraft resource. See [contact resource](concepts-contact.md) for more information.

+| Service Bus | Yes | Yes | - |

+## Additional resource

+* [A blog post that describes techniques for reordering messages that arrive out of order](https://particular.net/blog/you-dont-need-ordered-delivery)

+# Integrate Azure Cosmos DB for Cassandra with Service Connector

+## Default environment variable names or application properties and Sample code

+Reference the connection details and sample code in the following tables, according to your connection's authentication type and client type, to connect your compute services to Azure Cosmos DB for Apache Cassandra. **Please go to beginning of the documentation to choose authentication type.**

+### Connect with System-assigned Managed Identity

+#### Sample code

+Refer to the steps and code below to connect to Azure Cosmos DB for Cassandra using a system-assigned managed identity.

+### Connect with User-assigned Managed Identity

+#### Sample code

+Refer to the steps and code below to connect to Azure Cosmos DB for Cassandra using a user-assigned managed identity.

+### Connect with Connection String

+#### SpringBoot client type

+| Default environment variable name | Description | Example value |

+|-|--|--|

+| spring.data.cassandra.contact-points | Azure Cosmos DB for Apache Cassandra contact point | `<Azure-Cosmos-DB-account>.cassandra.cosmos.azure.com` |

+| spring.data.cassandra.port | Cassandra connection port | 10350 |

+| spring.data.cassandra.keyspace-name | Cassandra keyspace | `<keyspace>` |

+| spring.data.cassandra.username | Cassandra username | `<username>` |

+| spring.data.cassandra.password | Cassandra password | `<password>` |

+| spring.data.cassandra.local-datacenter | Azure Region | `<Azure-region>` |

+| spring.data.cassandra.ssl | SSL status | true |

+#### Other client types

+| Default environment variable name | Description | Example value |

+|--|--||

+| AZURE_COSMOS_CONTACTPOINT | Azure Cosmos DB for Apache Cassandra contact point | `<Azure-Cosmos-DB-account>.cassandra.cosmos.azure.com` |

+| AZURE_COSMOS_PORT | Cassandra connection port | 10350 |

+| AZURE_COSMOS_KEYSPACE | Cassandra keyspace | `<keyspace>` |

+| AZURE_COSMOS_USERNAME | Cassandra username | `<username>` |

+| AZURE_COSMOS_PASSWORD | Cassandra password | `<password>` |

+#### Sample code

+Refer to the steps and code below to connect to Azure Cosmos DB for Cassandra using a connection string.

+#### Sample code

+Refer to the steps and code below to connect to Azure Cosmos DB for Cassandra using a service principal.

+This page shows the supported authentication types, client types and sample code of Azure Database for MySQL - Flexible Server using Service Connector. This page also shows default environment variable names and values (or Spring Boot configuration) you get when you create the service connection. Also detail steps with sample code about how to make connection to the database. You can learn more about [Service Connector environment variable naming convention](concept-service-connector-internals.md).

+## Default environment variable names or application properties and Sample code

+Reference the connection details and sample code in following tables, according to your connection's authentication type and client type, to connect compute services to Azure Database for MySQL.

+#### Sample code

+Refer to the steps and code below to connect to Azure Database for MySQL.

+#### Sample code

+Refer to the steps and code below to connect to Azure Database for MySQL.

+#### Sample code

+Refer to the steps and code below to connect to Azure Database for MySQL.

+#### Sample code

+Refer to the steps and code below to connect to Azure Database for MySQL.

+## Default environment variable names or application properties and Sample code

+Reference the connection details and sample code in the following tables, according to your connection's authentication type and client type, to connect compute services to Azure Database for PostgreSQL.

+### Sample code

+Refer to the steps and code below to connect to Azure Database for PostgreSQL.

+### Sample code

+Refer to the steps and code below to connect to Azure Database for PostgreSQL.

+### Sample code

+Refer to the steps and code below to connect to Azure Database for PostgreSQL.

+### Sample code

+Refer to the steps and code below to connect to Azure Database for PostgreSQL.

+This page shows the supported authentication types, client types and sample code of Azure Blob Storage using Service Connector. This page also shows default environment variable names and values (or Spring Boot configuration) you get when you create the service connection. Also detail steps with sample code about how to make connection to the blob storage. You can learn more about [Service Connector environment variable naming convention](concept-service-connector-internals.md).

+## Default environment variable names or application properties and sample code

+Reference the connection details and sample code in the following tables, according to your connection's authentication type and client type, to connect compute services to Azure Blob Storage.

+For default environment variables and sample code of other authentication type, please choose from beginning of the documentation.

+#### Sample code

+Refer to the steps and code below to connect to Azure Blob Storage using a system-assigned managed identity.

+For default environment variables and sample code of other authentication type, please choose from beginning of the documentation.

+#### Sample code

+Refer to the steps and code below to connect to Azure Blob Storage using a user-assigned managed identity.

+For default environment variables and sample code of other authentication type, please choose from beginning of the documentation.

+#### Sample code

+Refer to the steps and code below to connect to Azure Blob Storage using a connection string.

+For default environment variables and sample code of other authentication type, please choose from beginning of the documentation.

+#### Sample code

+Refer to the steps and code below to connect to Azure Blob Storage using a service principal.

+ Title: Use Application Gateway in a Service Fabric managed cluster

+description: This article describes how to use Application Gateway in a Service Fabric managed cluster.

+# Use Azure Application Gateway in a Service Fabric managed cluster

+[Azure Application Gateway](../application-gateway/overview.md) is a web traffic load balancer that enables you to manage traffic to your web applications. There are [several benefits to using Application Gateway](https://azure.microsoft.com/products/application-gateway/#overview). Service Fabric managed cluster supports Azure Application Gateway and allows you to connect your node types to an Application Gateway. You can [create an Azure Application Gateway](../application-gateway/quick-create-portal.md) and pass the resource ID to the service fabric managed cluster ARM template.

+## How to use Application Gateway in a Service Fabric managed cluster

+### Requirements

+ Use Service Fabric API version 2022-08-01-Preview (or newer).

+### Steps

+The following section describes the steps that should be taken to use Azure Application Gateway in a Service Fabric managed cluster:

+1. Follow the steps in the [Quickstart: Direct web traffic using the portal - Azure Application Gateway](../application-gateway/quick-create-portal.md). Note the resource ID for use in a later step.

+2. Link your Application Gateway to the node type of your Service Fabric managed cluster. To do this, you must grant SFMC permission to join the application gateway. This permission is granted by assigning SFMC the ΓÇ£Network ContributorΓÇ¥ role on the application gateway resource as described in steps below:

+ A. Get the service `Id` from your subscription for Service Fabric Resource Provider application.

+ ```powershell

+ Login-AzAccount

+ Select-AzSubscription -SubscriptionId <SubId>

+ Get-AzADServicePrincipal -DisplayName "Azure Service Fabric Resource Provider"

+ ```

+ > [!NOTE]

+ > Make sure you are in the correct subscription, the principal ID will change if the subscription is in a different tenant.

+ ```powershell

+ ServicePrincipalNames : {74cb6831-0dbb-4be1-8206-fd4df301cdc2}

+ ApplicationId : 74cb6831-0dbb-4be1-8206-fd4df301cdc2

+ ObjectType : ServicePrincipal

+ DisplayName : Azure Service Fabric Resource Provider

+ Id : 00000000-0000-0000-0000-000000000000

+ ```

+ Note the **Id** of the previous output as **principalId** for use in a later step

+ |Role definition name|Role definition ID|

+ |-|-|

+ |Network Contributor|4d97b98b-1d4f-4787-a291-c67834d212e7|

+ Note the `Role definition name` and `Role definition ID` property values for use in a later step

+ B. The [sample ARM deployment template](https://github.com/Azure-Samples/service-fabric-cluster-templates/tree/master/SF-Managed-Standard-SKU-1-NT-DDoSNwProtection) adds a role assignment to the application gateway with contributor access. For more information on Azure roles, see [Azure built-in roles - Azure RBAC](../role-based-access-control/built-in-roles.md#all). This role assignment is defined in the resources section of template with PrincipalId and a role definition ID determined from the first step.

+ ```json

+ "variables": {

+ "sfApiVersion": "2022-08-01-preview",

+ "networkApiVersion": "2020-08-01",

+ "clusterResourceId": "[resourceId('Microsoft.ServiceFabric/managedclusters', parameters('clusterName'))]",

+ "rgRoleAssignmentId": "[guid(resourceGroup().id, 'SFRP-NetworkContributor')]",

+ "auxSubnetName": "AppGateway",

+ "auxSubnetNsgName": "AppGatewayNsg",

+ "auxSubnetNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('auxSubnetNsgName'))]",

+ "frontendIPName": "[concat(parameters('clusterName'), '-AppGW-IP')]",

+ "appGatewayName": "[concat(parameters('clusterName'), '-AppGW')]",

+ "appGatewayDnsName": "[concat(parameters('clusterName'), '-appgw')]",

+ "appGatewayResourceId": "[resourceId('Microsoft.Network/applicationGateways', variables('appGatewayName'))]",

+ "appGatewayFrontendPort": 80,

+ "appGatewayBackendPort": 8000,

+ "appGatewayBackendPool": "AppGatewayBackendPool",

+ "frontendConfigAppGateway": [

+ {

+ "applicationGatewayBackendAddressPoolId": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('appGatewayName'), variables('appGatewayBackendPool'))]"

+ }

+ ],

+ "primaryNTFrontendConfig": "[if(parameters('enableAppGateway'), variables('frontendConfigAppGateway'), createArray())]",

+ "secondaryNTFrontendConfig": "[if(parameters('enableAppGateway'), variables('frontendConfigAppGateway'), createArray())]"

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Authorization/roleAssignments",

+ "apiVersion": "2020-04-01-preview",

+ "name": "[variables('rgRoleAssignmentId')]",

+ "properties": {

+ "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7')]",

+ "principalId": "[parameters('sfrpPrincipalId')]"

+ }

+ },

+ ```

+ or you can also add role assignment via PowerShell using PrincipalId determined from the first step and role definition name as "Contributor" where applicable.

+ ```powershell

+ New-AzRoleAssignment -PrincipalId "sfrpPrincipalId" `

+ -RoleDefinitionId "4d97b98b-1d4f-4787-a291-c67834d212e7" `

+ -ResourceName <resourceName> `

+ -ResourceType <resourceType> `

+ -ResourceGroupName <resourceGroupName>

+ ```

+4. Use a [sample ARM deployment template](https://github.com/Azure-Samples/service-fabric-cluster-templates/tree/master/SF-Managed-Standard-SKU-1-NT-DDoSNwProtection) that assigns roles and adds application gateway configuration as part of the service fabric managed cluster creation. Update the template with `principalId`, `appGatewayName`, and `appGatewayBackendPoolId` obtained above.

+5. You can also modify your existing ARM template and add new property `appGatewayBackendPoolId` under Microsoft.ServiceFabric/managedClusters resource that takes the resource ID of the application gateway.

+ #### ARM template:

+

+ ```JSON

+ "frontendConfigurations": [

+ {

+ "applicationGatewayBackendAddressPoolId": "<appGatewayBackendPoolId>"

+ }

+ ]

+ ```

+ B. The [sample ARM deployment template](https://github.com/Azure-Samples/service-fabric-cluster-templates/tree/master/SF-Managed-Standard-SKU-1-NT-DDoSNwProtection) adds a role assignment to the DDoS Protection Plan with contributor access. For more information on Azure roles, see [Azure built-in roles - Azure RBAC](../role-based-access-control/built-in-roles.md#all). This role assignment is defined in the resources section of template with PrincipalId and a role definition ID determined from the first step.

+* [Azure Cosmos DB for Cassandra](../service-connector/how-to-integrate-cosmos-cassandra.md?tabs=spring-apps#default-environment-variable-names-or-application-properties-and-sample-code)

+For the default environment variable names, see [Integrate Azure Database for MySQL with Service Connector](../service-connector/how-to-integrate-mysql.md#default-environment-variable-names-or-application-properties-and-sample-code).

+For the default environment variable names, see [Integrate Azure Database for PostgreSQL with Service Connector](../service-connector/how-to-integrate-postgres.md#default-environment-variable-names-or-application-properties-and-sample-code).

+You can find the default environment variable names in this doc: [Integrate Azure Database for PostgreSQL with Service Connector](../service-connector/how-to-integrate-postgres.md#default-environment-variable-names-or-application-properties-and-sample-code)

+The recommended location for the _staticwebapp.config.json_ is in the folder set as the `app_location` in the [workflow file](./build-configuration.md). However, the file may be placed in any subfolder within the folder set as the `app_location`. Additionally, if there is a build step, you must ensure that the build step outputs the file to the root of the output_location.

+### Bulk tiering

+To move blobs to another tier in a container or a folder, enumerate blobs and call the Set Blob Tier operation on each one. The following example shows how to perform this operation:

+#### [Portal](#tab/azure-portal)

+N/A

+#### [PowerShell](#tab/azure-powershell)

+```azurepowershell

+# Initialize these variables with your values.

+ $rgName = "<resource-group>"

+ $accountName = "<storage-account>"

+ $containerName = "<container>"

+ $folderName = "<folder>/"

+ $ctx = (Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName).Context

+ $blobCount = 0

+ $Token = $Null

+ $MaxReturn = 5000

+ do {

+ $Blobs = Get-AzStorageBlob -Context $ctx -Container $containerName -Prefix $folderName -MaxCount $MaxReturn -ContinuationToken $Token

+ if($Blobs -eq $Null) { break }

+ #Set-StrictMode will cause Get-AzureStorageBlob returns result in different data types when there is only one blob

+ if($Blobs.GetType().Name -eq "AzureStorageBlob")

+ {

+ $Token = $Null

+ }

+ else

+ {

+ $Token = $Blobs[$Blobs.Count - 1].ContinuationToken;

+ }

+ $Blobs | ForEach-Object {

+ if($_.BlobType -eq "BlockBlob") {

+ $_.BlobClient.SetAccessTier("Cold", $null)

+ }

+ }

+ }

+ While ($Token -ne $Null)

+

+```

+#### [Azure CLI](#tab/azure-cli)

+```azurecli

+az storage blob list --account-name $accountName --account-key $key \

+ --container-name $containerName --prefix $folderName \

+ --query "[?properties.blobTier == 'Cool'].name" --output tsv \

+ | xargs -I {} -P 10 \

+ az storage blob set-tier --account-name $accountName --account-key $key \

+ --container-name $containerName --tier Cold --name "{}"

+```

+#### [AzCopy](#tab/azcopy)

+N/A

+When moving a large number of blobs to another tier, use a batch operation for optimal performance. A batch operation sends multiple API calls to the service with a single request. The suboperations supported by the [Blob Batch](/rest/api/storageservices/blob-batch) operation include [Delete Blob](/rest/api/storageservices/delete-blob) and [Set Blob Tier](/rest/api/storageservices/set-blob-tier).

+> [!NOTE]

+> The [Set Blob Tier](/rest/api/storageservices/set-blob-tier) suboperation of the [Blob Batch](/rest/api/storageservices/blob-batch) operation is not yet supported in accounts that have a hierarchical namespace.

+To change access tier of blobs with a batch operation, use one of the Azure Storage client libraries. The following code example shows how to perform a basic batch operation with the .NET client library:

+For an in-depth sample application that shows how to change tiers with a batch operation, see [AzBulkSetBlobTier](/samples/azure/azbulksetblobtier/azbulksetblobtier/).

+# Optimize the performance of your Elastic SAN Preview

+ Title: Create an Azure Elastic SAN Preview

+description: Learn how to deploy an Azure Elastic SAN Preview with the Azure portal, Azure PowerShell module, or Azure CLI.

+# Deploy an Elastic SAN Preview

+ Title: Azure Elastic SAN Preview networking concepts

+# Learn about networking configurations for Elastic SAN Preview

+# How performance works when Virtual Machines are connected to Elastic SAN Preview volumes

+# Scale targets for Elastic SAN Preview

+ Title: Use clustered applications on Azure Elastic SAN Preview

+description: Learn more about using clustered applications on an Elastic SAN Preview volume and sharing volumes between compute clients.

+# Use clustered applications on Azure Elastic SAN Preview

+Azure Files offers two industry-standard file system protocols for mounting Azure file shares: the [Server Message Block (SMB)](/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview) protocol and the [Network File System (NFS)](https://en.wikipedia.org/wiki/Network_File_System) protocol, allowing you to pick the protocol that is the best fit for your workload. Azure file shares don't support accessing an individual Azure file share with both the SMB and NFS protocols, although you can create SMB and NFS file shares within the same FileStorage storage account. Azure Files offers enterprise-grade file shares that can scale up to meet your storage needs and can be accessed concurrently by thousands of clients.

+The status of items that appear in this table might change over time as support continues to expand.

+| [Azure file share snapshots](storage-snapshots-files.md)| ✔️ (preview) |

+NFS Azure file shares are only offered on premium file shares, which store data on solid-state drives (SSD). The IOPS and throughput of NFS shares scale with the provisioned capacity. See the [provisioned model](understanding-billing.md#provisioned-model) section of the **Understanding billing** article to understand the formulas for IOPS, IO bursting, and throughput. The average IO latencies are low-single-digit-millisecond for small IO size, while average metadata latencies are high-single-digit-millisecond. Metadata heavy operations such as untar and workloads like WordPress might face additional latencies due to the high number of open and close operations.

+## Applies to

+| File share type | SMB | NFS |

+|-|:-:|:-:|

+| Standard file shares (GPv2), LRS/ZRS |  |  |

+| Standard file shares (GPv2), GRS/GZRS |  |  |

+| Premium file shares (FileStorage), LRS/ZRS |  |  |

+<YourStorageAccountName>.file.core.windows.net:/<YourStorageAccountName>/<FileShareName> /media/<YourStorageAccountName>/<FileShareName> nfs vers=4,minorversion=1,sec=sys 0 0

+## NFS file share snapshots (preview)

+Customers using NFS Azure file shares can now create, list, and delete NFS Azure file share snapshots. This capability allows users to roll back entire file systems or recover files that were accidentally deleted or corrupted.

+> [!IMPORTANT]

+> You should mount your file share before creating snapshots. If you create a new NFS file share and take snapshots before mounting the share, attempting to list the snapshots for the share will return an empty list. We recommend deleting any snapshots taken before the first mount and re-creating them after you've mounted the share.

+### Limitations

+Only file management APIs (`AzRmStorageShare`) are supported for NFS Azure file shares. File data plane APIs (`AzStorageShare`) aren't supported.

+Azure Backup isn't currently supported for NFS file shares.

+AzCopy isn't currently supported for NFS file shares. To copy data from an NFS Azure file share or share snapshot, use file system copy tools such as rsync or fpsync.

+### Regional availability for NFS Azure file share snapshots

+### Create a snapshot

+You can create a snapshot of an NFS Azure file share using Azure PowerShell or Azure CLI. A share can support the creation of up to 200 share snapshots.

+# [Azure PowerShell](#tab/powershell)

+To create a snapshot of an existing file share, run the following PowerShell command. Replace `<resource-group-name>`, `<storage-account-name>`, and `<file-share-name>` with your own values.

+```azurepowershell

+New-AzRmStorageShare -ResourceGroupName "<resource-group-name>" -StorageAccountName "<storage-account-name>" -Name "<file-share-name>" -Snapshot

+```

+# [Azure CLI](#tab/cli)

+To create a snapshot of an existing file share, run the following Azure CLI command. Replace `<file-share-name>` and `<storage-account-name>` with your own values.

+```azurecli

+az storage share snapshot --name <file-share-name> --account-name <storage-account-name>

+```

+### List file shares and snapshots

+You can list all file shares in a storage account, including the share snapshots, using Azure PowerShell or Azure CLI.

+# [Azure PowerShell](#tab/powershell)

+To list all file shares and snapshots in a storage account, run the following PowerShell command. Replace `<resource-group-name>` and `<storage-account-name>` with your own values.

+```azurepowershell

+Get-AzRmStorageShare -ResourceGroupName "<resource-group-name>" -StorageAccountName "<storage-account-name>" -IncludeSnapshot

+```

+# [Azure CLI](#tab/cli)

+To list all file shares and snapshots in a storage account, run the following Azure CLI command. Replace `<storage-account-name>` with your own value.

+```azurecli

+az storage share list --account-name <storage-account-name> --include-snapshots

+```

+### Delete snapshots

+Existing share snapshots are never overwritten. They must be deleted explicitly. You can delete share snapshots using Azure PowerShell or Azure CLI.

+# [Azure PowerShell](#tab/powershell)

+To delete a file share snapshot, run the following PowerShell command. Replace `<resource-group-name>`, `<storage-account-name>`, and `<file-share-name>` with your own values. The `SnapshotTime` parameter must follow the correct name format, such as `2021-05-10T08:04:08Z`.

+```azurepowershell

+Remove-AzRmStorageShare -ResourceGroupName "<resource-group-name>" -StorageAccountName "<storage-account-name>" -Name "<file-share-name>" -SnapshotTime "<snapshot-time>"

+```

+To delete a file share and all its snapshots, run the following PowerShell command. Replace `<resource-group-name>`, `<storage-account-name>`, and `<file-share-name>` with your own values.

+```azurepowershell

+Remove-AzRmStorageShare "<resource-group-name>" -StorageAccountName "<storage-account-name>" -Name "<file-share-name>" -Include Snapshots

+```

+# [Azure CLI](#tab/cli)

+To delete a file share snapshot, run the following Azure CLI command. Replace `<storage-account-name>` and `<file-share-name>` with your own values. The `--snapshot` parameter must follow the correct name format, such as `2021-05-10T08:04:08Z`.

+```azurecli

+az storage share delete --account-name <storage-account-name> --name <file-share-name> --snapshot <snapshot-time>

+```

+To delete a file share and all its snapshots, run the following Azure CLI command. Replace `<storage-account-name>` and `<file-share-name>` with your own values.

+```azurecli

+az storage share delete --account-name <storage-account-name> --name <file-share-name> --delete-snapshots include

+```

+### Mount an NFS Azure file share snapshot

+To mount an NFS Azure file share snapshot to a Linux VM (NFS client) and restore files, follow these steps.

+1. Run the following command in a console. See [Mount options](#mount-options) for other recommended mount options. To improve copy performance, mount the snapshot with [nconnect](nfs-performance.md#nconnect) to use multiple TCP channels.

+

+ ```bash

+ sudo mount -o vers=4,minorversion=1,proto=tcp,sec=sys $server:/nfs4account/share /media/nfs

+ ```

+

+1. Change the directory to `/media/nfs/.snapshots` so you can view the available snapshots. The `.snapshots` directory is hidden by default, but you can access and read from it like any directory.

+

+ ```bash

+ cd /media/nfs/.snapshots

+ ```

+

+1. List the contents of the `.snapshots` folder.

+

+ ```bash

+ ls

+ ```

+

+1. Each snapshot has its own directory that serves as a recovery point. Change to the snapshot directory for which you want to restore files.

+

+ ```bash

+ cd <snapshot-name>

+ ```

+

+1. List the contents of the directory to view a list of files and directories that can be recovered.

+

+ ```bash

+ ls

+ ```

+

+1. Copy all files and directories from the snapshot to a *restore* directory to complete the restore.

+

+ ```bash

+ cp -r <snapshot-name> ../restore

+ ```

+

+The files and directories from the snapshot should now be available in the `/media/nfs/restore` directory.

+# Login to Azure using a credential that has either storage account owner or contributor Azure role

+Snapshots for NFS file shares are currently in [public preview](storage-files-how-to-mount-nfs-shares.md#nfs-file-share-snapshots-preview) with limited regional availability.

+| Premium file shares (FileStorage), LRS/ZRS |  |  |

+A share snapshot is a point-in-time, read-only copy of your data. Share snapshot capability is provided at the file share level. Retrieval is provided at the individual file level, to allow for restoring individual files. You can restore a complete file share by using SMB, NFS (preview), REST API, the Azure portal, the client library, or PowerShell/CLI.

+You can view snapshots of a share by using the REST API, SMB, or NFS (preview). You can retrieve the list of versions of the directory or file, and you can mount a specific version directly as a drive (only available on Windows - see [Limits](#limits)).

+The maximum number of share snapshots that Azure Files allows today is 200 per share. After 200 share snapshots, you must delete older share snapshots in order to create new ones. You can retain snapshots for up to 10 years.

+There's no limit to the simultaneous calls for creating share snapshots. There's no limit to the amount of space that share snapshots of a particular file share can consume.

+Taking snapshots of NFS Azure file shares is currently in [public preview](storage-files-how-to-mount-nfs-shares.md#nfs-file-share-snapshots-preview) with limited regional availability. The preview only supports management APIs (`AzRmStorageShare`), not data plane APIs (`AzStorageShare`), allowing users to create, list, and delete snapshots of NFS Azure file shares.

+Automate backups for data recovery whenever possible. Automated actions are more reliable than manual processes, helping to improve data protection and recoverability. You can use Azure file share backup (SMB file shares only), the REST API, the Client SDK, or scripting for automation.

+ Title: Nasuni configuration guide for Microsoft Azure

+description: Deployment guide for Nasuni and Azure Blob Storage

+# Nasuni Configuration Guide for Microsoft Azure

+Nasuni® enables organizations to store, protect, synchronize, and collaborate on unstructured file data across all locations. Built for the cloud and powered by UniFS, the world’s only global file system, the Nasuni File Data Platform couples the performance of local file servers with the infinite scale of the cloud to provide a global file-sharing platform at half the cost of traditional file infrastructures.

+How Nasuni works:

+- Stores all files and metadata in private (on-premises) or public cloud object storage.

+- Provides unlimited primary or archive file storage capacity.

+- Intelligently caches just the active data on lightweight Nasuni Edge Appliances.

+- Intelligently caches just the active data on lightweight Nasuni Edge Appliances.

+Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers. It provides software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) and supports many different programming languages, tools, and frameworks, including both Microsoft-specific and third-party software and systems.

+Azure Blob storage is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn't adhere to a particular data model or definition, such as text or binary data.

+> [!TIP]

+> For Microsoft Azure configuration suggestions to prevent accidental or malicious deletion of data, see [Deletion Security](https://b.link/Nasuni_Deletion_Security)

+## Creating an Azure storage account (using Azure portal)

+> [!NOTE]

+> You must have at least one subscription for this purpose.

+> [!NOTE]

+> Selecting the ΓÇ£Secure transfer requiredΓÇ¥ feature for an Azure Storage account does not affect the operation of the Nasuni Edge Appliance

+> [!TIP]

+> In the Nasuni model, customers provide their own cloud accounts for the storage of their data. Customers should leverage their cloud provider's role-based access and identity access management features as part of their overall security strategy. Such features can be used to limit or prohibit administrative access to the cloud account, based on customer policies

+### Introduction

+This document describes how to deploy a Nasuni environment in Microsoft Azure, using Azure Blob storage to store your file data.

+### Creating a storage account using the Azure portal.

+If you don't already have a storage account in Microsoft Azure, create a storage account in Microsoft Azure by following these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com). The Microsoft Azure dashboard page appears.

+2. On the top left of the page, select ΓÇ£Create a resource." The ΓÇ£Create a resourceΓÇ¥ dialog appears.

+3. In the Search box, enter ΓÇ£storage account" then select Storage account from the list of results. The Storage account pane appears.

+4. Select Create. The ΓÇ£Create a storage accountΓÇ¥ pane appears.

+5. If there is more than one subscription, from the Subscription drop-down list, select the subscription to use for this storage account.

+6. To select an existing Resource Group, select an existing Resource Group from the Resource Group drop-down list.

+ Alternatively, create a new Resource Group by clicking ΓÇ£Create newΓÇ¥ and then entering a name for the new Resource Group and clicking OK.

+7. Select Next: Advanced. The Advanced pane appears.

+8. If your security policy requires it, enable ΓÇ£Require secure transfer for REST API operations."

+9. For ΓÇ£Access tier,ΓÇ¥ select Cool for production data.

+> [!NOTE]

+> Nasuni also supports [Azure Cold Storage](/azure/storage/blobs/access-tiers-overview). To use Azure Cold Storage, configure Lifecycle Management rules that are based on access tracking. When enabled, access tracking checks when a blob was last accessed. A rule can be defined to move objects that have not been accessed for 90 days or longer. Enabling this feature may incur additional cost.

+10. Set ΓÇ£Azure FilesΓÇ¥ to disabled.

+11. Configure other features according to your needs.

+12. Select ΓÇ£Next: Networking >.ΓÇ¥ The Networking pane appears.

+13. Select the ΓÇ£Connectivity methodΓÇ¥ to match your security requirements.

+> [!NOTE]

+> Consider where Edge Appliances will be deployed and how they will access the storage account, for example, via the Internet, Azure ExpressRoute, or a VPN connection to Azure. Most customers select the default ΓÇ£Public endpoint (all networks)ΓÇ¥.

+14. Configure other features according to your needs

+15. Select ΓÇ£Next: Data protection.ΓÇ¥ The Data protection pane appears.

+ **Nasuni recommends enabling Soft Delete for all storage accounts being used for Nasuni volumes. If data is deleted, instead of the data being permanently lost, the data changes to a ΓÇ£soft deletedΓÇ¥ state and remains available for a configurable number of days.**

+16. Select ΓÇ£Enable soft delete for blobs."

+17. Specify ΓÇ£Days to retain deleted blobsΓÇ¥ by entering or selecting the number of days to retain data. (You can retain soft-deleted data for between 1 and 365 days.)

+ - Nasuni recommends specifying at least 30 days.

+ **Nasuni recommends enabling Soft Delete for containers. Containers marked for deletion remain available for a configurable number of days.**

+18. After configuring your storage account, select ΓÇ£Enable soft delete for containers.ΓÇ¥

+19. Specify ΓÇ£Days to retain deleted containersΓÇ¥ by entering or selecting the number of days to retain data. (You can retain soft-deleted data for between 1 and 365 days.)

+ - Nasuni recommends specifying at least 30 days.

+ - For details see [soft delete for containers](/azure/storage/blobs/soft-delete-container-overview)

+20. Configure other features according to your needs

+21. Select ΓÇ£Next: Tags >." The Tags pane appears.

+22. Define any Tags based on your internal policies.

+23. Select ΓÇ£Next: Review + create >ΓÇ¥

+24. Select Create.

+ - The storage account starts being created. When the storage account is created, select Storage Accounts in the left-hand list. The new storage account appears in the list of storage accounts.

+25. Select the name of your storage account. The pane for your storage account settings appears.

+> [!TIP]

+> It is possible to recover a deleted storage account. For details, see [Recovering a deleted storage account](/azure/storage/blobs/soft-delete-container-overview).

+## Configuring storage account firewalls

+Storage account firewalls must be configured to allow connections from the internal customer network or any other networks that Nasuni Edge Appliances either exist on or are using.

+To configure storage account firewalls, follow these steps:

+1. Select the storage account.

+2. In the left-hand column, select Networking, then select the ΓÇ£Firewalls and virtual networksΓÇ¥ tab. The ΓÇ£Firewalls and virtual networksΓÇ¥ pane appears.

+3. Select ΓÇ£Selected networks.ΓÇ¥

+ Alternatively, if allowing access from all networks, select ΓÇ£All networksΓÇ¥ and skip to step 7.

+4. To add an existing virtual network, in the Virtual Networks area, select ΓÇ£Add existing virtual network.ΓÇ¥ Select Virtual networks and Subnets options, and then select Add.

+5. To create a new virtual network and grant it access, in the Virtual Networks area, select ΓÇ£Add new virtual network.ΓÇ¥ Provide the information necessary to create the new virtual network, and then select Create.

+6. To grant access to an IP range, in the Firewall area, enter the IP address or address range (in CIDR format) in Address Range. Include the internal customer network and other networks that Edge Appliances exist on or are using. Take network routing into account. For example, if connecting to the storage account over a private connection, use internal subnets; if connecting to the storage account over the public Internet, use public IPs.

+7. Select Save to apply your changes.

+## Finding Microsoft Azure User Credentials

+> [!NOTE]

+> You must have at least one subscription for this purpose

+> [!NOTE]

+> Confirm with Nasuni Sales or Support that your Nasuni account is configured for supplying your own Microsoft Azure credentials.

+To locate Microsoft Azure credentials, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com). The Microsoft Azure dashboard page appears.

+2. Select Storage Accounts in the left-hand list.

+3. Select your storage account. The pane for your storage account settings appears.

+4. Select Access keys. Your account access key information appears.

+5. Record the Microsoft Azure Storage Account Name for later use

+6. Select ΓÇ£Show keysΓÇ¥ to view key values. Key values appear.

+7. Under key1, find the Key value. Select the copy button to copy the Microsoft Azure Primary Access Key. Save this value for creating Microsoft Azure cloud credentials

+8. Under key1, find the ΓÇ£Connection stringΓÇ¥ value. Select the copy button to copy the Connection string. Save this value for possible later use.

+## Configuration

+Nasuni provides a Nasuni Connector for Microsoft Azure.

+> [!TIP]

+> If you have a requirement to change Cloud Credentials on a regular basis, use the following procedure, preferably outside office hours:

+> - Obtain new credentials. Credentials typically consist of a pair of values, such as Access Key ID and Secret Access Key, Account Name and Primary Access Key, or User and Secret.

+> - On the Cloud Credentials page, edit the cloud credentials to use the new credentials.

+> - The change in cloud credentials is registered on the next snapshot that contains unprotected data.

+> - Manually performing a snapshot also causes the change in cloud credentials to be registered, even if there is no unprotected data for the volume.

+> - After each Edge Appliance has performed such a snapshot, the original credentials can be retired with the cloud provider

+> [!WARNING]

+> Do not retire the original credentials with the cloud provider until you are certain that they are no longer necessary. Otherwise, data might become unavailable

+To configure Nasuni for Microsoft Azure, follow these steps:

+1. Ensure that port 443 (HTTPS) is open between the Nasuni Edge Appliance and the object storage solution.

+2. Select Configuration. On NMC, select Account.

+3. Select Cloud Credentials.

+4. Select Add New Credentials, then select "Windows Azure Platform" from the drop-down menu

+5. Enter credentials information:

+ - For Microsoft Azure, enter the following information:

+ - Name: A name for this set of credentials, which is used for display purposes, such as ObjectStorageCluster1.

+ - Account Name: The Microsoft Azure Storage Account Name for this set of credentials, obtained in step 5 on page 9 above.

+ - Primary Access Key: The Microsoft Azure Primary Access Key for this set of credentials, obtained in step 7 on page 9 above.

+ - Hostname: The hostname for the location of the object storage solution. Use the default setting: blob.core.windows.net.

+ - Verify SSL Certificates: Use the default On setting.

+ - Filers (on NMC only): The target Nasuni Edge Appliance(s).

+ - For Microsoft Azure Gov Cloud, enter the following information:

+ - Name: A name for this set of credentials, which is used for display purposes, such as ObjectStorageCluster1.

+ - Account Name: The Microsoft Azure Storage Account Name for this set of credentials, obtained in step 5 on page 9 above.

+ - Primary Access Key: The Microsoft Azure Primary Access Key for this set of credentials, obtained in step 7 on page 9 above.

+ - Hostname: The hostname for the location of the object storage solution. Use: blob.core.usgovcloudapi.net.

+ - Verify SSL Certificates: Use the default On setting.

+ - Filers (on NMC only): The target Nasuni Edge Appliance(s).

+> [!WARNING]

+> Be careful changing existing credentials. The connection between the Nasuni Edge Appliance and the container could become invalid, causing loss of data access. Credential editing is to update access after changes to the account name or the access key on the Microsoft Azure system.

+6. Select Save Credentials.

+You're now ready to add volumes to the Nasuni Edge Appliance.

+## Adding volumes

+To add volumes to your Nasuni system, follow these steps:

+1. Select Volumes, then select Add New Volume. The Add New Volume page appears.

+2. Enter the following information for the new volume:

+ - Name: Enter a human-readable name for the volume.

+ - Cloud Provider: Select Windows Azure Platform.

+ - Credentials: Select the Cloud Credentials that you defined in step 5 for this volume, such as ObjectStorageCluster1

+ - For the remaining options, select what is appropriate for this volume.

+3. Select Save.

+You have successfully created a new volume on your Nasuni Filer.

+## Recovering a deleted storage account

+It's possible to recover a deleted storage account, if the following conditions are true:

+- It has been less than 14 days since the storage account was deleted.

+- You created the storage account with the Azure Resource Manager deployment model. Storage accounts created using the Azure portal satisfy this requirement. The older ΓÇ£classicΓÇ¥ storage accounts don't.

+- A new storage account with the same name hasn't been created since the original storage account was deleted.

+For details, review [Recover a Deleted Storage Account](/azure/storage/common/storage-account-recover)

+## Azure Private Endpoints

+Nasuni supports Azure Private Endpoints relying on the DNS layer to resolve the

+private endpoint IP.

+It's important to correctly configure your DNS settings to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string.

+Existing Microsoft Azure services might already have a DNS configuration for a public endpoint. This configuration must be overridden to connect using your private endpoint.

+The network interface associated with the private endpoint contains the information to configure your DNS. The network interface information includes FQDN and private IP addresses for your private link resource.

+You can use the following options to configure your DNS settings for private endpoints:

+- Use a private DNS zone. You can use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.

+- Use your DNS forwarder (optional). You can use your DNS forwarder to override the DNS resolution for a private link resource. Create a DNS forwarding rule to use a private DNS zone on your DNS server hosted in a virtual network.

+> [!NOTE]

+> Using the Host file on the Nasuni Edge Appliance is not supported.

+> [!NOTE]

+> NasuniΓÇÖs default Host URL endpoint for NasuniΓÇÖs Azure Cloud Credentials should not be changed.

+### Azure services DNS zone configuration

+Azure creates a canonical name DNS record (CNAME) on the public DNS. The CNAME record redirects the resolution to the private domain name. You can override the resolution with the private IP address of your private endpoints. Your applications don't need to change the connection URL. When resolving names via a public DNS service, the DNS server resolves to your private endpoints. The process doesn't affect Nasuni Edge Appliances.

+For Azure services, use the recommended zone names as described [here](/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration)

+### DNS configuration scenarios

+The FQDN of the services resolves automatically to a public IP address. To resolve to the private IP address of the private endpoint, change your DNS configuration.

+DNS is a critical component to make the application work correctly by successfully resolving the private endpoint IP address.

+Based on your configuration requirements, the following scenarios are available with DNS resolution integrated:

+- [Virtual network workloads without custom DNS server](/azure/private-link/private-endpoint-dns#virtual-network-workloads-without-custom-dns-server)

+- [On-premises workloads using a DNS forwarder](/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder)

+- [Virtual network and on-premises workloads using a DNS forwarder](/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder)

+> [!IMPORTANT]

+> If the CosmosDB account is not configured to accept connections from **All networks**, you must select **Accept connections from within public Azure datacenters**.

+ Title: Assessment options in Update Manager.

+description: The article describes the assessment options available in Update Manager.

+# Assessment options in Update Manager

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article provides an overview of the assessment options available by Update Manager.

+Update Manager provides you the flexibility to assess the status of available updates and manage the process of installing required updates for your machines.

+## Periodic assessment

+

+ Periodic assessment is an update setting on a machine that allows you to enable automatic periodic checking of updates by Update Manager. We recommend that you enable this property on your machines as it allows Update Manager to fetch latest updates for your machines every 24 hours and enables you to view the latest compliance status of your machines. You can enable this setting using update settings flow as detailed [here](manage-update-settings.md#configure-settings-on-a-single-vm) or enable it at scale by using [Policy](periodic-assessment-at-scale.md).

+## Check for updates now/On-demand assessment

+Update Manager allows you to check for latest updates on your machines at any time, on-demand. You can view the latest update status and act accordingly. Go to **Updates** blade on any VM and select **Check for updates** or select multiple machines from Update Manager and check for updates for all machines at once. For more information, see [check and install on-demand updates](view-updates.md).

+## Update assessment scan

+ You can initiate a software updates compliance scan on a machine to get a current list of operating system updates available.

+ - **On Windows** - the software update scan is actually performed by the Windows Update Agent.

+ - **On Linux** - the software update scan is performed using OVAL-compatible tools to test for the presence of vulnerabilities based on the OVAL Definitions for that platform, which is retrieved from a local or remote repository.

+ In the **Updates** page, after you initiate an assessment, a notification is generated to inform you the activity has started and another is displayed when it is finished.

+ :::image type="content" source="media/assessment-options/updates-preview-page.png" alt-text="Screenshot of the Updates page.":::

+The **Recommended updates** section is updated to reflect the OS updates applicable. You can also select **Refresh** to update the information on the page and review the assessment details of the selected machine.

+In the **History** section, you can view:

+- **Total deployments**ΓÇöthe total number of deployments.

+- **Failed deployments**ΓÇöthe number out of the total deployments that failed.

+- **Successful deployments**ΓÇöthe number out of the total deployments that were successful.

+A list of the deployments created are shown in the update deployment grid and include relevant information about the deployment. Every update deployment has a unique GUID, represented as **Activity ID**, which is listed along with **Status**, **Updates Installed**, and **Time details**. You can filter the results listed in the grid in the following ways:

+- Select one of the tile visualizations

+- Select a specific time period. Options are: **Last 30 Days**, **Last 15 Days**, **Last 7 Days**, and **Last 24 hrs**. By default, deployments from the last 30 days are shown.

+- Select a specific deployment status. Options are: **Succeeded**, **Failed**, **CompletedWithWarnings**, **InProgress**, and **NotStarted**. By default, all status types are selected.

+Selecting any one of the update deployments from the list will open the **Assessment run** page. Here, it shows a detailed breakdown of the updates and the installation results for the Azure VM or Arc-enabled server.

+In the **Scheduling** section, you can either **create a maintenance configuration** or **attach existing maintenance configuration**. See the section for more information on [how to create a maintenance configuration](scheduled-patching.md#create-a-new-maintenance-configuration) and [how to attach existing maintenance configuration](scheduled-patching.md#attach-a-maintenance-configuration).

+## Next steps

+* To view update assessment and deployment logs generated by Update Manager, see [query logs](query-logs.md).

+* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) Update Manager.

+ Title: Configure Windows Update settings in Azure Update Manager

+description: This article tells how to configure Windows update settings to work with Azure Update Manager.

+# Configure Windows update settings for Azure Update Manager

+Azure Update Manager relies on the [Windows Update client](/windows/deployment/update/windows-update-overview) to download and install Windows updates. There are specific settings that are used by the Windows Update client when connecting to Windows Server Update Services (WSUS) or Windows Update. Many of these settings can be managed by:

+- Local Group Policy Editor

+- Group Policy

+- PowerShell

+- Directly editing the Registry

+The Update Manager respects many of the settings specified to control the Windows Update client. If you use settings to enable non-Windows updates, the Update Manager will also manage those updates. If you want to enable downloading of updates before an update deployment occurs, update deployment can be faster, more efficient, and less likely to exceed the maintenance window.

+For additional recommendations on setting up WSUS in your Azure subscription and to secure your Windows virtual machines up to date, review [Plan your deployment for updating Windows virtual machines in Azure using WSUS](/azure/architecture/example-scenario/wsus).

+## Pre-download updates

+To configure the automatic downloading of updates without automatically installing them, you can use Group Policy to [configure the Automatic Updates setting](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates#configure-automatic-updates) to 3. This setting enables downloads of the required updates in the background, and notifies you that the updates are ready to install. In this way, Update Manager remains in control of schedules, but allows downloading of updates outside the maintenance window. This behavior prevents `Maintenance window exceeded` errors in Update Manager.

+You can enable this setting in PowerShell:

+```powershell

+$WUSettings = (New-Object -com "Microsoft.Update.AutoUpdate").Settings

+$WUSettings.NotificationLevel = 3

+$WUSettings.Save()

+```

+## Configure reboot settings

+The registry keys listed in [Configuring Automatic Updates by editing the registry](/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry) and [Registry keys used to manage restart](/windows/deployment/update/waas-restart#registry-keys-used-to-manage-restart) can cause your machines to reboot, even if you specify **Never Reboot** in the **Update Deployment** settings. Configure these registry keys to best suit your environment.

+## Enable updates for other Microsoft products

+By default, the Windows Update client is configured to provide updates only for Windows operating system. In Windows update, select **Check online for Windows updates**. It will check updates for other Microsoft products to enable the **Give me updates for other Microsoft products when I update Windows** to receive updates for other Microsoft products, including security patches for Microsoft SQL Server and other Microsoft software.

+Use one of the following options to perform the settings change at scale:

+- For Servers configured to patch on a schedule from Update Manager (that has the VM PatchSettings set to AutomaticByPlatform = Azure-Orchestrated), and for all Windows Servers running on an earlier operating system than server 2016, Run the following PowerShell script on the server you want to change.

+ ```powershell

+ $ServiceManager = (New-Object -com "Microsoft.Update.ServiceManager")

+ $ServiceManager.Services

+ $ServiceID = "7971f918-a847-4430-9279-4a52d1efe18d"

+ $ServiceManager.AddService2($ServiceId,7,"")

+ ```

+- For servers running Server 2016 or later which are not using Update Manager scheduled patching (that has the VM PatchSettings set to AutomaticByOS = Azure-Orchestrated) you can use Group Policy to control this by downloading and using the latest Group Policy [Administrative template files](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).

+## Configure a Windows server for Microsoft updates

+The Windows update client on Windows servers can get their patches from either of the following Microsoft hosted patch repositories:

+- Windows update - hosts operating system patches.

+- Microsoft update - hosts operating system and other Microsoft patches. For example MS Office, SQL Server and so on.

+> [!NOTE]

+> For the application of patches, you can choose the update client at the time of installation, or later using Group policy or by directly editing the registry.

+> To get the non-operating system Microsoft patches or to install only the OS patches, we recommend you to change the patch repository as this is an operating system setting and not an option that you can configure within Update management center (preview).

+### Edit the registry

+If scheduled patching is configured on your machine using the Update management center (preview), the Auto update on the client is disabled. To edit the registry and configure the setting, see [First party updates on Windows](support-matrix.md#first-party-updates-on-windows).

+### Patching using group policy on Azure Update management

+If your machine is patched using Automation Update management, and has Automatic updates enabled on the client, you can use the group policy to have complete control. To patch using group policy, follow these steps:

+1. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Manage end user experience**.

+1. Select **Configure Automatic Updates**.

+1. Select or deselect the **Install updates for other Microsoft products** option.

+ :::image type="content" source="./media/configure-wu-agent/configure-updates-group-policy-inline.png" alt-text="Screenshot of selection or deselection of install updates for other Microsoft products." lightbox="./media/configure-wu-agent/configure-updates-group-policy-expanded.png":::

+## Make WSUS configuration settings

+Update Manager supports WSUS settings. You can specify sources for scanning and downloading updates using instructions in [Specify intranet Microsoft Update service location](/windows/deployment/update/waas-wu-settings#specify-intranet-microsoft-update-service-location). By default, the Windows Update client is configured to download updates from Windows Update. When you specify a WSUS server as a source for your machines, the update deployment fails, if the updates aren't approved in WSUS.

+To restrict machines to the internal update service, see [do not connect to any Windows Update Internet locations](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates#do-not-connect-to-any-windows-update-internet-locations).

+## Next steps

+Configure an update deployment by following instructions in [Deploy updates](deploy-updates.md).

+ Title: Deploy updates and track results in Azure Update Manager

+description: This article details how to use Azure Update Manager in the Azure portal to deploy updates and view results for supported machines.

+# Deploy updates now and track results with Azure Update Manager

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article describes how to perform an on-demand update on a single virtual machine (VM) or multiple VMs by using Azure Update Manager.

+See the following sections for more information:

+- [Install updates on a single VM](#install-updates-on-a-single-vm)

+- [Install updates at scale](#install-updates-at-scale)

+## Supported regions

+Update Manager is available in all [Azure public regions](support-matrix.md#supported-regions).

+## Configure reboot settings

+The registry keys listed in [Configure automatic updates by editing the registry](/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry) and [Registry keys used to manage restart](/windows/deployment/update/waas-restart#registry-keys-used-to-manage-restart) can cause your machines to reboot. A reboot can happen even if you specify **Never Reboot** in the **Schedule** settings. Configure these registry keys to best suit your environment.

+## Install updates on a single VM

+You can install updates from **Overview** or **Machines** on the **Update Manager** page or from the selected VM.

+# [From Overview pane](#tab/install-single-overview)

+To install one-time updates on a single VM:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On **Update Manager** > **Overview**, select your subscription and select **One-time update** to install updates.

+ :::image type="content" source="./media/deploy-updates/install-updates-now-inline.png" alt-text="Screenshot that shows an example of installing one-time updates." lightbox="./media/deploy-updates/install-updates-now-expanded.png":::

+1. Select **Install now** to proceed with the one-time updates:

+ - **Install one-time updates**: Select **Add machine** to add the machine for deploying one time.

+ - **Select resources**: Choose the machine and select **Add**.

+1. On the **Updates** pane, specify the updates to include in the deployment. For each product, select or clear all supported update classifications and specify the ones to include in your update deployment.

+ If your deployment is meant to apply only for a select set of updates, it's necessary to clear all the preselected update classifications when you configure the **Inclusion/exclusion** updates described in the following steps. This action ensures only the updates you've specified to include in this deployment are installed on the target machine.

+ > [!NOTE]

+ > - **Selected Updates** shows a preview of OS updates that you can install based on the last OS update assessment information available. If the OS update assessment information in Update Manager is obsolete, the actual updates installed would vary. Especially if you've chosen to install a specific update category, where the OS updates applicable might vary as new packages or KB IDs might be available for the category.

+ > - Update Manager doesn't support driver updates.

+ - Select **Include update classification**. Select the appropriate classifications that must be installed on your machines.

+

+ :::image type="content" source="./media/deploy-updates/include-update-classification-inline.png" alt-text="Screenshot that shows update classification." lightbox="./media/deploy-updates/include-update-classification-expanded.png":::

+

+ - Select **Include KB ID/package** to include in the updates. Enter a comma separated list of Knowledge Base article ID numbers to include or exclude for Windows updates. For example, use `3103696` or `3134815`. For Windows, you can refer to the [MSRC webpage](https://msrc.microsoft.com/update-guide/deployments) to get the details of the latest Knowledge Base release. For supported Linux distros, you specify a comma separated list of packages by the package name, and you can include wildcards. For example, use `kernel*`, `glibc`, or `libc=1.0.1`. Based on the options specified, Update Manager shows a preview of OS updates under the **Selected Updates** section.

+ - To exclude updates that you don't want to install, select **Exclude KB ID/package**. We recommend selecting this option because updates that aren't displayed here might be installed, as newer updates might be available.

+ - To ensure that the updates published are on or before a specific date, select **Include by maximum patch publish date**. Select the date and select **Add** > **Next**.

+

+ :::image type="content" source="./media/deploy-updates/include-patch-publish-date-inline.png" alt-text="Screenshot that shows the patch publish date." lightbox="./media/deploy-updates/include-patch-publish-date-expanded.png":::

+1. On the **Properties** pane, specify the reboot and maintenance window:

+ - Use the **Reboot** option to specify the way to handle reboots during deployment. The following options are available:

+ * Reboot if required

+ * Never reboot

+ * Always reboot

+ - Use **Maximum duration (in minutes)** to specify the amount of time allowed for updates to install. The maximum limit supported is 235 minutes. Consider the following details when you specify the window:

+ * It controls the number of updates that must be installed.

+ * New updates continue to install if the maintenance window limit is approaching.

+ * In-progress updates aren't terminated if the maintenance window limit is exceeded.

+ * Any remaining updates that aren't yet installed aren't attempted. We recommend that you reevaluate the maintenance window if this issue is consistently encountered.

+ * If the limit is exceeded on Windows, it's often because of a service pack update that's taking a long time to install.

+1. After you're finished configuring the deployment, verify the summary in **Review + install** and select **Install**.

+# [From Machines pane](#tab/install-single-machine)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On **Update Manager** > **Machine**, select your subscription, select your machine, and select **One-time update** to install updates.

+1. Select **Install now** to proceed with installing updates.

+1. On the **Install one-time updates** page, the selected machine appears. Choose the machine, select **Next**, and follow the procedure from step 4 listed in **From Overview pane** of [Install updates on a single VM](#install-updates-on-a-single-vm).

+ A notification informs you when the activity starts, and another tells you when it's finished. After it's successfully finished, you can view the installation operation results in **History**. You can view the status of the operation at any time from the [Azure activity log](../azure-monitor/essentials/activity-log.md).

+# [From a selected VM](#tab/singlevm-deploy-home)

+1. Select your virtual machine and the **virtual machines | Updates** page opens.

+1. Under **Operations**, select **Updates**.

+1. In **Updates**, select **Go to Updates using Azure Update Manager**.

+1. In **Updates**, select **One-time update** to install the updates.

+1. In **Install one-time updates** page, the selected machine appears. Choose the machine, select **Next** and follow the procedure from step 4 listed in **From Overview blade** of [Install updates on single VM](#install-updates-on-a-single-vm).

+

+## Install updates at scale

+Follow these steps to create a new update deployment for multiple machines.

+> [!NOTE]

+> You can check the updates from **Overview** or **Machines**.

+You can schedule updates.

+# [From Overview pane](#tab/install-scale-overview)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On **Update Manager** > **Overview**, select your subscription and select **One-time update** > **Install now** to install updates.

+ :::image type="content" source="./media/deploy-updates/install-updates-now-inline.png" alt-text="Screenshot that shows installing one-time updates." lightbox="./media/deploy-updates/install-updates-now-expanded.png":::

+1. On the **Install one-time updates** pane, you can select the resources and machines to install the updates.

+1. On the **Machines** page, you can view all the machines available in your subscription. You can also use **Add machine** to add the machines for deploying one-time updates. You can add up to 20 machines. Choose **Select all** and select **Add**.

+**Machines** displays a list of machines for which you can deploy a one-time update. Select **Next** and follow the procedure from step 6 listed in **From Overview pane** of [Install updates on a single VM](#install-updates-on-a-single-vm).

+# [From Machines pane](#tab/install-scale-machines)

+1. Sign in to the [Azure portal](https://portal.azure.com) and go to **Azure Update Manager**.

+1. Go to **Machines**, select your subscription, and choose your machines. You can choose **Select all** to select all the machines.

+1. Select **One-time update** > **Install now** to deploy one-time updates.

+1. On the **Install one-time updates** pane, you can select the resources and machines to install the updates.

+1. On the **Machines** page, you can view all the machines available in your subscription. You can also select by using **Add machine** to add the machines for deploying one-time updates. You can add up to 20 machines. Choose **Select all** and select **Add**.

+**Machines** displays a list of machines for which you want to deploy a one-time update. Select **Next** and follow the procedure from step 6 listed in **From Overview pane** of [Install updates on a single VM](#install-updates-on-a-single-vm).

+-

+A notification informs you when the activity starts, and another tells you when it's finished. After it's successfully finished, you can view the installation operation results in **History**. You can view the status of the operation at any time from the [Azure activity log](../azure-monitor/essentials/activity-log.md).

+## View update history for a single VM

+You can browse information about your Azure VMs and Azure Arc-enabled servers across your Azure subscriptions. For more information, see [Update deployment history](manage-multiple-machines.md#update-deployment-history).

+After your scheduled deployment starts, you can see its status on the **History** tab. It displays the total number of deployments, including the successful and failed deployments.

+**Windows update history** currently doesn't show the updates that are installed from Azure Update Management. To view a summary of the updates applied on your machines, go to **Update Manager** > **Manage** > **History**.

+> [!NOTE]

+> The **Windows update history** currently doesn't show the updates summary that are installed from Azure Update Management. To view a summary of the updates applied on your machines, go to **Update manager** > **Manage** > **History**.

+

+A list of the deployments created are shown in the update deployment grid and include relevant information about the deployment. Every update deployment has a unique GUID, represented as **Operation ID**, which is listed along with **Status**, **Updates Installed** and **Time** details. You can filter the results listed in the grid.

+Select any one of the update deployments from the list to open the **Update deployment run** page. Here, you can see a detailed breakdown of the updates and the installation results for the Azure VM or Azure Arc-enabled server.

+ The available values are:

+- **Not attempted**: The update wasn't installed because insufficient time was available, based on the defined maintenance window duration.

+- **Not selected**: The update wasn't selected for deployment.

+- **Succeeded**: The update succeeded.

+- **Failed**: The update failed.

+## Next steps

+* To view update assessment and deployment logs generated by Update Manager, see [Query logs](query-logs.md).

+* To troubleshoot issues, see [Troubleshoot issues with Azure Update Manager](troubleshoot.md).

+ Title: An overview of Dynamic Scoping

+description: This article provides information about Dynamic Scoping, its purpose and advantages.

+# About Dynamic Scoping

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure VMs :heavy_check_mark: Azure Arc-enabled servers.

+Dynamic Scoping is an advanced capability of schedule patching that allows users to:

+- Group machines based on criteria such as subscription, resource group, location, resource type, OS Type, and Tags. This becomes the definition of the scope.

+- Associate the scope to a schedule/maintenance configuration to apply updates at scale as per a pre-defined scope.

+The criteria will be evaluated at the scheduled run time, which will be the final list of machines that will be patched by the schedule. The machines evaluated during create or edit phase may differ from the group at schedule run time.

+## Key benefits

+**At Scale and simplified patching** - You don't have to manually change associations between machines and schedules. For example, if you want to remove a machine from a schedule and your scope was defined based on tag(s) criteria, removing the tag on the machine will automatically drop the association. These associations can be dropped and added for multiple machines at scale.

+ > [!NOTE]

+ > Subscription is mandatory for the creation of dynamic scope and you can't edit it after the dynamic scope is created.

+**Reusability of the same schedule** - You can associate a schedule to multiple machines dynamically, statically, or both.

+ > [!NOTE]

+ > You can associate one dynamic scope to one schedule.

+## Permissions

+For Dynamic Scoping and configuration assignment, ensure that you have the following permissions:

+- Write permissions to create or modify a schedule.

+- Read permissions to assign or read a schedule.

+## Service limits

+The following are the Dynamic scope limits for **each dynamic scope**.

+| Resource | Limit |

+|-|-|

+| Resource associations | 1000 |

+| Number of tag filters | 50 |

+| Number of Resource Group filters | 50 |

+> [!NOTE]

+> The above limits are for Dynamic scope in the Guest scope only.

+## Next steps

+ Learn about deploying updates to your machines to maintain security compliance by reading [deploy updates](deploy-updates.md)

+ Title: Guidance to move virtual machines from Automation Update Management to Azure Update Manager

+description: Guidance overview on migration from Automation Update Management to Azure Update Manager

+# Guidance to move virtual machines from Automation Update Management to Azure Update Manager

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article provides guidance to move virtual machines from Automation Update Management to Azure Update Manager.

+Azure Update Manager provides a SaaS solution to manage and govern software updates to Windows and Linux machines across Azure, on-premises, and multicloud environments. It is an evolution of [Azure Automation Update management solution](../automation/update-management/overview.md) with new features and functionality, for assessment and deployment of software updates on a single machine or on multiple machines at scale.

+For the Azure Update Manager, both AMA and MMA aren't a requirement to manage software update workflows as it relies on the Microsoft Azure VM Agent for Azure VMs and Azure connected machine agent for Arc-enabled servers. When you perform an update operation for the first time on a machine, an extension is pushed to the machine and it interacts with the agents to assess missing updates and install updates.

+> [!NOTE]

+> - If you are using Azure Automation Update Management Solution, we recommend that you don't remove MMA agents from the machines without completing the migration to Azure Update Manager for the machine's patch management needs. If you remove the MMA agent from the machine without moving to Azure Update Manager, it would break the patching workflows for that machine.

+>

+> - All capabilities of Azure Automation Update Management will be available on Azure Update Manager before the deprecation date.

+## Guidance to move virtual machines from Automation Update Management to Azure Update Manager

+Guidance to move various capabilities is provided in table below:

+**S.No** | **Capability** | **Automation Update Management** | **Azure Update Manager** | **Steps using Azure portal** | **Steps using API/script** |

+ | | | | | |

+1 | Patch management for Off-Azure machines. | Could run with or without Arc connectivity. | Azure Arc is a prerequisite for non-Azure machines. | 1. [Create service principal](../app-service/quickstart-php.md#1get-the-sample-repository) </br> 2. [Generate installation script](../azure-arc/servers/onboard-service-principal.md#generate-the-installation-script-from-the-azure-portal) </br> 3. [Install agent and connect to Azure](../azure-arc/servers/onboard-service-principal.md#install-the-agent-and-connect-to-azure) | 1. [Create service principal](../azure-arc/servers/onboard-service-principal.md#azure-powershell) <br> 2. [Generate installation script](../azure-arc/servers/onboard-service-principal.md#generate-the-installation-script-from-the-azure-portal) </br> 3. [Install agent and connect to Azure](../azure-arc/servers/onboard-service-principal.md#install-the-agent-and-connect-to-azure) |

+2 | Enable periodic assessment to check for latest updates automatically every few hours. | Machines automatically receive the latest updates every 12 hours for Windows and every 3 hours for Linux. | Periodic assessment is an update setting on your machine. If it's turned on, the Update Manager fetches updates every 24 hours for the machine and shows the latest update status. | 1. [Single machine](manage-update-settings.md#configure-settings-on-a-single-vm) </br> 2. [At scale](manage-update-settings.md#configure-settings-at-scale) </br> 3. [At scale using policy](periodic-assessment-at-scale.md) | 1. [For Azure VM](../virtual-machines/automatic-vm-guest-patching.md#azure-powershell-when-updating-a-windows-vm) </br> 2.[For Arc-enabled VM](/powershell/module/az.connectedmachine/update-azconnectedmachine?view=azps-10.2.0) |

+3 | Static Update deployment schedules (Static list of machines for update deployment). | Automation Update management had its own schedules. | Azure Update Manager creates a [maintenance configuration](../virtual-machines/maintenance-configurations.md) object for a schedule. So, you need to create this object, copying all schedule settings from Automation Update Management to Azure Update Manager schedule. | 1. [Single VM](scheduled-patching.md#schedule-recurring-updates-on-a-single-vm) </br> 2. [At scale](scheduled-patching.md#schedule-recurring-updates-at-scale) </br> 3. [At scale using policy](scheduled-patching.md#onboard-to-schedule-by-using-azure-policy) | [Create a static scope](manage-vms-programmatically.md) |

+4 | Dynamic Update deployment schedules (Defining scope of machines using resource group, tags, etc. which is evaluated dynamically at runtime).| Same as static update schedules. | Same as static update schedules. | [Add a dynamic scope](manage-dynamic-scoping.md#add-a-dynamic-scope | [Create a dynamic scope]( tutorial-dynamic-grouping-for-scheduled-patching.md#create-a-dynamic-scope) |

+5 | Deboard from Azure Automation Update management. | After you complete the steps 1, 2, and 3, you need to clean up Azure Update management objects. | | 1. [Remove machines from solution](../automation/update-management/remove-feature.md#remove-management-of-vms) </br> 2. [Remove Update Management solution](../automation/update-management/remove-feature.md#remove-updatemanagement-solution) </br> 3. [Unlink workspace from Automation account](../automation/update-management/remove-feature.md#unlink-workspace-from-automation-account) </br> 4. [Cleanup Automation account](../automation/update-management/remove-feature.md#cleanup-automation-account) | NA |

+6 | Reporting | Custom update reports using Log Analytics queries. | Update data is stored in Azure Resource Graph (ARG). Customers can query ARG data to build custom dashboards, workbooks etc. | The old Automation Update Management data stored in Log analytics can be accessed, but there's no provision to move data to ARG. You can write ARG queries to access data that will be stored to ARG after virtual machines are patched via Azure Update Manager. With ARG queries you can, build dashboards and workbooks using following instructions: </br> 1. [Log structure of Azure Resource graph updates data](query-logs.md) </br> 2. [Sample ARG queries](sample-query-logs.md) </br> 3. [Create workbooks](manage-workbooks.md) | NA |

+7 | Customize workflows using pre and post scripts. | Available as Automation runbooks. | We recommend that you use Automation runbooks once they are available. | | |

+8 | Create alerts based on updates data for your environment | Alerts can be set up on updates data stored in Log Analytics. |We recommend that you use alerts once they are available. | | |

+

+## Next steps

+- [An overview on Azure Update Manager](overview.md)

+- [Check update compliance](view-updates.md)

+- [Deploy updates now (on-demand) for single machine](deploy-updates.md)

+- [Schedule recurring updates](scheduled-patching.md)

+ Title: Patching guidance overview for Microsoft Configuration Manager to Azure

+description: Patching guidance overview for Microsoft Configuration Manager to Azure. View on how to get started with Azure Update Manager, mapping capabilities of MCM software and FAQs.

+# Guidance on migrating Azure VMs from Microsoft Configuration Manager to Azure Update Manager

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article provides a guide to start using Azure Update Manager (for update management) for Azure virtual machines that are currently using Microsoft Configuration Manager (MCM).

+Microsoft Configuration Manager (MCM), previously known as System Center Configuration Manager (SCCM), helps you to manage PCs and servers, keep software up to date, set configuration and security policies, and monitor system status.

+MCM supports several [cloud services](/mem/configmgr/core/understand/use-cloud-services) that can supplement on-premises infrastructure and can help solve business problems such as:

+- How to manage clients that roam onto the internet.

+- How to provide content resources to isolated clients or resources on the intranet, outside your firewall.

+- How to scale out infrastructure when the physical hardware isn't available or isn't logically placed to support your needs.

+Customers [extend and migrate an on-premises site to Azure](/mem/configmgr/core/support/azure-migration-tool) and create Azure virtual machines (VMs) for Configuration Manager and install the various site roles with default settings. The validation of new roles and removal of the on-premises site system role enables MCM to provide all the on-premises capabilities and experiences in Azure. For more information, see [Configuration Manager on Azure FAQ](/mem/configmgr/core/understand/configuration-manager-on-azure).

+## Migrate to Azure Update Manager

+MCM offers [multiple features and capabilities](/mem/configmgr/core/plan-design/changes/features-and-capabilities) and software [update management](/mem/configmgr/sum/understand/software-updates-introduction) is one of these.By using MCM in Azure, you can continue with the existing investments in MCM and processes to manage update cycle for Windows VMs.

+**Specifically for update management or patching**, as per your requirements, you can also use the native [Azure Update Manager](overview.md) to manage and govern update compliance for Windows and Linux machines across your deployments in a consistent manner. Unlike MCM that needs maintaining Azure virtual machines for hosting the different Configuration Manager roles. Azure Update Manager is designed as a standalone Azure service to provide SaaS experience on Azure to manage hybrid environments. You don't need license to use Azure Update Manager.

+> [!NOTE]

+> Azure Update Manager does not provide migration support for Azure VMs in MCM. For example, configurations.

+## Software update management capability map

+The following table maps the **software update management capabilities** of MCM to Azure Update Manager.

+**Capability** | **Microsoft Configuration Manager** | **Azure Update Manager** |

+ | | |

+Synchronize software updates between sites (Central Admin site, Primary, Secondary sites) | The top site (either central admin site or stand-alone primary site) connects to Microsoft Update to retrieve software update. [Learn more](/mem/configmgr/sum/understand/software-updates-introduction). After the top sites are synchronized, the child sites are synchronized. | There's no hierarchy of machines in Azure and therefore all machines connected to Azure receive updates from the source repository.

+Synchronize software updates/check for updates (retrieve patch metadata) | You can scan for updates periodically by setting configuration on the Software update point. [Learn more](/mem/configmgr/sum/get-started/synchronize-software-updates#to-schedule-software-updates-synchronization) | You can enable periodic assessment to enable scan of patches every 24 hours. [Learn more](assessment-options.md)|

+Configuring classifications/products to synchronize/scan/assess | You can choose the update classifications (security or critical updates) to synchronize/scan/assess. [Learn more](/mem/configmgr/sum/get-started/configure-classifications-and-products) | There's no such capability here. The entire software metadata is scanned. |

+Deploy software updates (install patches) | Provides three modes of deploying updates: </br> Manual deployment </br> Automatic deployment </br> Phased deployment [Learn more](/mem/configmgr/sum/deploy-use/deploy-software-updates) | Manual deployment is mapped to deploy [one-time updates](deploy-updates.md) and Automatic deployment is mapped to [scheduled updates](scheduled-patching.md) (The [Automatic Deployment Rules (ADRs)](/mem/configmgr/sum/deploy-use/automatically-deploy-software-updates#BKMK_CreateAutomaticDeploymentRule)) can be mapped to schedules. There's no phased deployment option.

+## Manage software updates using Azure Update Manager

+1. Sign in to the [Azure portal](https://portal.azure.com) and search for **Azure Update Manager**.

+ :::image type="content" source="./media/guidance-migration-azure/update-manager-service-selection-inline.png" alt-text="Screenshot of selecting the Azure Update Manager from Azure portal." lightbox="./media/guidance-migration-azure/update-manager-service-selection-expanded.png":::

+1. In the **Azure Update Manager** home page, under **Manage** > **Machines**, select your subscription to view all your machines.

+1. Filter as per the available options to know the status of your specific machines.

+ :::image type="content" source="./media/guidance-migration-azure/filter-machine-status-inline.png" alt-text="Screenshot of selecting the filters in Azure Update Manager to view the machines." lightbox="./media/guidance-migration-azure/filter-machine-status-expanded.png":::

+1. Select the suitable [assessment](assessment-options.md) and [patching](updates-maintenance-schedules.md) options as per your requirement.

+### Patch machines

+After you set up configuration for assessment and patching, you can deploy/install either through [on-demand updates](deploy-updates.md) (One-time or manual update)or [schedule updates](scheduled-patching.md) (automatic update) only. You can also deploy updates using [Azure Update Manager's API](manage-vms-programmatically.md).

+## Limitations in Azure Update Manager

+The following are the current limitations:

+- **Orchestration groups with Pre/Post scripts** - [Orchestration groups](/mem/configmgr/sum/deploy-use/orchestration-groups) can't be created in Azure Update Manager to specify a maintenance sequence, allow some machines for updates at the same time and so on. (The orchestration groups allow you to use the pre/post scripts to run tasks before and after a patch deployment).

+## Frequently asked questions

+### Where does Azure Update Manager get its updates from?

+Azure Update Manager refers to the repository that the machines point to. Most Windows machines by default point to the Windows Update catalog and Linux machines are configured to get updates from the `apt` or `yum` repositories. If the machines point to another repository such as [WSUS](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or a local repository then Azure Update Manager gets the updates from that repository.

+### Can Azure Update Manager patch OS, SQL and Third party software?

+Azure Update Manager refers to the repositories (or endpoints) that the VMs point to. If the repository (or endpoints) contains updates for Microsoft products, third party software etc. then Azure Update Manager can install these patches.

+By default, Windows VMs point to Windows Update server. Windows Update server doesn't contain updates for Microsoft products, and third party software. If the VMs point to Microsoft Update, Azure Update Manager patches OS and Microsoft products.

+For the third party software patching, Azure Update Manager should be connected to WSUS and you must publish the third party updates. We can't patch third party software for Windows VMs unless they're available in WSUS.

+### Do I need to configure WSUS to use Azure Update Manager?

+WSUS is a way to manage patches. Azure Update Manager will refer to whichever endpoint it's pointed to. (Windows Update, Microsoft Update, or WSUS).

+

+## Next steps

+- [An overview on Azure Update Manager](overview.md)

+- [Check update compliance](view-updates.md)

+- [Deploy updates now (on-demand) for single machine](deploy-updates.md)

+- [Schedule recurring updates](scheduled-patching.md)

+ Title: Guidance on patching for SQL Server on Azure VMs (preview) using Azure Update Manager.

+description: An overview on patching guidance for SQL Server on Azure VMs (preview) using Azure Update Manager

+# Guidance on patching for SQL Server on Azure VMs (preview) using Azure Update Manager

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article provides the details on how to integrate [Azure Update Manager](overview.md) with your [SQL virtual machines](/azure/azure-sql/virtual-machines/windows/manage-sql-vm-portal) resource for your [SQL Server on Azure Virtual Machines (VMs)](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview)

+## Overview

+[Azure Update Manager](overview.md) is a unified service that allows you to manage and govern updates for all your Windows and Linux virtual machines across your deployments in Azure, on-premises, and on the other cloud platforms from a single dashboard.

+Azure Update Manager designed as a standalone Azure service to provide SaaS experience to manage hybrid environments in Azure.

+Using Azure Update Manager you can manage and govern updates for all your SQL Server instances at scale. Unlike with [Automated Patching](/azure/azure-sql/virtual-machines/windows/automated-patching), Update Manager installs cumulative updates for SQL server.

+

+## Next steps

+- [An overview on Azure Update Manager](overview.md)

+- [Check update compliance](view-updates.md)

+- [Deploy updates now (on-demand) for single machine](deploy-updates.md)

+- [Schedule recurring updates](scheduled-patching.md)

+ Title: Programmatically manage updates for Azure Arc-enabled servers in Azure Update Manager

+description: This article tells how to use Azure Update Manager using REST API with Azure Arc-enabled servers.

+# How to programmatically manage updates for Azure Arc-enabled servers

+This article walks you through the process of using the Azure REST API to trigger an assessment and an update deployment on your Azure Arc-enabled servers with Azure Update Manager in Azure. If you're new to Azure Update Manager and you want to learn more, see [overview of Update Manager](overview.md). To use the Azure REST API to manage Azure virtual machines, see [How to programmatically work with Azure virtual machines](manage-vms-programmatically.md).

+Update Manager in Azure enables you to use the [Azure REST API](/rest/api/azure) for access programmatically. Additionally, you can use the appropriate REST commands from [Azure PowerShell](/powershell/azure) and [Azure CLI](/cli/azure).

+Support for Azure REST API to manage Azure Arc-enabled servers is available through the Update Manager virtual machine extension.

+## Update assessment

+To trigger an update assessment on your Azure Arc-enabled server, specify the following POST request:

+```rest

+POST on `subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.HybridCompute/machines/machineName/assessPatches?api-version=2020-08-15-preview`

+{

+}

+```

+# [Azure CLI](#tab/cli)

+To specify the POST request, you can use the Azure CLI [az rest](/cli/azure/reference-index#az_rest) command.

+```azurecli

+az rest --method post --url https://management.azure.com/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.HybridCompute/machines/machineName/assessPatches?api-version=2020-08-15-preview --body @body.json

+```

+The format of the request body for version 2020-08-15 is as follows:

+```json

+{

+}

+```

+# [Azure PowerShell](#tab/powershell)

+To specify the POST request, you can use the Azure PowerShell [Invoke-AzRestMethod-Path](/powershell/module/az.accounts/invoke-azrestmethod) cmdlet.

+```azurepowershell

+Invoke-AzRestMethod-Path

+ "/subscriptions/subscriptionId/resourceGroups/resourcegroupname/providers/Microsoft.HybridCompute/machines/machinename/assessPatches?api-version=2020-08-15-preview"

+ -Payload '{}' -Method POST

+```

+## Update deployment

+To trigger an update deployment to your Azure Arc-enabled server, specify the following POST request:

+```rest

+POST on `subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.HybridCompute/machines/machineName/installPatches?api-version=2020-08-15-preview`

+```

+#### Request body

+The following table describes the elements of the request body:

+| Property | Description |

+|-|-|

+| `maximumDuration` | Maximum amount of time in minutes the OS update operation can take. It must be an ISO 8601-compliant duration string such as `PT100M`. |

+| `rebootSetting` | Flag to state if you should reboot the machine and if the Guest OS update installation needs it for completion. Acceptable values are: `IfRequired, NeverReboot, AlwaysReboot`. |

+| `windowsParameters` | Parameter options for Guest OS update on machine running a supported Microsoft Windows Server operating system. |

+| `windowsParameters - classificationsToInclude` | List of categories or classifications of OS updates to apply, as supported and provided by Windows Server OS. Acceptable values are: `Critical, Security, UpdateRollUp, FeaturePack, ServicePack, Definition, Tools, Update` |

+| `windowsParameters - kbNumbersToInclude` | List of Windows Update KB IDs that are available to the machine and that you need install. If you've included any 'classificationsToInclude', the KBs available in the category are installed. 'kbNumbersToInclude' is an option to provide list of specific KB IDs over and above that you want to get installed. For example: `1234` |

+| `windowsParameters - kbNumbersToExclude` | List of Windows Update KB Ids that are available to the machine and that should **not** be installed. If you've included any 'classificationsToInclude', the KBs available in the category will be installed. 'kbNumbersToExclude' is an option to provide list of specific KB IDs that you want to ensure don't get installed. For example: `5678` |

+| `linuxParameters` | Parameter options for Guest OS update when machine is running supported Linux distribution |

+| `linuxParameters - classificationsToInclude` | List of categories or classifications of OS updates to apply, as supported & provided by Linux OS's package manager used. Acceptable values are: `Critical, Security, Others`. For more information, see [Linux package manager and OS support](./support-matrix.md#supported-operating-systems). |

+| `linuxParameters - packageNameMasksToInclude` | List of Linux packages that are available to the machine and need to be installed. If you've included any 'classificationsToInclude', the packages available in the category will be installed. 'packageNameMasksToInclude' is an option to provide list of packages over and above that you want to get installed. For example: `mysql, libc=1.0.1.1, kernel*` |

+| `linuxParameters - packageNameMasksToExclude` | List of Linux packages that are available to the machine and should **not** be installed. If you've included any 'classificationsToInclude', the packages available in the category will be installed. 'packageNameMasksToExclude' is an option to provide list of specific packages that you want to ensure don't get installed. For example: `mysql, libc=1.0.1.1, kernel*` |

+# [Azure REST API](#tab/rest)

+To specify the POST request, you can use the following Azure REST API call with valid parameters and values.

+```rest

+POST on 'subscriptions/subscriptionI/resourceGroups/resourceGroupName/providers/Microsoft.HybridCompute/machines/machineName/installPatches?api-version=2020-08-15-preview

+{

+ "maximumDuration": "PT120M",

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "UpdateRollup",

+ "FeaturePack",

+ "ServicePack"

+ ],

+ "kbNumbersToInclude": [

+ "11111111111",

+ "22222222222222"

+ ],

+ "kbNumbersToExclude": [

+ "333333333333",

+ "55555555555"

+ ]

+ }

+ }'

+```

+# [Azure CLI](#tab/azurecli)

+To specify the POST request, you can use the Azure CLI [az rest](/cli/azure/reference-index#az_rest) command.

+```azurecli

+az rest --method post --url https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/Test/providers/Microsoft.HybridCompute/machines/WIN-8/installPatches?api-version=2020-08-15-preview @body.json

+```

+The format of the request body for version 2020-08-15 is as follows:

+```json

+{

+ "maximumDuration": "PT120M",

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "UpdateRollup",

+ "FeaturePack",

+ "ServicePack"

+ ],

+ "kbNumbersToInclude": [

+ "11111111111",

+ "22222222222222"

+ ],

+ "kbNumbersToExclude": [

+ "333333333333",

+ "55555555555"

+ ]

+ }

+ }

+```

+# [Azure PowerShell](#tab/azurepowershell)

+To specify the POST request, you can use the Azure PowerShell [Invoke-AzRestMethod](/powershell/module/az.accounts/invoke-azrestmethod) cmdlet.

+```azurepowershell

+Invoke-AzRestMethod

+-Path "/subscriptions/subscriptionId/resourceGroups/resourcegroupname/providers/Microsoft.HybridCompute/machines/machinename/installPatches?api-version=2020-08-15-preview"

+-Payload '{

+ "maximumDuration": "PT120M",

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "UpdateRollup",

+ "FeaturePack",

+ "ServicePack"

+ ],

+ "kbNumbersToInclude": [

+ "11111111111",

+ "22222222222222"

+ ],

+ "kbNumbersToExclude": [

+ "333333333333",

+ "55555555555"

+ ]

+ }

+ }'

+ -Method POST

+```

+## Create a maintenance configuration schedule

+To create a maintenance configuration schedule, specify the following PUT request:

+```rest

+PUT on `/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Maintenance/maintenanceConfigurations/<maintenanceConfigurationsName>?api-version=2021-09-01-preview`

+```

+#### Request body

+The following table describes the elements of the request body:

+| Property | Description |

+|-|-|

+| `id` | Fully qualified identifier of the resource |

+| `location` | Gets or sets location of the resource |

+| `name` | Name of the resource |

+| `properties.extensionProperties` | Gets or sets extensionProperties of the maintenanceConfiguration |

+| `properties.maintenanceScope` | Gets or sets maintenanceScope of the configuration |

+| `properties.maintenanceWindow.duration` | Duration of the maintenance window in HH:mm format. If not provided, default value will be used based on maintenance scope provided. Example: 05:00. |

+| `properties.maintenanceWindow.expirationDateTime` | Effective expiration date of the maintenance window in YYYY-MM-DD hh:MM format. The window is created in the time zone provided to daylight savings according to that time zone. You must set the expiration date to a future date. If not provided, it will be set to the maximum datetime 9999-12-31 23:59:59. |

+| `properties.maintenanceWindow.recurEvery` | Rate at which a Maintenance window is expected to recur. The rate can be expressed as daily, weekly, or monthly schedules. You can format daily schedules as recurEvery: [Frequency as integer]['Day(s)']. If no frequency is provided, the default frequency is 1. Daily schedule examples are recurEvery: Day, recurEvery: 3Days. Weekly schedule are formatted as recurEvery: [Frequency as integer]['Week(s)'] [Optional comma separated list of weekdays Monday-Sunday]. Weekly schedule examples are recurEvery: 3Weeks, recurEvery: Week Saturday, Sunday. You can format monthly schedules as [Frequency as integer]['Month(s)'] [Comma separated list of month days] or [Frequency as integer]['Month(s)'] [Week of Month (First, Second, Third, Fourth, Last)] [Weekday Monday-Sunday]. Monthly schedule examples are recurEvery: Month, recurEvery: 2Months, recurEvery: Month day23, day24, recurEvery: Month Last Sunday, recurEvery: Month Fourth Monday. |

+| `properties.maintenanceWindow.startDateTime` | Effective start date of the maintenance window in YYYY-MM-DD hh:mm format. You can set the start date to either the current date or future date. The window will be created in the time zone provided and adjusted to daylight savings according to that time zone. |

+| `properties.maintenanceWindow.timeZone` | Name of the timezone. You can obtain the list of timezones by executing [System.TimeZoneInfo]:GetSystemTimeZones() in PowerShell. Example: Pacific Standard Time, UTC, W. Europe Standard Time, Korea Standard Time, Cen. Australia Standard Time. |

+| `properties.namespace` | Gets or sets namespace of the resource |

+| `properties.visibility` | Gets or sets the visibility of the configuration. The default value is 'Custom' |

+| `systemData` | Azure Resource Manager metadata containing createdBy and modifiedBy information. |

+| `tags` | Gets or sets tags of the resource |

+| `type` | Type of the resource |

+# [Azure REST API](#tab/rest)

+To specify the POST request, you can use the following Azure REST API call with valid parameters and values.

+```rest

+PUT on '/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourceGroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestAdv2?api-version=2021-09-01-preview

+{

+ "location": "eastus2euap",

+ "properties": {

+ "namespace": null,

+ "extensionProperties": {

+ "InGuestPatchMode" : "User"

+ },

+ "maintenanceScope": "InGuestPatch",

+ "maintenanceWindow": {

+ "startDateTime": "2021-08-21 01:18",

+ "expirationDateTime": "2221-05-19 03:30",

+ "duration": "01:30",

+ "timeZone": "India Standard Time",

+ "recurEvery": "Day"

+ },

+ "visibility": "Custom",

+ "installPatches": {

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "Critical",

+ "UpdateRollup"

+ ]

+ },

+ "linuxParameters": {

+ "classificationsToInclude": [

+ "Other"

+ ]

+ }

+ }

+ }

+}'

+```

+# [Azure CLI](#tab/azurecli)

+```azurecli-interactive

+az maintenance configuration create \

+ --resource-group myMaintenanceRG \

+ --resource-name myConfig \

+ --maintenance-scope InGuestPatch \

+ --location eastus \

+ --maintenance-window-duration "02:00" \

+ --maintenance-window-recur-every "20days" \

+ --maintenance-window-start-date-time "2022-12-30 07:00" \

+ --maintenance-window-time-zone "Pacific Standard Time" \

+ --install-patches-linux-parameters package-name-masks-to-exclude="ppt" package-name-masks-to-include="apt" classifications-to-include="Other" \

+ --install-patches-windows-parameters kb-numbers-to-exclude="KB123456" kb-numbers-to-include="KB123456" classifications-to-include="FeaturePack" \

+ --reboot-setting "IfRequired" \

+ --extension-properties InGuestPatchMode="User"

+```

+# [Azure PowerShell](#tab/azurepowershell)

+You can use the `New-AzMaintenanceConfiguration` cmdlet to create your configuration.

+```azurepowershell-interactive

+New-AzMaintenanceConfiguration

+ -ResourceGroup $RGName `

+ -Name $configName `

+ -MaintenanceScope $scope `

+ -Location $location `

+ -StartDateTime $startDateTime `

+ -TimeZone $timeZone `

+ -Duration $duration `

+ -RecurEvery $recurEvery `

+ -WindowParameterClassificationToInclude $WindowsParameterClassificationToInclude `

+ -WindowParameterKbNumberToInclude $WindowParameterKbNumberToInclude `

+ -WindowParameterKbNumberToExclude $WindowParameterKbNumberToExclude `

+ -InstallPatchRebootSetting $RebootOption `

+ -LinuxParameterPackageNameMaskToInclude $LinuxParameterPackageNameMaskToInclude `

+ -LinuxParameterClassificationToInclude $LinuxParameterClassificationToInclude `

+ -LinuxParameterPackageNameMaskToExclude $LinuxParameterPackageNameMaskToExclude `

+ -ExtensionProperty @{"InGuestPatchMode"="User"}

+```

+## Associate a VM with a schedule

+To associate a VM with a maintenance configuration schedule, specify the following PUT request:

+```rest

+PUT on `<ARC or Azure VM resourceId>/providers/Microsoft.Maintenance/configurationAssignments/<configurationAssignment name>?api-version=2021-09-01-preview`

+```

+# [Azure REST API](#tab/rest)

+To specify the PUT request, you can use the following Azure REST API call with valid parameters and values.

+```rest

+PUT on '/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourceGroups/atscalepatching/providers/Microsoft.Compute/virtualMachines/win-atscalepatching-1/providers/Microsoft.Maintenance/configurationAssignments/TestAzureInGuestAdv?api-version=2021-09-01-preview

+{

+ "properties": {

+ "maintenanceConfigurationId": "/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourcegroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestIntermediate2"

+ },

+ "location": "eastus2euap"

+}'

+```

+# [Azure CLI](#tab/azurecli)

+```azurecli-interactive

+az maintenance assignment create \

+ --resource-group myMaintenanceRG \

+ --location eastus \

+ --resource-name myVM \

+ --resource-type virtualMachines \

+ --provider-name Microsoft.Compute \

+ --configuration-assignment-name myConfig \

+ --maintenance-configuration-id "/subscriptions/{subscription ID}/resourcegroups/myMaintenanceRG/providers/Microsoft.Maintenance/maintenanceConfigurations/myConfig"

+```

+# [Azure PowerShell](#tab/azurepowershell)

+```azurepowershell-interactive

+New-AzConfigurationAssignment `

+ -ResourceGroupName "myResourceGroup" `

+ -Location "eastus" `

+ -ResourceName "myGuest" `

+ -ResourceType "VirtualMachines" `

+ -ProviderName "Microsoft.Compute" `

+ -ConfigurationAssignmentName "configName" `

+ -MaintenanceConfigurationId "configID"

+```

+## Remove machine from the schedule

+To remove a machine from the schedule, get all the configuration assignment names for the machine that you have created to associate the machine with the current schedule from the Azure Resource Graph as listed:

+```kusto

+maintenanceresources

+| where type =~ "microsoft.maintenance/configurationassignments"

+| where properties.maintenanceConfigurationId =~ "<maintenance configuration Resource ID>"

+| where properties.resourceId =~ "<Machine Resource Id>"

+| project name, id

+```

+After you obtain the name from above, delete the configuration assignment by following the DELETE request -

+```rest

+DELETE on `<ARC or Azure VM resourceId>/providers/Microsoft.Maintenance/configurationAssignments/<configurationAssignment name>?api-version=2021-09-01-preview`

+```

+## Next steps

+* To view update assessment and deployment logs generated by Update Manager, see [query logs](query-logs.md).

+* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) Update Manager.

+ Title: Manage various operations of Dynamic Scoping.

+description: This article describes how to manage Dynamic Scoping operations

+# Manage a Dynamic scope

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article describes how to view, add, edit and delete a dynamic scope.

+## Add a Dynamic scope

+To add a Dynamic scope to an existing configuration, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Update Manager**.

+1. Select **Machines** > **Browse maintenance configurations** > **Maintenance configurations**.

+1. In the **Maintenance configurations** page, select the name of the maintenance configuration for which you want to add a Dynamic scope.

+1. In the given maintenance configuration page > select **Dynamic scopes** > **Add a dynamic scope**.

+1. In the **Add a dynamic scope** page, select **subscriptions**(mandatory).

+1. In **Filter by**, choose **Select** and in the **Select Filter by**, specify the Resource group, Resource type, Location, Tags and OS type and then select **Ok**. These filters are optional fields.

+1. In the **Preview of machines based on above scope**, you can view the list of machines for the selected criteria and then select **Add**.

+ > [!NOTE]

+ > The list of machines may be different at run time.

+1. In the **Configure Azure VMs for schedule updates** page, select any one of the following options to provide your consent:

+ 1. **Change the required options to ensure schedule supportability** - this option confirms that you want to update the patch orchestration from existing option to *Customer Managed Schedules*: This updates the following two properties on your behalf:

+

+ - *Patch mode = AutomaticByPlatform*

+ - *Set the BypassPlatformSafetyChecksOnUserSchedule = True*.

+ 1. **Continue with supported machines only** - this option confirms that you want to proceed with only the machines that already have patch orchestration set to *Customer Managed Schedules*.

+

+ > [!NOTE]

+ > In the **Preview of machines based on above scope** page, you can view only the machines that don't have patch orchestration set to *Customer Managed Schedules*.

+1. Select **Save** to go back to the Dynamic scopes tab. In this tab, you can view and edit the Dynamic scope that you have created.

+## View Dynamic scope

+To view the list of Dynamic scopes associated to a given maintenance configuration, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Update Manager**.

+1. Select **Machines** > **Browse maintenance configurations** > **Maintenance configurations**.

+1. In the **Maintenance configurations** page, select the name of the maintenance configuration for which you want to view the Dynamic scope.

+1. In the given maintenance configuration page, select **Dynamic scopes** to view all the Dynamic scopes that are associated with the maintenance configuration.

+## Edit a Dynamic scope

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Update Manager**.

+1. Select **Machines** > **Browse maintenance configurations** > **Maintenance configurations**.

+1. In the **Maintenance configurations** page, select the name of the maintenance configuration for which you want to edit an existing Dynamic scope.

+1. In the given maintenance configuration page > select **Dynamic scopes** and select the scope you want to edit. Under **Actions** column, select the edit icon.

+1. In the **Edit Dynamic scope**, select the edit icon in the **Filter By** to edit the filters as needed and select **Ok**.

+ > [!NOTE]

+ > Subscription is mandatory for the creation of dynamic scope and you can't edit it after the dynamic scope is created.

+1. Select **Save**.

+## Delete a Dynamic scope

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Update Manager**.

+1. Select **Machines** > **Browse maintenance configurations** > **Maintenance configurations**.

+1. In the **Maintenance configurations** page, select the name of the maintenance configuration for which you want to edit an existing Dynamic scope.

+1. In the given maintenance configuration page > select **Dynamic scopes** and select the scope you want to delete. Select **Remove dynamic scope** and then select **Ok**.

+## View patch history of a Dynamic scope

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Update Manager**.

+1. Select **History** > **Browse maintenance configurations** > **Maintenance configurations** to view the patch history of a dynamic scope.

+## Provide consent to apply updates

+Obtaining consent to apply updates is an important step in the workflow of dynamic scoping and listed are the various ways to provide consent.

+#### [From Virtual Machine](#tab/vm)

+1. In [Azure portal](https://portal.azure.com), go to **+Create a resource** > **Virtual machine** > **Create**.

+1. In **Create a virtual machine**, select **Management** tab and under the **Guest OS Updates**, in **Patch orchestration options**, you can do the following:

+ 1. Select **Azure-orchestrated with user managed schedules (Preview)** to confirm that:

+ - Patch Orchestration is set to *Azure orchestration*

+ - Set the Bypass platform safety checks on user schedule = *True*.

+ The selection allows you to provide consent to apply the update settings, ensures that auto patching isn't applied and that patching on the VM(s) runs as per the schedule you've defined.

+1. Complete the details under **Monitoring**, **Advanced** and **Tags** tabs.

+1. Select **Review + Create** and under the **Management** you can view the values as **Periodic assessment** - *Off* and **Patch orchestration options** - *Azure-orchestrated with user managed schedules (Preview)*.

+1. Select **Create**.

+

+#### [From Schedule updates tab](#tab/sc)

+1. Follow the steps from 1 to 5 listed in [Add a Dynamic scope](#add-a-dynamic-scope).

+1. In **Machines** tab, select **Add machine**, In **Select resources** page, select the machines and select **Add**

+1. In **Configure Azure VMs for schedule updates**, select **Continue to schedule updates** option to confirm that:

+ - Patch Orchestration is set to *Azure orchestration*

+ - Set the Bypass platform safety checks on user schedule = *True*.

+1. Select **Continue to schedule updates** to update the patch mode as **Azure-orchestrated** and enable the scheduled patching for the VMs after obtaining the consent.

+#### [From Update Settings](#tab/us)

+1. In **Azure Update Manager**, go to **Overview** > **Update settings**.

+1. In **Change Update settings**, select **+Add machine** to add the machines.

+1. In the list of machines sorted as per the operating system, go to the **Patch orchestration** option and select **Azure-orchestrated with user managed schedules (Preview)** to confirm that:

+ - Patch Orchestration is set to *Azure orchestration*

+ - Set the Bypass platform safety checks on user schedule = *True*

+1. Select **Save**.

+ The selection made in this workflow automatically applies the update settings and no consent is explicitly obtained.

+## Next steps

+* [View updates for single machine](view-updates.md)

+* [Deploy updates now (on-demand) for single machine](deploy-updates.md)

+* [Schedule recurring updates](scheduled-patching.md)

+* [Manage update settings via Portal](manage-update-settings.md)

+* [Manage multiple machines using update Manager](manage-multiple-machines.md)

+ Title: Manage multiple machines in Azure Update Manager

+description: This article explains how to use Azure Update Manager in Azure to manage multiple supported machines and view their compliance state in the Azure portal.

+# Manage multiple machines with Azure Update Manager

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+> [!IMPORTANT]

+> - For a seamless scheduled patching experience, we recommend that for all Azure VMs, you update the patch orchestration to **Customer Managed Schedules**. If you fail to update the patch orchestration, you can experience a disruption in business continuity because the schedules will fail to patch the VMs.[Learn more](prerequsite-for-schedule-patching.md).

+This article describes the various features that Azure Update Manager offers to manage the system updates on your machines. By using the Update Manager, you can:

+- Quickly assess the status of available operating system updates.

+- Deploy updates.

+- Set up a recurring update deployment schedule.

+- Get insights on the number of machines managed.

+- Obtain information on how they're managed and other relevant details.

+Instead of performing these actions from a selected Azure VM or Azure Arc-enabled server, you can manage all your machines in the Azure subscription.

+## View update Manager status

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. To view update assessment across all machines, including Azure Arc-enabled servers navigate to **Azure Update Manager**.

+ :::image type="content" source="./media/manage-multiple-machines/overview-page-inline.png" alt-text="Screenshot that shows the Update Manager Overview page in the Azure portal." lightbox="./media/manage-multiple-machines/overview-page-expanded.png":::

+

+ On the **Overview** page, the summary tiles show the following status:

+ - **Filters**: Use filters to focus on a subset of your resources. The selectors above the tiles return **Subscription**, **Resource group**, **Resource type** (Azure VMs and Azure Arc-enabled servers), **Location**, and **OS** type (Windows or Linux) based on the Azure role-based access rights you've been granted. You can combine filters to scope to a specific resource.

+ - **Update status of machines**: Shows the update status information for assessed machines that had applicable or needed updates. You can filter the results based on classification types. By default, all [classifications](../automation/update-management/overview.md#update-classifications) are selected. According to the classification selection, the tile is updated.

+ The graph provides a snapshot for all your machines in your subscription, regardless of whether you've used Update Manager for that machine. This assessment data comes from Azure Resource Graph, and it stores the data for seven days.

+ From the assessment data available, machines are classified into the following categories:

+ - **No updates available**: No updates are pending for these machines and these machines are up to date.

+ - **Updates available**: Updates are pending for these machines and these machines aren't up to date.

+ - **Reboot required**: Pending a reboot for the updates to take effect.

+ - **No updates data**: No assessment data is available for these machines.

+

+ The following reasons could explain why there's no assessment data:

+ - No assessment has been done over the last seven days.

+ - The machine has an unsupported OS.

+ - The machine is in an unsupported region and you can't perform an assessment.

+ - **Patch orchestration configuration of Azure virtual machines**: All the Azure machines inventoried in the subscription are summarized by each update orchestration method. Values are:

+ - **Customer Managed Schedules**ΓÇöenables schedule patching on your existing VMs.

+ - **Azure Managed - Safe Deployment**ΓÇöthis mode enables automatic VM guest patching for the Azure virtual machine. Subsequent patch installation is orchestrated by Azure.

+ - **Image Default**ΓÇöfor Linux machines, it uses the default patching configuration.

+ - **OS orchestrated**ΓÇöthe OS automatically updates the machine.

+ - **Manual updates**ΓÇöyou control the application of patches to a machine by applying patches manually inside the machine. In this mode, automatic updates are disabled for Windows OS.

+

+

+

+ For more information about each orchestration method see, [automatic VM guest patching for Azure VMs](../virtual-machines/automatic-vm-guest-patching.md#patch-orchestration-modes).

+ For more information about each orchestration method, see [Automatic VM guest patching for Azure VMs](../virtual-machines/automatic-vm-guest-patching.md#patch-orchestration-modes).

+ - **Update installation status**: By default, the tile shows the status for the last 30 days. By using the **Time** picker, you can choose a different range. The values are:

+ - **Failed**: One or more updates in the deployment have failed.

+ - **Completed**: The deployment ends successfully by the time range selected.

+ - **Completed with warnings**: The deployment is completed successfully but had warnings.

+ - **In progress**: The deployment is currently running.

+- Select **Update status of machines** or **Patch orchestration configuration of Azure virtual machines** to go to the **Machines** page.

+- Select **Update installation status** to go to the **History** page.

+- **Pending Windows updates**: Status of pending updates for Windows machines in your subscription.

+- **Pending Linux updates**: Status of pending updates for Linux machines in your subscription.

+## Summary of machine status

+Update Manager in Azure enables you to browse information about your Azure VMs and Arc-enabled servers across your Azure subscriptions relevant to Update Manager. The section shows how you can filter information to understand the update status of your machine resources, and for multiple machines, initiate an update assessment, update deployment, and manage their update settings.

+ In the Azure Update Manager page, select **Machines** from the left menu.

+ On the **Update Manager** page, select **Machines** from the left menu.

+ :::image type="content" source="./media/manage-multiple-machines/update-center-machines-page-inline.png" alt-text="Screenshot that shows the Update Manager Machines page in the Azure portal." lightbox="./media/manage-multiple-machines/update-center-machines-page-expanded.png":::

+ The table lists all the machines in the specified subscription, and for each machine it helps you understand the following details that show up based on the latest assessment:

+ * **Customer Managed Schedules**ΓÇöenables schedule patching on your existing VMs. The new patch orchestration option enables the two VM properties - **Patch mode = Azure-orchestrated** and **BypassPlatformSafetyChecksOnUserSchedule = TRUE** on your behalf after receiving your consent.

+ * **Azure Managed - Safe Deployment**ΓÇöfor a group of virtual machines undergoing an update, the Azure platform will orchestrate updates. The VM is set to [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md).(i.e), the patch mode is **AutomaticByPlatform**.

+ * **Automatic by OS**ΓÇöthe machine is automatically updated by the OS.

+ * **Image Default**ΓÇöfor Linux machines, its default patching configuration is used.

+ * **Manual**ΓÇöyou control the application of patches to a machine by applying patches manually inside the machine. In this mode automatic updates are disabled for Windows OS.

+

+The **Patch orchestration** column in the machine's patch mode has the following values:

+ * **Customer Managed Schedules (preview)**: Enables schedule patching on your existing VMs. The new patch orchestration option enables the two VM properties: `Patch mode = Azure-orchestrated` and `BypassPlatformSafetyChecksOnUserSchedule = TRUE` on your behalf after receiving your consent.

+ * **Azure Managed - Safe Deployment**: For a group of virtual machines undergoing an update, the Azure platform orchestrates updates. The VM is set to [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md). For example, the patch mode is `AutomaticByPlatform`.

+ * **Automatic by OS**: The machine is automatically updated by the OS.

+ * **Image default**: For Linux machines, its default patching configuration is used.

+ * **Manual**: You control the application of patches to a machine by applying patches manually inside the machine. In this mode, automatic updates are disabled for Windows OS.

+**The machine's status**: For an Azure VM, it shows its [power state](../virtual-machines/states-billing.md#power-states-and-billing). For an Azure Arc-enabled server, it shows if it's connected or not.

+Use filters to focus on a subset of your resources. The selectors above the tiles return subscriptions, resource groups, resource types (that is, Azure VMs and Azure Arc-enabled servers), and regions. They're based on the Azure role-based access rights you've been granted. You can combine filters to scope to a specific resource.

+The summary tiles at the top of the page summarize the number of machines that have been assessed and their update status.

+To manage the machine's update settings, see [Manage update configuration settings](manage-update-settings.md).

+### Check for updates

+For machines that haven't had a compliance assessment scan for the first time, you can select one or more of them from the list. Then select **Check for updates**. You receive status messages as the configuration is performed.

+ :::image type="content" source="./media/manage-multiple-machines/update-center-assess-now-multi-selection-inline.png" alt-text="Screenshot that shows initiating a scan assessment for selected machines with the Check for updates option." lightbox="./media/manage-multiple-machines/update-center-assess-now-multi-selection-expanded.png":::

+ Otherwise, a compliance scan begins and the results are forwarded and stored in Azure Resource Graph. This process takes several minutes. When the assessment is finished, a confirmation message appears on the page.

+ :::image type="content" source="./media/manage-multiple-machines/update-center-assess-now-complete-banner-inline.png" alt-text="Screenshot that shows an assessment banner on the Manage Machines page." lightbox="./media/manage-multiple-machines/update-center-assess-now-complete-banner-expanded.png":::

+Select a machine from the list to open Update Manager scoped to that machine. Here, you can view its detailed assessment status and update history, configure its patch orchestration options, and begin an update deployment.

+### Deploy the updates

+For assessed machines that are reporting updates available, select one or more of the machines from the list and begin an update deployment that starts immediately. Select the machine and go to **One-time update**.

+ :::image type="content" source="./media/manage-multiple-machines/update-center-install-updates-now-multi-selection-inline.png" alt-text="Screenshot that shows installing one-time updates for machines on the Updates (Preview) page." lightbox="./media/manage-multiple-machines/update-center-install-updates-now-multi-selection-expanded.png":::

+ A notification confirms when an activity starts and another tells you when it's finished. After it's successfully finished, the installation operation results are available to view. You can use the **Update history** tab, when you select the machine from the **Machines** page. You can also select the **History** page. You're redirected to this page automatically after you begin the update deployment. You can view the status of the operation at any time from the [Azure activity log](../azure-monitor/essentials/activity-log.md).

+### Set up a recurring update deployment

+You can create a recurring update deployment for your machines. Select your machine and select **Scheduled updates**. A [Create new maintenance configuration](scheduled-patching.md) flow opens.

+## Update deployment history

+Update Manager enables you to browse information about your Azure VMs and Azure Arc-enabled servers across your Azure subscriptions relevant to Update Manager. You can filter information to understand the update assessment and deployment history for multiple machines. On the **Update Manager** page, select **History** from the left menu.

+## Update deployment history by machines

+The update deployment history provides a summarized status of update and assessment actions performed against your Azure VMs and Azure Arc-enabled servers. You can also drill into a specific machine to view update-related details and manage it directly. You can review the detailed update or assessment history for the machine and other related details in the table.

+Each record shows:

+ - **Machine Name**

+ - **Status**

+ - **Update installed**

+ - **Update operation**

+ - **Operation type**

+ - **Operation start time**

+ - **Resource Type**

+ - **Tags**

+ - **Last assessed time**

+## Update deployment history by maintenance run ID

+On the **History** page, select **By maintenance run ID** to view the history of the maintenance run schedules.

+ :::image type="content" source="./media/manage-multiple-machines/update-center-history-by-maintenance-run-id-inline.png" alt-text="Screenshot that shows the update center History page By maintenance run ID in the Azure portal." lightbox="./media/manage-multiple-machines/update-center-history-by-maintenance-run-id-expanded.png":::

+Each record shows:

+- **Maintenance run ID**

+- **Status**

+- **Updated machines**

+- **Maintenance Configuration**

+- **Operation start time**

+- **Operation end time**

+When you select any one maintenance run ID record, you can view an expanded status of the maintenance run. It contains information about machines and updates. It includes the number of machines that were updated and updates installed on them. A pie chart shows the status of each of the machines. At the end of the page, a list view shows both machines and updates that were a part of this maintenance run.

+ :::image type="content" source="./media/manage-multiple-machines/update-center-maintenance-run-record-inline.png" alt-text="Screenshot that shows a maintenance run ID record." lightbox="./media/manage-multiple-machines/update-center-maintenance-run-record-expanded.png":::

+### Resource Graph

+The update assessment and deployment data are available for querying in Azure Resource Graph. You can apply this data to scenarios that include security compliance, security operations, and troubleshooting. Select **Go to resource graph** to go to the Azure Resource Graph Explorer. It enables running Resource Graph queries directly in the Azure portal. Resource Graph supports the Azure CLI, Azure PowerShell, Azure SDK for Python, and more. For more information, see [First query with Azure Resource Graph Explorer](../governance/resource-graph/first-query-portal.md).

+When the Resource Graph Explorer opens, it's automatically populated with the same query used to generate the results presented in the table on the **History** page in Update Manager. Ensure that you review [Overview of query logs in Azure Update Manager](query-logs.md) to learn about the log records and their properties, and the sample queries included.

+## Next steps

+* To set up and manage recurring deployment schedules, see [Schedule recurring updates](scheduled-patching.md).

+* To view update assessment and deployment logs generated by Update Manager, see [Query logs](query-logs.md).

+ Title: Manage update configuration settings in Azure Update Manager

+description: The article describes how to manage the update settings for your Windows and Linux machines managed by Azure Update Manager.

+# Manage update configuration settings

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article describes how to configure update settings from Azure Update Manager to control the update settings on your Azure virtual machines (VMs) and Azure Arc-enabled servers for one or more machines.

+## Configure settings on a single VM

+To configure update settings on your machines on a single VM:

+You can schedule updates from **Overview** or **Machines** on the **Update Manager** page or from the selected VM.

+>[!NOTE]

+> You can schedule updates from the Overview blade or Machines blade in Update Manager page or from the selected VM.

+# [From Overview blade](#tab/manage-single-overview)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In **Azure Update Manager**, select **Overview**, select your **Subscription**, and select **Update settings**.

+1. In **Change update settings**, select **+Add machine** to select the machine for which you want to change the update settings.

+1. In **Select resources**, select the machine and select **Add**.

+1. In the **Change update settings** page, you will see the machine classified as per the operating system with the list of following updates that you can select and apply.

+ :::image type="content" source="./media/manage-update-settings/update-setting-to-change.png" alt-text="Screenshot that shows highlighting the Update settings to change option in the Azure portal.":::

+

+ The following update settings are available for configuration for the selected machines:

+ - **Periodic assessment**: The periodic assessment is set to run every 24 hours. You can either enable or disable this setting.

+ - **Hotpatch**: You can enable [hotpatching](../automanage/automanage-hotpatch.md) for Windows Server Azure Edition VMs. Hotpatching is a new way to install updates on supported Windows Server Azure Edition VMs that doesn't require a reboot after installation. You can use Update Manager to install other patches by scheduling patch installation or triggering immediate patch deployment. You can enable, disable, or reset this setting.

+ - **Patch orchestration** option provides:

+

+ - **Customer Managed Schedules**ΓÇöenables schedule patching on your existing VMs. The new patch orchestration option enables the two VM properties - **Patch mode = Azure-orchestrated** and **BypassPlatformSafetyChecksOnUserSchedule = TRUE** on your behalf after receiving your consent.

+ - **Azure Managed - Safe Deployment**ΓÇöfor a group of virtual machines undergoing an update, the Azure platform will orchestrate updates. (not applicable for Arc-enabled server). The VM is set to [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md).(i.e), the patch mode is **AutomaticByPlatform**. There are different implications depending on whether customer schedule is attached to it or not. For more information, see the [user scenarios](prerequsite-for-schedule-patching.md#user-scenarios).

+ - Available *Critical* and *Security* patches are downloaded and applied automatically on the Azure VM using [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md). This process kicks off automatically every month when new patches are released. Patch assessment and installation are automatic, and the process includes rebooting the VM as required.

+ - **Windows Automatic Updates** (AutomaticByOS) - When the workload running on the VM doesn't have to meet availability targets, the operating system updates are automatically downloaded and installed. Machines are rebooted as needed.

+ - **Manual updates** - This mode disables Windows automatic updates on VMs. Patches are installed manually or using a different solution.

+ - **Image Default** - Only supported for Linux Virtual Machines, this mode uses the default patching configuration in the image used to create the VM.

+1. After you make the selection, select **Save**.

+# [From Machines pane](#tab/manage-single-machines)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In **Azure Update Manager**, select **Machines** > your **subscription**.

+1. Select the checkbox of your machine from the list and select **Update settings**.

+1. Select **Update Settings** to proceed with the type of update for your machine.

+1. On the **Change update settings** pane, select **Add machine** to select the machine for which you want to change the update settings.

+1. On the **Select resources** pane, select the machine and select **Add**. Follow the procedure from step 5 listed in **From Overview pane** of [Configure settings on a single VM](#configure-settings-on-a-single-vm).

+# [From a selected VM](#tab/singlevm-schedule-home)

+1. Select your virtual machine and the **virtual machines | Updates** page opens.

+1. Under **Operations**, select **Updates**.

+1. In **Updates**, select **Update Settings**.

+1. In **Change update settings**, you can select the update settings that you want to change for your machine and follow the procedure from step 3 listed in **From Overview blade** of [Configure settings on single VM](#configure-settings-on-a-single-vm).

+A notification appears to confirm that the update settings are successfully changed.

+## Configure settings at scale

+Follow these steps to configure update settings on your machines at scale.

+> [!NOTE]

+> You can schedule updates from **Overview** or **Machines**.

+# [From Overview blade](#tab/manage-scale-overview)

+

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In **Azure Update Manager**, select **Overview**, select your **Subscription** and select **Update settings**.

+1. In **Change update settings**, select the update settings that you want to change for your machines. Follow the procedure from step 3 listed in **From Overview blade** of [Configure settings on single VM](#configure-settings-on-a-single-vm).

+# [From Machines blade](#tab/manage-scale-machines)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In **Azure Update Manager**, select **Machines** > your **subscription**, and select the checkbox for all your machines from the list.

+1. Select **Update Settings** to proceed with the type of update for your machines.

+1. In **Change update settings**, you can select the update settings that you want to change for your machine. Follow the procedure from step 3 listed in **From Overview pane** of [Configure settings on a single VM](#configure-settings-on-a-single-vm).

+A notification appears to confirm that the update settings are successfully changed.

+## Next steps

+* [View assessment compliance](view-updates.md) and [deploy updates](deploy-updates.md) for a selected Azure VM or Azure Arc-enabled server, or across [multiple machines](manage-multiple-machines.md) in your subscription in the Azure portal.

+* To view update assessment and deployment logs generated by Update Manager, see [Query logs](query-logs.md).

+* To troubleshoot issues, see [Troubleshoot issues with Update Manager](troubleshoot.md).

+ Title: Overview of customized images in Azure Update Manager

+description: This article describes customized image support, how to register and validate customized images for public preview, and limitations.

+# Manage updates for customized images

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article describes customized image support, how to enable a subscription, and limitations.

+> [!NOTE]

+> Currently, schedule patching and periodic assessment on [specialized images](../virtual-machines/linux/imaging.md) and **VMs created by Azure Migrate, Azure Backup, and Azure Site Recovery** are supported in preview.

+## Asynchronous check to validate customized image support

+If you're using Azure Compute Gallery (formerly known as Shared Image Gallery) to create customized images, you can use Update Manager operations such as **Check for updates**, **One-time update**, **Schedule updates**, or **Periodic assessment** to validate if the VMs are supported for guest patching. If the VMs are supported, you can begin patching.

+With marketplace images, support is validated even before Update Manager operation is triggered. Here, there are no preexisting validations in place and the Update Manager operations are triggered. Only their success or failure determines support.

+For instance, an assessment call attempts to fetch the latest patch that's available from the image's OS family to check support. It stores this support-related data in an Azure Resource Graph table, which you can query to see the support status for your Azure Compute Gallery image.

+## Limitations

+The Azure Compute Gallery images are of two types:

+- [Generalized](../virtual-machines/linux/imaging.md#generalized-images) images

+- [Specialized](../virtual-machines/linux/imaging.md#specialized-images) images

+Currently, scheduled patching and periodic assessment on [specialized images](../virtual-machines/linux/imaging.md#specialized-images) and VMs created by Azure Migrate, Azure Backup, and Azure Site Recovery are supported in preview.

+ The following supported scenarios are for both types.

+| Images | Currently supported scenarios | Unsupported scenarios |

+| | | |

+| Azure Compute Gallery: Generalized images | - On-demand assessment </br> - On-demand patching </br> - Periodic assessment </br> - Scheduled patching | Automatic VM guest patching |

+| Azure Compute Gallery: Specialized images | - On-demand assessment </br> - On-demand patching </br> - Periodic assessment (preview) </br> - Scheduled patching (preview) </br> | Automatic VM guest patching |

+| Non-Azure Compute Gallery images (non-SIG)| - On-demand assessment </br> - On-demand patching </br> - Periodic assessment (preview) </br> - Scheduled patching (preview) </br> | Automatic VM guest patching |

+Automatic VM guest patching doesn't work on Azure Compute Gallery images even if Patch orchestration mode is set to `Azure orchestrated/AutomaticByPlatform`. You can use scheduled patching to patch the machines and define your own schedules.

+## Next steps

+[Learn more](support-matrix.md) about supported operating systems.

+ Title: Programmatically manage updates for Azure VMs

+description: This article tells how to use Azure Update Manager in Azure using REST API with Azure virtual machines.

+# How to programmatically manage updates for Azure VMs

+This article walks you through the process of using the Azure REST API to trigger an assessment and an update deployment on your Azure virtual machine with Azure Update Manager in Azure. If you're new to Update Manager and you want to learn more, see [overview of Azure Update Manager](overview.md). To use the Azure REST API to manage Arc-enabled servers, see [How to programmatically work with Arc-enabled servers](manage-arc-enabled-servers-programmatically.md).

+Azure Update Manager in Azure enables you to use the [Azure REST API](/rest/api/azure/) for access programmatically. Additionally, you can use the appropriate REST commands from [Azure PowerShell](/powershell/azure/) and [Azure CLI](/cli/azure/).

+Support for Azure REST API to manage Azure VMs is available through the Update Manager virtual machine extension.

+## Update assessment

+To trigger an update assessment on your Azure VM, specify the following POST request:

+```rest

+POST on `subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.Compute/virtualMachines/virtualMachineName/assessPatches?api-version=2020-12-01`

+```

+# [Azure CLI](#tab/cli)

+To specify the POST request, you can use the Azure CLI [az vm assess-patches](/cli/azure/vm#az-vm-assess-patches) command.

+```azurecli

+az vm assess-patches -g MyResourceGroup -n MyVm

+```

+# [Azure PowerShell](#tab/powershell)

+To specify the POST request, you can use the Azure PowerShell [Invoke-AzVMPatchAssessment](/powershell/module/az.compute/invoke-azvmpatchassessment) cmdlet.

+```azurepowershell

+Invoke-AzVMPatchAssessment -ResourceGroupName "myRG" -VMName "myVM"

+```

+## Update deployment

+To trigger an update deployment to your Azure VM, specify the following POST request:

+```rest

+POST on `subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.Compute/virtualMachines/virtualMachineName/installPatches?api-version=2020-12-01`

+```

+#### Request body

+The following table describes the elements of the request body:

+| Property | Description |

+|-|-|

+| `maximumDuration` | Maximum amount of time that the operation runs. It must be an ISO 8601-compliant duration string such as `PT4H` (4 hours). |

+| `rebootSetting` | Flag to state if machine should be rebooted and if Guest OS update installation requires it for completion. Acceptable values are: `IfRequired, NeverReboot, AlwaysReboot`. |

+| `windowsParameters` | Parameter options for Guest OS update on Azure VMs running a supported Microsoft Windows Server operating system. |

+| `windowsParameters - classificationsToInclude` | List of categories/classifications to be used for selecting the updates to be installed on the machine. Acceptable values are: `Critical, Security, UpdateRollUp, FeaturePack, ServicePack, Definition, Tools, Updates` |

+| `windowsParameters - kbNumbersToInclude` | List of Windows Update KB Ids that should be installed. All updates belonging to the classifications provided in `classificationsToInclude` list will be installed. `kbNumbersToInclude` is an optional list of specific KBs to be installed in addition to the classifications. For example: `1234` |

+| `windowsParameters - kbNumbersToExclude` | List of Windows Update KB Ids that should **not** be installed. This parameter overrides `windowsParameters - classificationsToInclude`, meaning a Windows Update KB ID specified here won't be installed even if it belongs to the classification provided under `classificationsToInclude` parameter. |

+| `linuxParameters` | Parameter options for Guest OS update on Azure VMs running a supported Linux server operating system. |

+| `linuxParameters - classificationsToInclude` | List of categories/classifications to be used for selecting the updates to be installed on the machine. Acceptable values are: `Critical, Security, Other` |

+| `linuxParameters - packageNameMasksToInclude` | List of Linux packages that should be installed. All updates belonging to the classifications provided in `classificationsToInclude` list will be installed. `packageNameMasksToInclude` is an optional list of package names to be installed in addition to the classifications. For example: `mysql, libc=1.0.1.1, kernel*` |

+| `linuxParameters - packageNameMasksToExclude` | List of updates that should **not** be installed. This parameter overrides `linuxParameters - packageNameMasksToExclude`, meaning a package specified here won't be installed even if it belongs to the classification provided under `classificationsToInclude` parameter. |

+# [Azure REST API](#tab/rest)

+To specify the POST request, you can use the following Azure REST API call with valid parameters and values.

+```rest

+POST on 'subscriptions/{subscriptionId}/resourceGroups/acmedemo/providers/Microsoft.Compute/virtualMachines/ameacr/installPatches?api-version=2020-12-01

+{

+ "maximumDuration": "PT120M",

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "UpdateRollup",

+ "FeaturePack",

+ "ServicePack"

+ ],

+ "kbNumbersToInclude": [

+ "11111111111",

+ "22222222222222"

+ ],

+ "kbNumbersToExclude": [

+ "333333333333",

+ "55555555555"

+ ]

+ }

+ }'

+```

+# [Azure CLI](#tab/azurecli)

+To specify the POST request, you can use the Azure CLI [az vm install-patches](/cli/azure/vm#az-vm-install-patches) command.

+```azurecli

+az vm install-patches -g MyResourceGroup -n MyVm --maximum-duration PT4H --reboot-setting IfRequired --classifications-to-include-linux Critical

+```

+The format of the request body for version 2020-12-01 is as follows:

+```json

+{

+ "maximumDuration"

+ "rebootSetting"

+ "windowsParameters": {

+ "classificationsToInclude": [

+ ],

+ "kbNumbersToInclude": [

+ ],

+ "kbNumbersToExclude": [

+ ]

+ }

+ }

+```

+# [Azure PowerShell](#tab/azurepowershell)

+To specify the POST request, you can use the Azure PowerShell [Invoke-AzVMInstallPatch](/powershell/module/az.accounts/invoke-azrestmethod) cmdlet.

+```azurepowershell

+Invoke-AzVmInstallPatch -ResourceGroupName 'MyRG' -VmName 'MyVM' -Windows -RebootSetting 'never' -MaximumDuration PT2H -ClassificationToIncludeForWindows Critical

+```

+## Create a maintenance configuration schedule

+To create a maintenance configuration schedule, specify the following PUT request:

+```rest

+PUT on `/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Maintenance/maintenanceConfigurations/<maintenanceConfigurationsName>?api-version=2021-09-01-preview`

+```

+#### Request body

+The following table describes the elements of the request body:

+| Property | Description |

+|-|-|

+| `id` | Fully qualified identifier of the resource |

+| `location` | Gets or sets location of the resource |

+| `name` | Name of the resource |

+| `properties.extensionProperties` | Gets or sets extensionProperties of the maintenanceConfiguration |

+| `properties.maintenanceScope` | Gets or sets maintenanceScope of the configuration |

+| `properties.maintenanceWindow.duration` | Duration of the maintenance window in HH:MM format. If not provided, default value is used based on maintenance scope provided. Example: 05:00. |

+| `properties.maintenanceWindow.expirationDateTime` | Effective expiration date of the maintenance window in YYYY-MM-DD hh:mm format. The window is created in the time zone provided to daylight savings according to that time zone. Expiration date must be set to a future date. If not provided, it's set to the maximum datetime 9999-12-31 23:59:59. |

+| `properties.maintenanceWindow.recurEvery` | Rate at which a maintenance window is expected to recur. The rate can be expressed as daily, weekly, or monthly schedules. Daily schedules are formatted as recurEvery: [Frequency as integer]['Day(s)']. If no frequency is provided, the default frequency is 1. Daily schedule examples are recurEvery: Day, recurEvery: 3Days. Weekly schedules are formatted as recurEvery: [Frequency as integer]['Week(s)'] [Optional comma separated list of weekdays Monday-Sunday]. Weekly schedule examples are recurEvery: 3Weeks, recurEvery: Week Saturday, Sunday. Monthly schedules are formatted as [Frequency as integer]['Month(s)'] [Comma separated list of month days] or [Frequency as integer]['Month(s)'] [Week of Month (First, Second, Third, Fourth, Last)] [Weekday Monday-Sunday]. Monthly schedule examples are recurEvery: Month, recurEvery: 2Months, recurEvery: Month day23, day24, recurEvery: Month Last Sunday, recurEvery: Month Fourth Monday. |

+| `properties.maintenanceWindow.startDateTime` | Effective start date of the maintenance window in YYYY-MM-DD hh:mm format. You can set the start date to either the current date or future date. The window will be created in the time zone provided and adjusted to daylight savings according to that time zone. |

+| `properties.maintenanceWindow.timeZone` | Name of the timezone. List of timezones can be obtained by executing [System.TimeZoneInfo]:GetSystemTimeZones() in PowerShell. Example: Pacific Standard Time, UTC, W. Europe Standard Time, Korea Standard Time, Cen. Australia Standard Time. |

+| `properties.namespace` | Gets or sets namespace of the resource |

+| `properties.visibility` | Gets or sets the visibility of the configuration. The default value is 'Custom' |

+| `systemData` | Azure Resource Manager metadata containing createdBy and modifiedBy information. |

+| `tags` | Gets or sets tags of the resource |

+| `type` | Type of the resource |

+# [Azure REST API](#tab/rest)

+To specify the POST request, you can use the following Azure REST API call with valid parameters and values.

+```rest

+PUT on '/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourceGroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestAdv2?api-version=2021-09-01-preview

+{

+ "location": "eastus2euap",

+ "properties": {

+ "namespace": null,

+ "extensionProperties": {

+ "InGuestPatchMode" : "User"

+ },

+ "maintenanceScope": "InGuestPatch",

+ "maintenanceWindow": {

+ "startDateTime": "2021-08-21 01:18",

+ "expirationDateTime": "2221-05-19 03:30",

+ "duration": "01:30",

+ "timeZone": "India Standard Time",

+ "recurEvery": "Day"

+ },

+ "visibility": "Custom",

+ "installPatches": {

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "Critical",

+ "UpdateRollup"

+ ]

+ },

+ "linuxParameters": {

+ "classificationsToInclude": [

+ "Other"

+ ]

+ }

+ }

+ }

+}'

+```

+# [Azure CLI](#tab/azurecli)

+```azurecli-interactive

+az maintenance configuration create \

+ --resource-group myMaintenanceRG \

+ --resource-name myConfig \

+ --maintenance-scope InGuestPatch \

+ --location eastus \

+ --maintenance-window-duration "02:00" \

+ --maintenance-window-recur-every "20days" \

+ --maintenance-window-start-date-time "2022-12-30 07:00" \

+ --maintenance-window-time-zone "Pacific Standard Time" \

+ --install-patches-linux-parameters package-name-masks-to-exclude="ppt" package-name-masks-to-include="apt" classifications-to-include="Other" \

+ --install-patches-windows-parameters kb-numbers-to-exclude="KB123456" kb-numbers-to-include="KB123456" classifications-to-include="FeaturePack" \

+ --reboot-setting "IfRequired" \

+ --extension-properties InGuestPatchMode="User"

+```

+# [Azure PowerShell](#tab/azurepowershell)

+You can use the `New-AzMaintenanceConfiguration` cmdlet to create your configuration.

+```azurepowershell-interactive

+New-AzMaintenanceConfiguration

+ -ResourceGroup $RGName `

+ -Name $configName `

+ -MaintenanceScope $scope `

+ -Location $location `

+ -StartDateTime $startDateTime `

+ -TimeZone $timeZone `

+ -Duration $duration `

+ -RecurEvery $recurEvery `

+ -WindowParameterClassificationToInclude $WindowsParameterClassificationToInclude `

+ -WindowParameterKbNumberToInclude $WindowParameterKbNumberToInclude `

+ -WindowParameterKbNumberToExclude $WindowParameterKbNumberToExclude `

+ -InstallPatchRebootSetting $RebootOption `

+ -LinuxParameterPackageNameMaskToInclude $LinuxParameterPackageNameMaskToInclude `

+ -LinuxParameterClassificationToInclude $LinuxParameterClassificationToInclude `

+ -LinuxParameterPackageNameMaskToExclude $LinuxParameterPackageNameMaskToExclude `

+ -ExtensionProperty @{"InGuestPatchMode"="User"}

+```

+## Associate a VM with a schedule

+To associate a VM with a maintenance configuration schedule, specify the following PUT request:

+```rest

+PUT on `<ARC or Azure VM resourceId>/providers/Microsoft.Maintenance/configurationAssignments/<configurationAssignment name>?api-version=2021-09-01-preview`

+```

+# [Azure REST API](#tab/rest)

+To specify the PUT request, you can use the following Azure REST API call with valid parameters and values.

+```rest

+PUT on '/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourceGroups/atscalepatching/providers/Microsoft.Compute/virtualMachines/win-atscalepatching-1/providers/Microsoft.Maintenance/configurationAssignments/TestAzureInGuestAdv?api-version=2021-09-01-preview

+{

+ "properties": {

+ "maintenanceConfigurationId": "/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourcegroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestIntermediate2"

+ },

+ "location": "eastus2euap"

+}'

+```

+# [Azure CLI](#tab/azurecli)

+```azurecli-interactive

+az maintenance assignment create \

+ --resource-group myMaintenanceRG \

+ --location eastus \

+ --resource-name myVM \

+ --resource-type virtualMachines \

+ --provider-name Microsoft.Compute \

+ --configuration-assignment-name myConfig \

+ --maintenance-configuration-id "/subscriptions/{subscription ID}/resourcegroups/myMaintenanceRG/providers/Microsoft.Maintenance/maintenanceConfigurations/myConfig"

+```

+# [Azure PowerShell](#tab/azurepowershell)

+```azurepowershell-interactive

+New-AzConfigurationAssignment `

+ -ResourceGroupName "myResourceGroup" `

+ -Location "eastus" `

+ -ResourceName "myGuest" `

+ -ResourceType "VirtualMachines" `

+ -ProviderName "Microsoft.Compute" `

+ -ConfigurationAssignmentName "configName" `

+ -MaintenanceConfigurationId "configID"

+```

+## Remove machine from the schedule

+To remove a machine from the schedule, get all the configuration assignment names for the machine that were created to associate the machine with the current schedule from the Azure Resource Graph as listed:

+```kusto

+maintenanceresources

+| where type =~ "microsoft.maintenance/configurationassignments"

+| where properties.maintenanceConfigurationId =~ "<maintenance configuration Resource ID>"

+| where properties.resourceId =~ "<Machine Resource Id>"

+| project name, id

+```

+After you obtain the name from above, delete the configuration assignment by following the DELETE request -

+```rest

+DELETE on `<ARC or Azure VM resourceId>/providers/Microsoft.Maintenance/configurationAssignments/<configurationAssignment name>?api-version=2021-09-01-preview`

+```

+## Next steps

+* To view update assessment and deployment logs generated by Update Manager, see [query logs](query-logs.md).

+* To troubleshoot issues, see [Troubleshoot](troubleshoot.md) Update Manager.

+ Title: Create reports by using workbooks in Azure Update Manager

+description: This article describes how to create and manage workbooks for VM insights.

+# Create reports in Azure Update Manager

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article describes how to create and edit a workbook and make customized reports.

+## Create a workbook

+1. Sign in to the [Azure portal](https://portal.azure.com) and go to **Azure Update Manager**.

+1. Under **Monitoring**, selectΓÇ»**Update reports** to view the **Update Manager | Update reports | Gallery** page.

+1. Select **Quick start** tile > **Empty**. Alternatively, you can select **New** to create a workbook.

+1. Select **Add** to select any [elements](../azure-monitor/visualize/workbooks-create-workbook.md#create-a-new-azure-workbook) to add to the workbook.

+ :::image type="content" source="./media/manage-workbooks/create-workbook-elements.png" alt-text="Screenshot that shows how to create a workbook by using elements.":::

+1. Select **Done Editing**.

+## Edit a workbook

+1. Sign in to the [Azure portal](https://portal.azure.com) and go to **Azure Update Manager**.

+1. Under **Monitoring**, selectΓÇ»**Update reports** to view **Azure Update Manager | Update reports | Gallery**.

+1. Select the **Azure Update Manager** tile > **Overview** to view the **Azure Update Manager | Update reports | Overview** page.

+1. Select your subscription, and select **Edit** to enable the edit mode for all four options:

+ - **Machines overall status & configuration**

+ - **Updates Data Overview**

+ - **Schedules/Maintenance configurations**

+ - **History of Installation runs**

+ :::image type="content" source="./media/manage-workbooks/edit-workbooks-inline.png" alt-text="Screenshot that shows enabling the edit mode for all the options in workbooks." lightbox="./media/manage-workbooks/edit-workbooks-expanded.png":::

+ You can customize the visualization to create interactive reports and edit the parameters, chart size, and chart settings to define how the chart must be rendered.

+ :::image type="content" source="./media/manage-workbooks/workbooks-edit-query-inline.png" alt-text="Screenshot that shows various edit options in workbooks." lightbox="./media/manage-workbooks/workbooks-edit-query-expanded.png":::

+1. Select **Done Editing**.

+## Next steps

+* [View updates for a single machine](view-updates.md)

+* [Deploy updates now (on-demand) for a single machine](deploy-updates.md)

+* [Schedule recurring updates](scheduled-patching.md)

+* [Manage update settings via portal](manage-update-settings.md)

+* [Manage multiple machines using Update Manager](manage-multiple-machines.md)

+ Title: Azure Update Manager overview

+description: This article tells what Azure Update Manager in Azure is and the system updates for your Windows and Linux machines in Azure, on-premises, and other cloud environments.

+# About Azure Update Manager

+> [!Important]

+> Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA) will be [retired in August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). Azure Automation Update Management solution relies on this agent and may encounter issues once the agent is retired as it does not work with Azure Monitoring Agent (AMA). Therefore, if you are using the Azure Automation Update Management solution, we recommend that you move to Azure Update Manager for your software update needs. All the capabilities of Azure Automation Update management solution will be available on Azure Update Manager before the retirement date. Follow the [guidance](guidance-migration-automation-update-management-azure-update-manager.md) to move your machines and schedules from Automation Update Management to Azure Update Manager.

+Update Manager is a unified service to help manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on other cloud platforms from a single dashboard. You can also use Update Manager to make real-time updates or schedule them within a defined maintenance window.

+You can use Update Manager in Azure to:

+- Oversee update compliance for your entire fleet of machines in Azure, on-premises, and in other cloud environments.

+- Instantly deploy critical updates to help secure your machines.

+- Use flexible patching options such as [automatic virtual machine (VM) guest patching](../virtual-machines/automatic-vm-guest-patching.md) in Azure, [hot patching](../automanage/automanage-hotpatch.md), and customer-defined maintenance schedules.

+We also offer other capabilities to help you manage updates for your Azure VMs that you should consider as part of your overall update management strategy. To learn more about the options that are available, see the Azure VM [update options](../virtual-machines/updates-maintenance-overview.md).

+Before you enable your machines for Update Manager, make sure that you understand the information in the following sections.

+## Key benefits

+Update Manager has been redesigned and doesn't depend on Azure Automation or Azure Monitor Logs, as required by the [Azure Automation Update Management feature](../automation/update-management/overview.md). Update Manager offers many new features and provides enhanced functionality over the original version available with Azure Automation. Some of those benefits are listed here:

+- Provides native experience with zero on-boarding.

+ - Built as native functionality on Azure compute and the Azure Arc for Servers platform for ease of use.

+ - No dependency on Log Analytics and Azure Automation.

+ - Azure Policy support.

+ - Global availability in all Azure compute and Azure Arc regions.

+- Works with Azure roles and identity.

+ - Granular access control at the per-resource level instead of access control at the level of the Azure Automation account and Log Analytics workspace.

+ - Update Manager now has Azure Resource Manager-based operations. It allows role-based access control and roles based on Azure Resource Manager in Azure.

+- Offers enhanced flexibility.

+ - Ability to take immediate action either by installing updates immediately or scheduling them for a later date.

+ - Check updates automatically or on demand.

+ - Helps secure machines with new ways of patching, such as [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md) in Azure, [hot patching](../automanage/automanage-hotpatch.md), or custom maintenance schedules.

+ - Sync patch cycles in relation to "patch Tuesday," the unofficial term for Microsoft's scheduled security fix release on every second Tuesday of each month.

+The following diagram illustrates how Update Manager assesses and applies updates to all Azure machines and Azure Arc-enabled servers for both Windows and Linux.

+

+To support management of your Azure VM or non-Azure machine, Update Manager relies on a new [Azure extension](../virtual-machines/extensions/overview.md) designed to provide all the functionality required to interact with the operating system to manage the assessment and application of updates. This extension is automatically installed when you initiate any Update Manager operations, such as **Check for updates**, **Install one-time update**, and **Periodic Assessment** on your machine. The extension supports deployment to Azure VMs or Azure Arc-enabled servers by using the extension framework. The Update Manager extension is installed and managed by using:

+- [Azure VM Windows agent](../virtual-machines/extensions/agent-windows.md) or the [Azure VM Linux agent](../virtual-machines/extensions/agent-linux.md) for Azure VMs.

+- [Azure Arc-enabled servers agent](../azure-arc/servers/agent-overview.md) for non-Azure Linux and Windows machines or physical servers.

+ Update Manager manages the extension agent installation and configuration. Manual intervention isn't required as long as the Azure VM agent or Azure Arc-enabled server agent is functional. The Update Manager extension runs code locally on the machine to interact with the operating system, and it includes:

+- Retrieving the assessment information about status of system updates for it specified by the Windows Update client or Linux package manager.

+- Initiating the download and installation of approved updates with the Windows Update client or Linux package manager.

+All assessment information and update installation results are reported to Update Manager from the extension and is available for analysis with [Azure Resource Graph](../governance/resource-graph/overview.md). You can view up to the last seven days of assessment data, and up to the last 30 days of update installation results.

+The machines assigned to Update Manager report how up to date they are based on what source they're configured to synchronize with. You can configure [Windows Update Agent (WUA)](/windows/win32/wua_sdk/updating-the-windows-update-agent) on Windows machines to report to [Windows Server Update Services](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or Microsoft Update, which is by default. You can configure Linux machines to report to a local or public YUM or APT package repository. If the Windows Update Agent is configured to report to WSUS, depending on when WSUS last synchronized with Microsoft Update, the results in Update Manager might differ from what Microsoft Update shows. This behavior is the same for Linux machines that are configured to report to a local repository instead of a public package repository.

+You can manage your Azure VMs or Azure Arc-enabled servers directly or at scale with Update Manager.

+## Prerequisites

+Along with the following prerequisites, see [Support matrix](support-matrix.md) for Update Manager.

+### Role

+Resource | Role

+ |

+|Azure VM | [Azure Virtual Machine Contributor](../role-based-access-control/built-in-roles.md#virtual-machine-contributor) or Azure [Owner](../role-based-access-control/built-in-roles.md#owner)

+Azure Arc-enabled server | [Azure Connected Machine Resource Administrator](../azure-arc/servers/security-overview.md#identity-and-access-control)

+### Permissions

+You need the following permissions to create and manage update deployments. The table shows the permissions that are needed when you use Update Manager.

+Actions |Permission |Scope |

+ | | |

+|Install update on Azure VMs |Microsoft.Compute/virtualMachines/installPatches/action ||

+|Update assessment on Azure VMs |Microsoft.Compute/virtualMachines/assessPatches/action ||

+|Install update on Azure Arc-enabled server |Microsoft.HybridCompute/machines/installPatches/action ||

+|Update assessment on Azure Arc-enabled server |Microsoft.HybridCompute/machines/assessPatches/action ||

+|Register the subscription for the Microsoft.Maintenance resource provider| Microsoft.Maintenance/register/action | Subscription|

+|Create/modify maintenance configuration |Microsoft.Maintenance/maintenanceConfigurations/write |Subscription/resource group |

+|Create/modify configuration assignments |Microsoft.Maintenance/configurationAssignments/write |Machine |

+|Read permission for Maintenance updates resource |Microsoft.Maintenance/updates/read |Machine |

+|Read permission for Maintenance apply updates resource |Microsoft.Maintenance/applyUpdates/read |Machine |

+### VM images

+For more information, see the [list of supported operating systems and VM images](support-matrix.md#supported-operating-systems).

+Currently, Update Manager has the following limitations regarding operating system support:

+ - Marketplace images other than the [list of supported Marketplace OS images](../virtual-machines/automatic-vm-guest-patching.md#supported-os-images) are currently not supported.

+ - [Specialized images](../virtual-machines/linux/imaging.md#specialized-images) and *VMs created by Azure Migrate, Azure Backup, and Azure Site Recovery* aren't fully supported for now. You can use on-demand operations such as **One-time update** and **Check for updates** in Update Manager.

+For the preceding limitations, we recommend that you use [Automation Update Management](../automation/update-management/overview.md) until support is available in Update Manager. To learn more, see [Supported operating systems](support-matrix.md#supported-operating-systems).

+## VM extensions

+Azure VM extensions and Azure Arc-enabled VM extensions are available.

+#### [Azure VM extensions](#tab/azure-vms)

+| Operating system| Extension

+|-|-|

+|Windows | Microsoft.CPlat.Core.WindowsPatchExtension|

+|Linux | Microsoft.CPlat.Core.LinuxPatchExtension |

+#### [Azure Arc-enabled VM extensions](#tab/azure-arc-vms)

+| Operating system| Extension

+|-|-|

+|Windows | Microsoft.CPlat.Core.WindowsPatchExtension (Periodic assessment) <br> Microsoft.SoftwareUpdateManagement.WindowsOsUpdateExtension (On-demand operations and Schedule patching) |

+|Linux | Microsoft.SoftwareUpdateManagement.LinuxOsUpdateExtension (On-demand operations and Schedule patching) <br> Microsoft.CPlat.Core.LinuxPatchExtension (Periodic assessment) |

+To view the available extensions for a VM in the Azure portal:

+1. Go to the [Azure portal](https://portal.azure.com) and select a VM.

+1. On the VM home page, under **Settings**, select **Extensions + applications**.

+1. On the **Extensions** tab, you can view the available extensions.

+### Network planning

+To prepare your network to support Update Manager, you might need to configure some infrastructure components.

+For Windows machines, you must allow traffic to any endpoints required by the Windows Update agent. You can find an updated list of required endpoints in [Issues related to HTTP/Proxy](/windows/deployment/update/windows-update-troubleshooting#issues-related-to-httpproxy). If you have a local [WSUS](/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment) deployment, you must also allow traffic to the server specified in your [WSUS key](/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry).

+For Red Hat Linux machines, see [IPs for the RHUI content delivery servers](../virtual-machines/workloads/redhat/redhat-rhui.md#the-ips-for-the-rhui-content-delivery-servers) for required endpoints. For other Linux distributions, see your provider documentation.

+## Next steps

+- [View updates for a single machine](view-updates.md)

+- [Deploy updates now (on-demand) for a single machine](deploy-updates.md)

+- [Schedule recurring updates](scheduled-patching.md)

+- [Manage update settings via the portal](manage-update-settings.md)

+- [Manage multiple machines by using Update Manager](manage-multiple-machines.md)

+ Title: Enable Periodic Assessment using policy

+description: This article shows how to manage update settings for your Windows and Linux machines managed by Azure Update Manager.

+# Automate assessment at scale by using Azure Policy

+This article describes how to enable Periodic Assessment for your machines at scale by using Azure Policy. **Periodic Assessment** is a setting on your machine that enables you to see the latest updates available for your machines and removes the hassle of performing assessment manually every time you need to check the update status. After you enable this setting, Update Manager fetches updates on your machine once every 24 hours.

+## Enable Periodic Assessment for your Azure machines by using Azure Policy

+1. Go to **Policy** in the Azure portal and select **Authoring** > **Definitions**.

+1. From the **Category** dropdown, select **Update Manager**. Select **[Preview]: Configure periodic checking for missing system updates on Azure virtual machines** for Azure machines.

+1. When **Policy definition** opens, select **Assign**.

+1. On the **Basics** tab, select your subscription as your scope. You can also specify a resource group within your subscription as the scope. Select **Next**.

+1. On the **Parameters** tab, clear **Only show parameters that need input or review** so that you can see the values of parameters. In **Assessment** mode, select **AutomaticByPlatform** > **Operating system** > **Next**. You need to create separate policies for Windows and Linux.

+1. On the **Remediation** tab, select **Create a remediation task** so that periodic assessment is enabled on your machines. Select **Next**.

+1. On the **Non-compliance message** tab, provide the message that you want to see if there was noncompliance. For example, use **Your machine doesn't have periodic assessment enabled.** Select **Review + Create.**

+1. On the **Review + Create** tab, select **Create** to trigger **Assignment and Remediation Task** creation, which can take a minute or so.

+You can monitor the compliance of resources under **Compliance** and remediation status under **Remediation** on the Azure Policy home page.

+## Enable Periodic Assessment for your Azure Arc-enabled machines by using Azure Policy

+1. Go to **Policy** in the Azure portal and select **Authoring** > **Definitions**.

+1. From the **Category** dropdown, select **Update Manager**. Select **[Preview]: Configure periodic checking for missing system updates on Azure Arc-enabled servers** for Azure Arc-enabled machines.

+1. When **Policy definition** opens, select **Assign**.

+1. On the **Basics** tab, select your subscription as your scope. You can also specify a resource group within your subscription as the scope. Select **Next**.

+1. On the **Parameters** tab, clear **Only show parameters that need input or review** so that you can see the values of parameters. In **Assessment** mode, select **AutomaticByPlatform** > **Operating system** > **Next**. You need to create separate policies for Windows and Linux.

+1. On the **Remediation** tab, select **Create a remediation task** so that periodic assessment is enabled on your machines. Select **Next**.

+1. On the **Non-compliance message** tab, provide the message that you want to see if there was noncompliance. For example, use **Your machine doesn't have periodic assessment enabled.** Select **Review + Create.**

+1. On the **Review + Create** tab, select **Create** to trigger **Assignment and Remediation Task** creation, which can take a minute or so.

+You can monitor compliance of resources under **Compliance** and remediation status under **Remediation** on the Azure Policy home page.

+## Monitor if Periodic Assessment is enabled for your machines

+This procedure applies to both Azure and Azure Arc-enabled machines.

+1. Go to **Policy** in the Azure portal and select **Authoring** > **Definitions**.

+1. From the **Category** dropdown, select **Update Manager**. Select **[Preview]: Machines should be configured to periodically check for missing system updates**.

+1. When **Policy definition** opens, select **Assign**.

+1. On the **Basics** tab, select your subscription as your scope. You can also specify a resource group within your subscription as the scope. Select **Next**.

+1. On the **Parameters** and **Remediation** tabs, select **Next**.

+1. On the **Non-compliance message** tab, provide the message that you want to see if there was noncompliance. For example, use **Your machine doesn't have periodic assessment enabled.** Select **Review + Create.**

+1. On the **Review + Create** tab, select **Create** to trigger **Assignment and Remediation Task** creation, which can take a minute or so.

+You can monitor compliance of resources under **Compliance** and remediation status under **Remediation** on the Azure Policy home page.

+## Next steps

+* [View assessment compliance](view-updates.md) and [deploy updates](deploy-updates.md) for a selected Azure VM or Azure Arc-enabled server, or across [multiple machines](manage-multiple-machines.md) in your subscription in the Azure portal.

+* To view update assessment and deployment logs generated by Update Manager, see [Query logs](query-logs.md).

+* To troubleshoot issues, see [Troubleshoot Update Manager](troubleshoot.md).

+ Title: Configure schedule patching on Azure VMs for business continuity

+description: The article describes the new prerequisites to configure scheduled patching to ensure business continuity in Azure Update Manager.

+# Configure schedule patching on Azure VMs for business continuity

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: Azure VMs.

+This article is an overview on how to configure schedule patching and automatic guest virtual machine (VM) patching on Azure VMs by using the new prerequisite to ensure business continuity. The steps to configure both the patching options on Azure Arc VMs remain the same.

+Currently, you can enable [automatic guest VM patching](../virtual-machines/automatic-vm-guest-patching.md) (autopatch) by setting the patch mode to **Azure-orchestrated** in the Azure portal or **AutomaticByPlatform** in the REST API, where patches are automatically applied during off-peak hours.

+For customizing control over your patch installation, you can use [schedule patching](updates-maintenance-schedules.md#scheduled-patching) to define your maintenance window. You can [enable schedule patching](scheduled-patching.md#schedule-recurring-updates-on-a-single-vm) by setting the patch mode to **Azure-orchestrated** in the Azure portal or **AutomaticByPlatform** in the REST API and attaching a schedule to the Azure VM. So, the VM properties couldn't be differentiated between **schedule patching** or **Automatic guest VM patching** because both had the patch mode set to **Azure-orchestrated**.

+In some instances, when you remove the schedule from a VM, there's a possibility that the VM might be autopatched and rebooted. To overcome the limitations, we've introduced a new prerequisite, `ByPassPlatformSafetyChecksOnUserSchedule`, which can now be set to `true` to identify a VM by using schedule patching. It means that VMs with this property set to `true` are no longer autopatched when the VMs don't have an associated maintenance configuration.

+> [!IMPORTANT]

+> For a continued scheduled patching experience, you must ensure that the new VM property, `BypassPlatformSafetyChecksOnUserSchedule`, is enabled on all your Azure VMs (existing or new) that have schedules attached to them by **June 30, 2023**. This setting ensures that machines are patched by using your configured schedules and not autopatched. Failing to enable by June 30, 2023, gives an error that the prerequisites aren't met.

+## Schedule patching in an availability set

+All VMs in a common [availability set](../virtual-machines/availability-set-overview.md) aren't updated concurrently.

+VMs in a common availability set are updated within Update Domain boundaries. VMs across multiple Update Domains aren't updated concurrently.

+## Find VMs with associated schedules

+To identify the list of VMs with the associated schedules for which you have to enable a new VM property:

+1. Go to **Azure Update Manager** home page and select the **Machines** tab.

+1. In the **Patch orchestration** filter, select **Azure Managed - Safe Deployment**.

+1. Use the **Select all** option to select the machines and then select **Export to CSV**.

+1. Open the CSV file and in the column **Associated schedules**, select the rows that have an entry.

+ In the corresponding **Name** column, you can view the list of VMs to which you need to enable the `ByPassPlatformSafetyChecksOnUserSchedule` flag.

+## Enable schedule patching on Azure VMs

+To enable schedule patching on Azure VMs, follow these steps.

+# [Azure portal](#tab/new-prereq-portal)

+## Prerequisites

+Patch orchestration = Customer Managed Schedules

+Select the patch orchestration option as **Customer Managed Schedules**. The new patch orchestration option enables the following VM properties on your behalf after receiving your consent:

+ - Patch mode = `Azure-orchestrated`

+ - `BypassPlatformSafetyChecksOnUserSchedule` = TRUE

+### Enable for new VMs

+You can select the patch orchestration option for new VMs that would be associated with the schedules.

+To update the patch mode:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Virtual machine** and select **Create** to open the **Create a virtual machine** page.

+1. On the **Basics** tab, fill in all the mandatory fields.

+1. On the **Management** tab, under **Guest OS updates**, for **Patch orchestration options**, select **Azure-orchestrated**.

+1. Fill in the entries on the **Monitoring**, **Advanced**, and **Tags** tabs.

+1. Select **Review + Create**. Select **Create** to create a new VM with the appropriate patch orchestration option.

+To schedule patch the newly created VMs, follow the procedure from step 2 in the next section, "Enable for existing VMs."

+### Enable for existing VMs

+You can update the patch orchestration option for existing VMs that either already have schedules associated or will be newly associated with a schedule.

+If **Patch orchestration** is set as **Azure-orchestrated** or **Azure Managed - Safe Deployment (AutomaticByPlatform)**, `BypassPlatformSafetyChecksOnUserSchedule` is set to `false`, and there's no schedule associated, the VMs will be autopatched.

+To update the patch mode:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Azure Update Manager** and select **Update Settings**.

+1. In **Change update settings**, select **Add machine**.

+1. In **Select resources**, select your VMs and then select **Add**.

+1. On the **Change update settings** pane, under **Patch orchestration**, select **Customer Managed Schedules** and then select **Save**.

+Attach a schedule after you finish the preceding steps.

+To check if `BypassPlatformSafetyChecksOnUserSchedule` is enabled, go to the **Virtual machine** home page and select **Overview** > **JSON View**.

+# [REST API](#tab/new-prereq-rest-api)

+## Prerequisites

+- Patch mode = `AutomaticByPlatform`

+- `BypassPlatformSafetyChecksOnUserSchedule` = TRUE

+### Enable on Windows VMs

+```

+PATCH on `/subscriptions/subscription_id/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVirtualMachine?api-version=2023-03-01`

+```

+```json

+{

+ "location":"<location>",

+ "properties": {

+ "osProfile": {

+ "windowsConfiguration": {

+ "provisionVMAgent": true,

+ "enableAutomaticUpdates": true,

+ "patchSettings": {

+ "patchMode": "AutomaticByPlatform",

+ "automaticByPlatformSettings":{

+ "bypassPlatformSafetyChecksOnUserSchedule":true

+ }

+ }

+ }

+ }

+ }

+}

+```

+### Enable on Linux VMs

+```

+PATCH on `/subscriptions/subscription_id/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVirtualMachine?api-version=2023-03-01`

+```

+```json

+{

+ "location":"<location>",

+ "properties": {

+ "osProfile": {

+ "linuxConfiguration": {

+ "provisionVMAgent": true,

+ "patchSettings": {

+ "patchMode": "AutomaticByPlatform",

+ "automaticByPlatformSettings":{

+ "bypassPlatformSafetyChecksOnUserSchedule":true

+ }

+ }

+ }

+ }

+ }

+}

+```

+> [!NOTE]

+> Currently, you can only enable the new prerequisite for schedule patching via the Azure portal and the REST API. It can't be enabled via the Azure CLI or PowerShell.

+## Enable automatic guest VM patching on Azure VMs

+To enable automatic guest VM patching on your Azure VMs now, follow these steps.

+# [Azure portal](#tab/auto-portal)

+## Prerequisite

+Patch mode = `Azure-orchestrated`

+### Enable for new VMs

+You can select the patch orchestration option for new VMs that would be associated with the schedules.

+To update the patch mode:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Virtual machine** and select **Create** to open the **Create a virtual machine** page.

+1. On the **Basics** tab, fill in all the mandatory fields.

+1. On the **Management** tab, under **Guest OS updates**, for **Patch orchestration options**, select **Azure-orchestrated**.

+1. Fill in the entries on the **Monitoring**, **Advanced**, and **Tags** tabs.

+1. Select **Review + Create**. Select **Create** to create a new VM with the appropriate patch orchestration option.

+### Enable for existing VMs

+To update the patch mode:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Update Manager** and select **Update settings**.

+1. On the **Change update settings** pane, select **Add machine**.

+1. On the **Select resources** pane, select your VMs and then select **Add**.

+1. On the **Change update settings** pane, under **Patch orchestration**, select **Azure Managed - Safe Deployment** and then select **Save**.

+# [REST API](#tab/auto-rest-api)

+## Prerequisites

+- Patch mode = `AutomaticByPlatform`

+- `BypassPlatformSafetyChecksOnUserSchedule` = FALSE

+### Enable on Windows VMs

+```

+PATCH on `/subscriptions/subscription_id/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVirtualMachine?api-version=2023-03-01`

+```

+```json

+{

+ "location":"<location>",

+ "properties": {

+ "osProfile": {

+ "windowsConfiguration": {

+ "provisionVMAgent": true,

+ "enableAutomaticUpdates": true,

+ "patchSettings": {

+ "patchMode": "AutomaticByPlatform",

+ "automaticByPlatformSettings":{

+ "bypassPlatformSafetyChecksOnUserSchedule":false

+ }

+ }

+ }

+ }

+ }

+}

+```

+### Enable on Linux VMs

+```

+PATCH on `/subscriptions/subscription_id/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVirtualMachine?api-version=2023-03-01`

+```

+```json

+{

+ "location":"<location>",

+ "properties": {

+ "osProfile": {

+ "linuxConfiguration": {

+ "provisionVMAgent": true,

+ "patchSettings": {

+ "patchMode": "AutomaticByPlatform",

+ "automaticByPlatformSettings":{

+ "bypassPlatformSafetyChecksOnUserSchedule":false

+ }

+ }

+ }

+ }

+ }

+}

+```

+## User scenarios

+Scenarios | Azure-orchestrated | BypassPlatformSafetyChecksOnUserSchedule | Schedule associated |Expected behavior in Azure |

+ | | | | |

+Scenario 1 | Yes | True | Yes | The schedule patch runs as defined by user. |

+Scenario 2 | Yes | True | No | Autopatch and schedule patch don't run.|

+Scenario 3 | Yes | False | Yes | Autopatch and schedule patch don't run. You get an error that the prerequisites for schedule patch aren't met.|

+Scenario 4 | Yes | False | No | The VM is autopatched.|

+Scenario 5 | No | True | Yes | Autopatch and schedule patch don't run. You get an error that the prerequisites for schedule patch aren't met. |

+Scenario 6 | No | True | No | Autopatch and schedule patch don't run.|

+Scenario 7 | No | False | Yes | Autopatch and schedule patch don't run. You get an error that the prerequisites for schedule patch aren't met.|

+Scenario 8 | No | False | No | Autopatch and schedule patch don't run.|

+## Next steps

+To troubleshoot issues, see [Troubleshoot Update Manager](troubleshoot.md).

+ Title: Query logs and results from Update Manager

+description: This article provides details on how you can review logs and search results from Azure Update Manager by using Azure Resource Graph.

+# Overview of query logs in Azure Update Manager

+Logs created from operations like update assessments and installations are stored by Azure Update Manager in [Azure Resource Graph](../governance/resource-graph/overview.md). Resource Graph is a service in Azure designed to be the store for Azure service details without any cost or deployment requirements. Update Manager uses Resource Graph to store its results. You can view the update history of the last 30 days from the resources.

+This article describes the structure of the logs from Update Manager and how you can use [Azure Resource Graph Explorer](../governance/resource-graph/first-query-portal.md) to analyze them in support of your reporting, visualizing, and export needs.

+## Log structure

+Update Manager sends the results of all its operations into Azure Resource Graph as logs, which are available for 30 days. Listed here are the structure of logs being sent to Azure Resource Graph.

+### Patch assessment results

+The table `patchassessmentresources` includes resources related to machine patch assessment. The following table describes its properties.

+| Property | Description |

+|-|-|

+| `ID` | The Azure Resource Manager ID forwarding the result. It's similar to the [REST API](manage-vms-programmatically.md) path for Guest OS assessment. Typically, `<resourcePath>/patchAssessmentResults/latest` or `<resourcePath>/patchAssessmentResults/latest/softwarePatches/<update>`. |

+| `NAME` | If the ID is of type `<resourcePath>/patchAssessmentResults/latest`, then the record contains the unique GUID for the assessment operation finished. If `<resourcePath>/patchAssessmentResults/latest/softwarePatches/<update>`, then the record contains the update name or label. |

+| `TYPE` |Specifies the type of log for assessment. If the type is `patchassessmentresults`, then the record provides a summary of OS assessment with numerical aggregate statistics. If the type is `patchassessmentresults/softwarepatches`, then the record describes a specific OS update available for the resource. |

+| `TENANTID` | Azure tenant ID for the Azure VM or Azure Arc-enabled server resource.|

+| `KIND` | Intentionally left blank for future use. |

+| `LOCATION` | Azure cloud region where the Azure VM or Azure Arc-enabled server resource exists.|

+| `RESOURCEGROUP` | Azure resource group hosting the Azure VM or Azure Arc-enabled server resource.|

+| `SUBSCRIPTIONID` | Azure subscription ID for the Azure VM or Azure Arc-enabled server resource. |

+| `MANAGEDBY` | Intentionally left blank for future use. |

+| `SKU` | Intentionally left blank for future use. |

+| `PLAN` | Intentionally left blank for future use. |

+| `PROPERTIES` | Captures details of operation in JSON format. More information follows this table.|

+| `TAGS` | Azure tags defined for the Azure VM or Azure Arc-enabled servers resource. |

+| `IDENTITY` | Intentionally left blank for future use. |

+| `ZONES` | Intentionally left blank for future use. |

+| `EXTENDEDLOCATION` | Intentionally left blank for future use. |

+### Description of the patchassessmentresources property

+If the property for the resource type is `patchassessmentresources`, it includes the information in the following table.

+|Value |Description |

+|||

+| `rebootPending` |Flag to specify if the specific update requires the OS to reboot to finish installation. As provided by machine's OS update service or package manager. If your OS package manager or update service doesn't require a reboot, the value of the field is set to `false`.|

+|`patchServiceUsed` |OS service used on the machine to install updates. `WU-WSUS` for Windows Update service or Windows Server Update Service. For Linux, it's the OS package manager like `YUM`, `APT`, or `Zypper`.|

+|`osType` |Represents the type of operating system: `Windows` or `Linux`.|

+|`startDateTime` |Timestamp (UTC) representing when the OS update assessment task started execution on the machine.|

+|`lastModifiedDateTime` |Timestamp (UTC) representing when the record was last updated.|

+|`startedBy` |Identifies if a user or an Azure service triggered the OS update installation. For more information on the operation, see [Azure activity log](/azure/azure-resource-manager/management/view-activity-logs).|

+|`errorDetails` |First five error messages generated while executing update installation from the machine's OS package manager or update service.|

+|`availablePatchCountByClassification` |Number of OS updates by the category that the specific updates belong to based on the OS vendor. The machine's OS update service or package manager generates the information. If the OS package manager or update service doesn't provide the detail of category, the value is `Others` (for Linux) or `Updates` (for Windows Server).|

+|

+If the property for the resource type is `patchassessmentresults/softwarepatches`, it includes the information in the following table.

+|Value |Description |

+|||

+|`lastModifiedDateTime` |Timestamp (UTC) representing when the record was last updated.|

+|`publishedDateTime` |Timestamp representing when the specific update was made available by the OS vendor. The machine's OS update service or package manager generates the information. If your OS package manager or update service doesn't provide the detail of when an update was provided by OS vendor, the value is null.|

+|`classifications` |Category that the specific update belongs to according to the OS vendor. The machine's OS update service or package manager generates the information. If your OS package manager or update service doesn't provide the detail of category, the value is `Others` (for Linux) or `Updates` (for Windows Server). |

+|`rebootRequired` |Value indicates if the specific update requires the OS to reboot to finish the installation. The machine's OS update service or package manager generates the information. If your OS package manager or update service doesn't require a reboot, the value is `false`.|

+|`rebootBehavior` |Behavior set in the OS update installation runs the job when configuring the update deployment if Update Manager can reboot the target machine. |

+|`patchName` |Name or label for the specific update generated by the machine's OS package manager or update service.|

+|`Kbid` |If the machine's OS is Windows Server, the value includes the unique KB ID for the update provided by the Windows Update service.|

+|`version` |If the machine's OS is Linux, the value includes the version details for the update as provided by the Linux package manager. For example, `1.0.1.el7.3`.|

+### Patch installation results

+The table `patchinstallationresources` includes resources related to machine patch assessment. The following table describes its properties.

+| Property | Description |

+|-|-|

+| `ID` | The Azure Resource Manager ID forwarding the result. It's similar to the [REST API](manage-vms-programmatically.md) path for Guest OS assessment. Typically, `<resourcePath>/patchInstallationResults/<GUID>` or `<resourcePath>/patchAssessmentResults/latest/softwarePatches/<update>`. |

+| `NAME` | If the ID is of type `<resourcePath>/patchInstallationResults`, then the record contains unique GUID for the update operation finished. If `<resourcePath>/patchInstallationResults/softwarePatches/<update>`, then the record contains the update name or label being installed on the machine. |

+| `TYPE` |Specifies the type of log for assessment. If type is `patchinstallationresults`, then the record provides a summary of OS installation with numerical aggregate statistics. If type is `patchinstallationresults/softwarepatches`, then the record describes a specific OS update installed for the resource. |

+| `TENANTID` | Azure tenant ID for the Azure VM or Azure Arc-enabled server resource. |

+| `KIND` | Intentionally left blank for future use. |

+| `LOCATION` | Azure cloud region where the Azure VM or Azure Arc-enabled server resource exists.|

+| `RESOURCEGROUP` | Azure resource group hosting the Azure VM or Azure Arc-enabled server resource.|

+| `SUBSCRIPTIONID` | Azure subscription ID for the Azure VM or Azure Arc-enabled server resource.|

+| `MANAGEDBY` | Intentionally left blank for future use. |

+| `SKU` | Intentionally left blank for future use. |

+| `PLAN` | Intentionally left blank for future use. |

+| `PROPERTIES` | Captures details of operation in JSON format. More information follows this table.|

+| `TAGS` | Azure tags defined for the Azure VM or Azure Arc-enabled servers resource. |

+| `IDENTITY` | Intentionally left blank for future use. |

+| `ZONES` | Intentionally left blank for future use. |

+| `EXTENDEDLOCATION` | Intentionally left blank for future use. |

+### Description of the patchinstallationresults property

+If the property for the resource type is `patchinstallationresults`, it includes the information in the following table.

+|Value |Description |

+|||

+|`installationActivityId` | Unique GUID for the OS update installation run. |

+|`maintenanceWindowExceeded` | Values are `True` or `False` if the update installation run exceeded the defined maintenance window. |

+|`lastModifiedDateTime` |Timestamp (UTC) representing when the record was last updated. |

+|`notSelectedPatchCount` |Number of OS updates available on the machine not selected for installation in an update deployment. |

+|`installedPatchCount` |Number of OS updates that were successfully installed that were specified in an update deployment. |

+|`excludedPatchCount` |Number of OS updates available on the machine and excluded for installation in an update deployment.|

+|`pendingPatchCount` |Number of OS updates still awaiting to be installed that were specified in an update deployment. |

+|`patchServiceUsed` |OS service used on the machine to install updates. `WU-WSUS` for Windows Update service or Windows Server Update Service. For Linux, it's the OS package manager like `YUM`, `APT`, or `Zypper`. |

+|`failedPatchCount` |Number of OS updates that failed to successfully get installed that were specified in an update deployment. |

+|`startDateTime` |Timestamp (UTC) representing when the OS update installation task started execution on the machine. |

+|`rebootStatus` |Information from the OS update service or package manager if the OS needs to be restarted to finish the update installation. Status values are `NotNeeded` (no restart is needed), `Required` (OS restart is needed for completion), `Started` (restart was initiated), `Failed` (OS couldn't be restarted), and `Completed` (restart was done successfully). |

+|`startedBy` |Identifies if a user or an Azure service triggered the OS update installation. For more information on the operation, see [Azure activity log](/azure/azure-resource-manager/management/view-activity-logs). |

+|`status` |Status of the OS update installation run. Values can be `NotStarted`, `InProgress`, `Failed`, `Succeeded`, and `CompletedWithWarnings`. The update installation run is deemed `Failed` status if one or more OS update installations is unsuccessful. |

+|`osType` |Represents the type of operating system: `Windows` or `Linux`. |

+|`errorDetails` |Includes the first five error messages generated while running update installation from the machine's OS package manager or update service. |

+|`maintenanceRunId` | This value is used as a maintenance run identifier for Auto VM Guest Patching or schedule run ID instead of recurring updates. |

+If the property for the resource type is `patchinstallationresults/softwarepatches`, it includes the information in the following table.

+|Value |Description |

+|||

+|`installationState` |Installation status for the specific OS update. Values are `Installed`, `Failed`, `Pending`, `NotSelected`, and `Excluded`. |

+|`lastModifiedDateTime` |Timestamp (UTC) representing when the record was last updated. |

+|`publishedDateTime` |Timestamp representing when the specific update was made available by the OS vendor. The machine's OS update service or package manager generates the information. If your OS package manager or update service doesn't provide the detail of when an update was provided by the OS vendor, the value is null. |

+|`classifications` |Category that the specific update belongs to according to the OS vendor as provided by the machine's OS update service or package manager. If your OS package manager or update service doesn't provide the detail of category, the value of the field is `Others` (for Linux) and `Updates` (for Windows Server). |

+|`rebootRequired` |Flag to specify if the specific update requires the OS to reboot to finish the installation, as provided by the machine's OS update service or package manager. If your OS package manager or update service doesn't provide information regarding need of OS reboot, the value of the field is set to `false`. |

+|`rebootBehavior` |Behavior set in the OS update installation runs the job by user, regarding allowing Update Manager to reboot the OS. |

+|`patchName` |Name or label for the specific update as provided by the machine's OS package manager or update service. |

+|`Kbid` |If the machine's OS is Windows Server, the value includes the unique KB ID for the update provided by the Windows Update service. |

+|`version` |If the machine's OS is Linux, the value includes the version details for the update as provided by the Linux package manager. For example, `1.0.1.el7.3`. |

+### Maintenance resources

+The table `maintenanceresources` includes resources related to maintenance configuration. The following table describes its properties.

+| Property | Description |

+|-|-|

+| `ID` | The Azure Resource Manager ID forwarding the result. It's similar to the [REST API](manage-vms-programmatically.md) path for creating a maintenance configuration. |

+| `NAME` | If the ID is of type `<resourcePath>/applyupdates`, then the record contains a unique GUID for the maintenance run. If `<resourcePath>/configurationassignments`, then the record contains the assignment of maintenance configuration to an Azure or Azure Arc VM. |

+| `TYPE` |Specifies the type of log for assessment. If type is `applyupdates`, then the record provides details of the maintenance run record at machine level. If type is `configurationassignments`, then the record describes the link between an Azure VM or Azure Arc VM and a maintenance configuration. |

+| `TENANTID` | Azure tenant ID for the Azure VM or Azure Arc-enabled server resource. |

+| `KIND` | Intentionally left blank for future use. |

+| `LOCATION` | Pure cloud region where the Azure VM or Azure Arc-enabled server resource exists.|

+| `RESOURCEGROUP` | Azure resource group hosting the Azure VM or Azure Arc-enabled server resource.|

+| `SUBSCRIPTIONID` | Azure subscription ID for the Azure VM or Azure Arc-enabled server resource.|

+| `MANAGEDBY` | Intentionally left blank for future use. |

+| `SKU` | Intentionally left blank for future use. |

+| `PLAN` | Intentionally left blank for future use. |

+| `PROPERTIES` | Captures details of operation in JSON format. More information follows this table.|

+| `TAGS` | Azure tags defined for the Azure VM or Azure Arc-enabled servers resource. |

+| `IDENTITY` | Intentionally left blank for future use. |

+| `ZONES` | Intentionally left blank for future use. |

+| `EXTENDEDLOCATION` | Intentionally left blank for future use. |

+### Description of the applyupdates property

+If the property for the resource type is `applyupdates`, it includes the information in the following table.

+|Value |Description |

+|||

+|`maintenanceConfigurationId` | Azure Resource Manager ID of applied maintenance configuration. |

+|`maintenanceScope` | Maintenance scope of applied maintenance configuration. |

+|`resourceId` | Azure Resource Manager template resource ID of ARC/Azure VM. |

+|`correlationId` | Schedule run ID of maintenance/schedule run. This information can be used to find all the VMs that were part of the same schedule. |

+|`startDateTime` | Start date and time of a schedule. |

+|`endDateTime` | End date and time of a schedule. |

+If the property for the resource type is `configurationassignments`, it includes the information in the following table.

+|Value |Description |

+|||

+|`resourceId` | Azure Resource Manager resource ID of ARC/Azure VM |

+|`maintenanceConfigurationId` | Azure Resource Manager ID of the applied maintenance configuration |

+## Next steps

+- For details of sample queries, see [Sample query logs](sample-query-logs.md).

+- To troubleshoot issues, see [Troubleshoot Update Manager](troubleshoot.md).

+ Title: 'Quickstart: Deploy updates by using Update Manager in the Azure portal'

+description: This quickstart helps you to deploy updates immediately and view results for supported machines in Azure Update Manager by using the Azure portal.

+# Quickstart: Check and install on-demand updates

+By using Azure Update Manager, you can update automatically at scale with the help of built-in policies and schedule updates on a recurring basis. You can also take control by checking and installing updates manually.

+This quickstart explains how to perform manual assessment and apply updates on selected Azure virtual machines (VMs) or an Azure Arc-enabled server on-premises or in cloud environments.

+## Prerequisites

+- An Azure account with an active subscription. If you don't have one yet, sign up for a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Your role must be either an [Owner](../role-based-access-control/built-in-roles.md#owner) or [Contributor](../role-based-access-control/built-in-roles.md#contributor) for an Azure VM and resource administrator for Azure Arc-enabled servers.

+- Ensure that the target machines meet the specific operating system requirements of the Windows Server and Linux. For more information, see [Overview](overview.md).

+## Check updates

+1. Sign in to the [Azure portal](https://portal.azure.com) and go to **Azure Update Manager**.

+1. SelectΓÇ»**Get started** > **On-demand assessment and updates** >ΓÇ»**Check for updates**.

+ :::image type="content" source="./media/quickstart-on-demand/quickstart-check-updates.png" alt-text="Screenshot that shows accessing check for updates.":::

+ On the **Select resources and check for updates** pane, a table lists all the machines in the specific Azure subscription.

+1. Select one or more machines from the list and select **Check for updates** to initiate a compliance scan.

+

+After the assessment is finished, a confirmation message appears in the upper-right corner of the page.

+## Configure settings

+For the assessed machines that are reporting updates, you can configure [periodic assessment](assessment-options.md#periodic-assessment), [hotpatching](updates-maintenance-schedules.md#hotpatching),and [patch orchestration](manage-multiple-machines.md#summary-of-machine-status) either immediately or schedule the updates by defining the maintenance window.

+To configure the settings on your machines:

+1. On the **Azure Update Manager | Get started** page, in **On-demand assessment and updates**, selectΓÇ»**Update settings**.

+ :::image type="content" source="./media/quickstart-on-demand/quickstart-update-settings.png" alt-text="Screenshot that shows how to access the Update settings option to configure updates for virtual machines.":::

+1. On the **Update settings to change** page, select **Periodic assessment**, **Hotpatch**, or **Patch orchestration** to configure. Select **Next**. For more information, see [Configure settings on virtual machines](manage-update-settings.md#configure-settings-on-a-single-vm).

+1. On the **Review and change** tab, verify the resource selection and update settings and select **Review and change**.

+A notification confirms that the update settings were successfully applied.

+## Install updates

+Based on the last assessment performed on the selected machines, you can now select resources and machines to install the updates.

+1. On the **Azure Update Manager | Get started** page, in **On-demand assessment and updates**, selectΓÇ»**Install updates by machines**.

+ :::image type="content" source="./media/quickstart-on-demand/quickstart-install-updates.png" alt-text="Screenshot that shows how to access the Install update settings option to install the updates for virtual machines.":::

+1. On the **Install one-time updates** pane, select one or more machines from the list on the **Machines** tab. Select **Next**.

+1. On the **Updates** tab, specify the updates to include in the deployment and select **Next**:

+ - Include update classification.

+ - Include the Knowledge Base (KB) ID/package, by specific KB IDs or package. For Windows, see the [Microsoft Security Response Center (MSRC)](https://msrc.microsoft.com/update-guide/deployments) for the latest information.

+ - Exclude the KB ID/package that you don't want to install as part of the process. Updates not shown in the list can be installed based on the time between last assessment and release of new updates.

+ - Include by maximum patch publish date includes the updates published on or before a specific date.

+1. On the **Properties** tab, select **Reboot** and **Maintenance window** (in minutes). Select **Next**.

+1. On the **Review + install** tab, verify the update deployment options and select **Install**.

+A notification confirms that the installation of updates is in progress. After the update is finished, you can view the results on the **Update Manager | History** page.

+## Next steps

+Learn about [managing multiple machines](manage-multiple-machines.md).

+ Title: Sample query logs and results from Azure Update Manager

+description: The article provides details of sample query logs from Azure Update Manager in Azure using Azure Resource Graph

+# Sample queries

+The following are some sample queries to help you get started querying the update assessment and deployment information collected from your managed machines. For more information on logs created from operations such as update assessments and installations, see [overview of query logs](query-logs.md).

+

+## List available updates for all your machines grouped by update category

+The following query returns a list of pending updates for your machine with the time when the assessment was performed, the resource ID for the assessment, OS type on the machine, and the OS updates available based on update classification.

+```kusto

+patchassessmentresources

+| where type !has "softwarepatches"

+| extend prop = parse_json(properties)

+| extend lastTime = properties.lastModifiedDateTime

+| extend updateRollupCount = prop.availablePatchCountByClassification.updateRollup, featurePackCount = prop.availablePatchCountByClassification.featurePack, servicePackCount = prop.availablePatchCountByClassification.servicePack, definitionCount = prop.availablePatchCountByClassification.definition, securityCount = prop.availablePatchCountByClassification.security, criticalCount = prop.availablePatchCountByClassification.critical, updatesCount = prop.availablePatchCountByClassification.updates, toolsCount = prop.availablePatchCountByClassification.tools, otherCount = prop.availablePatchCountByClassification.other, OS = prop.osType

+| project lastTime, id, OS, updateRollupCount, featurePackCount, servicePackCount, definitionCount, securityCount, criticalCount, updatesCount, toolsCount, otherCount

+```

+## Count of update installations

+The following query returns a list of update installations with their status for your machines from the last seven days. Results include the time when the update deployment was run, the resource ID of the installation, machine details, and the count of OS updates installed based on their status and your selection.

+```kusto

+patchinstallationresources

+| where type !has "softwarepatches"

+| extend machineName = tostring(split(id, "/", 8)), resourceType = tostring(split(type, "/", 0)), tostring(rgName = split(id, "/", 4))

+| extend prop = parse_json(properties)

+| extend lTime = todatetime(prop.lastModifiedDateTime), OS = tostring(prop.osType), installedPatchCount = tostring(prop.installedPatchCount), failedPatchCount = tostring(prop.failedPatchCount), pendingPatchCount = tostring(prop.pendingPatchCount), excludedPatchCount = tostring(prop.excludedPatchCount), notSelectedPatchCount = tostring(prop.notSelectedPatchCount)

+| where lTime > ago(7d)

+| project lTime, RunID=name,machineName, rgName, resourceType, OS, installedPatchCount, failedPatchCount, pendingPatchCount, excludedPatchCount, notSelectedPatchCount

+```

+## List of Windows Server OS update installations

+The following query returns a list of update installations for Windows Server with their status for your machines from the last seven days. Results include the time when the update deployment was run, the resource ID of the installation, machine details, and other related deployment details.

+```kusto

+patchinstallationresources

+| where type has "softwarepatches" and properties !has "version"

+| extend machineName = tostring(split(id, "/", 8)), resourceType = tostring(split(type, "/", 0)), tostring(rgName = split(id, "/", 4)), tostring(RunID = split(id, "/", 10))

+| extend prop = parse_json(properties)

+| extend lTime = todatetime(prop.lastModifiedDateTime), patchName = tostring(prop.patchName), kbId = tostring(prop.kbId), installationState = tostring(prop.installationState), classifications = tostring(prop.classifications)

+| where lTime > ago(7d)

+| project lTime, RunID, machineName, rgName, resourceType, patchName, kbId, classifications, installationState

+| sort by RunID

+```

+## List of Linux OS update installations

+The following query returns a list of update installations for Linux with their status for your machines from the last seven days. Results include the time when the update deployment was run, the resource ID of the installation, machine details, and other related deployment details.

+```kusto

+patchinstallationresources

+| where type has "softwarepatches" and properties has "version"

+| extend machineName = tostring(split(id, "/", 8)), resourceType = tostring(split(type, "/", 0)), tostring(rgName = split(id, "/", 4)), tostring(RunID = split(id, "/", 10))

+| extend prop = parse_json(properties)

+| extend lTime = todatetime(prop.lastModifiedDateTime), patchName = tostring(prop.patchName), version = tostring(prop.version), installationState = tostring(prop.installationState), classifications = tostring(prop.classifications)

+| where lTime > ago(7d)

+| project lTime, RunID, machineName, rgName, resourceType, patchName, version, classifications, installationState

+| sort by RunID

+```

+## List of maintenance run record at VM level

+The following query returns a list of all the maintenance run records for a VM

+```kusto

+maintenanceresources

+| where ['id'] contains "/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/microsoft.compute/virtualmachines/<vm-name>" //VM Id here

+| where ['type'] == "microsoft.maintenance/applyupdates"

+| where properties.maintenanceScope == "InGuestPatch"

+```

+## Next steps

+- Review logs and search results from Update Manager in Azure using [Azure Resource Graph](query-logs.md).

+- Troubleshoot issues in Update Manager, see the [Troubleshoot](troubleshoot.md).

+ Title: Scheduling recurring updates in Azure Update Manager

+description: This article details how to use Azure Update Manager to set update schedules that install recurring updates on your machines.

+# Schedule recurring updates for machines by using the Azure portal and Azure Policy

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+> [!IMPORTANT]

+> For a seamless scheduled patching experience, we recommend that for all Azure virtual machines (VMs), you update the patch orchestration to **Customer Managed Schedules** by **June 30, 2023**. If you fail to update the patch orchestration by June 30, 2023, you can experience a disruption in business continuity because the schedules will fail to patch the VMs. [Learn more](prerequsite-for-schedule-patching.md).

+You can use Azure Update Manager to create and save recurring deployment schedules. You can create a schedule on a daily, weekly, or hourly cadence. You can specify the machines that must be updated as part of the schedule and the updates to be installed.

+This schedule then automatically installs the updates according to the created schedule for a single VM and at scale.

+Update Manager uses a maintenance control schedule instead of creating its own schedules. Maintenance control enables customers to manage platform updates. For more information, see [Maintenance control documentation](/azure/virtual-machines/maintenance-control).

+## Prerequisites for scheduled patching

+1. See [Prerequisites for Update Manager](./overview.md#prerequisites).

+1. Patch orchestration of the Azure machines should be set to **Customer Managed Schedules**. For more information, see [Enable schedule patching on existing VMs](prerequsite-for-schedule-patching.md#enable-schedule-patching-on-azure-vms). For Azure Arc-enabled machines, it isn't a requirement.

+ > [!NOTE]

+ > If you set the patch mode to **Azure orchestrated** (`AutomaticByPlatform`) but do not enable the **BypassPlatformSafetyChecksOnUserSchedule** flag and do not attach a maintenance configuration to an Azure machine, it's treated as an [automatic guest patching](../virtual-machines/automatic-vm-guest-patching.md)-enabled machine. The Azure platform automatically installs updates according to its own schedule. [Learn more](./overview.md#prerequisites).

+## Schedule patching in an availability set

+All VMs in a common [availability set](../virtual-machines/availability-set-overview.md) aren't updated concurrently.

+VMs in a common availability set are updated within Update Domain boundaries. VMs across multiple Update Domains aren't updated concurrently.

+## Configure reboot settings

+The registry keys listed in [Configure Automatic Updates by editing the registry](/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry) and [Registry keys used to manage restart](/windows/deployment/update/waas-restart#registry-keys-used-to-manage-restart) can cause your machines to reboot. A reboot can occur even if you specify **Never Reboot** in the **Schedule** settings. Configure these registry keys to best suit your environment.

+## Service limits

+We recommend the following limits for the indicators.

+| Indicator | Limit |

+|-|-|

+| Number of schedules per subscription per region | 250 |

+| Total number of resource associations to a schedule | 3,000 |

+| Resource associations on each dynamic scope | 1,000 |

+| Number of dynamic scopes per resource group or subscription per region | 250 |

+## Schedule recurring updates on a single VM

+You can schedule updates from the **Overview** or **Machines** pane on the **Update Manager** page or from the selected VM.

+To schedule recurring updates on a single VM:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On the **Azure Update Manager** | **Overview** page, select your subscription, and then select **Schedule updates**.

+1. On the **Create new maintenance configuration** page, you can create a schedule for a single VM.

+ Currently, VMs and maintenance configuration in the same subscription are supported.

+1. On the **Basics** page, select **Subscription**, **Resource Group**, and all options in **Instance details**.

+ - Select **Maintenance scope** as **Guest (Azure VM, Azure Arc-enabled VMs/servers)**.

+ - Select **Add a schedule**. In **Add/Modify schedule**, specify the schedule details, such as:

+

+ - **Start on**

+ - **Maintenance window** (in hours). The upper maintenance window is 3 hours 55 minutes.

+ - **Repeats** (monthly, daily, or weekly)

+ - **Add end date**

+ - **Schedule summary**

+ The hourly option isn't supported in the portal but can be used through the [API](./manage-vms-programmatically.md#create-a-maintenance-configuration-schedule).

+ :::image type="content" source="./media/scheduled-updates/scheduled-patching-basics-page.png" alt-text="Screenshot that shows the Scheduled patching basics page.":::

+ For **Repeats monthly**, there are two options:

+ - Repeat on a calendar date (optionally run on the last date of the month).

+ - Repeat on nth (first, second, etc.) x day (for example, Monday, Tuesday) of the month. You can also specify an offset from the day set. It could be +6/-6. For example, if you want to patch on the first Saturday after a patch on Tuesday, set the recurrence as the second Tuesday of the month with a +4 day offset. Optionally, you can also specify an end date when you want the schedule to expire.

+1. On the **Machines** tab, select your machine, and then select **Next**.

+ Update Manager doesn't support driver updates.

+1. On the **Tags** tab, assign tags to maintenance configurations.

+1. On the **Review + create** tab, verify your update deployment options, and then select **Create**.

+# [From the Machines pane](#tab/schedule-updates-single-machine)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On the **Azure Update Manager** | **Machines** page, select your subscription, select your machine, and then select **Schedule updates**.

+1. In **Create new maintenance configuration**, you can create a schedule for a single VM and assign a machine and tags. Follow the procedure from step 3 listed in **From the Overview pane** of [Schedule recurring updates on a single VM](#schedule-recurring-updates-on-a-single-vm) to create a maintenance configuration and assign a schedule.

+# [From a selected VM](#tab/singlevm-schedule-home)

+1. Select your virtual machine to open the **Virtual machines | Updates** page.

+1. Under **Operations**, select **Updates**.

+1. On the **Updates** tab, select **Go to Updates using Update Center**.

+1. In **Updates preview**, select **Schedule updates**. In **Create new maintenance configuration**, you can create a schedule for a single VM. Follow the procedure from step 3 listed in **From the Overview pane** of [Schedule recurring updates on a single VM](#schedule-recurring-updates-on-a-single-vm) to create a maintenance configuration and assign a schedule.

+A notification confirms that the deployment was created.

+## Schedule recurring updates at scale

+To schedule recurring updates at scale, follow these steps.

+You can schedule updates from the **Overview** or **Machines** pane.

+# [From the Overview pane](#tab/schedule-updates-scale-overview)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On the **Azure Update Manager** | **Overview** page, select your subscription, and then select **Schedule updates**.

+1. On the **Create new maintenance configuration** page, you can create a schedule for multiple machines.

+ Currently, VMs and maintenance configuration in the same subscription are supported.

+1. On the **Basics** tab, select **Subscription**, **Resource Group**, and all options in **Instance details**.

+ - Select **Add a schedule**. In **Add/Modify schedule**, specify the schedule details, such as:

+

+ - **Start on**

+ - **Maintenance window** (in hours)

+ - **Repeats** (monthly, daily, or weekly)

+ - **Add end date**

+ - **Schedule summary**

+ The hourly option isn't supported in the portal but can be used through the [API](./manage-vms-programmatically.md#create-a-maintenance-configuration-schedule).

+1. On the **Machines** tab, verify if the selected machines are listed. You can add or remove machines from the list. Select **Next**.

+1. On the **Updates** tab, specify the updates to include in the deployment, such as update classifications or KB ID/packages that must be installed when you trigger your schedule.

+ Update Manager doesn't support driver updates.

+1. On the **Tags** tab, assign tags to maintenance configurations.

+1. On the **Review + create** tab, verify your update deployment options, and then select **Create**.

+# [From the Machines pane](#tab/schedule-updates-scale-machine)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On the **Azure Update Manager** | **Machines** page, select your subscription, select your machines, and then select **Schedule updates**.

+On the **Create new maintenance configuration** page, you can create a schedule for a single VM. Follow the procedure from step 3 listed in **From the Overview pane** of [Schedule recurring updates on a single VM](#schedule-recurring-updates-on-a-single-vm) to create a maintenance configuration and assign a schedule.

+A notification confirms that the deployment was created.

+## Attach a maintenance configuration

+ A maintenance configuration can be attached to multiple machines. It can be attached to machines at the time of creating a new maintenance configuration or even after you create one.

+ 1. On the **Azure Update Manager** page, select **Machines**, and then select your subscription.

+ 1. Select your machine, and on the **Updates** pane, select **Scheduled updates** to create a maintenance configuration or attach an existing maintenance configuration to the scheduled recurring updates.

+1. On the **Scheduling** tab, select **Attach maintenance configuration**.

+1. Select the maintenance configuration that you want to attach, and then select **Attach**.

+1. On the **Updates** pane, select **Scheduling** > **Attach maintenance configuration**.

+1. On the **Attach existing maintenance configuration** page, select the maintenance configuration that you want to attach, and then select **Attach**.

+ :::image type="content" source="./media/scheduled-updates/scheduled-patching-attach-maintenance-inline.png" alt-text="Screenshot that shows Scheduled patching attach maintenance configuration." lightbox="./media/scheduled-updates/scheduled-patching-attach-maintenance-expanded.png":::

+## Schedule recurring updates from maintenance configuration

+You can browse and manage all your maintenance configurations from a single place.

+1. Search **Maintenance configurations** in the Azure portal. It shows a list of all maintenance configurations along with the maintenance scope, resource group, location, and the subscription to which it belongs.

+1. You can filter maintenance configurations by using filters at the top. Maintenance configurations related to guest OS updates are the ones that have maintenance scope as **InGuestPatch**.

+You can create a new guest OS update maintenance configuration or modify an existing configuration.

+### Create a new maintenance configuration

+1. Go to **Machines** and select machines from the list.

+1. On the **Updates** pane, select **Scheduled updates**.

+1. On the **Create a maintenance configuration** pane, follow step 3 in this [procedure](#schedule-recurring-updates-on-a-single-vm) to create a maintenance configuration.

+1. On the **Basics** tab, select the **Maintenance scope** as **Guest (Azure VM, Arc-enabled VMs/servers)**.

+ :::image type="content" source="./media/scheduled-updates/create-maintenance-configuration.png" alt-text="Screenshot that shows creating a maintenance configuration.":::

+### Add or remove machines from maintenance configuration

+1. Go to **Machines** and select the machines from the list.

+1. On the **Updates** page, select **One-time updates**.

+1. On the **Install one-time updates** pane, select **Machines** > **Add machine**.

+ :::image type="content" source="./media/scheduled-updates/add-or-remove-machines-from-maintenance-configuration-inline.png" alt-text="Screenshot that shows adding or removing machines from maintenance configuration." lightbox="./media/scheduled-updates/add-or-remove-machines-from-maintenance-configuration-expanded.png":::

+### Change update selection criteria

+1. On the **Install one-time updates** pane, select the resources and machines to install the updates.

+1. On the **Machines** tab, select **Add machine** to add machines that weren't previously selected, and then select **Add**.

+1. On the **Updates** tab, specify the updates to include in the deployment.

+1. Select **Include KB ID/package** and **Exclude KB ID/package**, respectively, to select updates like **Critical**, **Security**, and **Feature updates**.

+ :::image type="content" source="./media/scheduled-updates/change-update-selection-criteria-of-maintenance-configuration-inline.png" alt-text="Screenshot that shows changing update selection criteria of Maintenance configuration." lightbox="./media/scheduled-updates/change-update-selection-criteria-of-maintenance-configuration-expanded.png":::

+## Onboard to schedule by using Azure Policy

+Update Manager allows you to target a group of Azure or non-Azure VMs for update deployment via Azure Policy. The grouping using a policy keeps you from having to edit your deployment to update machines. You can use subscription, resource group, tags, or regions to define the scope. You can use this feature for the built-in policies, which you can customize according to your use case.

+> [!NOTE]

+> This policy also ensures that the patch orchestration property for Azure machines is set to **Customer Managed Schedules** because it's a prerequisite for scheduled patching.

+### Assign a policy

+Azure Policy allows you to assign standards and assess compliance at scale. For more information, see [Overview of Azure Policy](../governance/policy/overview.md). To assign a policy to scope:

+1. Sign in to the [Azure portal](https://portal.azure.com) and select **Policy**.

+1. Under **Assignments**, select **Assign policy**.

+1. On the **Assign policy** page, on the **Basics** tab:

+ - For **Scope**, choose your subscription and resource group and choose **Select**.

+ - Select **Policy definition** to view a list of policies.

+ - On the **Available Definitions** pane, select **Built in** for **Type**. In **Search**, enter **Schedule recurring updates using Azure Update Manager** and click **Select**.

+ :::image type="content" source="./media/scheduled-updates/dynamic-scoping-defintion.png" alt-text="Screenshot that shows how to select the definition.":::

+

+ - Ensure that **Policy enforcement** is set to **Enabled**, and then select **Next**.

+1. On the **Parameters** tab, by default, only the **Maintenance configuration ARM ID** is visible.

+ If you don't specify any other parameters, all machines in the subscription and resource group that you selected on the **Basics** tab are covered under scope. If you want to scope further based on resource group, location, OS, tags, and so on, clear **Only show parameters that need input or review** to view all parameters:

+ - **Maintenance Configuration ARM ID**: A mandatory parameter to be provided. It denotes the Azure Resource Manager (ARM) ID of the schedule that you want to assign to the machines.

+ - **Resource groups**: You can optionally specify a resource group if you want to scope it down to a resource group. By default, all resource groups within the subscription are selected.

+ - **Operating System types**: You can select Windows or Linux. By default, both are preselected.

+ - **Machine locations**: You can optionally specify the regions that you want to select. By default, all are selected.

+ - **Tags on machines**: You can use tags to scope down further. By default, all are selected.

+ - **Tags operator**: If you select multiple tags, you can specify if you want the scope to be machines that have all the tags or machines that have any of those tags.

+ :::image type="content" source="./media/scheduled-updates/dynamic-scoping-assign-policy.png" alt-text="Screenshot that shows how to assign a policy.":::

+1. On the **Remediation** tab, in **Managed Identity** > **Type of Managed Identity**, select **System assigned managed identity**. **Permissions** is already set as **Contributor** according to the policy definition.

+ If you select **Remediation**, the policy is in effect on all the existing machines in the scope or else it's assigned to any new machine that's added to the scope.

+1. On the **Review + create** tab, verify your selections, and then select **Create** to identify the noncompliant resources to understand the compliance state of your environment.

+### View compliance

+To view the current compliance state of your existing resources:

+1. In **Policy Assignments**, select **Scope** to select your subscription and resource group.

+1. In **Definition type**, select the policy. In the list, select the assignment name.

+1. Select **View compliance**. **Resource compliance** lists the machines and reasons for failure.

+ :::image type="content" source="./media/scheduled-updates/dynamic-scoping-policy-compliance.png" alt-text="Screenshot that shows policy compliance.":::

+## Check your scheduled patching run

+You can check the deployment status and history of your maintenance configuration runs from the Update Manager portal. For more information, see [Update deployment history by maintenance run ID](./manage-multiple-machines.md#update-deployment-history-by-maintenance-run-id).

+## Next steps

+* To view update assessment and deployment logs generated by Update Manager, see [Query logs](query-logs.md).

+* To troubleshoot issues, see [Troubleshoot Update Manager](troubleshoot.md).

+ Title: Security awareness and Ubuntu Pro support in Azure Update Manager

+description: Guidance on security awareness and Ubuntu Pro support in Azure Update Manager.

+# Guidance on security awareness and Ubuntu Pro support

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article provides the details on security vulnerabilities and Ubuntu Pro support in Azure Update Manager.

+If you are using Ubuntu 18.04 LTS, you must take the necessary steps against security vulnerabilities as the Ubuntu 18.04 image has reached the end of its [standard security maintenance](https://ubuntu.com/blog/18-04-end-of-standard-support) in May 2023. As Canonical has stopped publishing new security or critical updates after May 2023, the risk of systems and data to potential security threats is high. Without software updates, you may experience performance issues or compatibility issues whenever a new hardware or software is released.

+You can either upgrade to [Ubuntu Pro](https://ubuntu.com/azure/pro) or migrate to a newer version of LTS to avoid any future disruption to the patching mechanisms. When you [upgrade to Ubuntu Pro](https://ubuntu.com/blog/enhancing-the-ubuntu-experience-on-azure-introducing-ubuntu-pro-updates-awareness), you can avoid any security or performance issues.

+## Ubuntu Pro on Azure Update Manager

+

+Azure Update Manager assesses both Azure and Arc-enabled VMs to indicate any action. AUM helps to identify Ubuntu instances that don't have the available security updates and allows an upgrade to Ubuntu Pro from the Azure portal. For example, an Ubuntu server 18.04 LTS instance on Azure Update Manager has information about upgrading to Ubuntu Pro.

+You can continue to use the Azure Update Manager [capabilities](updates-maintenance-schedules.md) to remain secure after migrating to a supported model from Canonical.

+> [!NOTE]

+> - [Ubuntu Pro](https://ubuntu.com/azure/pro) will provide the support on 18.04 LTS from Canonical until 2028 through Expanded Security Maintenance (ESM). You can also [upgrade to Ubuntu Pro from Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/canonical.0001-com-ubuntu-pro-bionic?tab=Overview) as well.

+> - Ubuntu offers 20.04 LTS and 22.04 LTS as a migration from 18.04 LTS. [Learn more](https://ubuntu.com/18-04/azure).

+

+## Next steps

+- [An overview on Azure Update Manager](overview.md)

+- [View updates for single machine](view-updates.md)

+- [Deploy updates now (on-demand) for single machine](deploy-updates.md)

+- [Schedule recurring updates](scheduled-patching.md)

+ Title: Azure Update Manager support matrix

+description: This article provides a summary of supported regions and operating system settings.

+# Support matrix for Azure Update Manager

+This article details the Windows and Linux operating systems supported and system requirements for machines or servers managed by Azure Update Manager. The article includes the supported regions and specific versions of the Windows Server and Linux operating systems running on Azure virtual machines (VMs) or machines managed by Azure Arc-enabled servers.

+## Update sources supported

+**Windows**: [Windows Update Agent (WUA)](/windows/win32/wua_sdk/updating-the-windows-update-agent) reports to Microsoft Update by default, but you can configure it to report to [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). If you configure WUA to report to WSUS, based on the last synchronization from WSUS with Microsoft Update, the results in Update Manager might differ from what Microsoft Update shows.

+To specify sources for scanning and downloading updates, see [Specify intranet Microsoft Update service location](/windows/deployment/update/waas-wu-settings?branch=main#specify-intranet-microsoft-update-service-location). To restrict machines to the internal update service, see [Do not connect to any Windows Update internet locations](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates?branch=main#do-not-connect-to-any-windows-update-internet-locations).

+**Linux**: You can configure Linux machines to report to a local or public YUM or APT package repository. The results shown in Update Manager depend on where the machines are configured to report.

+## Types of updates supported

+The following types of updates are supported.

+### Operating system updates

+Update Manager supports operating system updates for both Windows and Linux.

+Update Manager doesn't support driver updates.

+### Extended Security Updates (ESU) for Windows Server

+Using Azure Update Manager, you can deploy Extended Security Updates for your Azure Arc-enabled Windows Server 2012 / R2 machines. To enroll in Windows Server 2012 Extended Security Updates, follow the guidance on [How to get Extended Security Updates (ESU) for Windows Server 2012 and 2012 R2](/windows-server/get-started/extended-security-updates-deploy#extended-security-updates-enabled-by-azure-arc)

+### First-party updates on Windows

+By default, the Windows Update client is configured to provide updates only for the Windows operating system. If you enable the **Give me updates for other Microsoft products when I update Windows** setting, you also receive updates for other Microsoft products. Updates include security patches for Microsoft SQL Server and other Microsoft software.

+Use one of the following options to perform the settings change at scale:

+- For servers configured to patch on a schedule from Update Manager (with VM `PatchSettings` set to `AutomaticByPlatform = Azure-Orchestrated`), and for all Windows Servers running on an earlier operating system than Windows Server 2016, run the following PowerShell script on the server you want to change:

+ ```powershell

+ $ServiceManager = (New-Object -com "Microsoft.Update.ServiceManager")

+ $ServiceManager.Services

+ $ServiceID = "7971f918-a847-4430-9279-4a52d1efe18d"

+ $ServiceManager.AddService2($ServiceId,7,"")

+ ```

+- For servers running Windows Server 2016 or later that aren't using Update Manager scheduled patching (with VM `PatchSettings` set to `AutomaticByOS = Azure-Orchestrated`), you can use Group Policy to control this process by downloading and using the latest Group Policy [Administrative template files](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).

+> [!NOTE]

+> Run the following PowerShell script on the server to disable first-party updates:

+>

+> ```powershell

+> $ServiceManager = (New-Object -com "Microsoft.Update.ServiceManager")

+> $ServiceManager.Services

+> $ServiceID = "7971f918-a847-4430-9279-4a52d1efe18d"

+> $ServiceManager.RemoveService($ServiceId)

+> ```

+### Third-party updates

+**Windows**: Update Manager relies on the locally configured update repository to update supported Windows systems, either WSUS or Windows Update. Tools such as [System Center Updates Publisher](/mem/configmgr/sum/tools/updates-publisher) allow you to import and publish custom updates with WSUS. This scenario allows Update Manager to update machines that use Configuration Manager as their update repository with third-party software. To learn how to configure Updates Publisher, see [Install Updates Publisher](/mem/configmgr/sum/tools/install-updates-publisher).

+**Linux**: If you include a specific third-party software repository in the Linux package manager repository location, it's scanned when it performs software update operations. The package isn't available for assessment and installation if you remove it.

+Update Manager doesn't support managing the Configuration Manager client.

+## Supported regions

+Update Manager scales to all regions for both Azure VMs and Azure Arc-enabled servers. The following table lists the Azure public cloud where you can use Update Manager.

+# [Azure VMs](#tab/azurevm)

+Azure Update Manager is available in all Azure public regions where compute virtual machines are available.

+# [Azure Arc-enabled servers](#tab/azurearc)

+Azure Update Manager is currently supported in the following regions. It implies that VMs must be in the following regions.

+**Geography** | **Supported regions**

+ |

+Africa | South Africa North

+Asia Pacific | East Asia </br> South East Asia

+Australia | Australia East </br> Australia Southeast

+Brazil | Brazil South

+Canada | Canada Central </br> Canada East

+Europe | North Europe </br> West Europe

+France | France Central

+India | Central India

+Japan | Japan East

+Korea | Korea Central

+Norway | Norway East

+Sweden | Sweden Central

+Switzerland | Switzerland North

+United Kingdom | UK South </br> UK West

+United States | Central US </br> East US </br> East US 2</br> North Central US </br> South Central US </br> West Central US </br> West US </br> West US 2 </br> West US 3

+## Supported operating systems

+All operating systems are assumed to be x64. For this reason, x86 isn't supported for any operating system.

+Update Manager doesn't support CIS-hardened images.

+> [!NOTE]

+> Currently, schedule patching and periodic assessment on [specialized images](../virtual-machines/linux/imaging.md) and **VMs created by Azure Migrate, Azure Backup, and Azure Site Recovery** are supported in preview.

+# [Azure VMs](#tab/azurevm-os)

+### Azure Marketplace/PIR images

+The Azure Marketplace image has the following attributes:

+- **Publisher**: The organization that creates the image. Examples are `Canonical` and `MicrosoftWindowsServer`.

+- **Offer**: The name of the group of related images created by the publisher. Examples are `UbuntuServer` and `WindowsServer`.

+- **SKU**: An instance of an offer, such as a major release of a distribution. Examples are `18.04LTS` and `2019-Datacenter`.

+- **Version**: The version number of an image SKU.

+Update Manager supports the following operating system versions. You might experience failures if there are any configuration changes on the VMs, such as package or repository.

+#### Windows operating systems

+| **Publisher**| **Versions**

+|-|-|

+|Microsoft Windows Server | 1709, 1803, 1809, 2012, 2016, 2019, 2022|

+|Microsoft Windows Server HPC Pack | 2012, 2016, 2019 |

+|Microsoft SQL Server | 2008, 2012, 2014, 2016, 2017, 2019, 2022 |

+|Microsoft Visual Studio | ws2012r2, ws2016, ws2019, ws2022 |

+|Microsoft Azure Site Recovery | Windows 2012

+|Microsoft BizTalk Server | 2016, 2020 |

+|Microsoft DynamicsAx | ax7 |

+|Microsoft Power BI | 2016, 2017, 2019, 2022 |

+|Microsoft SharePoint | sp* |

+#### Linux operating systems

+| **Publisher**| **Versions**

+|-|-|

+|Canonical | Ubuntu 16.04, 18.04, 20.04, 22.04 |

+|Red Hat | RHEL 7,8,9|

+|OpenLogic | CentOS 7|

+|SUSE 12 |sles, sles-byos, sap, sap-byos, sapcal, sles-standard |

+|SUSE 15 | basic, hpc, opensuse, sles, sap, sapcal|

+|Oracle Linux | 7*, ol7*, ol8*, ol9* |

+|Oracle Database | 21, 19-0904, 18.*|

+#### Unsupported operating systems

+The following table lists the operating systems for Azure Marketplace images that aren't supported.

+| **Publisher**| **OS offer** | **SKU**|

+|-|-|--|

+|OpenLogic | CentOS | 8* |

+|OpenLogic | centos-hpc| * |

+|Oracle | Oracle-Linux | 8, 8-ci, 81, 81-ci , 81-gen2, ol82, ol8_2-gen2,ol82-gen2, ol83-lvm, ol83-lvm-gen2, ol84-lvm,ol84-lvm-gen2 |

+|Red Hat | RHEL | 74-gen2 |

+|Red Hat | RHEL-HANA | 7.4, 7.5, 7.6, 8.1, 81_gen2 |

+|Red Hat | RHEL-SAP | 7.4, 7.5, 7.7 |

+|Red Hat | RHEL-SAP-HANA | 7.5 |

+|Microsoft SQL Server | SQL 2019-SLES* | * |

+|Microsoft SQL Server | SQL 2019-RHEL7 | * |

+|Microsoft SQL Server | SQL 2017-RHEL7 | * |

+|Microsoft | microsoft-ads |*.* |

+|SUSE| sles-sap-15-*-byos | gen *|

+### Custom images

+We support [generalized](../virtual-machines/linux/imaging.md#generalized-images) custom images. Currently, scheduled patching and periodic assessment on [specialized images](../virtual-machines/linux/imaging.md#specialized-images) and VMs created by Azure Migrate, Azure Backup, and Azure Site Recovery are supported in preview.

+The following table lists the operating systems that we support for customized images. For instructions on how to use Update Manager to manage updates on custom images, see [Custom images (preview)](manage-updates-customized-images.md).

+ |**Windows operating system**|

+ ||

+ |Windows Server 2022|

+ |Windows Server 2019|

+ |Windows Server 2016|

+ |Windows Server 2012 R2|

+ |Windows Server 2012|

+ |Windows Server 2008 R2 (RTM and SP1 Standard)|

+ |**Linux operating system**|

+ ||

+ |CentOS 7, 8|

+ |Oracle Linux 7.x, 8x|

+ |Red Hat Enterprise 7, 8, 9|

+ |SUSE Linux Enterprise Server 12.x, 15.0-15.4|

+ |Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS|

+# [Azure Arc-enabled servers](#tab/azurearc-os)

+The following table lists the operating systems supported on [Azure Arc-enabled servers](../azure-arc/servers/overview.md).

+ |**Operating system**|

+ |-|

+ | Amazon Linux 2023 |

+ | Windows Server 2012 R2 and higher (including Server Core) |

+ | Windows Server 2008 R2 SP1 with PowerShell enabled and .NET Framework 4.0+ |

+ | Ubuntu 16.04, 18.04, 20.04, and 22.04 LTS |

+ | CentOS Linux 7 and 8 (x64) |

+ | SUSE Linux Enterprise Server (SLES) 12 and 15 (x64) |

+ | Red Hat Enterprise Linux (RHEL) 7, 8, 9 (x64) |

+ | Amazon Linux 2 (x64) |

+ | Oracle 7.x, 8.x|

+ | Debian 10 and 11|

+ | Rocky Linux 8|

+## Unsupported operating systems

+The following table lists the operating systems that aren't supported.

+ | **Operating system**| **Notes**

+ |-|-|

+ | Windows client | For client operating systems such as Windows 10 and Windows 11, we recommend [Microsoft Intune](/mem/intune/) to manage updates.|

+ | Virtual machine scale sets| We recommend that you use [Automatic upgrades](../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md) to patch the virtual machine scale sets.|

+ | Azure Kubernetes Service nodes| We recommend the patching described in [Apply security and kernel updates to Linux nodes in Azure Kubernetes Service (AKS)](/azure/aks/node-updates-kured).|

+Because Update Manager depends on your machine's OS package manager or update service, ensure that the Linux package manager or Windows Update client is enabled and can connect with an update source or repository. If you're running a Windows Server OS on your machine, see [Configure Windows Update settings](configure-wu-agent.md).

+## Next steps

+- [View updates for a single machine](view-updates.md)

+- [Deploy updates now (on-demand) for a single machine](deploy-updates.md)

+- [Schedule recurring updates](scheduled-patching.md)

+- [Manage update settings via the portal](manage-update-settings.md)

+ Title: Troubleshoot known issues with Azure Update Manager

+description: This article provides details on known issues and how to troubleshoot any problems with Azure Update Manager.

+# Troubleshoot issues with Azure Update Manager

+This article describes the errors that might occur when you deploy or use Azure Update Manager, how to resolve them, and the known issues and limitations of scheduled patching.

+## General troubleshooting

+The following troubleshooting steps apply to the Azure virtual machines (VMs) related to the patch extension on Windows and Linux machines.

+### Azure Linux VM

+To verify if the Microsoft Azure Virtual Machine agent (VM agent) is running and has triggered appropriate actions on the machine and the sequence number for the autopatching request, check the agent log for more information in `/var/log/waagent.log`. Every autopatching request has a unique sequence number associated with it on the machine. Look for a log similar to `2021-01-20T16:57:00.607529Z INFO ExtHandler`.

+The package directory for the extension is `/var/lib/waagent/Microsoft.CPlat.Core.Edp.LinuxPatchExtension-<version>`. The `/status` subfolder has a `<sequence number>.status` file. It includes a brief description of the actions performed during a single autopatching request and the status. It also includes a short list of errors that occurred while applying updates.

+To review the logs related to all actions performed by the extension, check for more information in `/var/log/azure/Microsoft.CPlat.Core.Edp.LinuxPatchExtension/`. It includes the following two log files of interest:

+* `<seq number>.core.log`: Contains information related to the patch actions. This information includes patches assessed and installed on the machine and any problems encountered in the process.

+* `<Date and Time>_<Handler action>.ext.log`: There's a wrapper above the patch action, which is used to manage the extension and invoke specific patch operation. This log contains information about the wrapper. For autopatching, the log `<Date and Time>_Enable.ext.log` has information on whether the specific patch operation was invoked.

+### Azure Windows VM

+To verify if the VM agent is running and has triggered appropriate actions on the machine and the sequence number for the autopatching request, check the agent log for more information in `C:\WindowsAzure\Logs\AggregateStatus`. The package directory for the extension is `C:\Packages\Plugins\Microsoft.CPlat.Core.WindowsPatchExtension<version>`.

+To review the logs related to all actions performed by the extension, check for more information in `C:\WindowsAzure\Logs\Plugins\Microsoft.CPlat.Core.WindowsPatchExtension<version>`. It includes the following two log files of interest:

+* `WindowsUpdateExtension.log`: Contains information related to the patch actions. This information includes patches assessed and installed on the machine and any problems encountered in the process.

+* `CommandExecution.log`: There's a wrapper above the patch action, which is used to manage the extension and invoke specific patch operation. This log contains information about the wrapper. For autopatching, the log has information on whether the specific patch operation was invoked.

+## Unable to change the patch orchestration option to manual updates from automatic updates

+Here's the scenario.

+### Issue

+The Azure machine has the patch orchestration option as `AutomaticByOS/Windows` automatic updates and you're unable to change the patch orchestration to Manual Updates by using **Change update settings**.

+### Resolution

+If you don't want any patch installation to be orchestrated by Azure or aren't using custom patching solutions, you can change the patch orchestration option to **Customer Managed Schedules (Preview)** or `AutomaticByPlatform` and `ByPassPlatformSafetyChecksOnUserSchedule` and not associate a schedule/maintenance configuration to the machine. This setting ensures that no patching is performed on the machine until you change it explicitly. For more information, see **Scenario 2** in [User scenarios](prerequsite-for-schedule-patching.md#user-scenarios).

+## Machine shows as "Not assessed" and shows an HRESULT exception

+Here's the scenario.

+### Issue

+* You have machines that show as `Not assessed` under **Compliance**, and you see an exception message below them.

+* You see an `HRESULT` error code in the portal.

+### Cause

+The Update Agent (Windows Update Agent on Windows and the package manager for a Linux distribution) isn't configured correctly. Update Manager relies on the machine's Update Agent to provide the updates that are needed, the status of the patch, and the results of deployed patches. Without this information, Update Manager can't properly report on the patches that are needed or installed.

+### Resolution

+Try to perform updates locally on the machine. If this operation fails, it typically means that there's an Update Agent configuration error.

+This issue is frequently caused by network configuration and firewall problems. Use the following checks to correct the issue:

+* For Linux, check the appropriate documentation to make sure you can reach the network endpoint of your package repository.

+* For Windows, check your agent configuration as described in [Updates aren't downloading from the intranet endpoint (WSUS/SCCM)](/windows/deployment/update/windows-update-troubleshooting#updates-arent-downloading-from-the-intranet-endpoint-wsussccm).

+ * If the machines are configured for Windows Update, make sure that you can reach the endpoints described in [Issues related to HTTP/proxy](/windows/deployment/update/windows-update-troubleshooting#issues-related-to-httpproxy).

+ * If the machines are configured for Windows Server Update Services (WSUS), make sure that you can reach the WSUS server configured by the [WUServer registry key](/windows/deployment/update/waas-wu-settings).

+If you see an `HRESULT` error code, double-click the exception displayed in red to see the entire exception message. Review the following table for potential resolutions or recommended actions.

+|Exception |Resolution or action |

+|||

+|`Exception from HRESULT: 0x……C` | Search the relevant error code in the [Windows Update error code list](https://support.microsoft.com/help/938205/windows-update-error-code-list) to find more information about the cause of the exception. |

+|`0x8024402C`</br>`0x8024401C`</br>`0x8024402F` | Indicates network connectivity problems. Make sure your machine has network connectivity to Update Management. For a list of required ports and addresses, see the [Network planning](../automation/update-management/plan-deployment.md#ports) section. |

+|`0x8024001E`| The update operation didn't finish because the service or system was shutting down.|

+|`0x8024002E`| Windows Update service is disabled.|

+|`0x8024402C` | If you're using a WSUS server, make sure the registry values for `WUServer` and `WUStatusServer` under the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` registry key specify the correct WSUS server. |

+|`0x80072EE2`|There's a network connectivity problem or a problem in talking to a configured WSUS server. Check WSUS settings and make sure the service is accessible from the client.|

+|`The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (Exception from HRESULT: 0x80070422)` | Make sure the Windows Update service (`wuauserv`) is running and not disabled. |

+|`0x80070005`| An access denied error can be caused by any one of the following problems:<br> - Infected computer.<br> - Windows Update settings not configured correctly.<br> - File permission error with the `%WinDir%\SoftwareDistribution` folder.<br> - Insufficient disk space on the system drive (drive C).

+|Any other generic exception | Run a search on the internet for possible resolutions and work with your local IT support. |

+Reviewing the `%Windir%\Windowsupdate.log` file can also help you determine possible causes. For more information about how to read the log, see [Read the Windowsupdate.log file](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file).

+You can also download and run the [Windows Update troubleshooter](https://support.microsoft.com/help/4027322/windows-update-troubleshooter) to check for any problems with Windows Update on the machine.

+> [!NOTE]

+> The [Windows Update troubleshooter](https://support.microsoft.com/help/4027322/windows-update-troubleshooter) documentation indicates that it's for use on Windows clients, but it also works on Windows Server.

+### Azure Arc-enabled servers

+For Azure Arc-enabled servers, see [Troubleshoot VM extensions](../azure-arc/servers/troubleshoot-vm-extensions.md) for general troubleshooting steps.

+To review the logs related to all actions performed by the extension, on Windows, check for more information in `C:\ProgramData\GuestConfig\extension_Logs\Microsoft.SoftwareUpdateManagement\WindowsOsUpdateExtension`. It includes the following two log files of interest:

+* `WindowsUpdateExtension.log`: Contains information related to the patch actions. This information includes the patches assessed and installed on the machine and any problems encountered in the process.

+* `cmd_execution_<numeric>_stdout.txt`: There's a wrapper above the patch action. It's used to manage the extension and invoke specific patch operation. This log contains information about the wrapper. For autopatching, the log has information on whether the specific patch operation was invoked.

+* `cmd_excution_<numeric>_stderr.txt`

+## Known issues in schedule patching

+- For a concurrent or conflicting schedule, only one schedule is triggered. The other schedule is triggered after a schedule is finished.

+- If a machine is newly created, the schedule might have 15 minutes of schedule trigger delay in the case of Azure VMs.

+- Policy definition **Schedule recurring updates using Azure Update Manager** with version 1.0.0-preview successfully remediates resources. However, it always shows them as noncompliant. The current value of the existence condition is a placeholder that always evaluates to false.

+### Unable to apply patches for the shutdown machines

+Here's the scenario.

+#### Issue

+Patches aren't getting applied for the machines that are in shutdown state. You might also see that machines are losing their associated maintenance configurations or schedules.

+#### Cause

+The machines are in a shutdown state.

+### Resolution

+Keep your machines turned on at least 15 minutes before the scheduled update. For more information, see [Shut down machines](../virtual-machines/maintenance-configurations.md#shut-down-machines).

+### Patch run failed with Maintenance window exceeded property showing true even if time remained

+Here's the scenario.

+#### Issue

+When you view an update deployment in **Update History**, the property **Failed with Maintenance window exceeded** shows **true** even though enough time was left for execution. In this case, one of the following problems is possible:

+* No updates are shown.

+* One or more updates are in a **Pending** state.

+* Reboot status is **Required**, but a reboot wasn't attempted even when the reboot setting passed was `IfRequired` or `Always`.

+#### Cause

+During an update deployment, Maintenance window utilization is checked at multiple steps. Ten minutes of the Maintenance window are reserved for reboot at any point. Before the deployment gets a list of missing updates or downloads or installs any update (except Windows service pack updates), it checks to verify if there are 15 minutes + 10 minutes for reboot (that is, 25 minutes left in the Maintenance window).

+For Windows service pack updates, the deployment checks for 20 minutes + 10 minutes for reboot (that is, 30 minutes). If the deployment doesn't have the sufficient time left, it skips the scan/download/installation of updates. The deployment run then checks if a reboot is needed and if 10 minutes are left in the Maintenance window. If there are, the deployment triggers a reboot. Otherwise, the reboot is skipped.

+In such cases, the status is updated to **Failed**, and the **Maintenance window exceeded** property is updated to **true**. For cases where the time left is less than 25 minutes, updates aren't scanned or attempted for installation.

+To find more information, review the logs in the file path provided in the error message of the deployment run.

+#### Resolution

+Set a longer time range for maximum duration when you're triggering an [on-demand update deployment](deploy-updates.md) to help avoid the problem.

+## Next steps

+* To learn more about Update Manager, see the [Overview](overview.md).

+* To view logged results from all your machines, see [Querying logs and results from Update Manager](query-logs.md).

+ Title: Schedule updates and enable periodic assessment at scale using policy.

+description: In this tutorial, you learn on how enable periodic assessment or update the deployment using policy.

+#Customer intent: As an IT admin, I want dynamically apply patches or enable periodic assessment on the machines at scale using a policy.

+# Tutorial: Enable periodic assessment and schedule updates on Azure VMs using policy

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+

+This tutorial explains how you can enable periodic assessment and schedule updates on your Azure VMs at scale using Azure policy. A policy allows you to assign standards and assess compliance at scale. [Learn more](../governance/policy/overview.md).

+**Periodic Assessment** - is a setting on your machine that enables you to see the latest updates available for your machines and removes the hassle of performing assessment manually every time you need to check the update status. Once you enable this setting, update manager fetches updates on your machine once every 24 hours.

+**Schedule patching** - is a setting to target a group of machines for update deployment via Azure Policy. The grouping using policy, keeps you from having to edit your deployment to update machines. You can use subscription, resource group, tags or regions to define the scope and use this feature for the built-in policies which you can customize as per your use-case.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> - Enable periodic assessment

+> - Enable schedule patching

+## Prerequisites

+- You must have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Enable Periodic assessment

+Go to **Policy** from the Azure portal and under **Authoring**, go to **Definitions**.

+1. From the **Category** dropdown, select **Azure Update Manager**. Select *Configure periodic checking for missing system updates on Azure virtual machines* for Azure machines.

+1. When the Policy Definition opens, select **Assign**.

+1. In **Basics**, select your subscription as your scope. You can also specify a resource group within subscription as the scope and select Next.

+1. In **Parameters**, uncheck **Only show parameters that need input or review** so that you can see the values of parameters.

+1. In **Assessment**: select *AutomaticByPlatform* and select *Operating system* and then select **Next**. You need to create separate policies for Windows and Linux.

+1. In **Remediation**, check **Create a remediation task**, so that periodic assessment is enabled on your machines and click **Next**.

+1. In **Non-compliance**, provide the message that you would like to see in case of non-compliance. For example: *Your machine doesn't have periodic assessment enabled.* and then select **Review+Create**.

+1. In **Review+Create**, select **Create**. This action triggers Assignment and Remediation Task creation, which can take a minute or so.

+You can monitor the compliance of resources under **Compliance** and remediation status under **Remediation** from the Policy home page.

+## Enable schedule patching

+1. Sign in to the [Azure portal](https://portal.azure.com) and select **Policy**.

+1. In **Assignments**, select **Assign policy**.

+1. Under **Basics**, in the **Assign policy** page:

+ - In **Scope**, choose your subscription, resource group, and choose **Select**.

+ - Select **Policy definition** to view a list of policies.

+ - In **Available Definitions**, select **Built in** for Type and in search, enter - *Schedule recurring updates using Azure Update Manager* and click **Select**.

+ - Ensure that **Policy enforcement** is set to **Enabled** and select **Next**.

+

+1. In **Parameters**, by default, only the Maintenance configuration ARM ID is visible.

+ > [!NOTE]

+ > If you do not specify any other parameters, all machines in the subscription and resource group that you selected in **Basics** will be covered under scope. However, if you want to scope further based on resource group, location, OS, tags and so on, deselect **Only show parameters that need input or review** to view all parameters.

+ - Maintenance Configuration ARM ID: A mandatory parameter to be provided. It denotes the ARM ID of the schedule that you want to assign to the machines.

+ - Resource groups: You can specify a resource group optionally if you want to scope it down to a resource group. By default, all resource groups within the subscription are selected.

+ - Operating System types: You can select Windows or Linux. By default, both are preselected.

+ - Machine locations: You can optionally specify the regions that you want to select. By default, all are selected.

+ - Tags on machines: You can use tags to scope down further. By default, all are selected.

+ - Tags operator: In case you have selected multiple tags, you can specify if you want the scope to be machines that have all the tags or machines which have any of those tags.

+1. In **Remediation**, **Managed Identity**, **Type of Managed Identity**, select System assigned managed identity and **Permissions** is already set as *Contributor* according to the policy definition.

+ > [!NOTE]

+ > If you select Remediation, the policy would be effective on all the existing machines in the scope else, it is assigned to any new machine which is added to the scope.

+1. In **Review + Create**, verify your selections, and select **Create** to identify the non-compliant resources to understand the compliance state of your environment.

+## Next steps

+Learn about [managing multiple machines](manage-multiple-machines.md).

+

+ Title: Schedule updates on Dynamic scoping.

+description: In this tutorial, you learn how to group machines, dynamically apply the updates at scale.

+#Customer intent: As an IT admin, I want dynamically apply patches on the machines as per a schedule.

+# Tutorial: Schedule updates on Dynamic scopes

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure VMs :heavy_check_mark: Azure Arc-enabled servers.

+

+This tutorial explains how you can create a dynamic scope, and apply patches based on the criteria.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> - Create and edit groups

+> - Associate a schedule

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Create a Dynamic scope

+To create a dynamic scope, follow these steps:

+#### [Azure portal](#tab/az-portal)

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Update Manager**.

+1. Select **Overview** > **Schedule updates** > **Create a maintenance configuration**.

+1. In the **Create a maintenance configuration** page, enter the details in the **Basics** tab and select **Maintenance scope** as *Guest* (Azure VM, Arc-enabled VMs/servers).

+1. Select **Dynamic Scopes** and follow the steps to [Add Dynamic scope](manage-dynamic-scoping.md#add-a-dynamic-scope).

+1. In **Machines** tab, select **Add machines** to add any individual machines to the maintenance configuration and select **Updates**.

+1. In the **Updates** tab, select the patch classification that you want to include/exclude and select **Tags**.

+1. Provide the tags in **Tags** tab.

+1. Select **Review** and then **Review + Create**.

+> [!NOTE]

+> A dynamic scope exists within the context of a schedule only. You can use one schedule to link to a machine, dynamic scope, or both. One dynamic scope cannot have more than one schedule.

+#### [Azure CLI](#tab/az-cli)

+```azurecli

+ az maintenance assignment create-or-update-subscription --maintenance-configuration-id "/subscriptions/{subscription_id}/resourcegroups/{rg}/providers/Microsoft.Maintenance/maintenanceConfigurations/clitestmrpconfinguestadvanced" --name cli_dynamicscope_recording01 --filter-locations eastus2euap centraluseuap --filter-os-types windows linux --filter-tags {{tagKey1:[tagKey1Val1,tagKey1Val2],tagKey2:[tagKey2Val1,tagKey2Val2]}} --filter-resource-group rg1, rg2 --filter-tags-operator All -l global

+```

+#### [PowerShell](#tab/az-ps)

+```powershell

+ New-AzConfigurationAssignment -ConfigurationAssignmentName $maintenanceConfigurationName -MaintenanceConfigurationId $maintenanceConfigurationInGuestPatchCreated.Id -FilterLocation eastus2euap,centraluseuap -FilterOsType Windows,Linux -FilterTag '{"tagKey1" : ["tagKey1Value1", "tagKey1Value2"], "tagKey2" : ["tagKey2Value1", "tagKey2Value2", "tagKey2Value3"] }' -FilterOperator "Any"

+```

+## Provide the consent

+Obtaining consent to apply updates is an important step in the workflow of scheduled patching and follow the steps on various ways to [provide the consent](manage-dynamic-scoping.md#provide-consent-to-apply-updates).

+## Next steps

+Learn about [managing multiple machines](manage-multiple-machines.md).

+

+ Title: Azure Update Manager FAQ

+description: This article gives answers to frequently asked questions about Azure Update Manager

+#Customer intent: As an implementer, I want answers to various questions.

+# Azure Update Manager frequently asked questions

+This FAQ is a list of commonly asked questions about Azure Update Manager. If you have any other questions about its capabilities, go to the discussion forum and post your questions. When a question is frequently asked, we add it to this article so that it's found quickly and easily.

+## Fundamentals

+### What are the benefits of using Azure Update Manager?

+Azure Update Manager provides a SaaS solution to manage and govern software updates to Windows and Linux machines across Azure, on-premises, and multicloud environments.

+Following are the benefits of using Azure Update

+- Oversee update compliance for your entire fleet of machines in Azure (Azure VMs), on premises, and multicloud environments (Arc-enabled Servers).

+- View and deploy pending updates to secure your machines [instantly](updates-maintenance-schedules.md#update-nowone-time-update).

+- Manage [extended security updates (ESUs)](../azure-arc/servers/prepare-extended-security-updates.md) for your Azure Arc-enabled Windows Server 2012/2012 R2 machines. Get consistent experience for deployment of ESUs and other updates.

+- Define recurring time windows during which your machines receive updates and might undergo reboots using [scheduled patching](scheduled-patching.md). Enforce machines grouped together based on standard Azure constructs (Subscriptions, Location, Resource Group, Tags etc.) to have common patch schedules using [dynamic scoping](dynamic-scope-overview.md). Sync patch schedules for Windows machines in relation to patch Tuesday, the unofficial term for month.

+- Enable incremental rollout of updates to Azure VMs in off-peak hours using [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md) and reduce reboots by enabling [hotpatching](updates-maintenance-schedules.md#hotpatching).

+- Automatically [assess](assessment-options.md#periodic-assessment) machines for pending updates every 24 hours, and flag machines that are out of compliance. Enforce enabling periodic assessments on multiple machines at scale using [Azure Policy](periodic-assessment-at-scale.md).

+- Create [custom reports](workbooks.md) for deeper understanding of the updates data of the environment.

+- Granular access management to Azure resources with Azure roles and identity, to control who can perform update operations and edit schedules.

+### How does the new Azure Update Manager work on machines?

+Whenever you trigger any Azure Update Manager operation on your machine, it pushes an extension on your machine that interacts with the VM agent (for Azure machine) or Arc agent (for Arc-enabled machines) to fetch and install updates.

+### Is enabling Azure Arc mandatory for patch management for machines not running on Azure?

+Yes, machines that aren't running on Azure must be enabled for Arc, for management using Update Manager.

+### Is the new Azure Update Manager dependent on Azure Automation and Log Analytics?

+No, it's a native capability on a virtual machine.

+### Where is updates data stored in Azure Update Manager?

+All Azure Update Manager data is stored in Azure Resource Graph (ARG). Custom reports can be generated on the updates data for deeper understanding and patterns using Azure Workbooks [Learn more](query-logs.md)

+### Are there programmatic ways to interact with Azure Update Manager?

+Yes, Azure Update Manager supports REST API, CLI and PowerShell for [Azure machines](manage-vms-programmatically.md) and [Arc-enabled machines](manage-arc-enabled-servers-programmatically.md).

+### Do I need MMA or AMA for using Azure Update Manager to manage my machines?

+No, it's a native capability on a virtual machine and doesn't rely either on MMA or AMA.

+### Which operating systems are supported by Azure Update Manager?

+For more information, see [Azure Update Manager OS support](support-matrix.md).

+### Does Update Manager support Windows 10, 11?

+Automation Update Management didn't provide support for patching Windows 10 and 11. The same is true for Azure Update Manager. We recommend that you use Microsoft Intune as the solution for keeping Windows 10 and 11 devices up to date.

+## Impact of Log Analytics Agent retirement

+### How do I move from Automation Update Management to Azure Update Manager?

+Follow the [guidance](guidance-migration-automation-update-management-azure-update-manager.md) to move from Automation Update Management to Azure Update Manager.

+### LA agent (also known as MMA) is retiring and will be replaced with AMA. Is it necessary to move to Update Manager or can I continue to use Automation Update Management with AMA?

+The Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA) will be [retired in August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). Azure Automation Update management solution relies on this agent and might encounter issues once the agent is retired. It doesn't work with Azure Monitoring Agent (AMA) either.

+Therefore, if you're using Azure Automation Update management solution, you're encouraged to move to Azure Update Manager for their software update needs. All capabilities of Azure Automation Update Management Solution will be available on Azure Update Manager before the retirement date. Follow the [guidance](guidance-migration-automation-update-management-azure-update-manager.md) to move update management for your machines to Azure Update Manager.

+

+### If I move to AMA while I'm still using Automation Update Management, will my solution break?

+Yes. Automation Update Management isn't compatible with AMA. We recommend that you move the machine to Azure Update Manager before removing MMA from the machine. Update Manager doesn't rely either on MMA or AMA.

+### Will I lose my Automation Update Management update related data if I move to Azure Update Manager?

+Automation Update Management uses Log Analytics workspace for storing updates data. Azure Update Manager uses Azure Resource Graph for data storage. You can continue using the historical data in Log Analytics workspace for old data and use Azure Resource Graph for new data.

+### I have some reports/dashboards built for Automation Update Management. How do I move those?

+You can rebuild custom dashboards/reports on updates data from Azure Resource Graph (ARG). For more information, see [how to query ARG data](query-logs.md) and [sample queries](sample-query-logs.md). These are a few built-in workbooks that you can modify as per your needs to get started. For more information, see [how to create reports using workbooks](manage-workbooks.md).

+### I have been using saved searches in Automation Update Management for schedules. How do I migrate to Azure Update Manager?

+Arc-enabling of machines is a prerequisite for management with Update Manager. To move the saved searches. You can Arc-enable them and then use dynamic scoping feature to define the same scope of machines. [Learn more](manage-dynamic-scoping.md).

+### If I have been using pre and post-script or alerting capability in Automation Update management, how can I move to Azure Update Manager?

+These capabilities will be added to Azure Update Manager. For more information, see [guidance for moving from Automation Update management to Azure Update Manager](guidance-migration-automation-update-management-azure-update-manager.md).

+### I'm using Automation Update Management on sovereign clouds; will I get region support in the new Azure Update Manager?

+Yes, Automation Update Manager will be rolled out to sovereign clouds soon.

+## Pricing

+### What is the pricing for Azure Update Manager?

+Azure Update Manager is available at no extra charge for managing Azure VMs and Arc-enabled Azure Stack HCI VMs (for which Azure Benefits are enabled). For Arc-enabled Servers, the price is $5 per server per month (assuming 31 days of usage).

+### How is Azure Update Manager price calculated for Arc-enabled servers?

+For Arc-enabled servers, Azure Update Manager is charged $5/server/month (assuming 31 days of connected usage). It's charged at a daily prorated value of 0.16/server/day. An Arc-enabled machine would only be charged for the days when it's connected and managed by Azure Update Manager.

+### When is an Arc-enabled server considered managed by Azure Update Manager?

+An Arc-enabled server is considered managed by Azure Update Manager for days on which the machine fulfills the following conditions:

+ - *Connected* status for Arc at any time during the day.

+ - An update operation (patched on demand or through a scheduled job, assessed on demand or through periodic assessment) is triggered on it, or it's associated with a schedule.

+

+### Are there scenarios in which Arc-enabled Server isn't charged for Azure Update Manager?

+An Arc-enabled server managed with Azure Update Manager is not charged in following scenarios:

+ - If the machine is enabled for delivery of Extended Security Updates (ESUs) enabled by Azure Arc.

+ - Microsoft Defender for Servers Plan 2 is enabled for the subscription hosting the Arc-enabled server.

+### Will I be charged if I move from Automation Update Management to Update Manager?

+Customers using Automation Update Management moving to Azure Update Manager won't be charged till retirement of LA agent.

+### I'm a Defender for Server customer and use update recommendations powered by Azure Update Manager namely "periodic assessment should be enabled on your machines" and "system updates should be installed on your machines". Would I be charged for Azure Update Manager?

+If you have purchased a Defender for Servers Plan 2, then you won't have to pay to remediate the unhealthy resources for the above two recommendations. But if you're using any other Defender for server plan for your Arc machines, then you would be charged for those machines at the daily prorated $0.16/server by Azure Update Manager.

+### Is Azure Update Manager chargeable on Azure Stack HCI?

+Azure Update Manager is not charged for machines hosted Azure Stack HCI clusters that have been enabled for Azure benefits and Azure Arc VM management. [Learn more](/azure-stack/hci/manage/azure-benefits?tabs=wac#azure-benefits-available-on-azure-stack-hci).

+

+## Update Manager support and integration

+### Does Azure Update Manager support integration with Azure Lighthouse?

+Azure Update Manager doesn't currently support Azure Lighthouse integration.

+### Does Azure Update Manager support Azure Policy?

+Yes, Azure Update Manager supports update features via policies. For more information, see [how to enable periodic assessment at scale using policy](periodic-assessment-at-scale.md) and [how to enable schedules on your machines at scale using Azure Policy](scheduled-patching.md#onboard-to-schedule-by-using-azure-policy).

+### I have machines across multiple subscriptions in Automation Update Management. Is this scenario supported in Azure Update Manager?

+Yes, Azure Update Manager supports multi-subscription scenarios.

+### Is there guidance available to move VMs and schedules from SCCM to Azure Update Manager?

+Customers can follow this [guide](guidance-migration-azure.md) to move update configurations from SCCM to Azure Update Manager.

+## Miscellaneous

+### Can I configure my machines to fetch updates from WSUS (Windows) and private repository (Linux)?

+By default, Azure Update Manager relies on Windows Update (WU) client running on your machine to fetch updates. You can configure WU client to fetch updates from Microsoft Update/WSUS repository and manage patch schedules using Azure Update Manager.

+Similarly for Linux, you can fetch updates by pointing your machine to a public repository or clone a private repository that regularly pulls updates from the upstream.

+Azure Update Manager honors machine settings and installs updates accordingly.

+### Does Azure Update Manager store customer data?

+No, Azure Update Manager doesn't store any customer identifiable data outside of the Azure Resource Graph for the subscription.

+## Next steps

+- [An overview of Azure Update Manager](overview.md)

+- [What's new in Azure Update Manager](whats-new.md)

+ Title: Updates and maintenance in Azure Update Manager

+description: This article describes the updates and maintenance options available in Azure Update Manager.

+# Update options and orchestration in Azure Update Manager

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+> [!IMPORTANT]

+> - For a seamless scheduled patching experience, we recommend that for all Azure virtual machines (VMs), you update the patch orchestration to **Customer Managed Schedules**. If you fail to update the patch orchestration, you can experience a disruption in business continuity because the schedules fail to patch the VMs. For more information, see [Configure schedule patching on Azure VMs to ensure business continuity](prerequsite-for-schedule-patching.md).

+> - For Azure Arc-enabled servers, the updates and maintenance options such as automatic VM guest patching in Azure, Windows automatic updates, and hot patching aren't supported.

+This article provides an overview of the various update options and orchestration in Azure Update Manager.

+## Update Options

+### Automatic OS image upgrade

+When you enable the [automatic OS image upgrades](../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md) on your [Azure Virtual Machine Scale Set](../virtual-machine-scale-sets/overview.md), it helps ease Azure Update Manager to safely and automatically upgrade the OS disk for all instances in the scale set.

+Automatic OS upgrade has the following characteristics:

+- After you configure, the latest OS image published by the image publishers is automatically applied to the scale set without any user intervention.

+- It upgrades batches of instances in a rolling manner every time a new image is published by the publisher.

+- Integrates with application health probes and [Application Health extension](../virtual-machine-scale-sets/virtual-machine-scale-sets-health-extension.md).

+- Works for all VM sizes, for both Windows and Linux images including the custom images through the [Azure Compute Gallery](../virtual-machines/shared-image-galleries.md).

+- Flexibility to opt out of automatic upgrades at any time. (OS upgrades can be initiated manually as well).

+- The OS Disk of a VM is replaced with the new OS Disk created with the latest image version. Configured extensions and custom data scripts are run while persisted data disks are retained.

+- Supports Extension sequencing.

+- You can enable on a scale set of any size.

+> [!NOTE]

+> We recommend that you check on the following:

+> - Requirements before you enable automatic OS image upgrades

+> - Supported OS images

+> - Requirements to support custom images. [Learn more](../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md)

+### Automatic VM guest patching

+When you enable [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md) on your Azure VMs, it helps ease Azure Update Manager to safely and automatically patch virtual machines to maintain security compliance.

+Automatic VM guest patching has the following characteristics:

+- Patches classified as *Critical* or *Security* are automatically downloaded and applied on the VM.

+- Patches are applied during off-peak hours for IaaS VMs in the VM's time zone.

+- Patches are applied during all hours for Azure Virtual Machine Scale Sets [VMSS Flexible orchestration](../virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes.md#scale-sets-with-flexible-orchestration).

+- Patch orchestration is managed by Azure and patches are applied following [availability-first principles](../virtual-machines/automatic-vm-guest-patching.md#availability-first-updates).

+- Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.

+- You can monitor application health through the [Application Health Extension](../virtual-machine-scale-sets/virtual-machine-scale-sets-health-extension.md).

+- It works for all VM sizes.

+#### Enable VM property

+To enable the VM property, follow these steps:

+1. On the Azure Update Manager home page, go to **Update Settings**.

+1. Select Patch Orchestration as **Azure Managed-Safe Deployment**.

+> [!NOTE]

+> We recommend the following:

+> - Obtain an understanding how the Automatic VM guest patching works.

+> - Check the requirements before you enable Automatic VM guest patching.

+> - Check for supported OS images. [Learn more](../virtual-machines/automatic-vm-guest-patching.md)

+## Hotpatching

+[Hotpatching](/windows-server/get-started/hotpatch?context=%2Fazure%2Fvirtual-machines%2Fcontext%2Fcontext) allows you to install OS security updates on supported *Windows Server Datacenter: Azure Edition* virtual machines that don't require a reboot after installation. It works by patching the in-memory code of running processes without the need to restart the process.

+Following are the features of Hotpatching:

+- Fewer binaries mean update install faster and consume less disk and CPU resources.

+- Lower workload impact with fewer reboots.

+- Better protection, as the hotpatch update packages are scoped to Windows security updates that install faster without rebooting.

+- Reduces the time exposed to security risks and change windows, and easier patch orchestration with Azure Update Manager

+Hotpatching property is available as a setting in Azure Update Manager that you can enable by using Update settings flow. For more information, see [Hotpatch for virtual machines and supported platforms](/windows-server/get-started/hotpatch).

+## Automatic extension upgrade

+[Automatic Extension Upgrade](../virtual-machines/automatic-extension-upgrade.md) is available for Azure VMs and [Azure Virtual Machine Scale Sets](../virtual-machine-scale-sets/overview.md). When Automatic Extension Upgrade is enabled on a VM or scale set, the extension is upgraded automatically whenever the extension publisher releases a new version for that extension.

+Automatic Extension Upgrade has the following features:

+- It's supported for Azure VMs and Azure Virtual Machine Scale Sets.

+- Upgrades are applied on an [availability-first-deployment-model](../virtual-machines/automatic-extension-upgrade.md#availability-first-updates).

+- For a Virtual Machine Scale Set, no more than 20% of the scale set virtual machines will be upgraded in a single batch. The minimum batch size is one virtual machine.

+- Works for all VM sizes and for both Windows and Linux extensions.

+- Enabled on a Virtual Machine Scale Sets of any size.

+- Each supported extension is enrolled individually, and you can choose the extensions to upgrade automatically.

+- Supported in all public cloud regions. For more information, see [supported extensions and Automatic Extension upgrade](../virtual-machines/automatic-extension-upgrade.md#availability-first-updates)

+

+ ### Windows automatic updates

+This mode of patching allows operating system to automatically install updates on Windows VMs as soon as they're available. It uses the VM property that is enabled by setting the patch orchestration to OS orchestrated/Automatic by OS.

+> [!NOTE]

+> - Windows automatic updates is not an Azure Update Manager setting but a Windows level setting.

+> - Azure Update Manager doesn't support [In-place upgrade for VMs running Windows Server in Azure](../virtual-machines/windows-in-place-upgrade.md).

+## Update or Patch orchestration

+Azure Update Manager provides the flexibility to either install updates immediately or schedule updates within a defined maintenance window. These settings allow you to orchestrate patching for your virtual machine.

+### Update Now/One-time update

+Azure Update Manager allows you to secure your machines immediately by installing updates on demand. To perform the on-demand updates, see [Check and install one time updates](deploy-updates.md#install-updates-on-a-single-vm)

+### Scheduled patching

+You can create a schedule for a daily, weekly or hourly cadence as per your requirement, specify the machines that must be updated as part of the schedule, and the updates that you must install. The schedule will then automatically install the updates as per the specifications.

+Azure Update Manager uses maintenance control schedule instead of creating its own schedules. Maintenance control enables customers to manage platform updates. For more information, see the [Maintenance control](../virtual-machines/maintenance-configurations.md).

+Use [scheduled patching](scheduled-patching.md) to create and save recurring deployment schedules.

+> [!NOTE]

+> Patch orchestration property for Azure machines should be set to **Customer Managed Schedules** as it is a prerequisite for scheduled patching. For more information, see the [list of prerequisites](scheduled-patching.md#prerequisites-for-scheduled-patching).

+> [!IMPORTANT]

+> - For a seamless scheduled patching experience, we recommend that for all Azure VMs, you must update the patch orchestration to **Customer Managed Schedules**. If you fail to update the patch orchestration, you can experience a disruption in business continuity because the schedules will fail to patch the VMs. [Learn more](prerequsite-for-schedule-patching.md).

+> - For Arc-enabled servers, the updates and maintenance options such as Automatic VM Guest patching in Azure, Windows automatic updates and Hotpatching aren't supported.

+

+

+## Next steps

+* To view update assessment and deployment logs generated by Update Manager, see [Query logs](query-logs.md).

+* To troubleshoot Azure Update Manager issues, see [Troubleshoot issues](troubleshoot.md).

+ Title: Check update compliance in Azure Update Manager

+description: This article explains how to use Azure Update Manager in the Azure portal to assess update compliance for supported machines.

+# Check update compliance with Azure Update Manager

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article explains how to check the status of available updates on a single VM or multiple VMs by using Azure Update Manager.

+## Check updates on a single VM

+You can check the updates from the **Overview** or **Machines** pane on the **Update Manager** page or from the selected VM.

+# [From the Overview pane](#tab/singlevm-overview)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On the **Azure Update Manager** | **Overview** page, select your subscription to view all your machines, and then select **Check for updates**.

+1. On the **Select resources and check for updates** pane, choose the machine that you want to check for updates, and then select **Check for updates**.

+ An assessment is performed and a notification appears as a confirmation.

+ :::image type="content" source="./media/view-updates/check-updates-overview-inline.png" alt-text="Screenshot that shows checking updates from Overview." lightbox="./media/view-updates/check-updates-overview-expanded.png":::

+

+ The **Update status of machines**, **Patch orchestration configuration** of Azure VMs, and **Total installation runs** tiles are refreshed and display the results.

+# [From the Machines pane](#tab/singlevm-machines)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On the **Azure Update Manager** | **Machines** page, select your subscription to view all your machines.

+1. Select the checkbox for your machine, and then select **Check for updates** > **Assess now**. Alternatively, you can select your machine and in **Updates**, select **Assess updates**. In **Trigger assess now**, select **OK**.

+ An assessment is performed and a notification appears first that says **Assessment is in progress**. After a successful assessment, you see **Assessment successful**. Otherwise, you see the notification **Assessment Failed**. For more information, see [Update assessment scan](assessment-options.md#update-assessment-scan).

+# [From a selected VM](#tab/singlevm-home)

+1. Select your virtual machine to open the **Virtual machines | Updates** page.

+1. Under **Operations**, select **Updates**.

+1. On the **Updates** pane, select **Go to Updates using Update Manager**.

+ :::image type="content" source="./media/view-updates/resources-check-updates.png" alt-text="Screenshot that shows selection of updates from the home page.":::

+1. On the **Updates** page, select **Check for updates**. In **Trigger assess now**, select **OK**.

+ An assessment is performed and a notification says **Assessment is in progress**. After the assessment, you see **Assessment successful** or **Assessment failed**.

+ :::image type="content" source="./media/view-updates/check-updates-home-inline.png" alt-text="Screenshot that shows the status after checking updates." lightbox="./media/view-updates/check-updates-home-expanded.png":::

+ For more information, see [Update assessment scan](assessment-options.md#update-assessment-scan).

+## Check updates at scale

+To check the updates on your machines at scale, follow these steps.

+You can check the updates from the **Overview** or **Machines** pane.

+# [From the Overview pane](#tab/at-scale-overview)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On the **Azure Update Manager** | **Overview** page, select your subscription to view all your machines and select **Check for updates**.

+1. On the **Select resources and check for updates** pane, choose the machines that you want to check for updates and select **Check for updates**.

+ An assessment is performed and a notification appears as a confirmation.

+

+ The **Update status of machines**, **Patch orchestration configuration** of Azure virtual machines, and **Total installation runs** tiles are refreshed and display the results.

+# [From the Machines pane](#tab/at-scale-machines)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On the **Azure Update Manager** | **Machines** page, select your subscription to view all your machines.

+1. Choose **Select all** to select all your machines, and then select **Check for updates**.

+1. Select **Assess now** to perform the assessment.

+ A notification appears when the operation is initiated and finished. After a successful scan, the **Update Manager | Machines** page is refreshed to display the updates.

+> [!NOTE]

+> In Update Manager, you can initiate a software updates compliance scan on the machine to get the current list of operating system (guest) updates, including the security and critical updates. On Windows, the Windows Update Agent performs the software update scan. On Linux, the software update scan is performed by using OVAL-compatible tools to test for the presence of vulnerabilities based on the OVAL definitions for that platform, which are retrieved from a local or remote repository.

+## Next steps

+* To learn how to deploy updates on your machines to maintain security compliance, see [Deploy updates](deploy-updates.md).

+* To view the update assessment and deployment logs generated by Update Manager, see [Query logs](query-logs.md).

+* To troubleshoot issues, see [Troubleshoot Update Manager](troubleshoot.md).

+ Title: What's new in Azure Update Manager

+description: Learn about what's new and recent updates in the Azure Update Manager service.

+# What's new in Azure Update Manager

+[Azure Update Manager](overview.md) helps you manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on the other cloud platforms from a single dashboard. This article summarizes new releases and features in Azure Update Manager.

+## October 2023

+### Azure Migrate, Azure Backup, Azure Site Recovery VMs support (preview)

+Azure Update Manager now supports scheduled patching and periodic assessment for [specialized](../virtual-machines/linux/imaging.md#specialized-images) VMs including the VMs created by Azure Migrate, Azure Backup, and Azure Site Recovery in preview.

+## September 2023

+**Azure Update Manager is now Generally Available**.

+For more information, see [the announcement](https://techcommunity.microsoft.com/t5/azure-governance-and-management/generally-available-azure-update-manager/ba-p/3928878).

+## August 2023

+### Service rebranding

+Update management center is now rebranded as Azure Update Manager.

+### New region support

+Azure Update Manager is now available in Canada East and Sweden Central regions for Arc-enabled servers. [Learn more](support-matrix.md#supported-regions).

+### SQL Server patching (preview)

+SQL Server patching (preview) allows you to patch SQL Servers. You can now manage and govern updates for all your SQL Servers using the patching capabilities provided by Azure Update Manager. [Learn more](guidance-patching-sql-server-azure-vm.md).

+## July 2023

+### Dynamic scope

+Dynamic scope is an advanced capability of schedule patching. You can now create a group of [machines based on a schedule and apply patches](dynamic-scope-overview.md) on those machines at scale. [Learn more](tutorial-dynamic-grouping-for-scheduled-patching.md).

+

+## May 2023

+### Customized image support

+Update Manager now supports [generalized](../virtual-machines/linux/imaging.md#generalized-images) custom images, and a combination of offer, publisher, and SKU for Marketplace/PIR images.See the [list of supported operating systems](support-matrix.md#supported-operating-systems).

+### Multi-subscription support

+The limit on the number of subscriptions that you can manage to use the Update Manager portal has now been removed. You can now manage all your subscriptions using the Update Manager portal.

+## April 2023

+### New prerequisite for scheduled patching

+A new patch orchestration - **Customer Managed Schedules (Preview)** is introduced as a prerequisite to enable scheduled patching on Azure VMs. The new patch enables the *Azure-orchestrated* and *BypassPlatformSafteyChecksOnUserSchedule* VM properties on your behalf after receiving the consent. [Learn more](prerequsite-for-schedule-patching.md).

+> [!IMPORTANT]

+> For a seamless scheduled patching experience, we recommend that for all Azure VMs, you update the patch orchestration to **Customer Managed Schedules (Preview)** by **30th June 2023**. If you fail to update the patch orchestration by **30th June 2023**, you can experience a disruption in business continuity because the schedules will fail to patch the VMs.

+## November 2022

+### New region support

+Update Manager now supports new five regions for Azure Arc-enabled servers. [Learn more](support-matrix.md#supported-regions).

+## October 2022

+### Improved on-boarding experience

+You can now enable periodic assessment for your machines at scale using [Policy](periodic-assessment-at-scale.md) or from the [portal](manage-update-settings.md#configure-settings-on-a-single-vm).

+## Next steps

+- [Learn more](support-matrix.md) about supported regions.

+ Title: What's upcoming in Azure Update Manager

+description: Learn about what's upcoming and updates in Azure Update Manager.

+# What are the upcoming features in Azure Update Manager

+The article [What's new in Azure Update Manager](whats-new.md) contains updates of feature releases. This article lists all the upcoming features for Azure Update Manager.

+## Alerting

+Enable alerts to address events as captured in updates data.

+## Prescript and postscript

+The ability to execute Azure Automation runbook scripts before or after deploying scheduled updates to machines will be available by the fourth quarter of 2023.

+## Next steps

+For more information about supported regions, see [Support matrix for Update Manager](support-matrix.md).

+ Title: An overview of workbooks

+description: This article provides information on how workbooks provide a flexible canvas for data analysis and the creation of rich visual reports.

+# About workbooks

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+Workbooks help you to create visual reports that help in data analysis. This article describes the various features that workbooks offer in Azure Update Manager.

+## Key benefits

+- Use as a canvas for data analysis and creation of visual reports.

+- Access specific metrics from within the reports.

+- Create interactive reports with various kinds of visualizations.

+- Create, share, and pin workbooks to the dashboard.

+- Combine text, log queries, metrics, and parameters to make rich visual reports.

+## The gallery

+The gallery lists all the saved workbooks and templates for your workspace. You can easily organize, sort, and manage workbooks of all types.

+ :::image type="content" source="./media/workbooks/workbooks-gallery.png" alt-text="Screenshot that shows the workbooks gallery.":::

+The following four tabs help you organize workbook types.

+ | Tab | Description |

+ |||

+ | **All** | Shows the top four items for **Workbooks**, **Public Templates**, and **My Templates**. Workbooks are sorted by modified date, so you see the most recent eight modified workbooks.|

+ | **Workbooks** | Shows the list of all the available workbooks that you created or are shared with you. |

+ | **Public Templates** | Shows the list of all the available ready-to-use, get-started functional workbook templates published by Microsoft. Grouped by category. |

+ | **My Templates** | Shows the list of all the available deployed workbook templates that you created or are shared with you. Grouped by category. |

+- On the **Quick start** tile, you can create new workbooks.

+ :::image type="content" source="./media/workbooks/quickstart-workbooks.png" alt-text="Screenshot that shows creating a new workbook by using Quick start.":::

+- On the **Azure Update Manager** tile, you can view the following summary.

+-

+ :::image type="content" source="./media/workbooks/workbooks-summary-inline.png" alt-text="Screenshot that shows a workbook summary." lightbox="./media/workbooks/workbooks-summary-expanded.png":::

+

+ - **Machines overall status and configurations**: Provides the status of all machines in a specific subscription.

+ :::image type="content" source="./media/workbooks/workbooks-machine-overall-status-inline.png" alt-text="Screenshot that shows the overall status and configuration of machines." lightbox="./media/workbooks/workbooks-machine-overall-status-expanded.png":::

+ - **Updates data overview**: Provides a summary of machines that have no updates, assessments, and reboot needed, including the pending Windows and Linux updates by classification and by machine count.

+ :::image type="content" source="./media/workbooks/workbooks-machines-updates-status-inline.png" alt-text="Screenshot that shows a summary of machines that have no updates and assessments needed." lightbox="./media/workbooks/workbooks-machines-updates-status-expanded.png":::

+

+ - **Schedules/Maintenance configurations**: Provides a summary of schedules, maintenance configurations, and a list of machines attached to the schedule. You can also access the maintenance configuration overview page from this section.

+

+ :::image type="content" source="./media/workbooks/workbooks-schedules-maintenance-inline.png" alt-text="Screenshot that shows a summary of schedules and maintenance configurations." lightbox="./media/workbooks/workbooks-schedules-maintenance-expanded.png":::

+ - **History of installation runs**: Provides a history of machines and maintenance runs.

+ :::image type="content" source="./media/workbooks/workbooks-history-installation-inline.png" alt-text="Screenshot that shows a history of installation runs." lightbox="./media/workbooks/workbooks-history-installation-expanded.png":::

+For information on how to use the workbooks for customized reporting, see [Edit a workbook](manage-workbooks.md#edit-a-workbook).

+## Next steps

+ To learn how to deploy updates to your machines to maintain security compliance, see [Deploy updates](deploy-updates.md).

+When you commit to an Azure reserved VM instance you can save money. The reservation discount is applied automatically to the number of running virtual machines that match the reservation scope and attributes. You don't need to assign a reservation to a virtual machine to get the discounts. A reserved instance purchase covers only the compute part of your VM usage. For Windows VMs, the usage meter is split into two separate meters. There's a compute meter, which is same as the Linux meter, and a Windows server license. The charges that you see when you make the purchase are only for the compute costs. Charges don't include Windows software costs. For more information about software costs, see [Software costs not included with Azure Reserved VM Instances](../cost-management-billing/reservations/reserved-instance-windows-software-costs.md).

+>[!NOTE]

+> If you enable Service Endpoint on certain services likes "Microsoft.AzureActiveDirectory" you can see IPV6 address connections on Sign-In Logs. Microsoft use an internal IPV6 private range for this type of connections.

+ Title: 'Resize a gateway SKU'

+description: Learn how to resize a gateway SKU.

+# Resize a gateway SKU for VPN Gateway

+This article helps you resize a gateway SKU. Resizing a gateway SKU is a relatively fast process. You don't need to delete and recreate your existing VPN gateway to resize. However, there are certain limitations and restrictions for resizing and not all SKUs are available when resizing.

+When using the portal to resize your SKU, notice that the dropdown list of available SKUs is based on the SKU you currently have. If you don't see the SKU you want to resize to, instead of resizing, you have to change to a new SKU. For more information, see [About VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md).

+## Resize a SKU

+1. Go to the **Configuration** page for your virtual network gateway.

+1. On the right side of the page, click the dropdown arrow to show a list of available SKUs. The options listed are based on the starting SKU and SKU Generation.

+ :::image type="content" source="./media/gateway-sku-resize/resize-sku.png" alt-text="Screenshot showing how to resize the gateway SKU." lightbox ="./media/gateway-sku-resize/resize-sku.png":::

+1. Select the SKU from the dropdown.

+1. **Save** your changes.

+## Next steps

+For more information about SKUs, see [VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md).