Enable cross subscription patching in Azure Update Manager
Applies to: ✔️ Windows VMs ✔️ Linux VMs ✔️ On-premises environment ✔️ Azure Arc-enabled servers.
This article describes how to enable cross-subscription patching through either the Azure CLI or the Azure portal.
Enable resource providers in your subscription
You can register the necessary resource providers to your subscription through Azure CLI or manually via the Azure portal.
Open your Azure CLI and run the following commands:
az provider register --namespace "Microsoft.Insights"
az provider register --namespace "Microsoft.Maintenance"
Grant necessary roles to your managed identity
- Assign the appropriate roles to your Azure VM and Arc assets to ensure scheduled patching is managed effectively. The required roles are:
  - Scheduled patching contributor
  - Reader
- These roles can be granted on the Resource Group or at the Subscription level if you have resources spread among multiple resource groups and want to include them all at once.
- If you have a smaller scope and plan to manage it with a dedicated admin or group, these two roles can be granted to a user or a security group (SG). If you are envisioning a larger scope with automation in place, make sure to grant these roles to the API and Service Principal Name (SPN) you use.
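The two steps above (provider registration and role assignment) applied across several subscriptions, as an added example that is not part of the original article. It only prints the `az` commands so they can be reviewed before running; the principal object ID, subscription IDs and resource group name are constructed placeholders, the function names are hypothetical, and registering the providers in every target subscription is an assumption.

```shell
#!/bin/sh
# Added example: prints (does not run) the az commands for the two steps above.
# All IDs and the resource group name below are constructed placeholders.

# build_scope SUBSCRIPTION_ID [RESOURCE_GROUP] -> ARM scope string
build_scope() {
  case "$1" in
    ????????-????-????-????-????????????) ;;   # GUID shape check only
    *) echo "invalid subscription id: $1" >&2; return 1 ;;
  esac
  if [ -n "${2:-}" ]; then
    printf '/subscriptions/%s/resourceGroups/%s\n' "$1" "$2"
  else
    printf '/subscriptions/%s\n' "$1"
  fi
}

# plan_patching PRINCIPAL_OBJECT_ID PRINCIPAL_TYPE TARGET...
# TARGET is SUBSCRIPTION_ID or SUBSCRIPTION_ID:RESOURCE_GROUP.
# PRINCIPAL_TYPE is User, Group or ServicePrincipal.
plan_patching() {
  principal=$1; ptype=$2; shift 2
  for target in "$@"; do
    sub=${target%%:*}
    rg=""
    if [ "$target" != "$sub" ]; then rg=${target#*:}; fi
    scope=$(build_scope "$sub" "$rg") || return 1
    # Assumption: both providers are registered in each target subscription.
    for ns in Microsoft.Insights Microsoft.Maintenance; do
      printf 'az provider register --namespace "%s" --subscription "%s"\n' "$ns" "$sub"
    done
    # Both required roles, granted at the narrowest scope given for the target.
    for role in "Scheduled Patching Contributor" "Reader"; do
      printf 'az role assignment create --assignee-object-id "%s" --assignee-principal-type %s --role "%s" --scope "%s"\n' \
        "$principal" "$ptype" "$role" "$scope"
    done
  done
}

# Constructed sample: one SPN, resource-group scope in one subscription,
# whole-subscription scope in another.
plan_patching "00000000-0000-0000-0000-000000000001" ServicePrincipal \
  "11111111-1111-1111-1111-111111111111:rg-patching" \
  "22222222-2222-2222-2222-222222222222"
```

Passing `SUBSCRIPTION_ID:RESOURCE_GROUP` keeps the grant at resource-group scope; pass a bare subscription ID only when the resources really are spread across many resource groups.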
Scheduling using maintenance configurations
To create maintenance configurations in Azure Update Manager, set them up as follows:
- Sign in to the Azure portal and go to Azure Update Manager.
- Under Resources, select Machines, and then select Maintenance configurations.
- On the Maintenance Configurations page, follow the steps to set up the patching schedule.