| title | Prerequisites for Azure Update Manager |
|---|---|
| description | This article explains the prerequisites for Azure Update Manager, VM extensions, and network planning. |
| ms.service | azure-update-manager |
| ms.custom | linux-related-content |
| author | habibaum |
| ms.author | v-uhabiba |
| ms.date | 08/21/2025 |
| ms.topic | overview |
| ms.update-cycle | 1095-days |
This article summarizes the prerequisites for Azure Update Manager, the extensions for Azure virtual machines (VMs) and Azure Arc-enabled servers, and how to prepare your network to support Update Manager.
Before you start using this service on Linux machines, you must install Python version 2.7 or later.
Update Manager requires high-level permissions because it can update multiple system components, including kernel drivers and operating system security patches. On Linux machines, the Update Manager extensions run operations as the root user. To ensure that assessment and patching operations succeed, grant sudo privileges by adding the root account to the /etc/sudoers file.
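The following script is an added example, not part of the original article or of Update Manager, that checks the two Linux prerequisites above before you onboard a machine. The function names are hypothetical, and the script assumes that an uncommented `root ALL=...` user specification is the sudoers entry the article refers to.

```shell
#!/bin/sh
# Added example: preflight for the Linux prerequisites (Python 2.7+, root in sudoers).

# Succeeds when a "python --version" string reports 2.7 or later.
python_version_ok() {
  v=${1#Python }                 # "Python 3.10.12" -> "3.10.12"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case "$major" in ''|*[!0-9]*) return 1 ;; esac   # reject non-numeric input
  case "$minor" in ''|*[!0-9]*) return 1 ;; esac
  [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 7 ]; }
}

# Succeeds when the file has an uncommented user spec of the form "root ALL=...".
# Assumption: that is the entry meant by "adding the root account". Lines that
# start with "#" are skipped, so #include/#includedir files are not followed.
sudoers_grants_root() {
  awk '
    /^[ \t]*#/ { next }
    $1 == "root" {
      spec = $0
      sub(/^[ \t]*root[ \t]+/, "", spec)   # drop the user name
      gsub(/[ \t]/, "", spec)              # tolerate "ALL = (ALL) ALL"
      if (spec ~ /^ALL=/) found = 1
    }
    END { exit !found }
  ' "$1"
}

# Runs both checks. $1 = sudoers path, $2 = output of "python --version".
preflight() {
  rc=0
  python_version_ok "$2" && echo "PASS python: $2" \
    || { echo "FAIL python: need 2.7 or later, got '$2'"; rc=1; }
  sudoers_grants_root "$1" && echo "PASS sudoers: root entry in $1" \
    || { echo "FAIL sudoers: no root entry in $1"; rc=1; }
  return "$rc"
}

# Constructed sample input (not taken from a real host).
sample=$(mktemp)
printf '%s\n' '# root ALL=(ALL) ALL' 'Defaults env_reset' \
  'root    ALL=(ALL:ALL) ALL' > "$sample"
preflight "$sample" "Python 3.10.12" || true
rm -f "$sample"
# On a real machine, as root (Python 2 prints its version to stderr):
#   preflight /etc/sudoers "$(python3 --version 2>&1)"
```

If the sudoers check fails, edit the file with visudo rather than a plain editor so that a syntax error can't break sudo on the machine.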
To use Update Manager for Azure Arc-enabled servers, you must connect those servers to Azure Arc. For more information, see the overview of Azure Arc-enabled servers.
To learn about updates and the update sources, VM images, and Azure regions that are supported for Update Manager, refer to the support matrix.
To manage machines from Update Manager, see Roles and permissions in Azure Update Manager.
For Update Manager to work, Azure VM extensions must run on Azure machines and Azure Arc-enabled VM extensions must run on Azure Arc-enabled machines. You don't need to install them separately, because the extensions are automatically pushed to the VM the first time you trigger any Update Manager operation on it. For more information, see Update Manager VM extensions.
To prepare your network to support Update Manager, you might need to configure some infrastructure components. For more information, see the network requirements for Azure Arc-enabled servers.
For Windows machines, you must allow traffic to any endpoints that the Windows Update agent requires. You can find an updated list of required endpoints in Issues related to HTTP/proxy. If you have a local Windows Server Update Services (WSUS) deployment, you must allow traffic to the server specified in your WSUS key.
For Red Hat Linux machines, see IPs for the RHUI content delivery servers for required endpoints. For other Linux distributions, see your provider documentation.
Update Manager relies on the Windows Update client to download and install Windows updates. The Windows Update client uses specific settings when it connects to WSUS or Windows Update. For more information, see Configure Windows Update settings for Azure Update Manager.
- Check update compliance with Azure Update Manager
- Deploy updates now and track results with Azure Update Manager
- Automate assessment at scale by using Azure Policy
- Schedule recurring updates for machines by using the Azure portal and Azure Policy
- Manage update configuration settings
- Manage multiple machines with Azure Update Manager