Azure Patch Governance

AUM does the patching.
OPUS does everything else.

Azure Update Manager is the engine. OPUS is the structured workflow, the KB curation discipline, the compliance evidence, the audit trail — and the security posture that surfaces CVE risk before you patch. Built for the engineer running Patch Tuesday across multiple tenants. Self-hosted. No agents. No data leaves your Azure environment.

30-day free trial. No payment details required.


The engineer's patch month, start to finish.

Patching isn't a single event. It's a month-long discipline — preparation, execution, review, remediation, and audit evidence. OPUS handles every stage of it.

Stage 1: Before patch weekend

Preparation. Decide what gets patched.

KB curation across every Maintenance Configuration, intelligently routed — SQL-offset configurations receive SQL patches a week later automatically. Devices with active exemptions are surfaced for review. Dispensations approaching expiry are flagged before they silently lapse.

  • KB Curation phase — eight workflow steps, once per tenant, all Maintenance Configurations updated
  • Device Exemption tracking — every exempted device tied to a dispensation date, with automatic expiry surfacing
  • Device Health Tool — optional pre-flight scan for the nine most common patch-blocking issues

Stage 2: A day or two before the weekend

Readiness. Make sure AUM has what it needs.

The work between preparation and patch weekend. Deallocated devices powered on. Runbook schedules modified if you've enabled that capability. Fresh assessments run so AUM walks into the weekend with current data — not stale results from a week ago.

  • Power On phase — deallocated devices spun up, ready for assessment
  • Runbook Amendment phase — schedule modifications applied across the estate, in workflow
  • Assessment phase — triggered manually or run automatically as a scheduled task

[Screenshot: OPUS Readiness phase]

Stage 3: Monday morning

The dashboard. Where you stand, before your first coffee.

You walk in Monday morning and open the Compliance Dashboard. Every non-compliant device, scored by CVE severity from Microsoft's MSRC feed — already calculated overnight by an OPUS scheduled task. You're not starting the week with triage. You're starting the week with a prioritised list.

  • CVE-scored non-compliance — Microsoft MSRC severity applied automatically the day after Patch Tuesday
  • Per-device drilldown — see exactly which KBs are missing and why
  • PDF and Excel export — audit-ready compliance evidence in 30 seconds

[Screenshot: OPUS Compliance Dashboard]

Stage 4: Through the week

Remediation. Close the gap.

In twenty years of patching, no estate ever hits 100% on the first pass. The team works the dashboard list — some devices clear with a retry, some need a one-time update, some need a KB installed directly. OPUS gives you three remediation paths, each appropriate for a different kind of stubborn device.

  • Remediation toggle — automatic second-weekend retry for every OS patch window
  • One-Time Update Utility — bulk-trigger updates across selected devices outside the maintenance window
  • KB Installation Utility — direct KB installation that bypasses AUM entirely when AUM is the problem

[Screenshot: OPUS Remediation tools]

Stage 5: When the auditor calls

ITSM and audit trail. The evidence is already there.

For the stubborn devices the team can't clear, OPUS raises a ticket automatically when the compliance threshold is breached — Jira, ServiceNow, PagerDuty, or webhook. Severity, device list, KB context, full audit link. The ticket isn't a notification someone has to chase. It's an investigation, opened.

Six months later, when the boss forwards an audit request and your stomach drops — you don't go hunting through C:\Temp or SharePoint for that one report. The ticket is already there. 98% compliance, with every stubborn device explained, every action logged, and every dispensation signed off.

  • Four ITSM providers — Jira, ServiceNow, PagerDuty, and webhook (custom providers built on request)
  • Configurable threshold — raise a ticket after n days of continued non-compliance
  • Full activity log per tenant — every operation OPUS performs, audit-ready, searchable, exportable

[Screenshot: OPUS-raised Jira ticket for non-compliance]

Built for security teams to approve.

Every operation OPUS performs streams to Azure Application Insights — KB exclusions, scheduler runs, operator actions, exemption changes, ticket creations. Structured, queryable, attributable. The same SIEM your security team already runs (Sentinel, Splunk, or anything that consumes Application Insights data) just gained patch governance telemetry.

The security review you'd dread for any other patching tool is one your team can defend.

  • Native Azure SIEM integration — Sentinel-ready via Application Insights, no extra plumbing
  • Self-hosted, in your tenant — no OPUS-operated cloud, no central data plane
  • No agents on managed devices — OPUS orchestrates AUM, AUM does the patching
  • Per-tenant audit isolation — every tenant's activity log, exemption records, and compliance history stays in its own database

[Screenshot: OPUS activity streaming to Azure Application Insights]

The depth behind the workflow.

Capabilities that solve the operational realities of patching at scale — most of which no other tool in this space offers at all.

KB Exclusions with auto-expiry

Add a KB to the exclusion list and it'll never hit a device — until the expiry date you set. When that date arrives, OPUS removes the exclusion automatically. No forgetting. No KBs blocked forever because someone left the company.

Device Exemptions with dispensation tracking

Exempt specific devices from patching with an expiry date tied to a signed-off dispensation. When the dispensation lapses, OPUS surfaces it for review automatically. No Monday morning surprises in six months' time.

Bulk KB install & uninstall, with simulation

Install or uninstall any KB across selected devices, bypassing AUM entirely. Simulate the operation first to see exactly what would happen. No other patching tool can uninstall a bad KB across a device list — meaning no more engineers at 2am on time-and-a-half undoing a dodgy patch one device at a time.

Unique to OPUS

SQL IaaS extension installer

AUM refuses to patch SQL servers without the SQL IaaS extension installed. Full stop. OPUS installs it across your estate seamlessly — one less reason for an engineer to be diagnosing AUM at 2am, one less compliance gap that quietly persists for months.

And more

Forward Schedule (dynamic, up to a year ahead) · Every workflow step also runnable as an ad-hoc utility · Installed Update Tool (audit installed KBs in bulk) · Pre-requisites Checker (verify Azure environment is patch-ready) · Power On utility · Assessment-on-demand.

The capability you'd otherwise need a developer for.

Curating KBs across dozens of Azure Maintenance Configurations isn't a portal task. It's a scripting task — and one that breaks every time Microsoft changes an API, every time a new patch class appears, every time the team's requirements shift.

Most Azure teams take one of three paths:

  1. Skip curation entirely. Patch everything Microsoft releases and hope nothing breaks. Quickest path to a 3am incident.
  2. Script it in-house. Find someone who understands Azure, patch governance, and .NET or PowerShell at depth — a rare combination — and hope they don't leave. Six weeks of work, a fragile pipeline, undocumented edge cases, and a single point of failure.
  3. Use OPUS. The engineered, supported, audit-ready version of that pipeline — built by an engineer who already walked path 2, then turned it into a product so your team doesn't have to.

Why this exists

"I'm an infrastructure engineer and a .NET developer — and twenty years in enterprise IT taught me that the combination is rare. OPUS is what happens when both skills point at the same problem."

— Matthew Burrows, Founder, Cloudframe Solutions

Simple, device-based pricing. No surprises.

Pay only for the devices you manage. Billed annually — price locks in for the year, with a simple usage true-up at renewal.

Essential
1 – 100 devices
£5.00 per device / month
£60 per device / year
At 50 devices — £250/month. Replaces 5–8 hours of KB curation, scheduling, and compliance reporting per cycle.
  • Full feature access
  • Up to 100 managed devices
  • £6,000/year at tier ceiling
  • 30-day free trial included

Enterprise
251 – 500 devices
£4.00 per device / month
£48 per device / year
At 375 devices — £1,500/month. Replaces 16–22 hours of orchestration per cycle — across every tenant you manage.
  • Everything in Professional
  • Up to 500 managed devices
  • £24,000/year at tier ceiling
  • 30-day free trial included
  • Priority onboarding support

Elite
501 – 1,000 devices
£3.50 per device / month
£42 per device / year
At 750 devices — £2,625/month. Replaces 25–35 hours of orchestration per cycle, with audit trails ready for inspection.
  • Everything in Enterprise
  • Up to 1,000 managed devices
  • £42,000/year at tier ceiling
  • 30-day free trial included
  • Direct access to the team

1,000+ devices?

Get in touch for a tailored quote. Large estates get hands-on onboarding and a pricing conversation that makes sense for your scale.

Annual true-up

Licences are issued annually. At renewal, a usage report exported from OPUS confirms your device count — you only ever pay for what you actually manage.

No Azure extras

OPUS works on the free Azure Update Manager tier. No additional Microsoft licensing required.

30 days free. One full Patch Tuesday cycle.

Most tools give you 14 days — not enough to complete a single patch cycle. OPUS gives you 30 days: enough to run a full Patch Tuesday, evaluate the curation phase, build compliance history, and see exactly what it's worth before spending a penny.

No payment details required to start. If your trial ends mid-cycle, a 14-day read-only grace period ensures it completes. OPUS never leaves your estate semi-compliant.

30 days free
  • Full functionality
  • No device cap
  • No payment details
  • Data retained after trial
  • 14-day grace period on expiry

A question? A specific requirement? We want to hear it.

OPUS is built by an infrastructure engineer who has run enterprise patching at scale. If your estate has a specific shape, get in touch — we'll tell you honestly whether OPUS is the right fit.

hello@opus-orchestrator.co.uk

Usually replied to within one business day.