A great engine.
Not a complete process.

Azure Update Manager is one of the best things Microsoft has added to the Azure platform in years. It is also genuinely insufficient for running a governed patch cycle at scale. Here's the honest difference.

Where AUM genuinely delivers

Give credit where it's due

Azure Update Manager is a solid foundation. It is native to Azure, requires no agents on your managed servers, and it is free for Azure VMs. For organisations that have standardised on Azure, it is the obvious starting point for patch management — and for small, simple estates with minimal compliance requirements, it may be all you need.

These are genuine strengths worth acknowledging before talking about the gaps:

Native Azure integration

No third-party agents, no external infrastructure. Works directly with your Azure subscription and Arc-enabled servers out of the box.

Free for Azure VMs

The core AUM tier costs nothing for Azure-hosted virtual machines — a meaningful advantage over agent-based alternatives that charge per endpoint.

Solid scheduling engine

Maintenance configurations, dynamic scopes, and schedule-based patching work reliably. The underlying execution mechanism is sound.

Arc-enabled server support

On-premises and hybrid servers joined via Azure Arc are treated as first-class citizens alongside Azure VMs — genuinely useful for mixed estates.

Where AUM stops

The gaps no one talks about

AUM was designed as a scheduling and execution engine. It was not designed to manage the full monthly patch cycle — and that distinction matters enormously once your estate grows beyond a handful of servers or a single person who knows exactly what to do and when.

The gaps fall into three patterns, and every Azure patching team hits all three eventually.

No structure — you have to already know what you're doing

AUM gives you the tools. It does not tell you what order to use them in, what to check before you start, or what to do when something goes wrong. Running a patch cycle correctly means knowing the right sequence of assessments, maintenance window creation, pre-patch health checks, compliance reviews, and remediation steps — and knowing what to do when any of them behave unexpectedly.

That knowledge lives in people, not in the platform. The moment the wrong person is unavailable on patch weekend, the process falls apart.

  • No guided workflow — the administrator must know the correct sequence from memory
  • No pre-patch health checks — failing devices are discovered after they fail to patch, not before
  • No KB curation step — whatever Microsoft makes available gets deployed without a human review gate
  • No SQL offset handling — separate SQL patching windows must be managed entirely manually

No memory — compliance state disappears the moment you look away

AUM shows you current compliance state. It does not retain it. There is no automatic record of what your estate looked like after last month's patch cycle. If you need to answer "what was compliance in March?" — for an auditor, a manager, or a post-incident review — you either exported a report at the right moment, or you are reconstructing it from Azure activity logs under pressure.

This is where teams often reach for vulnerability scanners to fill the gap. But a vulnerability scanner tells you a patch is missing right now — not whether you were compliant last month. That is answering a different question entirely.

  • No compliance snapshots — historical state must be manually exported at the right time or it is gone
  • No consolidated cross-subscription view — the portal is navigated subscription by subscription
  • 100-device portal limit — large estates require repeated filtered operations
  • Audit requests require reconstruction, not retrieval

No leverage — more devices means more manual work, not the same work

Every additional subscription, client tenant, or managed server multiplies the portal navigation, the configuration updates, and the manual interventions. Exempting a device means finding every maintenance configuration it belongs to across every subscription and removing it one by one. Moving a device between schedules is two manual portal operations per subscription. Answering "which schedule is this device in?" means searching until you find it.

For a single small estate this is manageable. For an MSP managing multiple client tenants — or any organisation that has grown its Azure footprint — the work scales with the estate rather than with the value being delivered.

  • Device exemptions require touching every maintenance configuration individually across every subscription
  • No cross-tenant management — each tenant is a separate, isolated manual operation
  • No forward schedule view — patch weekend dates require manual Patch Tuesday calculation per environment
  • Schedule restructures are full manual portal exercises with no central device membership view
The real risk

When the process lives inside someone's head

There is a more fundamental problem underneath all three of the gaps above. AUM-based patching, done well, works. But it works because of the people running it — not because the platform enforces the right behaviour.

"The process works because it is operated by people with deep knowledge of Azure Update Manager and the specific behaviours of the estate. That knowledge is the process."

The risk is not in the tooling. It is in assuming that knowledge transfers automatically when someone leaves, when a team grows, or when a new client environment needs onboarding quickly. Without a structured process, every new person starts from a blank canvas — and every mistake is a learning exercise that happens in production, during a patch window, under time pressure.

The scenarios that catch teams out are not edge cases. They are the ordinary recurring situations that arise every month: a device that should have been temporarily excluded wasn't, because someone forgot to reverse the change. A KB that caused issues three months ago reappeared, because the exclusion was only applied to some configurations. A compliance report was needed for an auditor and no one had thought to export it at the right time.

None of these are AUM failures. They are process failures — and a scheduling engine cannot solve a process problem.

Compliance history

Not a scanner. An operational record.

One of the most common attempts to fill AUM's compliance gap is to reach for a vulnerability scanner — a tool that reports which patches are missing on which devices right now. It is useful, but it is answering a different question.

Vulnerability scanner

Tells you a patch is missing today. Next month, if that device still has not patched, it becomes a new record — a new finding with a new date. The previous record is closed or superseded.

Ask it "were we compliant in March?" and there is no clean answer. You get what the scanner saw when it last ran — not what your estate looked like after your patch cycle completed.

Vulnerability scanners identify what is exposed. They are not an operational compliance record.

OPUS compliance snapshots

After every patch cycle, OPUS automatically captures a compliance snapshot — a timestamped record of which devices were compliant, which were not, and the compliance percentage across the estate.

Ask it "what was compliance in March?" and you get the answer immediately, regardless of whether anyone remembered to export a report. The record exists because the system created it, not because someone ran a manual process.

Historical compliance is a retrieval operation, not a reconstruction exercise.

When an auditor asks for historical patch compliance data, a team without structured compliance history must reconstruct it from Azure activity logs, maintenance run histories, and whatever manual records exist. This takes hours of stressful work under deadline pressure. With OPUS, it is a 30-second export — the data was captured at the time, automatically, whether anyone thought to ask for it or not.

What OPUS adds on top of AUM

The orchestration layer AUM was never going to be

OPUS does not replace Azure Update Manager. It sits on top of it — using AUM's scheduling engine while adding the governance layer, the structured workflow, the compliance history, and the operational tooling that AUM does not provide. Every patch is still deployed by AUM. OPUS handles everything around it.

The gap in AUM
What OPUS adds
StructureNo guided process — the administrator must know the correct sequence and manage each step manually from memory.
Guided workflowStep-by-step patch cycle from assessment through compliance review. Every phase in the right order, nothing skipped, full audit trail of every action taken.
Pre-patch visibilityNo proactive health checking — issues are discovered when devices fail to patch, not before the window opens.
Patch IntelligencePre-patch health checks across the estate — disk space, Windows Update service state, VM agent responsiveness. Issues surface before the patch window, not during it.
Human patch governanceNo curation step — available patches are deployed without a review gate. Problem KBs require manual configuration updates across every maintenance config.
Patch curationReview and approve available patches before they run. KB exclusions defined once and propagated everywhere automatically — it never deploys something you have not seen.
Compliance historyNo retention — compliance state disappears when the view changes. Historical data requires manual export or reconstruction under pressure.
Automatic snapshotsCompliance captured and retained every month without any manual action. Historical compliance for any previous period is always immediately available.
Exemption managementDevice exclusions require touching every maintenance configuration individually. Temporary exclusions depend on someone remembering to reverse them.
Device ExemptionsOne action exempts a device across every schedule and subscription. Temporary exemptions self-reverse on expiry. Full audit record of every exemption, active and historical.
Scale and multi-tenancyEvery additional tenant or subscription multiplies manual work. No cross-tenant view, no consolidated compliance across client environments.
Multi-tenant managementUnlimited tenants, each fully isolated. The same guided workflow, the same compliance history, the same audit trail — regardless of how many environments you manage.
RemediationFailed devices require new one-off maintenance configurations created manually, with KBs re-added by hand under incident pressure.
Three-tier remediationAutomatic remediation window, AUM one-time update, and a direct KB installer that bypasses AUM entirely — escalating options without any manual configuration work.

See the difference in your own environment.

OPUS is self-hosted, installs in minutes, and runs a 90-day free trial with full functionality and no device cap. If you are already using Azure Update Manager, you are most of the way there — OPUS just needs a Service Principal and your first tenant configured.

Start Free Trial

90-day free trial. No payment details required.