Navigation
OperationsUpdated July 3, 2026

Azure Update and WSUS Management Guide

azurewsusupdate-managementgovernancecomplianceterraformpatchingsecurity

Azure Update and WSUS Management Guide


Azure Update Manager (AUM) and Windows Server Update Services (WSUS) ensure all EoA servers are patched according to organizational security and compliance standards. Patch management is driven by server tagging (PatchSchedule) and centralized AUM configurations, with healthcare-specific controls for Epic and HIPAA/ SOX compliance.

📋 Quick Reference

ComponentPurposeOHEMR Implementation
PatchSchedule TagDynamic update groupingAssigned to every server
GPO/Client ConfigUpdate source configurationPoints clients to WSUS or AUM

🏥 Healthcare Compliance Framework

  • Automated Patch Enforcement: Reduces risk of unpatched vulnerabilities.

  • Audit Trails: All patch activities are logged for compliance review.

  • Downtime Coordination: Patch windows aligned with Epic and clinical schedules.


WSUS Server & Azure Update Manager Flow

graph TD

B --> C[Optimize WSUS AV exclusions]

D --> E[Configure Client GPOs/Settings]

E --> F[Client Servers Windows/RHEL]

F --> G[PatchSchedule Tag Assignment]

G --> H[Azure Update Manager Scoping]

### **WSUS Server Checklist**

| 1 | Deploy Windows Server 2022 VM (Standard D8s_v5 BM, 128GB OS, 1TB Premium SSD) | Meets performance/security standards |
| 2 | Install WSUS Role | Centralizes patch management |
| 5 | Enable Optum Sync | Integrates with on-premises infrastructure |
| 6 | Configure Client GPO | Directs Windows clients to WSUS |
| 7 | Configure RHEL clients | Directs Linux clients to patching system |

---

### **Patch Scheduling and Tagging**

- Every Azure server receives a `PatchSchedule` tag.

- Azure Update Manager dynamically scopes servers into maintenance configurations based on tag.

- Patch windows are coordinated with clinical impact (e.g., Epic downtime).

- The complete list of patch schedules and the Azure Update Manager Configurations as on 10/3/25 is available here : <https://uhgazure.sharepoint.com/:x:/r/teams/EpiconAzureOptumMicrosoftandAccenture/Shared%20Documents/General/4%20-%20Delivery/2%20-%20Epic/1%20-%20Epic%20Infrastructure/EoA%20Server%20Patching%20-%20Update%20Management.xlsx?d=wd85dbe199d7148ef8b4e6248e490d036&csf=1&web=1&e=F6dNbg>

---

## 🔧 Update Classification & Platform Matrix

By default, Azure Update Manager enables Security and Critical updates only. Additional update types are recommended for comprehensive coverage.

| RHEL Linux        | Security and Critical Updates      | Security and Critical Updates            |
| Windows Server    | Critical, Security Updates         | Critical, Security, Update Rollups, Definition Updates, Updates |
- **SQL Server Updates**: Managed as manual deployments by DBA teams.

---

## 📊 Monitoring & Compliance

- **Azure Update Manager Dashboard**: Tracks patch status by PatchSchedule and server.

- **WSUS Reporting**: Centralized compliance reporting for Windows updates.

- **Log Analytics**: Audits all patch operations for regulatory review.

---

### **Common Issues**

**Diagnosis**: Check WSUS connectivity and GPO/client configuration

**Resolution**:

1. Verify client points to correct WSUS/AUM endpoint

2. Ensure PatchSchedule tag is correctly set<https://uhgazure.sharepoint.com/:x:/r/teams/EpiconAzureOptumMicrosoftandAccenture/Shared%20Documents/General/4%20-%20Delivery/2%20-%20Epic/1%20-%20Epic%20Infrastructure/EoA%20Server%20Patching%20-%20Update%20Management.xlsx?d=wd85dbe199d7148ef8b4e6248e490d036&csf=1&web=1&e=F6dNbg>

#### **Problem**: Performance issues on WSUS server

**Resolution**:

2. Verify VM SKU and disk performance

#### **Problem**: SQL servers missing updates

**Diagnosis**: Manual update workflow not followed

**Resolution**:

2. Validate SQL servers are excluded from automated patching, if required

---

- **[Network Standards](../ohemr-architecture-hub/standards/network/index.md)**: Network architecture and security requirements
- **[Operations Index](./index.md)**: Day-to-day operations and maintenance procedures

## 📞 Support & Contacts

|----------|-----------|-------------|

| **Platform Engineering** | Update Manager, WSUS, automation | <[email protected]> |

| **Windows Administration** | WSUS configuration, client GPO | <[email protected]> |

| **DBA Team** | SQL patching and compliance | <[email protected]> |

---