![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 64%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
Azure Update Manager
An Azure service to centrally manages updates and compliance at scale.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 51%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZK%3C/text%3E%3C/svg%3E)
You should not patch the same server with both SCCM and Azure Update Manager at the same time. Unlike Intune co-management, there is no supported “co-management” model between SCCM and Azure Update Manager — both systems control Windows Update Agent (WUA) policies independently, and conflicts can occur.Supported approaches Technically yes, but not recommended without separation. You must ensure:
Option 1 – Hybrid environment with clear separation
Use SCCM for all on-premises and domain-joined servers.
Use Azure Update Manager (via Azure Arc) for cloud-native, workgroup, or isolated servers not reachable by SCCM. This is the most common and supported design.
Option 2 – Transition scenario
If you are moving workloads from SCCM to Azure:
Remove the WSUS GPO settings on the target machines.
Disable the SCCM software update agent (CCM Software Updates Agent).
Register those servers to Azure Arc and onboard them to Update Manager. Now they will use Microsoft Update directly.
Option 3 – Reporting-only
You can still use Azure Update Manager in “reporting” mode (view compliance data) while SCCM performs patching — but disable automatic update deployment in Update Manager.
Supported approaches
Option 1 – Hybrid environment with clear separation
Use SCCM for all on-premises and domain-joined servers.
Use Azure Update Manager (via Azure Arc) for cloud-native, workgroup, or isolated servers not reachable by SCCM.
This is the most common and supported design.
Option 2 – Transition scenario
If you are moving workloads from SCCM to Azure:
Remove the WSUS GPO settings on the target machines.
Disable the SCCM software update agent (CCM Software Updates Agent).
Register those servers to Azure Arc and onboard them to Update Manager.
Now they will use Microsoft Update directly.
Option 3 – Reporting-only
You can still use Azure Update Manager in “reporting” mode (view compliance data) while SCCM performs patching — but disable automatic update deployment in Update Manager.
Split Responsibility by Environment
- Use SCCM for on-premises and hybrid servers
- Use Azure Update Manager for pure Azure VMs or Arc-enabled servers not managed by SCCM
- Avoid Double Patching
- Disable Windows Update for Business and Update Manager on SCCM-managed servers
- In Azure Update Manager, exclude servers that are SCCM clients
- Use Tags or Groups
- Tag Azure VMs with PatchBy=SCCM or PatchBy=UpdateManager
- Use these tags to scope update deployments
- Monitor Compliance Separately
- Use SCCM reports for on-prem patch compliance
- Use Azure Update Manager dashboard for cloud patch status
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 12%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)