A complete security view for every Ubuntu LTS VM on Azure

Jehudi

on 22 August 2025

Azure’s Update Manager now shows missing Ubuntu Pro updates for all Ubuntu Long-Term Support (LTS) releases: 18.04, 20.04, 22.04 and 24.04. The feature was first introduced for only 18.04 during its move to Expanded Security Maintenance.

With this addition, Azure highlights where Ubuntu LTS instances would benefit from Expanded Security Maintenance updates if the administrator attaches an Ubuntu Pro license, even for instances running more recent Ubuntu releases.

You will see these alerts in two places: the Updates view of an individual VM and Azure Update Manager for fleet-wide visibility.

This builds on Canonical and Microsoft’s ongoing work to integrate Ubuntu into Azure’s systems management tools and keep Ubuntu securely maintained on Azure.

Why this matters: comprehensive security beyond the Main repository

Ubuntu LTS provides five years of standard security maintenance from Canonical for packages in the Main repository without any cost or need for a subscription with Canonical.

The Ubuntu Universe repository hosts tens of thousands of additional open source packages maintained by the community and used in many production environments. These additional packages do not normally receive security updates from Canonical as part of the standard security maintenance included with Ubuntu LTS releases.

Ubuntu Pro expands the security maintenance of Ubuntu LTS releases through its Expanded Security Maintenance (ESM) feature. ESM delivers:

  • esm-apps: Security patching for thousands of applications in the Universe repository. This is essential for all supported LTS versions.
  • esm-infra: Continued security patching for the Main repository after an LTS release has passed its standard support period, providing an extra 5 years of support (beneficial today for Ubuntu 20.04 and earlier).

If you are using Ubuntu 20.04 LTS or earlier, you need to either upgrade these systems to a later Ubuntu release or attach an Ubuntu Pro subscription in order to continue receiving security updates. If you are using packages from the Ubuntu Universe repository on any Ubuntu LTS release, even one released in the last five years, you may still be missing important security updates if you do not have an Ubuntu Pro subscription. The new functionality of Update Manager in the Azure Portal helps you identify the instances that would benefit from an Ubuntu Pro subscription.

See what you’re missing in the Azure portal

Azure now simplifies identifying instances that have security updates available through Ubuntu Pro. When checking for updates on any Ubuntu LTS virtual machine (VM), you might see an alert like this:

“Security-ESM update(s) are available for this machine. An Ubuntu Pro subscription is required to remain secure. Learn more.”

This alert highlights Universe repository packages with known vulnerabilities that require Ubuntu Pro for patching. This visibility is available in two key locations:

  • The Updates section of an individual VM for a detailed view.
  • Azure Update Manager for a unified dashboard to monitor your entire fleet.

From Azure Update Manager, you can select multiple VMs and initiate assessments simultaneously. 

This provides a quick overview of your security landscape and identifies instances that would gain from Ubuntu Pro’s expanded coverage.

Activating Ubuntu Pro: a simple, seamless upgrade

Enabling these additional security updates is straightforward and can be done without service disruption. Perform an in-place upgrade to attach an Ubuntu Pro license to your existing Ubuntu Server VMs with no downtime.

First, update the license type for the VM via the Azure CLI:

az vm update -g myResourceGroup -n myVmName --license-type UBUNTU_PRO

Next, run the following commands on the virtual machine itself. If ubuntu-advantage-tools is not already installed, the first command will install it.

sudo apt update && sudo apt install ubuntu-advantage-tools

sudo pro auto-attach

Tip: If the auto-attach command fails at first, wait a few minutes for the license change to propagate through Azure’s systems and then try the command again.

Finally, you can verify that the ESM services are enabled with:

pro status --all --wait

Do it at scale

Want to apply this across all your VMs? Use this script to perform in-place upgrades on multiple Ubuntu LTS VMs.
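The loop below is an added example, not the script linked above and not Canonical's code: it applies the per-VM steps from the previous section to every VM in one resource group and reports which VMs actually attached. The Canonical publisher filter, the PRO_ATTACH_OK marker, the five retries and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: attach Ubuntu Pro to every eligible VM in one resource group.
# Assumptions: `az` is logged in, the VMs are running with the Azure VM agent,
# and they were deployed from Canonical marketplace images.
set -u

# Runs as root inside each VM via Run Command. Retries auto-attach while the
# license change propagates; PRO_ATTACH_OK is this example's own success marker.
GUEST_SCRIPT='apt-get update && apt-get install -y ubuntu-advantage-tools
for try in 1 2 3 4 5; do
  pro auto-attach && { echo PRO_ATTACH_OK; break; }
  sleep 60
done
pro status --all --wait'

# Names of Canonical-image VMs not yet licensed as UBUNTU_PRO.
list_candidates() {  # $1 = resource group
  az vm list -g "$1" -o tsv --query \
    "[?storageProfile.imageReference.publisher=='Canonical' && licenseType!='UBUNTU_PRO'].name"
}

# Change the license type, then attach inside the guest. Run Command reports
# success even when the guest script fails, so the marker decides the result.
upgrade_vm() {  # $1 = resource group, $2 = VM name
  az vm update -g "$1" -n "$2" --license-type UBUNTU_PRO -o none || return 1
  msg=$(az vm run-command invoke -g "$1" -n "$2" --command-id RunShellScript \
        --scripts "$GUEST_SCRIPT" --query 'value[0].message' -o tsv) || return 1
  case $msg in *PRO_ATTACH_OK*) return 0 ;; *) return 1 ;; esac
}

# Prints "OK <vm>" or "FAILED <vm>" per VM; returns non-zero if any VM failed.
upgrade_group() {  # $1 = resource group
  failed=0
  for vm in $(list_candidates "$1"); do
    if upgrade_vm "$1" "$vm"; then
      echo "OK $vm"
    else
      echo "FAILED $vm"; failed=1
    fi
  done
  return "$failed"
}

# Usage: sh attach-pro.sh myResourceGroup
if [ "$#" -gt 0 ]; then upgrade_group "$1"; fi
```

A VM reported as FAILED still has its license type changed, so re-running `sudo pro auto-attach` on that VM after a few minutes is the follow-up.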

Verify and apply updates

Attaching Ubuntu Pro only unlocks ESM; it does not install updates. After attaching Pro (per VM or at scale), re-run an assessment, install the available updates in Azure Update Manager (or with apt), then re-run the assessment to confirm the Security-ESM alert and pending counts have cleared.

Azure handles billing for your Ubuntu Pro usage automatically.

For new workloads, or workloads you redeploy frequently, you can launch directly from pre-licensed Ubuntu Pro images in the Azure Marketplace.

Conclusion

This broadened Ubuntu Pro awareness in the Azure portal offers customized and practical security recommendations for all Ubuntu LTS users. It helps you identify and prioritize the instances that would benefit most from the expanded security maintenance offered by Ubuntu Pro. This ongoing collaboration with Microsoft enhances the security posture of your Ubuntu instances on Azure, helping you stay secure even when using a vast array of open source software from across the ecosystem. Please let us know your experiences with this new functionality on our Discourse.
