i have now 2 VMs that are not connected to the internet directly or through internet proxy.. but connected to log analytics through the OMS proxy but they show up as not assessed on the Update management solution. 

so thats mean that the OMS gateway doesnt serve the update management as proxy i assume ? but it would make more logic that if your VM is connected through OMS gateway proxy then Update management should work too. 

i will add the URLs as allowed hosts in the oms gateway and see what comes up. 

I have a similar question about OMS Gateway. Did you manage to find out more? I would like to configure the OMS Gateway in such a way that updates are downloaded on it and sent to agents.

Hi Tomek,

what we ended up doing is installing WSUS on the OMS Gateway,  it acts as repository for updates, all updates are downloaded to it, all servers are configured to have the wsus as their update source through GPO, but all orchestration and schedules of updates are managed through the Update Management Solution. 

This is something that I wanted to avoid.

So you are sure that there is no way that OMS Gateway server can connect to update.microsoft.com and download the update? 

How does managing the updates look like in this case?

You must do "approve" in WSUS for a specific KB and create Scheduled Update Deployment in Azure side? Something more?

the Gateway itself can connect to microsoft update as it have internet access, but that doesnt mean that the agents can pull the missing updates from the gateway.

I opened a case with MS support to investigate this before going to the WSUS solution as i wanted to avoid the management of WSUS as well, and i thought that the agent can use the oms gateway to act as a proxy and connect to update.microsoft.com and pull the updates from there, MS Support told me that this is not possible the agents must bound to an update repository, either WSUS or Microsoft Update, and of course VMs don't have direct internet connectivity. so there are 2 ways, setting a system proxy on the VMs where you can only allow internet access to certain URLs (was not applicable in my case) , the other way is WSUS, and yes i do automatic approvals for security and critical updates on WSUS, then the assessment and the scheduling of the updates are all from the portal. 

the WSUS Config is done only 1 time, then everything else i manage from the portal. 

this setup was back in April, and as things changes alot within the log analytics and Azure Monitor space, i hope that the oms gateway can actually work as proxy for updates on the agents as well. 

Thanks Ahmed for quick answer.

Could you tell me how you configure a WSUS GPO policy in such a scenario with Azure Update Management?