Azure Update Manager allows customers to manage their Azure VMs and on-premises devices using an agent called the Microsoft Monitoring Agent (MMA). By default the client checks whether it is compliant every 12 hours, and the agent also initiates a compliance scan within 15 minutes of being restarted, before an update installation, and after an update installation.
Azure Update Manager only supports the following operating systems for patch cycles.

Supported Client Types

| Operating system | Notes |
|---|---|
| Windows Server 2008, Windows Server 2008 R2 RTM | Supports only update assessments. |
| Windows 2008 R2 SP1 and later (including Windows Server 2012 and 2016) | .NET Framework 4.5.1 or later is required. Windows PowerShell 4.0 or later is required; Windows PowerShell 5.1 is recommended for increased reliability. |
| CentOS 6 (x86/x64) and 7 (x64) | Linux agents must have access to an update repository. Classification-based patching requires `yum` to return security data, which CentOS does not provide out of the box. For more information on classification-based patching on CentOS |
| Red Hat Enterprise Linux 6 (x86/x64) and 7 (x64) | Linux agents must have access to an update repository. |
| SUSE Linux Enterprise Server 11 (x86/x64) and 12 (x64) | Linux agents must have access to an update repository. |
| Ubuntu 14.04 LTS, 16.04 LTS, and 18.04 (x86/x64) | Linux agents must have access to an update repository. |

Unsupported Client Types

| Client type | Notes |
|---|---|
| Windows client | Client operating systems (such as Windows 7 and Windows 10) are not supported. |
| Windows Server 2016 Nano Server | Not supported. |

Windows clients are not supported for patch management; however, the MMA agent can still be installed on them if you only require update reporting through Azure Monitor.
Where do I start in configuring Azure Update Management?
The first thing we need is an Azure Automation Account.
You will need to provide the details specified below.
Please note: a Log Analytics Workspace is required later in this process, and it is currently only available in the following locations:
- West Central US
- West US 2
To check where this functionality is available, visit https://azure.microsoft.com/en-us/global-infrastructure/services/?products=monitor&regions=us-east,us-east-2,us-central,us-north-central,us-south-central,us-west-central,us-west,us-west-2,canada-east,canada-central,united-kingdom-south,united-kingdom-west,non-regional,south-africa-north,south-africa-west
Once the account has been created, select the newly created account and go to the Update Management section. This shows the location you specified and the Log Analytics Workspace subscription, and from here you can create the Log Analytics Workspace.
Once you press Enable, you’ll receive a message that “The installation of the Update Management solution is in progress.”
Now that the Log Analytics Workspace has been created successfully, you can build the "Schedule Update Deployment" as shown below.
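As an added example (not code from the original post), the same onboarding steps scripted with the Az PowerShell modules: create the Automation Account and the Log Analytics workspace, link the two, and enable the Update Management ("Updates") solution, which is what the portal's Enable button does. The resource group, account and workspace names and the region are assumptions; the workspace-to-account link has no dedicated Az cmdlet, so it is created as a generic ARM resource with New-AzResource.

```powershell
# Added example, not from the original post. Requires the Az.Accounts, Az.Resources,
# Az.Automation and Az.OperationalInsights modules and an authenticated Az session.
$ResourceGroup = 'rg-updatemgmt'      # assumed resource group name
$Location      = 'westus2'            # West US 2, one of the regions listed in the post
$AutomationAcc = 'aa-updatemgmt'      # assumed Automation Account name
$Workspace     = 'law-updatemgmt'     # assumed Log Analytics workspace name

# 1. Resource group and Automation Account (the post's first step)
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
New-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AutomationAcc `
    -Location $Location | Out-Null
$aaId = (Get-AzResource -ResourceGroupName $ResourceGroup -Name $AutomationAcc `
    -ResourceType 'Microsoft.Automation/automationAccounts').ResourceId

# 2. Log Analytics workspace in a region that offers the Update Management solution
New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace `
    -Location $Location -Sku 'PerGB2018' | Out-Null

# 3. Link the workspace to the Automation Account. The link is an ARM child resource
#    of the workspace whose name must be 'Automation', so it is created generically.
New-AzResource -ResourceType 'Microsoft.OperationalInsights/workspaces/linkedServices' `
    -ResourceGroupName $ResourceGroup -ResourceName "$Workspace/Automation" `
    -ApiVersion '2020-08-01' -Properties @{ resourceId = $aaId } -Force | Out-Null

# 4. Enable the Update Management solution (the portal's "Enable" button)
Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroup `
    -WorkspaceName $Workspace -IntelligencePackName 'Updates' -Enabled $true | Out-Null

# 5. Verify: the 'Updates' pack should now report Enabled = True
Get-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace |
    Where-Object Name -eq 'Updates' |
    Select-Object Name, Enabled
```

The identity running this needs Contributor rights on the resource group; once the pack is enabled, the "Schedule Update Deployment" blade becomes available exactly as it does after pressing Enable in the portal.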
Now we can get down to the nitty-gritty of configuring deployment schedules based on your own requirements. This section is configured to my personal preference for my test lab machine.
Please note: the following information only covers the Windows operating system. Linux is also available but is not discussed here.
Groups to update
In this section, you can filter the machines you would like to manage using Azure Update Management. This also includes the non-Azure machines feature, which is in preview at the time of this post.
If you select the preview for your Azure machines and it is unable to detect any clients, you may need to onboard your Azure VM: https://docs.microsoft.com/en-us/azure/automation/automation-onboard-solutions-from-vm
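As an added example (not from the original post), this is how the MMA extension can be pushed to an existing Azure Windows VM with PowerShell so that it reports to the workspace and becomes visible to Update Management. The resource group, workspace and VM names are assumptions. The workspace shared key is a secret, so it is passed only through the extension's protected settings, which Azure stores encrypted.

```powershell
# Added example, not from the original post. Assumes the workspace created earlier exists
# and the Az.Compute and Az.OperationalInsights modules are loaded.
$ResourceGroup = 'rg-updatemgmt'      # assumed
$Workspace     = 'law-updatemgmt'     # assumed
$VmName        = 'testlab-vm01'       # assumed Windows VM name

$ws   = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace
$keys = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $ResourceGroup -Name $Workspace
$vm   = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# Public settings carry only the workspace ID; the shared key goes in ProtectedSettings
# so it is stored encrypted and never appears in the extension's public properties.
Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Location $vm.Location `
    -Name 'MicrosoftMonitoringAgent' `
    -Publisher 'Microsoft.EnterpriseCloud.Monitoring' `
    -ExtensionType 'MicrosoftMonitoringAgent' `
    -TypeHandlerVersion '1.0' `
    -Settings          @{ workspaceId  = $ws.CustomerId.ToString() } `
    -ProtectedSettings @{ workspaceKey = $keys.PrimarySharedKey } | Out-Null

# Confirm the extension provisioned. The agent runs a compliance scan within 15 minutes
# of starting, so the VM should appear under Update Management shortly afterwards.
Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Name 'MicrosoftMonitoringAgent' |
    Select-Object Name, ProvisioningState, TypeHandlerVersion
```

If ProvisioningState is not Succeeded, check that the VM can reach the Log Analytics endpoints over HTTPS; the agent fails to register silently when outbound access is blocked.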
Machines to update
In this section, depending on how you are providing your client machines to the Azure portal, you can use one of the three types to select your machines:
- Saved Searches
- Imported groups (AD
Update classifications
In this section, you can select from 8 individual classifications based on your requirements:
- Critical updates
- Security updates
- Update rollups
- Feature packs
- Service packs
- Definition updates
Select the update classifications you would like to apply to your client machines.
Include/exclude updates
In this section, you can include or exclude particular Microsoft updates using the KB number without the KB prefix.
Schedule settings
In this section, you can specify the required schedule, whether it runs once or on a recurring cycle.
Pre-scripts + Post-scripts
In this section, pre-scripts and post-scripts are tasks that can be executed automatically before or after an update deployment run. You can configure up to one pre-script and one post-script per deployment.
Maintenance window – To set the maintenance window, the duration must be a minimum of 30 minutes and less than 6 hours.
The last 20 minutes of the maintenance window are dedicated to machine restart, and no remaining updates will be started once this interval is reached; in-progress updates will finish being applied.
Reboot options – There are currently 4 reboot options available:
- Reboot if required
- Never reboot
- Always reboot
- Only reboot – will not install updates
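As an added example (not code from the original post), the whole deployment described in the sections above, scripted with New-AzAutomationSchedule and New-AzAutomationSoftwareUpdateConfiguration from the Az.Automation module: a subset of the Windows classifications, one KB exclusion, a weekly recurring schedule, a 2-hour maintenance window, the "Reboot if required" setting and a pre-script and post-script. The resource names, the VM resource ID, the KB number and the runbook names are placeholders or assumptions.

```powershell
# Added example, not from the original post. Requires Az.Automation and an authenticated Az session.
$ResourceGroup = 'rg-updatemgmt'      # assumed
$AutomationAcc = 'aa-updatemgmt'      # assumed
# Placeholder VM resource ID: replace <subscription-id> with the real subscription
$TargetVms = @(
    '/subscriptions/<subscription-id>/resourceGroups/rg-updatemgmt/providers/Microsoft.Compute/virtualMachines/testlab-vm01'
)

# Schedule: every Sunday at 02:00 in the given time zone, first run next Sunday.
# Schedules used by update deployments must be created with -ForUpdateConfiguration.
$today     = (Get-Date).Date
$daysAhead = (7 - [int]$today.DayOfWeek) % 7
if ($daysAhead -eq 0) { $daysAhead = 7 }
$start     = $today.AddDays($daysAhead).AddHours(2)

$schedule = New-AzAutomationSchedule -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAcc `
    -Name 'TestLab-Weekly-Sunday' -StartTime $start -WeekInterval 1 -DaysOfWeek Sunday `
    -TimeZone 'Europe/London' -ForUpdateConfiguration

# Maintenance window: at least 30 minutes and under 6 hours. The last 20 minutes are
# reserved for restarts, so a 2-hour window leaves 100 minutes for starting updates.
$window = New-TimeSpan -Hours 2

$params = @{
    ResourceGroupName            = $ResourceGroup
    AutomationAccountName        = $AutomationAcc
    Schedule                     = $schedule
    Windows                      = $true
    AzureVMResourceId            = $TargetVms
    # Classifications to apply (a subset of the list in the post)
    IncludedUpdateClassification = @('Critical', 'Security', 'UpdateRollup', 'Definition')
    # Exclude a specific update by KB number, without the 'KB' prefix (placeholder value)
    ExcludedKbNumber             = @('1234567')
    Duration                     = $window
    # IfRequired | Never | Always | RebootOnly  (the four reboot options in the post)
    RebootSetting                = 'IfRequired'
    # Pre- and post-scripts are Automation runbooks; these names are assumed to exist
    PreTaskRunbookName           = 'Pre-StopAppService'
    PostTaskRunbookName          = 'Post-StartAppService'
}
$deployment = New-AzAutomationSoftwareUpdateConfiguration @params

# Review what was created before the first run
$deployment | Select-Object Name, ProvisioningState
```

Splatting the parameters into a hashtable keeps each setting next to the section of the post it comes from and avoids backtick continuation errors; keep the KB exclusion list short and reviewed, because an excluded security update stays uninstalled on every machine the deployment targets until the exclusion is removed.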
The Author – Blogabout.Cloud