Managing your on-premises device with Azure Update Manager

Azure Update Manager lets customers manage their Azure VMs and on-premises devices through an agent, the Microsoft Monitoring Agent (MMA). By default the client checks its update compliance every 12 hours; the agent also initiates a compliance scan within 15 minutes of being restarted, before an update installation and after an update installation.

Azure Update Manager supports only the following operating systems for patch cycles.

Supported Client Types

Operating System – Notes

Windows Server 2008, Windows Server 2008 R2 RTM – Supports only update assessments.
Windows Server 2008 R2 SP1 and later (including Windows Server 2012 and 2016) – .NET Framework 4.5.1 or later is required. Windows PowerShell 4.0 or later is required; Windows PowerShell 5.1 is recommended for increased reliability.
CentOS 6 (x86/x64) and 7 (x64) – Linux agents must have access to an update repository. Classification-based patching requires ‘yum’ to return security data, which CentOS doesn’t provide out of the box. For more information on classification-based patching on CentOS
Red Hat Enterprise Linux 6 (x86/x64) and 7 (x64) – Linux agents must have access to an update repository.
SUSE Linux Enterprise Server 11 (x86/x64) and 12 (x64) – Linux agents must have access to an update repository.
Ubuntu 14.04 LTS, 16.04 LTS, and 18.04 (x86/x64) – Linux agents must have access to an update repository.

Unsupported Client Types

Operating System – Notes

Windows Client – Client operating systems (such as Windows 7 and Windows 10) aren’t supported.
Windows Server 2016 Nano Server – Not supported.

Windows client operating systems are therefore not supported for patch management; however, the MMA agent can still be installed if you only require update reporting through Azure Monitor.

Where do I start in configuring Azure Update Management?

The first thing we need is an Azure Automation Account.

You will need to provide the details specified below.

Please Note:

A Log Analytics Workspace is required later in this process, and it is currently only available in the following locations:

Australia Southeast
Canada Central
Central India
East US
Japan East
Southeast Asia
UK South
West Central US
West Europe
West US 2

To check where this functionality is available, visit this URL: https://azure.microsoft.com/en-us/global-infrastructure/services/?products=monitor&regions=us-east,us-east-2,us-central,us-north-central,us-south-central,us-west-central,us-west,us-west-2,canada-east,canada-central,united-kingdom-south,united-kingdom-west,non-regional,south-africa-north,south-africa-west

Once the account has been created, select the new account and go to the Update Management section. This shows the location you specified and the Log Analytics Workspace subscription, and you can now create the Log Analytics Workspace.

Configure Automation Account for Update Management

Once you press Enable, you’ll receive a message that “The installation of the Update Management solution is in progress.”

Enable Update Management with Log Analytics Workspace

Now that the Log Analytics Workspace has been created successfully, you can build the “Schedule Update Deployment” as shown below.
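The portal steps above (pick a supported region, create the Log Analytics Workspace and the Automation Account, then enable the Update Management solution) can also be scripted. This is an added example written for this post with the Az PowerShell modules, not code from the original article or from Microsoft; every resource name and the chosen region are placeholders. The region list is taken from the post, and the workspace-to-account link is still made by pressing Enable in the portal as described above.

```powershell
# Added example (not from the original post): create the resources that Update
# Management depends on, using Az.Accounts, Az.Resources, Az.Automation and
# Az.OperationalInsights. All names and the region are placeholders.

# Regions where Log Analytics was available at the time of the post (from the list above).
$SupportedWorkspaceRegions = @(
    'australiasoutheast', 'canadacentral', 'centralindia', 'eastus', 'japaneast',
    'southeastasia', 'uksouth', 'westcentralus', 'westeurope', 'westus2'
)

$ResourceGroup = 'rg-updatemgmt-lab'     # placeholder
$Location      = 'uksouth'               # placeholder; must be one of the regions above
$WorkspaceName = 'law-updatemgmt-lab'    # placeholder
$AccountName   = 'aa-updatemgmt-lab'     # placeholder

# Fail early rather than discovering the region problem halfway through the portal wizard.
if ($SupportedWorkspaceRegions -notcontains $Location) {
    throw "Log Analytics is not available in '$Location'. Choose one of: $($SupportedWorkspaceRegions -join ', ')"
}

Connect-AzAccount | Out-Null

# Resource group and workspace. PerGB2018 is the pay-as-you-go pricing tier.
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
    -Name $WorkspaceName -Location $Location -Sku 'PerGB2018' | Out-Null

# Automation Account in the same region and resource group.
New-AzAutomationAccount -ResourceGroupName $ResourceGroup `
    -Name $AccountName -Location $Location | Out-Null

# Enable the Update Management solution ("Updates") on the workspace.
# Linking the workspace to the Automation Account is done from the portal's
# Update Management blade (the Enable button), as described in the post.
Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroup `
    -WorkspaceName $WorkspaceName -IntelligencePackName 'Updates' -Enabled $true | Out-Null

Write-Host "Workspace '$WorkspaceName' and Automation Account '$AccountName' created in '$Location'."
```

Run it from an elevated PowerShell session with the Az modules installed (Install-Module Az). The region check is the part worth keeping even if you create the resources by hand: a workspace created in an unsupported region cannot be linked later and has to be recreated.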

Update Management – Schedule Update Deployment

Now we can get down to the nitty-gritty of configuring deployment schedules based on your own requirements. This section is configured to my personal preference for my test lab machine.

Please Note:

The following information only covers the Windows operating system; Linux is also supported but will not be discussed.

Groups to update

In this section, you can filter the machines you would like to manage with Azure Update Management. This includes the Non-Azure machines feature, which is in preview at the time of this post.

Azure Machines

If you select Preview for your Azure Machines and it is unable to detect any clients, you may need to onboard your Azure VM: https://docs.microsoft.com/en-us/azure/automation/automation-onboard-solutions-from-vm

Non-Azure Machines

Machines to update

In this section, depending on how you are bringing your client machines into the Azure Portal, you can use one of three types to select your machines:

  • Saved Searches
  • Imported groups (AD,WSUS,SCCM)
  • Machines

Machines to update

Update classifications

In this section, you can select from 8 individual classifications based on your requirements.

  • Critical updates
  • Security updates
  • Update rollups
  • Feature packs
  • Service packs
  • Definition updates
  • Tools
  • Updates

Select the type of update classifications you would like to apply to your client machines.

Include/Exclude updates

In this section you can include or exclude particular Microsoft updates using the KB number without the KB prefix.

Schedule settings

In this section, you can specify the required schedule, whether it runs once or on a recurring cycle.

Pre-scripts + Post-scripts

In this section, pre-scripts and post-scripts are tasks that can be executed automatically before or after an update deployment run. You can configure up to one pre-script and one post-script per deployment.

Finishing touches

Maintenance Window – the duration must be a minimum of 30 minutes and less than 6 hours.
The last 20 minutes of the maintenance window are dedicated to machine restart; any remaining updates will not be started once this interval is reached, but in-progress updates will finish being applied.

Reboot options – there are currently 4 reboot options available:

  • Reboot if required
  • Never reboot
  • Always reboot
  • Only reboot – will not install updates
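The whole deployment described in the sections above (machine selection, classifications, KB exclusion, schedule, pre/post scripts, maintenance window and reboot option) can be created in one go with Az.Automation. This is an added example written for this post, not code from the original article or from Microsoft. It assumes Connect-AzAccount has already run and the Automation Account exists; the resource names, computer name, KB number and runbook names are placeholders, and the parameter names follow the Az.Automation cmdlets as I know them (confirm with Get-Help New-AzAutomationSoftwareUpdateConfiguration -Full before relying on them).

```powershell
# Added example (not from the original post): schedule a weekly Windows update
# deployment with the settings discussed above. Placeholders throughout.

$ResourceGroup = 'rg-updatemgmt-lab'      # placeholder
$AccountName   = 'aa-updatemgmt-lab'      # placeholder
$ComputerNames = @('LAB-WIN2016-01')      # placeholder non-Azure (MMA) machine names

# Maintenance window: the post states a minimum of 30 minutes and less than 6 hours,
# with the last 20 minutes reserved for restarts. Validate before creating anything
# so a bad value fails here instead of in the portal.
$MaintenanceWindow = New-TimeSpan -Hours 2
if ($MaintenanceWindow.TotalMinutes -lt 30 -or $MaintenanceWindow.TotalHours -ge 6) {
    throw "Maintenance window must be at least 30 minutes and less than 6 hours; got $($MaintenanceWindow.TotalMinutes) minutes."
}
$InstallBudget = $MaintenanceWindow.Subtract((New-TimeSpan -Minutes 20))
Write-Host "Updates may start during the first $($InstallBudget.TotalMinutes) minutes of the window; the rest is reserved for restarts."

# Recurring schedule: every Sunday at 02:00 local time, first run at least a week out.
# -ForUpdateConfiguration marks the schedule for use by an update deployment.
$StartTime = (Get-Date).Date.AddDays(7).AddHours(2)
$Schedule = New-AzAutomationSchedule -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AccountName -Name 'Weekly-Sunday-Critical-Security' `
    -StartTime $StartTime -WeekInterval 1 -DaysOfWeek Sunday -ForUpdateConfiguration

# The deployment itself:
#  - two of the eight classifications listed above (Critical and Security)
#  - one KB excluded, given without the "KB" prefix as the portal expects (placeholder number)
#  - "Reboot if required" (the other values are Never, Always and RebootOnly)
#  - one pre-script and one post-script, which must be runbooks already published
#    in this Automation Account (placeholder names)
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AccountName `
    -Schedule $Schedule `
    -Windows `
    -NonAzureComputer $ComputerNames `
    -IncludedUpdateClassification Critical, Security `
    -ExcludedKbNumber '4000001' `
    -Duration $MaintenanceWindow `
    -RebootSetting IfRequired `
    -PreTaskRunbookName 'Stop-LabServices' `
    -PostTaskRunbookName 'Start-LabServices'
```

After the first run, Get-AzAutomationSoftwareUpdateRun with the same resource group and account name lists the deployment runs and their status, which is the quickest way to confirm that the schedule fired inside the window you intended.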

Regards
The Author – Blogabout.Cloud
