Azure Update Management Part 1: Overview and Enrolling Azure VMs

If you need a simple and effective way to manage Windows updates from the cloud, look no further than Azure Update Management. As part of an Azure subscription, Update Management allows you to schedule and monitor update compliance for Azure virtual machines, and VMs hosted on-premises or by other cloud providers. Update Management provides an overview of all your VMs, including their compliance status.

Update Management is available for both Windows and Linux. The solution uses the Microsoft Monitoring Agent (MMA) for Windows or Linux, PowerShell Desired State Configuration (DSC) for Linux, an Automation Hybrid Runbook Worker, and Microsoft Update or Windows Server Update Services (WSUS) for Windows servers. Update Management reports how up-to-date each VM is based on where it is configured to synchronize updates from. For example, if the VM is configured to pull updates from Windows Server Update Services (WSUS), then the results might differ from a device that synchronizes directly with Microsoft Update, depending on when WSUS last synced with Microsoft Update.

Azure Update Management solution in action (Image Credit: Microsoft)

If VMs are running Windows Server 2008 or Windows Server 2008 R2 RTM, Update Management only supports update assessments. Windows Server 2008 R2 SP1 and later support the full feature set. Windows clients and Nano Server are not supported. Update Management supports the following versions of Linux:

  • CentOS 6 (x86/x64) and 7 (x64)
  • Red Hat Enterprise 6 (x86/x64) and 7 (x64)
  • SUSE Linux Enterprise Server 11 (x86/x64) and 12 (x64)
  • Ubuntu 14.04 LTS and 16.04 LTS (x86/x64).

For more detailed technical information about Azure Update Management, see Microsoft’s website here.

Add an Azure VM to Update Management

Adding an existing Azure virtual machine (VM) to Update Management is easy. If you don’t already have an Azure Automation account and a log analytics workspace, Azure will walk you through the process of setting those up. To perform the following instructions, you will need an Azure subscription. If you don’t already have an Azure subscription and virtual machine, take a look at Create a Virtual Machine in the Azure Cloud on Petri.

  • Sign in to the Azure management portal here.
  • In the list of services on the left, click VIRTUAL MACHINES.
  • Select a virtual machine from the list on the right.
  • In the list of options for the VM, scroll down to Operations and click Update management.
  • If the VM is not running, click Start VM to start it.
  • On the Update Management screen, check Enable for this VM. Alternatively, you can enable Update Management for multiple VMs in a subscription, but in this example, we’ll enable it for just one VM.
  • First you need to select a region for the log analytics workspace and Azure Automation account. If you already have a log analytics workspace configured in your subscription, Azure will default to the region in which the workspace is located. If not, you can select any region.
Enrolling an Azure VM in Azure Update Management (Image Credit: Russell Smith)
  • If Azure detected a workspace, it will automatically be selected. If not, then you can either select from one of your other existing workspaces, or use the wizard to Create default workspace…
  • Finally, select an Azure subscription where you want to create or use an existing Automation account.
  • In the Automation account menu, select an existing account or choose Create Automation account…
  • Now you’re done. Click Enable to finish the process.

Enabling Update Management on a VM can take up to 15 minutes. You’ll get a notification in the top right of the management portal when the process is complete.

In the second part of this two-part series, I’ll show you how to schedule updates, check update compliance, and enable Update Management on non-Azure VMs.