If you need a simple and effective way to manage Windows updates from the cloud, look no further than Azure Update Manager. As part of an Azure subscription, Update Manager allows you to schedule and monitor update compliance for Azure virtual machines, and VMs hosted on-premises or by other cloud providers. Update Management provides an overview of all your VMs, including their compliance status.
Update Management is available for both Windows and Linux. The solution uses the Microsoft Monitoring Agent (MMA) for Windows or Linux, PowerShell Desired State Configuration (DSC) for Linux, an Automation Hybrid Runbook Worker, and Microsoft Update or Windows Server Update Services (WSUS) for Windows servers. Update Management reports how up-to-date each VM is based on where it is configured to synchronize updates from. For example, if the VM is configured to pull updates from Windows Server Update Services (WSUS), then the results might differ from a device that synchronizes directly with Microsoft Update, depending on when WSUS last synced with Microsoft Update.
If VMs are running Windows Server 2008 or Windows Server 2008 R2 RTM, Update Management only supports update assessments. Windows Server 2008 R2 SP1 and later support the full feature set. Windows clients and Nano Server are not supported. Update Management supports the following versions of Linux:
CentOS 6 (x86/x64) and 7 (x64)
Red Hat Enterprise 6 (x86/x64) and 7 (x64)
SUSE Linux Enterprise Server 11 (x86/x64) and 12 (x64)
Ubuntu 14.04 LTS and 16.04 LTS (x86/x64).
For more detailed technical information about Azure Update Management, see Microsoft’s website here.
Add an Azure VM to Update Management
Adding an existing Azure virtual machine (VM) to Update Management is easy. If you don’t already have an Azure Automation account and a log analytics workspace, Azure will walk you through the process of setting those up. To perform the following instructions, you will need an Azure subscription. If you don’t already have an Azure subscription and virtual machine, take a look at Create a Virtual Machine in the Azure Cloud on Petri.
In the list of services on the left, click VIRTUAL MACHINES.
Select a virtual machine from the list on the right.
In the list of options for the VM, scroll down to Operations and click Update management.
If the VM is not running, click Start VM to start it.
On the Update Management screen, check Enable for this VM. Alternatively, you can enable Update Management for multiple VMs in a subscription, but in this example we’ll enable it for just one VM.
First you need to select a region for the log analytics workspace and Azure Automation account. If you already have a log analytics workspace configured in your subscription, Azure will default to the region in which the workspace is located. If not, you can select any region.
If Azure detected a workspace, it will automatically be selected. If not, then you can either select from one of your other existing workspaces, or use the wizard to Create default workspace…
Finally, select an Azure subscription where you want to create or use an existing Automation account.
In the Automation account menu, select an existing account or choose Create Automation account…
Now you’re done. Click Enable to finish the process.
Enabling Update Management on a VM can take up to 15 minutes. You’ll get a notification in the top right of the management portal when the process is complete.
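The same enrolment done with Az PowerShell instead of the portal wizard, as an added example that is not part of the original article. All resource names are placeholders, and the portal wizard's scope configuration (which decides which workspace computers the solution targets) is assumed to be handled separately.

```powershell
# Added example (not from the article): enable Update Management for an existing Azure VM.
# Requires the Az.Accounts, Az.Automation, Az.OperationalInsights and Az.Compute modules.
$rg     = "rg-updates"   # assumed resource group holding the workspace and Automation account
$wsName = "law-updates"  # assumed Log Analytics workspace name
$aaName = "aa-updates"   # assumed Automation account name
$vmRg   = "rg-vms"       # assumed resource group of the VM to enrol
$vmName = "vm01"         # assumed VM name

# 1. Link the Automation account to the workspace (the wizard does this when it creates them).
$aaId = (Get-AzResource -ResourceGroupName $rg -Name $aaName `
            -ResourceType "Microsoft.Automation/automationAccounts").ResourceId
Set-AzOperationalInsightsLinkedService -ResourceGroupName $rg -WorkspaceName $wsName `
    -LinkedServiceName "Automation" -WriteAccessResourceId $aaId

# 2. Turn on the Updates solution in the workspace.
Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $rg -WorkspaceName $wsName `
    -IntelligencePackName "Updates" -Enabled $true

# 3. Install the Microsoft Monitoring Agent extension on the VM, pointed at the workspace.
#    The workspace key is passed as a protected setting so it is not readable from the VM model.
$ws   = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName
$keys = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $rg -Name $wsName
$vm   = Get-AzVM -ResourceGroupName $vmRg -Name $vmName
Set-AzVMExtension -ResourceGroupName $vmRg -VMName $vmName -Location $vm.Location `
    -Name "MicrosoftMonitoringAgent" -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
    -ExtensionType "MicrosoftMonitoringAgent" -TypeHandlerVersion "1.0" `
    -Settings @{ workspaceId = $ws.CustomerId.ToString() } `
    -ProtectedSettings @{ workspaceKey = $keys.PrimarySharedKey }

# 4. Confirm the extension reached a provisioned state before expecting the first scan.
(Get-AzVMExtension -ResourceGroupName $vmRg -VMName $vmName -Name "MicrosoftMonitoringAgent").ProvisioningState
```

As the article notes, allow up to 15 minutes after this before the VM shows up under Update Management.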
Schedule Updates
You can create a specific schedule for updates on each VM that is enrolled with Azure Update Management. If a VM is configured to use WSUS, those settings will always take precedence over any deployment schedule configured in Azure Update Management.
To create a new deployment schedule:
In Update Management in the Azure management portal, click Schedule update deployment.
In the New update deployment pane, give the new deployment a name.
You can choose to exclude certain update categories, like security updates and service packs. You can also exclude specific updates by providing their Knowledge Base IDs.
Finally, you must provide schedule settings: a start date and time. The schedule can be one time only or recurring. If you set a recurring schedule, you can also set the frequency and an expiration date.
The standard maintenance window is 2 hours, the last 20 minutes of which are reserved for rebooting the server. The minimum maintenance window is 30 minutes. Any updates that have not started by the time the maintenance window ends will be skipped; updates already in progress will be completed.
The reboot options allow you to reboot the server if required or set it to never reboot.
Click Create when you are done configuring the deployment settings.
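The deployment configured in the steps above, created with Az.Automation cmdlets as an added example rather than code from the article. Resource names, the VM resource ID and the excluded KB number are placeholders.

```powershell
# Added example (not from the article): a recurring Windows update deployment for one Azure VM.
$rg      = "rg-updates"   # assumed resource group of the Automation account
$account = "aa-updates"   # assumed Automation account name
$vmId    = "/subscriptions/<sub-id>/resourceGroups/rg-vms/providers/Microsoft.Compute/virtualMachines/vm01"  # placeholder

# Start at 02:00 on the next Sunday (never today, since the schedule must begin in the future).
$today = (Get-Date).Date
$daysUntilSunday = (7 - [int]$today.DayOfWeek) % 7
if ($daysUntilSunday -eq 0) { $daysUntilSunday = 7 }
$start = $today.AddDays($daysUntilSunday).AddHours(2)

# Weekly recurrence with an expiry one year out, flagged for use by an update configuration.
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name "weekly-security-updates" -StartTime $start -ExpiryTime $start.AddYears(1) `
    -WeekInterval 1 -DaysOfWeek Sunday -ForUpdateConfiguration

# Security and Critical classifications only, one KB excluded, the article's standard
# 2-hour window (its last 20 minutes are reserved for the reboot), reboot only if required.
$deployment = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg `
    -AutomationAccountName $account -Schedule $schedule -Windows `
    -AzureVMResourceId $vmId `
    -IncludedUpdateClassification Security, Critical `
    -ExcludedKbNumber "<kb-number>" `
    -Duration (New-TimeSpan -Hours 2) `
    -RebootSetting IfRequired

# Verify the deployment was accepted and inspect the next run.
Get-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Name $deployment.Name | Select-Object Name, ProvisioningState, @{n="NextRun"; e={$_.ScheduleConfiguration.NextRun}}
```

Remember the caveat above: if the VM pulls from WSUS, the WSUS approvals still decide which updates the deployment can actually install.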
Checking Update Compliance
You can use Azure Update Management to check update compliance. Scans are performed every 12 hours by default on Windows servers (3 hours on Linux servers) and the agent sends the results to Azure Log Analytics. Scans for update compliance are performed within 15 minutes after the MMA service starts, before update installation, and after update installation.
To view compliance for a single VM:
In the Azure management portal, click Virtual machines in the list of options on the right.
Select a virtual machine from the list on the right for which you’d like to check update compliance.
In the list of options for the VM, scroll down to Operations and click Update management.
On the Update management pane, click Missing updates if it’s not already selected. Here you’ll see a list of missing updates.
On the Update management pane, you can also see any update deployments that are currently in progress or those that are scheduled to run in the future.
To view compliance for all VMs enrolled with an automation account:
In the Azure management portal, select Automation Accounts in the list of options on the left.
In the list of automation accounts, click the account you chose to use when configuring Update Management.
On the automation account pane, click Update Management in the list of options on the left.
Now you can see a list of all the VMs enabled for Update Management and an overview of machines that need attention and of missing updates.
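Because the agent writes scan results to Log Analytics, the same compliance view can be pulled directly from the workspace's Update table. This is an added example, not from the article; the workspace ID is a placeholder and the query keeps only each machine's latest assessment per update so stale rows from earlier scans are not counted twice.

```powershell
# Added example (not from the article): report machines missing Security or Critical updates.
# Requires Az.OperationalInsights; $workspaceId is the workspace (customer) ID, a placeholder here.
$workspaceId = "<workspace-customer-id>"

# The Update table has one row per update per scan, so take the latest state per computer+KB.
$query = @"
Update
| where TimeGenerated > ago(24h)
| where OSType == "Windows" and Optional == false
| where Classification in ("Security Updates", "Critical Updates")
| summarize arg_max(TimeGenerated, UpdateState) by Computer, KBID, Title, Classification
| where UpdateState == "Needed"
| project Computer, KBID, Title, Classification, LastAssessed = TimeGenerated
| order by Computer asc
"@

$result  = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query
$missing = @($result.Results)

# One line per computer, sorted so the machines with the most missing security updates come first.
$summary = $missing | Group-Object Computer | ForEach-Object {
    [pscustomobject]@{
        Computer        = $_.Name
        MissingUpdates  = $_.Count
        SecurityMissing = @($_.Group | Where-Object Classification -eq "Security Updates").Count
        LastAssessed    = ($_.Group | Measure-Object LastAssessed -Maximum).Maximum
    }
} | Sort-Object SecurityMissing -Descending

$summary | Format-Table -AutoSize

# Machines that reported nothing in 24h are a gap, not compliance: the agent may have stopped.
# Compare against the heartbeat table to catch them (assumed use of the Heartbeat table).
$silent = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query @"
Heartbeat
| summarize LastSeen = max(TimeGenerated) by Computer
| where LastSeen < ago(24h)
"@
@($silent.Results) | Format-Table Computer, LastSeen -AutoSize
```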
Enable Update Management on non-Azure VMs
Finally, to enable Azure Update Management on VMs that aren’t hosted in Azure, you need to manually install and configure the Microsoft Monitoring Agent. The only requirement is that VMs are running a supported version of Windows Server or Linux and that they have Internet connectivity. More specifically, VMs must be able to communicate with the following addresses over port 443: *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, and *.blob.core.windows.net.
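A pre-installation check for those three endpoints, run on the non-Azure Windows server before the agent is installed. This is an added example, not from the article; it assumes the agent talks to workspace-specific hosts under the first two wildcard domains (so the workspace ID, a placeholder here, is needed) and uses one assumed representative host for the blob storage wildcard.

```powershell
# Added example (not from the article): confirm TCP 443 egress to the agent's endpoints.
# The *.opinsights.azure.com hosts are assumed to be <workspaceId>.ods / .oms; the blob host is
# an assumed representative name, since a wildcard cannot be tested directly.
function Test-MmaEndpoints {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [int]$Port = 443
    )
    $targets = @(
        "$WorkspaceId.ods.opinsights.azure.com",
        "$WorkspaceId.oms.opinsights.azure.com",
        "scadvisorcontent.blob.core.windows.net"   # assumed example under *.blob.core.windows.net
    )
    foreach ($target in $targets) {
        # Test-NetConnection reports DNS resolution and the TCP handshake separately,
        # which tells you whether a failure is name resolution or an egress firewall rule.
        $r = Test-NetConnection -ComputerName $target -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host     = $target
            Resolved = [bool]$r.RemoteAddress
            TcpOpen  = [bool]$r.TcpTestSucceeded
        }
    }
}

# Also record whether a system proxy is configured, since the agent must be told about it.
$proxy = [System.Net.WebRequest]::DefaultWebProxy.GetProxy("https://$('<workspace-id>').ods.opinsights.azure.com")
"System proxy for the ODS endpoint: $proxy"

$results = Test-MmaEndpoints -WorkspaceId "<workspace-id>"
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.TcpOpen }) {
    Write-Warning "One or more endpoints are unreachable on port 443; fix egress before installing the agent."
}
```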