
Deploy Azure Automation Update Management


In this post we will deploy Azure Automation Update Management to manage updates on both Azure and on-premises servers. The solution caters for Linux and Windows servers.

Azure Update Management is a configuration component of Azure Automation. Windows and Linux computers, both in Azure and on-premises, send assessment information about missing updates to the Log Analytics workspace. Azure Automation then uses that information to create a schedule for automatic deployment of the missing updates.

The reference architecture above illustrates how to design a hybrid update management solution to manage updates on both Microsoft Azure and on-premises Windows and Linux computers.

Update Management

Update Management is a component of Azure Automation. Windows and Linux computers, both in Azure and on-premises, send assessment information about missing updates to Log Analytics. Azure Automation uses this information to create a schedule for automatic deployment of the missing updates.

The following items form part of the implementation:

  1. Log Analytics workspace
  2. Automation account

To get started, we will create an Automation account and link it to an existing Log Analytics workspace.

  1. In the Azure portal, select Create a resource.


  2. In the search bar, type Automation and select Automation.


  3. Click on Create.


  4. Configure the following items:
    1. Provide a name, e.g. cloud-az-auto
    2. Select your subscription
    3. Choose your resource group or create a new resource group
    4. Specify your location and, once done, click on Create


Now that the Automation account is up and running, we need to link the Automation account with an existing Log Analytics workspace.

  1. In the Azure search bar, type Automation and select Automation Accounts.


  2. Select the newly created Automation account, then click on Update management.


  3. In the Update Management configuration, select the Log Analytics workspace and the Automation account.

Once selected, click on Enable.


You can monitor the progress by clicking on the notification bell in the top right-hand corner.


Now that we have the Automation account associated with the Log Analytics workspace, let’s go ahead and link an existing Azure VM to the solution.

In the Update Management section in the Automation account, click on Add Azure VMs.


After clicking on Add Azure VMs you will notice that some machines have a status of Ready and some a status of Cannot enable. The Cannot enable status means the VM is already associated with another Log Analytics workspace; you will have to disconnect the VM from that workspace and then associate it with the newly created workspace.


After selecting the VMs you would like to add to Update Management, click on Enable at the bottom of the page.

You will notice that the Update Management page shows a new message indicating that a number of machines do not have "Update Management" enabled.

Click on “Click to manage machines” to enable Update management for these machines.

Select “Enable on all available machines” and then click on Enable.


Once you have enabled Update Management on all the machines you selected, you will notice that the servers start to show at the bottom of the page.


As you can see, one of the servers we added has some updates missing and is non-compliant. You can click on the name of the server with the missing updates to view which updates are missing from it.

Log Analytics will open, and a search query is automatically populated to give you the results.

The results will look as follows:


Next, let's schedule update deployments by clicking on "Schedule update deployment".

In the “New update deployment” scheduler, you will have to provide the following information.

Provide the scheduler with a Name and then select your operating system type, either "Windows" or "Linux".


Next, we need to either select all servers in a dynamic group or select machines individually. Let's start with "Groups to update".


When you select the "Group" option, you need to specify the criteria for the dynamic group. For this demo I will select the following:

  • Subscription
  • Resource group where all my resources are located
  • The location where my Azure servers are running

Once you have provided all the needed information, click on "Add".


You will notice that your query is now listed under "Included items". You can click on "Preview" to view which servers are part of the query.


The "Preview" page shows all the servers in the subscription that the query returns.


If you are happy with the results, click on OK twice to save the query.

The second option is to select "Machines to update".


In this option, we will click on the drop-down arrow on "Type" and select "Machines".


Once you have selected the "Machines" option, you will see all the Azure VMs that are connected to Update Management.


Click on each device you would like to add to the "Update Scheduler"; all selected machines will show under "Selected items".


Click on "OK" to move back to the main configuration menu.

Next up, let's click on "Update classification". Here we need to select which updates we want to install on the servers. For this demo I will select the following:

  • Critical updates
  • Security updates
  • Definition updates
  • Updates


Next, we need to specify whether there are any updates we want to exclude or include. Click on "Include/exclude updates".


On the "Include/exclude updates" page, you can specify the KB numbers of the updates you would like to include or exclude. For this demo, I will leave them blank and click OK.


Next, let's configure the "Schedule settings". Here we need to determine when the scheduler will start and whether it will be a recurring schedule.


Specify the start date and time, select "Recurring" and then click "OK".


If you have selected "Recurring", you will have some additional settings to configure at the bottom.

For Recurring we need to specify how often the scheduler will run; I will select every 2 days and set "Expiration" to "No". Click OK to move back to the main menu.


The following settings I will leave at their defaults:

  • Pre-scripts + post-scripts
  • Maintenance window, which I will keep at 120 min


Lastly, I will select "Reboot if required" and click "Create".


You will notice a new notification in the top right-hand corner indicating that the schedule has been created.


To check that the schedule was created successfully, navigate to Shared Resources under your Automation account and then click on "Schedules".


On the “Schedules” page, you will see your newly created schedules.


You can modify your schedule by clicking on it; a new pane will fly out with all the options you can change.


And this is how you can quickly configure Update Management to patch your Azure VMs and make sure that they are constantly compliant.
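The same update deployment the post builds through the portal, created with the Az.Automation PowerShell module instead. This is an added example, not code from the original post; it assumes you have already run Connect-AzAccount, that the Automation account is linked to a Log Analytics workspace with Update Management enabled, and the resource group, location and schedule name used below are placeholders.

```powershell
# Added example (not from the original post): recreate the post's update deployment with Az.Automation.
# Assumes Connect-AzAccount has been run and the Automation account is already linked to a
# Log Analytics workspace with Update Management enabled (done in the portal above).
$rg       = "rg-updates"        # placeholder resource group holding the VMs and the account
$aa       = "cloud-az-auto"     # Automation account name used in the post
$location = "westeurope"        # placeholder: region the Azure VMs run in
$subId    = (Get-AzContext).Subscription.Id

# 1. Dynamic group ("Groups to update"): every Azure VM in this subscription, resource group
#    and location, the same three criteria selected in the portal.
$scope   = "/subscriptions/$subId/resourceGroups/$rg"
$azQuery = New-AzAutomationUpdateManagementAzureQuery `
    -ResourceGroupName $rg -AutomationAccountName $aa `
    -Scope $scope -Location $location

# 2. Recurring schedule: starts in 30 minutes and runs every 2 days. Leaving out
#    -ExpiryTime is the CLI equivalent of setting "Expiration" to "No".
$start    = (Get-Date).AddMinutes(30)
$schedule = New-AzAutomationSchedule `
    -ResourceGroupName $rg -AutomationAccountName $aa `
    -Name "windows-every-2-days" -StartTime $start -DayInterval 2 `
    -ForUpdateConfiguration

# 3. The deployment: Windows, the four classifications chosen in the post, no KB
#    include/exclude lists, 120-minute maintenance window, reboot only if required.
$deployment = New-AzAutomationSoftwareUpdateConfiguration `
    -ResourceGroupName $rg -AutomationAccountName $aa `
    -Schedule $schedule -Windows -AzureQuery $azQuery `
    -IncludedUpdateClassification Critical, Security, Definition, Updates `
    -Duration (New-TimeSpan -Minutes 120) `
    -RebootSetting IfRequired

# 4. Verify, as the post does under Shared Resources > Schedules.
Get-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aa -Name $schedule.Name |
    Select-Object Name, StartTime, NextRun, IsEnabled
$deployment | Select-Object Name, ProvisioningState
```

Because the dynamic query is evaluated at each run, any VM later created in that resource group and location is patched (and possibly rebooted) in the next window, so review the Preview results before relying on it for production servers.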

#happypatching ☺
