Deploy Azure Automation Update Management
In this post we will deploy Azure Automation Update Management to manage updates on both Azure and on-premises servers. The solution caters for both Linux and Windows servers.
The reference architecture above illustrates how to design a hybrid update management solution that manages updates on both Microsoft Azure and on-premises Windows and Linux computers.
Update Management is a component of Automation. Windows and Linux computers, both in Azure and on-premises, send assessment information about missing updates to Log Analytics. Azure Automation uses this information to create a schedule for automatic deployment of missing updates.
The following items form part of the implementation:
- Log Analytics workspace
- Automation account
To get started, we will create an Automation account and link it to an existing Log Analytics workspace.
- In the Azure portal, select Create a resource.
- In the search bar, type Automation and select Automation.
- Click on Create.
- Configure the following items:
  - Provide a name, e.g. cloud-az-auto
  - Select your subscription
  - Choose your resource group or create a new resource group
  - Specify your location and, once done, click on Create
Now that the Automation account is up and running, we need to link it to an existing Log Analytics workspace.
- In the Azure search bar, type Automation and select Automation Accounts.
- Select the newly created Automation account, then click on Update management.
- In the Update Management configuration, select the Log Analytics workspace and the Automation account.
Once selected, click on Enable.
You can monitor the progress by clicking on the notification bell in the top right-hand corner.
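The same account creation, workspace link and solution enablement can be scripted with the Az PowerShell modules. This is an added example, not code from the original post: the resource group, region and workspace names are assumed placeholders, and it assumes the Az.Accounts, Az.Automation, Az.OperationalInsights and Az.Resources modules are installed and that the workspace already exists.

```powershell
# Added example (not from the original post). Assumed names: $rg, $location, $wsName.
$rg       = 'rg-updatemgmt'      # assumed resource group
$location = 'westeurope'         # assumed region
$account  = 'cloud-az-auto'      # account name used in the post
$wsName   = 'law-updatemgmt'     # assumed existing Log Analytics workspace

Connect-AzAccount | Out-Null

# 1. Create the Automation account.
New-AzAutomationAccount -ResourceGroupName $rg -Name $account -Location $location | Out-Null

# 2. Resolve the existing workspace and the account's full resource id.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName
$accountId = (Get-AzResource -ResourceGroupName $rg -Name $account `
    -ResourceType 'Microsoft.Automation/automationAccounts').ResourceId

# 3. Link the workspace to the account (the "Automation" linked service is what the
#    portal's Update Management blade creates when you click Enable).
New-AzOperationalInsightsLinkedService -ResourceGroupName $rg -WorkspaceName $wsName `
    -LinkedServiceName 'Automation' -WriteAccessResourceId $accountId | Out-Null

# 4. Turn on the Updates solution in the workspace.
Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $rg -WorkspaceName $wsName `
    -IntelligencePackName 'Updates' -Enabled $true | Out-Null

# 5. Verify: the Updates pack should now report Enabled = True.
Get-AzOperationalInsightsIntelligencePack -ResourceGroupName $rg -WorkspaceName $wsName |
    Where-Object Name -eq 'Updates' |
    Format-Table Name, Enabled -AutoSize
```

Run it in a session that already has Contributor rights on the resource group; the verification step at the end is the scripted equivalent of watching the notification bell, and a workspace that is already linked to a different account will fail at step 3 rather than silently re-linking.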
Now that we have the Automation account associated with the Log Analytics workspace, let’s go ahead and link an existing Azure VM to the solution.
In the Update Management section of the Automation account, click on Add Azure VMs.
After clicking on Add Azure VMs you will notice that some machines have a status of Ready and others a status of Cannot enable. The Cannot enable status means the VM is already associated with another Log Analytics workspace; you will have to disconnect the VM from that workspace and then associate it with the newly created one.
After selecting the VMs you would like to add to Update Management, click on Enable at the bottom of the page.
You will notice that the Update Management page now shows a message indicating that a number of machines do not have “Update Management” enabled.
Click on “Click to manage machines” to enable Update Management for these machines.
Select “Enable on all available machines” and then click on Enable.
Once you have enabled Update Management on all the machines you selected, you will notice that the servers start to show at the bottom of the page.
As you can see, one of the servers we added has some updates missing and is non-compliant. You can click on the name of the server with missing updates to view which updates are missing from it.
Log Analytics will open, and the following search query will automatically populate to give you the results.
```kusto
Update
| where TimeGenerated > ago(14h)
    and OSType != "Linux"
    and (Optional == false or Classification has "Critical" or Classification has "Security")
    and SourceComputerId in ((Heartbeat
        | where TimeGenerated > ago(12h) and OSType =~ "Windows" and notempty(Computer)
        | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
        | where Solutions has "updates"
        | distinct SourceComputerId))
| summarize hint.strategy=partitioned arg_max(TimeGenerated, *) by Computer, SourceComputerId, UpdateID
| where UpdateState =~ "Needed"
    and Approved != false
    and Computer == "ZAAZTHATSRV01.thatlazyadmin.local"
| render table
```
The results will look as follows:
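The portal query above is scoped to a single computer. As an added example that is not part of the original post, the script below runs the same query from PowerShell with the per-computer filter removed and the result rolled up to one row per server, so you get a compliance overview across the whole workspace rather than one machine at a time. It assumes the Az.OperationalInsights module and the placeholder resource group and workspace names shown.

```powershell
# Added example (not from the original post). Assumed names: $rg, $wsName.
$rg     = 'rg-updatemgmt'     # assumed resource group
$wsName = 'law-updatemgmt'    # assumed Log Analytics workspace

$ws = Get-OperationalInsightsWorkspaceSafe -ErrorAction SilentlyContinue 2>$null
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName

# Same shape as the portal-generated query, minus the "Computer == ..." filter,
# then summarised per server: how many updates are missing, and how many of those
# are Critical or Security. Servers with zero rows are compliant and simply absent.
$kql = @'
Update
| where TimeGenerated > ago(14h)
    and OSType != "Linux"
    and (Optional == false or Classification has "Critical" or Classification has "Security")
    and SourceComputerId in ((Heartbeat
        | where TimeGenerated > ago(12h) and OSType =~ "Windows" and notempty(Computer)
        | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
        | where Solutions has "updates"
        | distinct SourceComputerId))
| summarize hint.strategy=partitioned arg_max(TimeGenerated, *) by Computer, SourceComputerId, UpdateID
| where UpdateState =~ "Needed" and Approved != false
| summarize MissingUpdates = count(),
            CriticalOrSecurity = countif(Classification has "Critical" or Classification has "Security")
    by Computer
| order by CriticalOrSecurity desc, MissingUpdates desc
'@

# WorkspaceId is the workspace's customer id (GUID), not its ARM resource id.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql
$result.Results | Format-Table Computer, MissingUpdates, CriticalOrSecurity -AutoSize
```

The `CriticalOrSecurity` column is the one to watch: a server with many missing Definition updates is routine, whereas one with outstanding Critical or Security updates after the scheduled maintenance window has passed points at a failed or skipped deployment.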
Next, let's schedule an update deployment by clicking on “Schedule update deployment”.
In the “New update deployment” scheduler, you will have to provide the following information.
Provide the scheduler with a name and then select your operating system type, either “Windows” or “Linux”.
Next, we need to either select all servers in a dynamic group or select machines individually. Let's start with “Groups to update”.
When you select the “Group” option, you need to specify the criteria for the dynamic group. For this demo I will select the following:
- The resource group where all my resources are located
- The location where my Azure servers are running
Once all the needed information has been provided, click on “Add”.
You will notice that your query is now listed under “Included items”. You can click on “Preview” to view which servers are part of the query.
You will notice from the “Preview” page all the servers in the subscription.
If you are happy with the results, click on OK twice to save the query.
The second option is to select “Machines to update”.
In this option, we will click on the drop-down arrow on “Type” and select “Machines”.
Once you have selected the “Machines” option, you will notice all the Azure VMs that are connected to Update Management.
Click on each device you would like to add to the “Update Scheduler”; all selected machines will show under “Selected Items”.
Click on “OK” to move back to the main configuration menu.
Next up, let's click on “Update classification”. Here we need to select which updates we want to install on the servers. For this demo I will select the following:
- Critical updates
- Security updates
- Definition updates
Next, we need to specify whether there are any updates we want to exclude or include. Click on “Include/exclude updates”.
On the Include/exclude updates page, you can specify the KB numbers of the updates you would like to include or exclude. For this demo, I will leave them blank and click OK.
Next, let's configure the “Schedule Settings”. Here we need to determine when the scheduler will start and whether it will be a recurring schedule.
Specify the start date and time, select “Recurring” and then click “OK”.
If you have selected “Recurring”, you will have some additional settings to configure at the bottom.
For Recurring we need to specify how often the scheduler will run; I will select every 2 days and set the “expiration” to “No”, then return to the main menu.
The following settings I will leave as default:
- Pre-scripts + post-scripts
- Maintenance window, which I will keep at 120 min
Lastly, I will select “Reboot if required” and click “Create”.
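The whole deployment configured through the portal above (recurring schedule every 2 days with no expiry, a dynamic group scoped to a resource group and region, Critical/Security/Definition classifications, a 120-minute maintenance window and reboot if required) can be created in one script. This is an added example rather than code from the original post; it uses the Az.Automation cmdlets and assumes the placeholder resource group, region and schedule name shown, with the Automation account already linked to the workspace.

```powershell
# Added example (not from the original post). Assumed names: $rg, $location, $scheduleName.
$rg           = 'rg-updatemgmt'                             # assumed resource group
$account      = 'cloud-az-auto'                             # account name used in the post
$location     = 'westeurope'                                # assumed region of the VMs
$scheduleName = 'windows-critical-security-every-2-days'    # assumed schedule name

# 1. Recurring schedule: first run tomorrow at 02:00 local time, then every 2 days.
#    No -ExpiryTime is passed, which matches setting "expiration" to "No" in the portal.
$start = (Get-Date).Date.AddDays(1).AddHours(2)
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name $scheduleName -StartTime $start -DayInterval 2 -ForUpdateConfiguration

# 2. Dynamic group ("Groups to update"): every VM in the resource group and region.
$subId = (Get-AzContext).Subscription.Id
$group = New-AzAutomationUpdateManagementAzureQuery -ResourceGroupName $rg -AutomationAccountName $account `
    -Scope @("/subscriptions/$subId/resourceGroups/$rg") `
    -Location @($location)

# 3. The deployment itself: Windows, three classifications, 120-minute window,
#    reboot only when an update requires it. No KB include/exclude lists, as in the post.
$config = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows -AzureQuery $group `
    -IncludedUpdateClassification Critical, Security, Definition `
    -Duration (New-TimeSpan -Minutes 120) `
    -RebootSetting IfRequired

# 4. Verify, which is the scripted equivalent of Shared Resources > Schedules in the portal.
Get-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account -Name $scheduleName |
    Format-List Name, StartTime, NextRun, Frequency, Interval, IsEnabled
Get-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account |
    Format-Table Name, ProvisioningState -AutoSize
```

To pin the deployment to specific machines instead of a dynamic group (the “Machines to update” path described above), replace `-AzureQuery $group` with `-AzureVMResourceId` and an array of VM resource ids. Keeping the maintenance window and reboot setting in source control alongside the rest of the configuration makes it easy to see who widened the window or changed the reboot behaviour later.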
You will notice in the top right-hand corner a new notification will appear indicating that the schedule has been created.
To verify that the schedule was created successfully, navigate to Shared Resources under your Automation account and then click on “Schedules”.
On the “Schedules” page, you will see your newly created schedules.
You can modify your schedule by clicking on it; a new page will fly out with all the options you can modify.
And this is how you can quickly configure Update Management to patch your Azure VMs and make sure that they stay compliant.