Azure Update Management Center is a game-changer for IT pros, allowing you to manage server updates across your entire organization with ease.
With Azure Update Management Center, you can manage updates for both on-premises and cloud-based servers, giving you a single pane of glass to monitor and control updates.
This centralized approach helps reduce the risk of human error and saves you time by automating tasks, such as patching and updating servers.
Configuration
The Azure Update Management Center allows you to manage updates for multiple virtual machines at once.
You can configure the center to scan for updates every hour, or at a custom interval that suits your needs.
To ensure compliance with security best practices, you can also require a reboot after installing updates.
This matters because an update that needs a restart does not protect the machine until that restart happens; requiring the reboot closes the window in which the machine is still exposed to a vulnerability it has already downloaded the fix for.
By setting up a maintenance window, you can schedule updates to occur during a time when they won't disrupt your operations.
About
I've worked on numerous projects where configuration was a crucial step, and I can tell you that it's not just about setting up a few options. Configuration is a complex process that requires careful planning and execution.
One of the most important aspects of configuration is understanding the different types of configurations available, such as hardware, software, and network configurations. This can be overwhelming, especially for those new to configuration.
As I've learned from my experience with network configurations, having a clear understanding of the network architecture and the devices that will be connected to it is essential for a successful configuration. This includes knowing the type of network, the number of devices, and the type of data that will be transmitted.
A well-configured system is one that is optimized for performance, security, and reliability. This requires careful consideration of the system's hardware and software components, as well as the network infrastructure.
Permissions
To create and manage update deployments you need specific permissions, which Update Management assigns through role-based access.
The roles and the permissions they carry are listed in the Role-based access - Update Management section, so check that section before you start.
Hybrid Runbook Worker Groups
Hybrid Runbook Worker groups are configured automatically when you enable Update Management; they run the runbooks that Update Management uses.
Each Windows machine managed by Update Management is listed in the Hybrid worker groups pane as a System hybrid worker group for the Automation account. These groups use the Hostname FQDN_GUID naming convention. They can't be targeted with runbooks in your account.
You can add a Windows machine to a user Hybrid Runbook Worker group in your Automation account to support Automation runbooks. This is only possible if you use the same account for Update Management and the Hybrid Runbook Worker group membership.
This functionality was added in version 7.2.12024.0 of the Hybrid Runbook Worker.
Configuration
To configure Update Management, you need to set up a few external dependencies. Azure Automation Update Management relies on Windows Server Update Services (WSUS) or Microsoft Update for software updates packages and the software updates applicability scan on Windows-based machines.
You'll also need to install the Windows Update Agent (WUA) client on Windows-based machines so they can connect to the WSUS server or Microsoft Update. This ensures they can receive software updates.
For Linux-based machines, you'll need a local or remote repository to retrieve and install OS updates. This is a crucial step to ensure your Linux machines are up-to-date.
Here's a list of the external dependencies needed for Update Management:
- Windows Server Update Services (WSUS) or Microsoft Update
- Windows Update Agent (WUA) client
- Local or remote repository for Linux-based machines
To update supported Windows systems, Update Management relies on the locally configured update repository, which can be WSUS or Windows Update.
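Because Update Management only hands work to the locally configured repository, the first thing to verify on a Windows machine that is not picking up updates is where its Windows Update Agent is actually pointed. The following script is an added example (not code from the article or from Microsoft) that reads the standard WSUS policy registry values, reports whether the machine uses WSUS or Microsoft Update, tests whether a configured WSUS endpoint answers on its port, and flags a WSUS URL that still uses plain HTTP. Run it in an elevated PowerShell session on the managed machine.

```powershell
# Added example (not code from the article or from Microsoft): show which repository the
# Windows Update Agent on this machine is configured to use, WSUS (set through the
# WindowsUpdate policy keys) or Microsoft Update, and whether a configured WSUS endpoint
# answers on its port.
function Get-WuaUpdateSource {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = Join-Path $policyKey 'AU'

    # Both values are absent when no WSUS policy applies, which means Microsoft Update.
    $wsusUrl = (Get-ItemProperty -Path $policyKey -Name WUServer    -ErrorAction SilentlyContinue).WUServer
    $useWsus = (Get-ItemProperty -Path $auKey     -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    # Version of the update engine itself (wuaueng.dll ships with the WUA client).
    $wuaVersion = (Get-Item (Join-Path $env:SystemRoot 'System32\wuaueng.dll')).VersionInfo.ProductVersion

    if ($useWsus -eq 1 -and $wsusUrl) {
        $uri = [uri]$wsusUrl
        # [uri] fills in the default port (80/443) when the URL does not name one.
        $reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Source     = 'WSUS'
            Server     = $wsusUrl
            Reachable  = $reachable
            PlainHttp  = ($uri.Scheme -eq 'http')   # WSUS over plain HTTP should be moved to HTTPS
            WuaVersion = $wuaVersion
        }
    }
    else {
        [pscustomobject]@{
            Source     = 'Microsoft Update'
            Server     = $null
            Reachable  = $null
            PlainHttp  = $false
            WuaVersion = $wuaVersion
        }
    }
}

Get-WuaUpdateSource | Format-List
```

With -ErrorAction SilentlyContinue, Get-ItemProperty returns nothing both when the policy key is missing and when the value is missing, so machines without any WSUS policy fall through to the Microsoft Update branch rather than throwing. A machine that reports Source = WSUS but Reachable = False will never show current assessment data in Update Management no matter how the scan interval is configured.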
Packs
You'll need to install the Microsoft System Center Advisor Update Assessment Intelligence Pack, along with the Update Deployment MP, to get Update Management up and running. These management packs are installed automatically if your Operations Manager management group is connected to a Log Analytics workspace.
The Microsoft.IntelligencePack.UpdateAssessment.Configuration is also part of the package, but you don't need to configure or manage these management packs yourself. They're taken care of by the system.
If you're running Operations Manager 1807 or 2019, you'll need to make a small adjustment to the Microsoft.IntelligencePacks.AzureAutomation.HybridAgent.Init rule. Specifically, you'll need to set the parameter IsAutoRegistrationEnabled to True.
To fully manage machines with the Log Analytics agent, you'll need to update to the latest version of the agent for Windows or Linux. This is a requirement, not an option. You can find more information on how to update the agent in the article.
Here are the management packs you'll need to get started:
- Microsoft System Center Advisor Update Assessment Intelligence Pack (Microsoft.IntelligencePacks.UpdateAssessment)
- Microsoft.IntelligencePack.UpdateAssessment.Configuration (Microsoft.IntelligencePack.UpdateAssessment.Configuration)
- Update Deployment MP
Make sure you're running System Center Operations Manager 2012 R2 UR 14 or later, or Update Management won't work properly.
Data Collection Frequency
Data Collection Frequency is an important aspect of Update Management. Update Management scans each managed Windows machine for update data twice a day.
After a scan, it can take between 30 minutes and 6 hours before the dashboard shows the updated data, so a machine's reported compliance state always lags its real state by up to that much.
Update Management scans each Linux machine every hour, so Linux data is fresher and problems surface sooner.
The average data usage by Azure Monitor logs for a machine using Update Management is approximately 25 MB per month. This value is only an approximation and is subject to change, depending on your environment.
Classifications
Classifications are a crucial aspect of Update Management, and understanding them can help you tailor your deployments to your specific needs. Update Management supports various classifications for Windows updates, including Critical updates, Security updates, Update rollups, Feature packs, Service packs, Definition updates, Tools, and Updates.
For Linux updates, the classification options are more limited, with only Critical and security updates and Other updates being supported. However, it's worth noting that update classification for Linux machines is only available when used in supported Azure public cloud regions.
Update Management classifies Linux updates from two sources: assessment data and patching data. During assessment, updates fall into three categories: Security, Critical, or Others. During patching, the classification comes only from the package manager (YUM, APT, or ZYPPER), which yields two categories: Critical and security updates, or Other updates.
Here's a breakdown of the supported classifications for Windows and Linux updates:
- Windows: Critical updates, Security updates, Update rollups, Feature packs, Service packs, Definition updates, Tools, Updates
- Linux: Critical and security updates, Other updates
It's also worth noting that CentOS has limited support for update classification, and Red Hat Enterprise Linux 6 requires the installation of a YUM security plugin for proper classification.
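The Configuration section above (scan interval, reboot requirement, maintenance window) and the classification list in this section come together when you create an update deployment. The script below is an added example (not code from the article or from Microsoft) that uses the Az.Automation module to create one Windows and one Linux software update configuration in Azure Automation Update Management: each has a weekly maintenance window, a reboot setting, and a classification selection that reflects the difference between the Windows and Linux classification sets. The resource group name, automation account name, and VM resource IDs are assumed placeholders; run Connect-AzAccount first.

```powershell
# Added example (not code from the article or from Microsoft): create Windows and Linux
# update deployments with the Az.Automation cmdlets. Names and resource IDs are assumptions.
$rg      = 'rg-updates'   # assumption
$account = 'aa-updates'   # assumption
$winVms  = @('/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/web01')  # placeholder
$linVms  = @('/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/db01')   # placeholder

# Maintenance window: every Saturday at 02:00 UTC, two hours long. The start time has to
# be in the future, so compute the next Saturday rather than hard-coding a date.
$today     = (Get-Date).Date
$daysAhead = ([int][DayOfWeek]::Saturday - [int]$today.DayOfWeek + 7) % 7
if ($daysAhead -eq 0) { $daysAhead = 7 }
$start     = $today.AddDays($daysAhead).AddHours(2)

# One schedule per deployment; -ForUpdateConfiguration marks it for Update Management use.
$winSchedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'win-sat-0200-weekly' -StartTime $start -WeekInterval 1 -DaysOfWeek Saturday `
    -TimeZone 'UTC' -ForUpdateConfiguration
$linSchedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'linux-sat-0200-weekly' -StartTime $start -WeekInterval 1 -DaysOfWeek Saturday `
    -TimeZone 'UTC' -ForUpdateConfiguration

# Windows: eight classifications exist; this deployment takes only Critical and Security,
# and reboots only when an installed update asks for it.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'win-critical-security' -Schedule $winSchedule -Windows -AzureVMResourceId $winVms `
    -IncludedUpdateClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired

# Linux: only Critical, Security and Other are available. At patch time the package
# manager data collapses Critical and Security into a single "critical and security"
# bucket, so selecting both here is the equivalent of the Windows choice above.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'linux-critical-security' -Schedule $linSchedule -Linux -AzureVMResourceId $linVms `
    -IncludedPackageClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired
```

The -Duration value is the maintenance window: installation stops starting new updates once it expires, so size it for the slowest machine in the deployment rather than the average. RebootSetting IfRequired is the setting that implements the reboot requirement discussed in the Configuration section; Never would leave updates that need a restart inactive until someone reboots by hand.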
Data Collection
Data Collection is a crucial aspect of the Azure Update Management Center. It's essential to understand how often Update Management scans your machines for data. Update Management scans managed machines for data using the following rules.
Each Windows machine is scanned twice per day, while each Linux machine is scanned every hour. This frequency can result in a delay of between 30 minutes and 6 hours for the dashboard to display updated data from managed machines.
The Azure Monitor logs data usage figure given above (approximately 25 MB per machine per month) is only an estimate and varies with your environment; monitor your own workspace to get an accurate number.
Update Management
Update Management is a crucial part of Azure Update Management Center, allowing you to manage updates for all your machines, including those running on Windows and Linux, across Azure, on premises, and on other cloud platforms.
You can monitor update compliance from a single dashboard, making it easier to keep track of your machines' update status. Update Management helps you manage updates in real-time, schedule updates within a maintenance window, or automatically update during off-peak hours.
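The dashboard is built on the Update table that Azure Automation Update Management writes to the Log Analytics workspace, and the same data can be queried directly when you need a list rather than a chart. The script below is an added example (not code from the article or from Microsoft) that uses the Az.OperationalInsights module to pull every machine still needing a Critical or Security update and marks machines whose newest record is stale. The workspace ID is a placeholder; the 14-hour lookback covers the twice-daily Windows scan plus the dashboard delay described earlier.

```powershell
# Added example (not code from the article or from Microsoft): machines that still need
# Critical or Security updates, read from the Log Analytics 'Update' table.
$workspaceId = '<log-analytics-workspace-guid>'   # placeholder

$query = @'
Update
| where TimeGenerated > ago(14h)
| where Classification has_any ("Critical", "Security")
| summarize arg_max(TimeGenerated, *) by Computer, SourceComputerId, UpdateID, Product, ProductArch
| where UpdateState =~ "Needed" and Approved != false
| summarize MissingCriticalOrSecurity = count(), LastSeen = max(TimeGenerated) by Computer, OSType
| order by MissingCriticalOrSecurity desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query

# A machine whose newest record is older than the scan interval plus the 6-hour dashboard
# delay has probably stopped reporting; that is a separate finding from the missing count,
# because a silent machine looks compliant on a dashboard that only shows what it last sent.
$staleBefore = (Get-Date).ToUniversalTime().AddHours(-18)

$result.Results | ForEach-Object {
    [pscustomobject]@{
        Computer = $_.Computer
        OSType   = $_.OSType
        Missing  = [int]$_.MissingCriticalOrSecurity
        LastSeen = [datetime]$_.LastSeen
        Stale    = ([datetime]$_.LastSeen) -lt $staleBefore
    }
} | Format-Table -AutoSize
```

The arg_max step keeps only the latest record per machine and update, because each scan writes a fresh row; without it a machine patched yesterday would still count the row from the scan before the patch. Classification has_any matches both the Windows names ("Critical Updates", "Security Updates") and the Linux "Critical and security updates" label, so one query covers both operating systems.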
To ensure seamless update management, it's essential to update the Windows Log Analytics agent to the latest version. This will help reduce security vulnerabilities and benefit from bug fixes. Versions prior to 10.20.18053 (bundle) and 1.0.18053.0 (extension) use an older method of certificate handling and should be avoided.
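A fleet check for the agent versions named above is a small script. The function below is an added example (not code from the article or from Microsoft) that compares an installed bundle or extension version against those minimums. For the local check it reads the file version of HealthService.exe under the Microsoft Monitoring Agent install folder; that the file version tracks the bundle version is an assumption. The constructed extension version in the last call is below the minimum so the call reports it as outdated.

```powershell
# Added example (not code from the article or from Microsoft): flag Log Analytics agents
# older than the versions the article names.
function Test-LogAnalyticsAgentVersion {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [ValidateSet('Bundle', 'Extension')][string]$Kind = 'Bundle'
    )
    # Minimums from the article. The bundle minimum is kept to three parts so that a
    # three-part installed version (e.g. 10.20.18053) compares as equal, not older.
    $minimum = if ($Kind -eq 'Bundle') { [version]'10.20.18053' } else { [version]'1.0.18053.0' }

    [pscustomobject]@{
        Kind      = $Kind
        Installed = $Installed
        Minimum   = $minimum
        Outdated  = $Installed -lt $minimum   # older agents use the old certificate handling
    }
}

# Local check on a Windows machine running the Microsoft Monitoring Agent.
# Assumption: HealthService.exe's file version equals the agent bundle version.
$healthService = Join-Path $env:ProgramFiles 'Microsoft Monitoring Agent\Agent\HealthService.exe'
if (Test-Path $healthService) {
    $fileVersion = (Get-Item $healthService).VersionInfo.FileVersion
    Test-LogAnalyticsAgentVersion -Installed ([version]$fileVersion) -Kind Bundle
}
else {
    Write-Warning "Microsoft Monitoring Agent not found at $healthService"
}

# Constructed extension version, below the minimum, so Outdated comes back True.
Test-LogAnalyticsAgentVersion -Installed ([version]'1.0.18040.0') -Kind Extension
```

Comparing [version] objects rather than strings is the point of the helper: a string comparison would rank 10.20.9999 above 10.20.18053. For Azure VMs the extension version to pass in is the TypeHandlerVersion reported for the MicrosoftMonitoringAgent extension (publisher Microsoft.EnterpriseCloud.Monitoring).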
Here are some key benefits of Update Management:
- Single dashboard to view update compliance for your entire fleet of machines in Azure, on premises, and other cloud environments
- Patch management for instant deployment of critical updates to help secure your machines
- Dynamic scoping, an advanced capability of schedule patching, to group machines based on criteria and apply updates at scale
During the agent upgrade, scheduled update deployments might fail, so perform the upgrade at a time when no update schedule is due to run.
Frequently Asked Questions
What is the difference between SCCM and Azure Update Manager?
SCCM primarily focuses on Windows machines, while Azure Update Manager supports both Windows and Linux machines, offering broader update management capabilities.
What is the difference between Azure Update Manager and Azure Automation Update Management?
Azure Update Manager uses Azure Resource Graph for data storage, while Azure Automation Update Management stores updates data in a Log Analytics workspace. This change affects how historical and new data are stored and accessed.
Sources
- https://learn.microsoft.com/en-us/azure/automation/update-management/manage-updates-for-vm
- https://learn.microsoft.com/en-us/azure/automation/update-management/overview
- https://azure.microsoft.com/en-us/products/azure-update-management-center
- https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/generally-available-azure-update-manager/3928878
- https://www.anoopcnair.com/server-patching-azure-update-management-linux/