For most companies, patch management is a challenge. Not all customers have SCCM, and WSUS is aging and not agile (you have to create several GPOs to handle different patch windows). This is why Azure Update Management is a welcome replacement for this tool. If you use your Automation Account only for Azure Update Management, the solution is nearly free (as long as you don't exceed 500 minutes of usage per month).
For most usages, Azure Update Management improves your patch management. However, clusters are not handled for the moment (a shame for my S2D clusters). Some features are missing, such as running an update process "now", and the update information is not reassessed immediately after an update. Despite these gaps, I use only Azure Update Management to handle Windows Update in my lab, and I try to convince my customers to use this product instead of WSUS. In this topic I'll show you how to deploy and use Azure Update Management.
Azure resources creation
The following Azure resources are required to deploy Azure Update Management:
- Log Analytics workspace
- Azure Automation Account
So I create these resources from the Azure Marketplace.
Then, once you have created the Azure Automation Account and the Log Analytics workspace, open the Azure Automation Account blade and navigate to Update Management. Select the Log Analytics workspace and click on Enable.
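The same two resources can be created and linked from PowerShell. The script below is an added example, not code from the original post: it assumes the Az.Accounts, Az.Resources, Az.OperationalInsights and Az.Automation modules, an existing Connect-AzAccount session, and placeholder names; the linked-service name 'Automation' and the -WriteAccessResourceId parameter are my understanding of the Az cmdlets, so check them with Get-Help before relying on them.

```powershell
# Added example (not from the original post): create the Log Analytics workspace and the
# Automation Account, link them, and enable the Updates solution, which is what the portal's
# "Enable" button does. Assumes Az.* modules and a Connect-AzAccount session. Placeholders below.
$ResourceGroup  = 'rg-updatemgmt'        # placeholder
$Location       = 'westeurope'           # placeholder
$WorkspaceName  = 'law-updatemgmt-demo'  # placeholder, workspace names must be globally unique
$AutomationName = 'aa-updatemgmt-demo'   # placeholder

# 1. Resource group
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null

# 2. Log Analytics workspace (PerGB2018 = pay-as-you-go pricing tier)
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
    -Name $WorkspaceName -Location $Location -Sku 'PerGB2018'

# 3. Automation Account
New-AzAutomationAccount -ResourceGroupName $ResourceGroup `
    -Name $AutomationName -Location $Location | Out-Null

# 4. Link the Automation Account to the workspace (assumption: the linked service is named
#    'Automation' and the account is referenced by its full resource ID)
$subscriptionId = (Get-AzContext).Subscription.Id
$automationId   = "/subscriptions/$subscriptionId/resourceGroups/$ResourceGroup" +
                  "/providers/Microsoft.Automation/automationAccounts/$AutomationName"
Set-AzOperationalInsightsLinkedService -ResourceGroupName $ResourceGroup `
    -WorkspaceName $WorkspaceName -LinkedServiceName 'Automation' `
    -WriteAccessResourceId $automationId | Out-Null

# 5. Enable the Updates solution (Update Management) in the workspace
Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroup `
    -WorkspaceName $WorkspaceName -IntelligencePackName 'Updates' -Enabled $true | Out-Null

# 6. Show the two values the agent installer asks for. The primary key authorises data
#    ingestion into the workspace: treat it as a secret, and regenerate it if it leaks.
$keys = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $ResourceGroup -Name $WorkspaceName
"Workspace ID : $($ws.CustomerId)"
"Primary key  : $($keys.PrimarySharedKey)"
```

Keeping the deployment in a script makes the setup repeatable across customers and leaves the workspace key out of screenshots and tickets; the key only needs to reach the machine that runs the agent installer.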
Connect on-prem machines to Azure Update Management
Open the Log Analytics Workspace blade. In the Overview pane, locate Connect a data source. Then click on Windows, Linux and other sources.
Then download the Windows Agent. Copy the workspace ID and the primary key: you need this information to complete the agent installation.
Once you have downloaded the agent binaries, run the installation. Check the box saying Connect the agent to Azure Log Analytics (OMS).
Next, specify the workspace ID and key. Select Azure Commercial.
N.B.: You can also install the agent from a command line:
setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=
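For a fleet of on-prem servers the command line above is usually wrapped in a script that also confirms the agent came up and registered with the intended workspace. The script below is an added example, not from the original post: it assumes the downloaded installer has already been extracted (the MMASetup executable supports /c for that) into a placeholder folder, and it reads the workspace ID and key as parameters rather than hard-coding them. The OPINSIGHTS_WORKSPACE_KEY and AcceptEndUserLicenseAgreement switches and the AgentConfigManager.MgmtSvcCfg COM object are the documented ones for this agent, to the best of my knowledge.

```powershell
# Added example (not from the original post): silent install of the Log Analytics agent with
# the same switches as the N.B. above, followed by a registration check.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,   # from the workspace Overview blade
    [Parameter(Mandatory)] [string] $WorkspaceKey,  # primary or secondary key (secret)
    [string] $ExtractDir = 'C:\Temp\MMA'             # placeholder: folder with the extracted setup.exe
)

$setup = Join-Path $ExtractDir 'setup.exe'
if (-not (Test-Path $setup)) { throw "setup.exe not found in $ExtractDir" }

# OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 selects Azure Commercial (1 = Azure Government).
# $args is a PowerShell automatic variable, so the argument list gets its own name.
$installArgs = @(
    '/qn', 'NOAPM=1', 'ADD_OPINSIGHTS_WORKSPACE=1',
    'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',
    "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId",
    "OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey",
    'AcceptEndUserLicenseAgreement=1'
)
$proc = Start-Process -FilePath $setup -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Agent setup failed with exit code $($proc.ExitCode)" }

# Check 1: the agent service (HealthService) must be running.
$svc = Get-Service -Name HealthService -ErrorAction Stop
if ($svc.Status -ne 'Running') { throw "HealthService is $($svc.Status), expected Running" }

# Check 2: the agent must list our workspace among its cloud workspaces. A typo in the ID
# would otherwise leave a silently unmonitored, unpatched server.
$cfg        = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$workspaces = @($cfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
if ($workspaces -notcontains $WorkspaceId) {
    throw "Agent is not registered to $WorkspaceId (registered: $($workspaces -join ', '))"
}
"Agent registered to workspace $WorkspaceId. Allow some time before it shows up in the portal."
```

Run it from an elevated prompt; the final message matches the delay described in the next step, where the machine appears in Azure Update Management only after the agent's first heartbeats arrive.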
It can take a while before the information is pulled up in Azure. Once the agent is detected in Azure Update Management, you should get a message saying that a machine does not have "Update Management" enabled. Click on the link beside it.
Choose the option you want and click on OK.
Once you have enabled update management on the machines, you should get information about the update state of your on-prem computers.
Create an update deployment
Now that the machines are reported correctly in the Update Management portal, we can create an update deployment to install the updates. Click on Schedule update deployment. First provide a name for this update deployment. Then, to choose the machines to update, click on Machines and select the machines you want to upgrade.
Then configure the schedule. For this rule I choose to run it once. As you can also see in the screenshot below, you can specify a pre and post script.
Finally, specify the maintenance window and the reboot options as shown in the following screenshot.
Once the scheduled update is created, you can retrieve it in the Scheduled update deployments tab.
Create a recurring update deployment
You can also create a recurring update deployment to install updates automatically each month. Create a new update deployment and this time, in the schedule settings, choose Recurring.
Several scheduled update deployments can be created, as you can see in the following screenshot.
When an update deployment is running, you can see its progress in the Update Deployments tab.
Finally, when the update process is finished, you have to wait almost 30 minutes to get the new assessment from the on-prem machines. After the updates are installed, all your machines should be compliant.
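Both deployment types (the one-time run from the previous section and the recurring one from this section) can also be created from PowerShell, which is handy when the same patch windows must be reproduced for several customers. The script below is an added example, not from the original post: it assumes the Az.Automation module, a Connect-AzAccount session, and placeholder resource, computer and time-zone names; on-prem machines are addressed by the computer name their agent reports to the workspace, and the cmdlet parameter names are my understanding of Az.Automation, so confirm them with Get-Help.

```powershell
# Added example (not from the original post): a one-time and a monthly recurring update
# deployment created with Az.Automation. All names below are placeholders.
$ResourceGroup  = 'rg-updatemgmt'        # placeholder
$AutomationName = 'aa-updatemgmt-demo'   # placeholder
$OnPremServers  = @('SRV01', 'SRV02')     # placeholder computer names as shown in Update Management
$TimeZone       = 'Europe/Paris'         # placeholder, IANA time zone name

# --- One-time deployment: tomorrow at 22:00, 2-hour maintenance window,
#     reboot only if an installed update requires it ---
$onceSchedule = New-AzAutomationSchedule -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationName -Name 'Patch-Once' -OneTime `
    -StartTime (Get-Date).Date.AddDays(1).AddHours(22) -TimeZone $TimeZone

New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationName -Schedule $onceSchedule -Windows `
    -NonAzureComputer $OnPremServers `
    -IncludedUpdateClassification Critical, Security, UpdateRollup `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired | Out-Null

# --- Recurring deployment: third Tuesday of every month at 03:00, i.e. one week after
#     Patch Tuesday, which leaves time to watch for known-bad updates before rollout ---
$monthlySchedule = New-AzAutomationSchedule -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationName -Name 'Patch-Monthly' `
    -StartTime (Get-Date).Date.AddDays(1).AddHours(3) -TimeZone $TimeZone `
    -MonthInterval 1 -DayOfWeek Tuesday -DayOfWeekOccurrence Third

New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationName -Schedule $monthlySchedule -Windows `
    -NonAzureComputer $OnPremServers `
    -IncludedUpdateClassification Critical, Security, UpdateRollup `
    -Duration (New-TimeSpan -Hours 3) -RebootSetting IfRequired | Out-Null

# List what exists now, the same view as the Scheduled update deployments tab
Get-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationName | Format-Table -AutoSize
```

The pre and post scripts mentioned earlier correspond to the -PreTask and -PostTask parameters of New-AzAutomationSoftwareUpdateConfiguration, which take the name of a runbook in the same Automation Account, and individual updates can be held back with -ExcludedKbNumber.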
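Because the assessment lags the deployment by up to about 30 minutes, a compliance check should look at the freshest Update record per machine and per KB, and at the agent's last heartbeat, so that a machine whose agent stopped reporting is not mistaken for a compliant one. The script below is an added example, not from the original post: it assumes the Az.OperationalInsights module, a Connect-AzAccount session, and a placeholder workspace ID; the Update and Heartbeat table columns it uses are the standard Log Analytics ones.

```powershell
# Added example (not from the original post): post-deployment compliance check against the
# workspace. $WorkspaceId is the workspace's Customer ID (placeholder below).
$WorkspaceId = '00000000-0000-0000-0000-000000000000'  # placeholder

# Latest state of each update per computer, then only the ones still "Needed" in the
# classifications the deployment targets, joined with the agent's last heartbeat.
$query = @'
Update
| where TimeGenerated > ago(24h)
| where OSType == "Windows" and Optional == false
| where Classification in ("Security Updates", "Critical Updates", "Update Rollups")
| summarize arg_max(TimeGenerated, UpdateState) by Computer, KBID, Title, Classification
| where UpdateState =~ "Needed"
| summarize MissingUpdates = count() by Computer
| join kind=rightouter (
    Heartbeat
    | where TimeGenerated > ago(24h)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer
  ) on Computer
| project Computer = Computer1, MissingUpdates = coalesce(MissingUpdates, 0), LastHeartbeat
| order by MissingUpdates desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query `
    -Timespan (New-TimeSpan -Days 1)
$rows = @($result.Results)

# A heartbeat older than 30 minutes means the "0 missing" figure may simply be stale.
$staleBefore = (Get-Date).ToUniversalTime().AddMinutes(-30)
foreach ($row in $rows) {
    $status = if ([int]$row.MissingUpdates -gt 0) { 'NOT COMPLIANT' } else { 'compliant' }
    if ([datetime]$row.LastHeartbeat -lt $staleBefore) { $status += ' (assessment stale)' }
    '{0,-20} missing={1,-4} lastHeartbeat={2}  {3}' -f $row.Computer, $row.MissingUpdates, $row.LastHeartbeat, $status
}
```

The right outer join on Heartbeat keeps machines that have no Update rows at all, which is the case for a freshly connected agent whose first assessment has not arrived yet; those show up as compliant-with-stale-assessment rather than silently disappearing from the report.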
What network ports are required for this? What needs opening, especially on the on-prem servers? How do the patches get downloaded to the servers, especially on premise, and over what protocols?