As a lot of customers are moving their workloads to Azure, and specifically moving virtual machines to Azure Infrastructure-as-a-Service (IaaS), the question is: how do I manage my Azure virtual machines (VMs) efficiently? The great thing about Azure IaaS is that it is not just another virtualization platform. Azure IaaS also offers a lot of other benefits versus classic virtualization. Azure IaaS and Azure Management provide a lot of functionality to make it more efficient to run and manage virtual machines. One of them is Azure Update Management. In this blog post, I am going to show you how you can efficiently manage updates for your Azure IaaS VMs.
Overview and benefits of Azure Update Management ☁
The Azure Update Management solution is part of Azure Automation. With Azure Update Management you can manage operating system updates for your Windows and Linux computers in Azure, in on-premises environments, or in other cloud providers. That is right, it is not only for your Azure VMs; it also works with your whole environment and provides you with a single pane of glass for your update management. It allows you to quickly assess the status of available updates on all virtual machines and servers, and manage the process of installing required updates for servers.
- Azure Update Management works with Azure IaaS VMs, on-premises servers and even servers running at other cloud service providers.
- Update Management supports Linux and Windows servers
- It is directly integrated into the Azure portal and onboarding of Azure VMs is very simple.
- It works with existing update sources like Microsoft Update, WSUS or on Linux with private and public update repositories.
- Azure Update Management can be integrated into System Center Configuration Manager. You can learn more about Azure Update Management and System Center Configuration Manager integration on Microsoft Docs.
- You can onboard new Azure VMs automatically to Update Management in multiple subscriptions in the same tenant.
How to onboard Azure IaaS VMs ✈
Onboarding Azure VMs to Azure Update Management is fairly simple and there are many different ways you can enable Update Management for an Azure VM.
- From a virtual machine
- From browsing multiple machines
- From your Automation account
- With an Azure Automation runbook
One thing I want to highlight is that you can set up automatic enablement for future virtual machines. With that, Azure virtual machines you create in the future will automatically be added to the Update Management solution.
Since this blog post is all about managing updates for Azure VMs, I will keep it short, but if you want to add servers running on-premises or at other service providers, you can have a look at how to configure Azure Update Management from Windows Admin Center. If you are running Azure Stack, you can also easily add your Azure Stack VMs to the Update Management solution.
Update Assessment 📃
After you have enabled and connected your virtual machines, Azure Log Analytics and Update Management start to collect and analyze data and create a continuous assessment of your Azure VM infrastructure and the additional servers you added. It will let you know which servers are compliant and which updates are missing. In the Azure documentation for Azure Update Management, you can find the schedules and times at which new updates will be added to the assessment.
Manage and deploy updates to Azure VMs 🔧
After you know which servers are compliant and which are not, you can schedule an update deployment to update your servers.
Configuring an update deployment is very easy:
- Enter a name for the update deployment
- Select which operating system you want to target with the deployment (Linux or Windows)
- Choose the machines you want to update. You can select specific Azure virtual machines, non-Azure machines, groups, AD, WSUS, SCCM groups and filters.
- Select the Update Classifications you want to deploy
- Include or exclude updates
- Schedule the deployment. You can also create recurring update deployments for example for monthly patching.
- Configure pre- and post-scripts
- Configure the maintenance window size
- Configure the reboot options after the updates are installed
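The same deployment steps scripted with the Az.Automation PowerShell module, as an added example that is not part of the original post. The resource group, Automation account, VM resource IDs, KB ID and runbook names are placeholders, and the pre- and post-scripts are assumed to already exist as runbooks in the Automation account.

```powershell
# Added example: every name and ID below is a placeholder, replace with your own.
$rg      = 'rg-automation-demo'      # placeholder resource group
$account = 'aa-update-demo'          # placeholder Automation account
$vmIds   = @(
    '/subscriptions/<subscription-id>/resourceGroups/<vm-rg>/providers/Microsoft.Compute/virtualMachines/<vm-name-1>',
    '/subscriptions/<subscription-id>/resourceGroups/<vm-rg>/providers/Microsoft.Compute/virtualMachines/<vm-name-2>'
)

# Schedule the deployment: recurring monthly, second Saturday at 02:00.
# -ForUpdateConfiguration marks the schedule for use by an update deployment.
$firstRun = [DateTimeOffset](Get-Date).Date.AddDays(1).AddHours(2)
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg `
    -AutomationAccountName $account `
    -Name 'monthly-windows-patching' `
    -StartTime $firstRun `
    -MonthInterval 1 -DayOfWeek Saturday -DayOfWeekOccurrence Second `
    -ForUpdateConfiguration

# One key per step of the list above.
$deployment = @{
    ResourceGroupName            = $rg
    AutomationAccountName        = $account
    Schedule                     = $schedule
    Windows                      = $true                    # target operating system
    AzureVMResourceId            = $vmIds                   # machines to update
    IncludedUpdateClassification = 'Critical', 'Security'   # update classifications
    ExcludedKbNumber             = '<kb-id>'                # placeholder exclusion
    PreTaskRunbookName           = '<pre-patch-runbook>'    # placeholder pre-script
    PostTaskRunbookName          = '<post-patch-runbook>'   # placeholder post-script
    Duration                     = (New-TimeSpan -Hours 2)  # maintenance window
    RebootSetting                = 'IfRequired'             # reboot options
}
New-AzAutomationSoftwareUpdateConfiguration @deployment
```

Keeping the deployment definition in a script makes the classifications, exclusions and reboot setting reviewable alongside other infrastructure changes.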
View update deployments ✔
During and after the duration of the update deployment, you can see an overview of the deployment, which updates on which machine were installed and if they were successful.
Pricing – What does it cost? 💵
Now I know what you are thinking: this is great, but I am sure Microsoft is making me pay for this. No! There are no charges for the service; you only pay for log data stored in the Azure Log Analytics service. You can find more pricing information here.
Conclusion and Learn more 🎓
Update Management is a great solution to keep your environment up to date. If you want to know more, check out Microsoft Docs or follow this tutorial to onboard Azure VMs. There is also a very good blog series by Microsoft MVP Samuel Erskine. If you don’t have Azure today, create an Azure Free account.
If you have any questions, let me know in the comments.
Last modified: October 7, 2019
Been there done that. It is still poorly documented without clear advantages of integrating it with SCCM versus not integrating.
Still need to have the ability of updating/reverting 3rd-party apps like Adobe Flash, Reader, Java etc.
Also needs better scheduling and targeting to be on par with SCCM.
Why do you have Adobe Flash, Reader and Java installed on servers? This is a server solution, not a client update solution.
Update Management is not stable when it comes to number of machines to patch. Parallel patching fails. No exact failed results.
Interesting, I haven’t seen those issues yet.
Hi Thomas, thanks for this blog. Doing a PoC of this but I’m getting an error when I try to query the logs with any query and I’ve tried a few (screenshot – https://pasteboard.co/IQnc0v9.jpg). Don’t know if this functionality would work with Azure VMs but I’m doing on-prem. Assume these logs would be required to troubleshoot errors with VMs that do not patch. Have you seen this or have any ideas? Thanks, Guy.
FYI, the patching actually works on a test 2019 server VM.
Following on… recreating in West Europe got rid of this error. Wasn’t happy with UK South using an Action Pack subscription.
What is lacking is some kind of built-in reporting. We need to make reports to show the auditor that all VMs were patched.