Azure ARC patch management best practices

Question

Hi,

we want to use azure arc to patch our on premise machines, but this feature is still in preview.
Looks like we cannot really control updates.

So what is the best practices to patch our sensitive servers? Use Azure Arc just for information and patch machines by hand?

Thanks a lot

Answer 1

You can't uninstall patches if they are failed. This should be covered in your DR plan.

The fundamentals are the same as before:

• scope dev, preprod, prod environments (additionally, workload-specific scopes if necessary)
• set different schedules for each environment
• rollback strategy could be configured as a standard DR plan, actually this is where Azure Site Recovery+ Backup are great companions

Answer 2

Hi there,

If you are referring to Azure Update Management Center (Public Preview), yes, currently it's still under preview, but you will have a support on this.
If you can't use any preview features, you can use a previous version of Update Management based on Azure Automation account. But it requires to install Microsoft Monitoring Agent, configure it with a Log Analytics workspace, etc

I recommend to start using Update Management Center as a modern way to manage your updates.

Answer 3

Hi,

ok understand, but how we can avoid system failures due windows patches? Yes, we have a backup system, but restore is complex.

How can I ensure the follwing fundamentals:

• Do test patches before deploying them
• rollback strategy (Back out Plan), if patch failes

Critical environment like SQL Database and Exchange should be full backup and patched particular.

Is it possible to deinstall patches from Azure Update Management Center, if something failes?