How can I join a VM to the Update Manager (automation account) as a post provisioning step from PowerShell?

Question

I'm trying to automate the onboarding process of a VM in the Update Manager (automation account) as a post-provisioning step from PowerShell.

Make the test with 4 VMs. I onboarded 2 of them manually from the azure portal and for the other 2 I used the following command:

Set-AzVMExtension -ExtensionName "UpdateManagement" `

                    -Location $location `

                    -ResourceGroupName  $resourceGroupName `

                    -VMName $vmName `

                    -Publisher "Microsoft.EnterpriseCloud.Monitoring" `

                    -ExtensionType "MicrosoftMonitoringAgent" `

                    -TypeHandlerVersion "1.0" `

                    -Settings @{"workspaceId" = $workspaceId;

                                "azureResourceId" = $resourceId;

                                "AutomationAccountURL"=$registrationUrl;

                                "AzureAutomationAccountId"=$aaId;

                                "stopOnMultipleConnections"= $True} `

                    -ProtectedSettings @{

                      "workspaceKey" = $workspaceKey;

                      "vmResourceId" = $resourceId

                    }

All four VMs were added to the Log Analytics Workspace linked to the automation account.

But only the ones configured manually were added to the update management in the Automation Account

I have tested multiple settings options. Also, find this Runbook from the gallery. The runbook has two issues. First, it uses Run as account configuration, which will be deprecated this year. Second, the runbook needs an already onboarded machine.

Answer 1

@Santiago Gamboa , thank you for the question.

I will summarize the high-level steps for enabling Azure Automation update management (some of which has already been configured by you, as mentioned in the question) and include details of the last step (as required to enable update management for the VM later). This should help clarify the steps:

1. Create Automation Account, Log Analytics Workspace (done)
2. Link Automation Account to the LA workspace. This also enable the Updates solution to the LA workspace (done)
3. Onboard new VMs to LA workspace (done - as the new VMs are already reporting to the workspace).
4. The final step, as required, is to enable the VM for update management. This is done by including the VM in the saved search query of the Log Analytics workspace. When you enable update management for VM in portal, the default search query's computer list is updated with the VMUUID of the new machine and this new machine is added to the scope.
5. For more details, see Scope Configuration in Azure Automation Update Management.
6. 1. You can use the one stop solution of selecting Enable on all available machines, as mentioned in the link above so that it is enabled for all future machines reporting to the connected LA Workspace. Or you can use the selected machine option.
7. 1. Regarding the Runbook Solution linked in the question, the majority of runbook logic is to enable Update Management for Automation Account and ensuring that pre-requisites are met. Which you have already configured. The final piece which is missing for your listed step is available in the linked runbook - Enable-AutomationSolution.ps1. The script lines required are from 590 - Enable-AutomationSolution.ps1#L590 This does the same thing as mentioned in step 6 above. You may use the logic in here, with "Managed identity" for authentication, if you are not using Enable on all available machines option for enabling the update management.

Hope this helps. Please let me know if you have any questions.

If the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.