Azure Update Manager

Question

Azure Update Manager

Abrar Adil S 401

How to enable the patch updates automatically for the newly added VM's in the Azure Update Manager without manual intervention, is there any possibility of restricting the access to users other than admins.

Herux Sa 0 Reputation points

2023-10-03T09:49:53.8866667+00:00
In Azure, you can use Azure Update Management to automate patching for virtual machines (VMs) and ensure that they are up to date with the latest security updates. To enable automatic patch updates for newly added VMs without manual intervention, you can follow these steps:

Create an Update Management Solution:

Go to the Azure Portal (portal.azure.com).

Navigate to "Update Management" under the "Monitoring + management" section.

Click on "Add" to create a new Update Management solution if you haven't already.

Configure Automation Account:

You'll need to link your Update Management to an Automation Account. If you don't have one, you can create it during this step.

Enable Automatic Patching:

Inside the Automation Account, go to "Update Management" under "Inventory + Change tracking."

In the "Update Management" pane, select "Schedule update deployments."

Create a new update deployment schedule. In the schedule settings, you can specify the schedule to be recurring, so that it automatically applies patches to VMs on a regular basis.

Scope Assignment:

You can assign the update deployment to a specific set of VMs by using tags, Azure Resource Manager (ARM) templates, or Azure Policy.

Now, the VMs that match the scope criteria you defined will automatically receive patch updates based on your schedule without manual intervention.
Abrar Adil S 401 Reputation points

2023-10-03T10:22:08.8066667+00:00

thanks so much for your response. We have followed the above mentioned process, now that Azure LA Agent is about to expire next year and the Azure Update Manager being Generally available, we would like to explore the Azure Update manager instead of going with Update management using Automation Account, manually I am able to check for updates, do a schedule update for a single virtual machine, would like to know how we can add newly created virtual machines to the schedule updates without manual intervention.
SwathiDhanwada-MSFT 18,996 Reputation points Moderator

2023-10-16T06:39:57.9066667+00:00

Abrar Adil S Hope the information provided is useful. If the answer is helpful, kindly "Accept As Answer" as its beneficial for community members who are facing similar questions. Do revert if you have further questions.

1 answer

Your answer

Herux Sa 0 Reputation points

2023-10-03T09:49:53.8866667+00:00

In Azure, you can use Azure Update Management to automate patching for virtual machines (VMs) and ensure that they are up to date with the latest security updates. To enable automatic patch updates for newly added VMs without manual intervention, you can follow these steps:

Create an Update Management Solution:

Go to the Azure Portal (portal.azure.com).

Navigate to "Update Management" under the "Monitoring + management" section.

Click on "Add" to create a new Update Management solution if you haven't already.

Configure Automation Account:

You'll need to link your Update Management to an Automation Account. If you don't have one, you can create it during this step.

Enable Automatic Patching:

Inside the Automation Account, go to "Update Management" under "Inventory + Change tracking."

In the "Update Management" pane, select "Schedule update deployments."

Create a new update deployment schedule. In the schedule settings, you can specify the schedule to be recurring, so that it automatically applies patches to VMs on a regular basis.

Scope Assignment:

You can assign the update deployment to a specific set of VMs by using tags, Azure Resource Manager (ARM) templates, or Azure Policy.

Now, the VMs that match the scope criteria you defined will automatically receive patch updates based on your schedule without manual intervention.
Abrar Adil S 401 Reputation points

2023-10-03T10:22:08.8066667+00:00

thanks so much for your response. We have followed the above mentioned process, now that Azure LA Agent is about to expire next year and the Azure Update Manager being Generally available, we would like to explore the Azure Update manager instead of going with Update management using Automation Account, manually I am able to check for updates, do a schedule update for a single virtual machine, would like to know how we can add newly created virtual machines to the schedule updates without manual intervention.
SwathiDhanwada-MSFT 18,996 Reputation points Moderator

2023-10-16T06:39:57.9066667+00:00

Abrar Adil S Hope the information provided is useful. If the answer is helpful, kindly "Accept As Answer" as its beneficial for community members who are facing similar questions. Do revert if you have further questions.

Answer 1

SwathiDhanwada-MSFT 18,996 Moderator

Abrar Adil S To enable patch updates automatically for the newly added VMs in Azure Update Manager, you can use the dynamic scope feature of Azure Update Manager. Dynamic scope is a feature of Azure Update Manager that allows you to create a group of machines based on certain criteria and apply patches to them automatically according to a schedule. This way, you can manage the updates for multiple machines at scale without having to select them individually. You can define the dynamic scope using filters such as subscription, resource group, resource type, location, tags, and OS type. You can also add or remove individual machines to the dynamic scope if needed. Dynamic scope is available for Windows and Linux VMs, on-premises environments, and Azure Arc-enabled servers. To use dynamic scope, you need to have patch orchestration set to Customer Managed Schedules and provide your consent for applying the updates. You can view, add, edit, and delete dynamic scopes from the Azure portal or using Azure CLI or PowerShell commands. Dynamic scope is an advanced capability of scheduled patching that can help you keep your machines secure and up-to-date.

For more information, you can refer this document.

Abrar Adil S 401 Reputation points

2023-10-11T04:47:13.3166667+00:00

we have been using the Dynamic scope and which is set at subscription level, and all the VM created in the scope the patches are being deployed at the schedule time, however we need the scope to be set to Management group level which is not been provided in Azure Update Manager, neither the option of starting the virtual machine when we want to deploy the patches as we do in the Azure Automation Update Manager.
SwathiDhanwada-MSFT 18,996 Reputation points Moderator

2023-10-11T07:16:45.37+00:00

Abrar Adil S I understand that you are currently using Dynamic scope at the subscription level to deploy patches to VMs, but you would like to set the scope at the Management Group level instead. Unfortunately, Azure Update Manager does not currently support setting the scope at the Management Group level.

Also, as of now, we are unable to apply maintenance updates to any shut down machines. You need to ensure that your machine is turned on at least 15 minutes before a scheduled update or your update may not be applied. If your machine is in a shutdown state at the time of your scheduled update, it may appear that the maintenance configuration has been disassociated on the Azure portal, and this is only a display issue that the team is currently working to fix it. The maintenance configuration has not been completely disassociated and you can check it via CLI using check configuration.

In Azure Update Manager, the ability to execute Azure Automation runbook scripts before or after deploying scheduled updates to machines will be available by the fourth quarter of 2023. You can use this to start the vms.

Share via

Azure Update Manager

1 answer

Your answer