Azure Update Management Approval Source

Ben Ng 1 Reputation point
2022-04-20T04:30:53.39+00:00

Hi guys

I have just created Azure Update Management for my servers. Then I tried to switch the update source from SCCM to WSUS. But the Update Approval Source didn't change to WSUS, so the servers have not installed the updates, even though the status is "Not Compliant" and they have missing updates.

Can someone let me know how I can change the Approval Source?

Many thanks

Ben

1 answer

  1. SwathiDhanwada-MSFT 18,546 Reputation points
    2022-05-11T12:35:49.127+00:00

    @Ben Ng Welcome to Microsoft Q & A Community Forum. Azure Automation Update Management relies on the Windows Update client to download and install Windows updates. Windows machines need to be configured to report to either Windows Server Update Services or Microsoft Update. Within the Automation Update Management Portal there is a column entitled "Update Approval Source".

    [Image: 200990-image.png, screenshot of the "Update Approval Source" column in the Update Management portal]

    SCCM = VM is configured with the SCCM client which is configured with the ability to use SCCM for patching
    Windows Update = install Windows OS updates only
    Microsoft Update = install Windows OS updates and security updates for other Microsoft products.

    This indicates where the Windows VMs get their Updates from, and the three options are as follows

    Source | Meaning | Link
    SCCM | SCCM client is installed and configured to use SCCM for patching | https://supportability.visualstudio.com/AzureAutomation/_wiki/wikis/Azure-Automation.wiki/586282/HT-Check-to-see-if-a-Windows-machine-is-configured-to-use-SCCM-to-get-patches
    WSUS | Client is configured to get its patches from WSUS. Note that if a machine is configured to get its patches from WSUS AND it also has the SCCM client installed and configured for patching, then this will show as SCCM | https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499
    Microsoft Update | "Receive updates for other Microsoft products when you update Windows" is checked under Check for Updates - advanced options* | https://support.microsoft.com/en-us/topic/how-to-enable-and-to-disable-microsoft-update-90bc0156-b08e-8045-25a7-2d0543061ed2
    Windows Update | "Receive updates for other Microsoft products when you update Windows" is NOT checked under Check for Updates - advanced options* |

    Within Azure Update Management we only report the setting, we do not set it; however, it can be changed on the Windows system using GPO and via the update settings GUI.

    You can configure "Receive updates for other Microsoft products when you update Windows" using Group Policy. However, the setting does not take effect right away, as it does when you manually select the GUI option under Check for Updates - advanced options.

    Group Policy editor
    "Computer Configuration\Administrative Templates\Windows Components\Windows Update"
    "Configure Automatic Updates"
    "Configure automatic Updating: 7" (7 should be the value for Windows 2016 servers and higher, 3 otherwise)
    "Install updates for other Microsoft products" bottom left of the pane

    Applying the policy settings above results in the following registry entries, allowing Windows Server 2016 and higher to automatically download updates (AUOptions=7) and configuring the system for Microsoft Update (versus only Windows Update):

    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU  
    AllowMUUpdateService = 1  (REG_DWORD)  
    AUOptions = 7 (REG_DWORD)  
    NoAutoUpdate = 1 (REG_DWORD)  
    ScheduleInstallDay = 7 (REG_DWORD)  
    ScheduleInstallTime = 3  (REG_DWORD)  
    

    Below is the PowerShell script we use to determine if a Windows client is configured for only "Windows Update" or for "Microsoft Update":

      # Ask the Windows Update Agent which update services it knows about
      $UpdateServiceManager = New-Object -ComObject "Microsoft.Update.ServiceManager"
      $serviceName = ""
      $UpdateServiceManager.Services | ForEach-Object {
          # Only the service registered with Automatic Updates (AU) is the one in use
          if ($_.IsRegisteredWithAU) {
              $serviceId = $_.ServiceID

              # Well-known service IDs for Windows Update and Microsoft Update
              if ($serviceId -eq "9482f4b4-e343-43b6-b170-9a65bc822c77") {
                  $serviceName = "Windows Update"
              } elseif ($serviceId -eq "7971f918-a847-4430-9279-4a52d1efe18d") {
                  $serviceName = "Microsoft Update"
              }
          }
      }
      Write-Output $serviceName
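As an added example that is not part of the answer above or of Microsoft's tooling, the following script extends the answer's check to cover all four approval sources it describes. It reads the policy intent from the registry keys the answer lists (plus the WSUS policy values `WUServer` and `UseWUServer`, which live under the same policy key) and compares it with what the Windows Update Agent currently reports through the same `Microsoft.Update.ServiceManager` COM object, so a Group Policy change that has not taken effect yet shows up as a pending state rather than a mystery. The function name `Get-UpdateApprovalSource`, the use of the `CcmExec` service as the indicator that the SCCM client is present, and the precedence order SCCM > WSUS > Microsoft Update > Windows Update (taken from the answer's note that a WSUS-configured machine with the SCCM client shows as SCCM) are assumptions of this example, not behaviour documented for Update Management. Run it in an elevated PowerShell session on the server itself.

```powershell
# Added example, not from the original answer or from Microsoft's tooling.
# Reports the update source a Windows machine is configured for, showing the
# policy intent in the registry next to what the Windows Update Agent
# currently reports, so a GPO change that has not taken effect yet is visible.
function Get-UpdateApprovalSource {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = "$policyKey\AU"

    # Read one policy value, returning $null when the key or value is absent.
    function Get-PolicyValue([string]$Key, [string]$Name) {
        try   { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    # Policy intent from the registry (values as written by Group Policy).
    $wuServer       = Get-PolicyValue $policyKey 'WUServer'             # WSUS server URL
    $useWuServer    = Get-PolicyValue $auKey     'UseWUServer'          # 1 = use WUServer
    $allowMuService = Get-PolicyValue $auKey     'AllowMUUpdateService' # 1 = Microsoft Update
    $auOptions      = Get-PolicyValue $auKey     'AUOptions'

    # Effective state: which service the Windows Update Agent is registered
    # with right now (same COM object and service IDs as the answer's script).
    $windowsUpdateId   = '9482f4b4-e343-43b6-b170-9a65bc822c77'
    $microsoftUpdateId = '7971f918-a847-4430-9279-4a52d1efe18d'
    $registered = @(
        (New-Object -ComObject 'Microsoft.Update.ServiceManager').Services |
            Where-Object { $_.IsRegisteredWithAU } |
            ForEach-Object {
                $id = $_.ServiceID
                switch ($id) {
                    $windowsUpdateId   { 'Windows Update' }
                    $microsoftUpdateId { 'Microsoft Update' }
                    default            { "Other ($id)" }
                }
            }
    )

    # Assumption: the presence of the ConfigMgr client service (CcmExec) is
    # used as the indicator that the SCCM client is installed. The answer says
    # such a machine shows as SCCM even when WSUS is also configured, so SCCM
    # is tested first.
    $sccmClient = $null -ne (Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue)

    $source = if ($sccmClient)                                  { 'SCCM' }
              elseif ($useWuServer -eq 1 -and $wuServer)        { 'WSUS' }
              elseif ($registered -contains 'Microsoft Update') { 'Microsoft Update' }
              else                                              { 'Windows Update' }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        ApprovalSource         = $source
        WsusServer             = $wuServer
        AUOptions              = $auOptions
        PolicyAllowsMU         = ($allowMuService -eq 1)
        AgentRegisteredWith    = ($registered -join ', ')
        # True when policy asks for Microsoft Update but the agent is not yet
        # registered with it: the "does not take effect right away" case.
        MicrosoftUpdatePending = ($allowMuService -eq 1 -and
                                  -not ($registered -contains 'Microsoft Update'))
    }
}

Get-UpdateApprovalSource | Format-List
```

When `MicrosoftUpdatePending` is `True`, the registry already carries `AllowMUUpdateService = 1` but the agent still reports only Windows Update, which is exactly the state the answer warns about after a GPO change; a detection or compliance job can key off that field instead of waiting for the portal column to catch up. The WSUS branch requires both `UseWUServer = 1` and a non-empty `WUServer`, because a `WUServer` value with `UseWUServer = 0` means the client still talks to Windows Update or Microsoft Update directly.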