Automate assessment at scale using Policy to see latest update status

This article describes how to enable Periodic Assessment for your machines at scale using Azure Policy. Periodic Assessment is a per-machine setting that keeps the list of available updates current without you having to run an assessment by hand every time you want to check update status. Once the setting is enabled, update management center (preview) assesses the machine for missing updates once every 24 hours. Assessment only reports what is missing; it does not install anything. Driving the setting through Policy means machines created later inside the scope are configured automatically, and a machine where the setting has been turned off shows up as non-compliant instead of silently dropping out of view.

Enable Periodic assessment for your Azure machines using Policy

  1. Go to Policy in the Azure portal and under Authoring, select Definitions.
  2. From the Category dropdown, select Update management center. Select [Preview]: Configure periodic checking for missing system updates on Azure virtual machines.
  3. When the policy definition opens, select Assign.
  4. In Basics, select your subscription as the scope. You can also narrow the scope to a resource group within the subscription. Select Next.
  5. In Parameters, clear Only show parameters that need input or review so that all parameter values are visible. Set Assessment mode to AutomaticByPlatform, choose the Operating system and select Next. The definition takes a single operating system, so create one assignment for Windows and another for Linux.
  6. In Remediation, select Create a remediation task so that periodic assessment is turned on for machines that already exist. This is a DeployIfNotExists policy, so the tab also creates the system-assigned managed identity that the deployment runs as, with the roles listed in the definition. Select Next.
  7. In Non-compliance message, enter the message to show for non-compliant resources, for example: Your machine doesn't have periodic assessment enabled. Select Review+Create.
  8. On the Review+Create tab, select Create. This creates the assignment and the remediation task, which can take a minute or so.

You can monitor the compliance of resources under Compliance and remediation status under Remediation from the Policy home page.

Enable Periodic assessment for your Arc machines using Policy

  1. Go to Policy in the Azure portal and under Authoring, select Definitions.
  2. From the Category dropdown, select Update management center. Select [Preview]: Configure periodic checking for missing system updates on Azure Arc-enabled servers.
  3. When the policy definition opens, select Assign.
  4. In Basics, select your subscription as the scope. You can also narrow the scope to a resource group within the subscription. Select Next.
  5. In Parameters, clear Only show parameters that need input or review so that all parameter values are visible. Set Assessment mode to AutomaticByPlatform, choose the Operating system and select Next. As with the Azure VM definition, create one assignment for Windows and another for Linux.
  6. In Remediation, select Create a remediation task so that periodic assessment is turned on for Arc-enabled machines that already exist, and select Next.
  7. In Non-compliance message, enter the message to show for non-compliant resources, for example: Your machine doesn't have periodic assessment enabled. Select Review+Create.
  8. On the Review+Create tab, select Create. This creates the assignment and the remediation task, which can take a minute or so.

You can monitor compliance of resources under Compliance and remediation status under Remediation from the Policy home page.
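The Azure VM and Arc-enabled server procedures above are the same assignment repeated four times: two definitions, each assigned once for Windows and once for Linux. The script below is an added example, not code from this article or from the Azure documentation, that performs those assignments with the Azure CLI so they can be run against many subscriptions in one pass. It assumes an `az` session logged in with rights to create policy assignments and role assignments at the target scope; that the two built-in definitions can be located by a fragment of their display name (the script prints the GUID it picks, confirm it before trusting it); that `assessmentMode` and `osType` are the parameter names the built-in definitions expose (confirm with `az policy definition show --name <id> --query parameters` if the definitions change); and the assignment naming convention is illustrative.

```shell
#!/bin/sh
# Added example, not part of the article: assign the two DeployIfNotExists
# periodic-assessment definitions (Azure VMs, Arc-enabled servers) for both
# Windows and Linux at subscription scope, each with a system-assigned
# identity and a remediation task. Assumes an authenticated Azure CLI.
set -eu

# Parameter JSON matching the portal's Parameters tab. assessmentMode and
# osType are assumed to be the built-in definitions' parameter names
# (confirm with: az policy definition show --name <id> --query parameters).
build_params() {
  os="$1"; mode="${2:-AutomaticByPlatform}"
  case "$os" in Windows|Linux) ;; *) echo "osType must be Windows or Linux, got '$os'" >&2; return 1 ;; esac
  case "$mode" in AutomaticByPlatform|ImageDefault) ;; *) echo "unknown assessmentMode '$mode'" >&2; return 1 ;; esac
  printf '{"assessmentMode":{"value":"%s"},"osType":{"value":"%s"}}' "$mode" "$os"
}

# One assignment per (definition, OS); the naming convention is illustrative.
assignment_name() {
  printf 'umc-assess-%s-%s' "$1" "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# Locate a built-in definition by a fragment of its display name and print its
# name (a GUID). Eyeball the printed match before relying on it.
find_definition() {
  az policy definition list \
    --query "[?contains(displayName, 'periodic checking for missing system updates') && contains(displayName, '$1')].name | [0]" \
    --output tsv
}

assign_and_remediate() {
  kind="$1"; os="$2"; def="$3"; scope="$4"; location="$5"
  name="$(assignment_name "$kind" "$os")"
  # DeployIfNotExists needs an identity to run the deployment. Contributor is
  # broader than necessary: the definition's roleDefinitionIds lists the exact
  # roles the portal would grant, and those should be used in production.
  az policy assignment create --name "$name" \
    --display-name "Periodic assessment ($kind, $os)" \
    --policy "$def" --scope "$scope" \
    --params "$(build_params "$os")" \
    --location "$location" --mi-system-assigned \
    --identity-scope "$scope" --role Contributor --output none
  az policy assignment non-compliance-message create --name "$name" --scope "$scope" \
    --message "Your machine doesn't have periodic assessment enabled." --output none
  # Equivalent of the portal's "Create a remediation task" checkbox.
  az policy remediation create --name "$name-remediation" \
    --policy-assignment "$name" --output none
  echo "assigned $name (definition $def) at $scope"
}

# Usage: ./enable_periodic_assessment.sh apply <subscriptionId> <region>
# Without arguments the script only prints the assignments it would create.
if [ "${1:-}" = "apply" ]; then
  scope="/subscriptions/$2"; location="$3"
  az account set --subscription "$2"
  vm_def="$(find_definition 'virtual machines')"
  arc_def="$(find_definition 'Arc-enabled servers')"
  for os in Windows Linux; do
    assign_and_remediate vm  "$os" "$vm_def"  "$scope" "$location"
    assign_and_remediate arc "$os" "$arc_def" "$scope" "$location"
  done
else
  for os in Windows Linux; do
    echo "$(assignment_name vm "$os") / $(assignment_name arc "$os"): $(build_params "$os")"
  done
fi
```

Run it once per subscription, or wrap the `apply` call in a loop over `az account list --query "[].id" -o tsv`. The remediation task only covers machines that exist at assignment time; machines created afterwards are handled by the DeployIfNotExists effect at creation.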

Monitor if Periodic Assessment is enabled for your machines (both Azure and Arc-enabled machines)

  1. Go to Policy in the Azure portal and under Authoring, select Definitions.
  2. From the Category dropdown, select Update management center. Select [Preview]: Machines should be configured to periodically check for missing system updates.
  3. When the policy definition opens, select Assign.
  4. In Basics, select your subscription as the scope. You can also narrow the scope to a resource group within the subscription. Select Next.
  5. This is an audit definition: it has no parameters to set and nothing to remediate, so select Next on both the Parameters and Remediation tabs.
  6. In Non-compliance message, enter the message to show for non-compliant resources, for example: Your machine doesn't have periodic assessment enabled. Select Review+Create.
  7. In Review+Create, select Create. Creating the assignment can take a minute or so.

You can monitor the compliance of resources under Compliance from the Policy home page. Because this definition only audits, a non-compliant machine is brought into line by the Configure assignments described earlier (or by enabling the setting on the machine directly), not by a remediation task on this assignment.
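Reading compliance off the portal does not scale well either. The script below is an added example, not from this article, that pulls the compliance records of the audit assignment with the Azure CLI and splits the non-compliant machines by platform, so you know whether it is the Azure VM or the Arc-enabled server assignment that needs another remediation run. It assumes an authenticated `az` session, that the audit assignment's name is passed as the first argument, and that the Azure Resource Manager provider paths `Microsoft.Compute/virtualMachines` and `Microsoft.HybridCompute/machines` identify the two platforms. The sample states embedded in the block are constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of the article: list machines the audit assignment
# reports as NonCompliant, grouped by platform (Azure VM vs Arc-enabled).
# Assumes an authenticated Azure CLI for the live query.
set -eu

# Classify a machine resource ID by its provider path (case-insensitive).
platform_of() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    */providers/microsoft.hybridcompute/machines/*) echo arc ;;
    */providers/microsoft.compute/virtualmachines/*) echo vm ;;
    *) echo other ;;
  esac
}

# Read "resourceId<TAB>complianceState" lines (the TSV shape produced by
# fetch_states) and print "platform<TAB>resourceId" for NonCompliant rows.
noncompliant_by_platform() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r rid state; do
    [ "$state" = "NonCompliant" ] || continue
    printf '%s\t%s\n' "$(platform_of "$rid")" "$rid"
  done
}

# Count rows for one platform on stdin (output of noncompliant_by_platform).
count_platform() {
  awk -F'\t' -v p="$1" '$1 == p { n++ } END { print n + 0 }'
}

# Live query: latest policy state of every resource under the assignment,
# at the current subscription scope.
fetch_states() {
  az policy state list \
    --filter "PolicyAssignmentName eq '$1'" \
    --query "[].[resourceId, complianceState]" --output tsv
}

# Constructed sample in the same TSV shape, used when no assignment is given.
SAMPLE_STATES="$(printf '%s\t%s\n' \
  /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01 NonCompliant \
  /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.HybridCompute/machines/dc01 NonCompliant \
  /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/db01 Compliant)"

# Usage: ./list_unassessed.sh [audit-assignment-name]
if [ "${1:-}" != "" ]; then
  fetch_states "$1" | noncompliant_by_platform | sort
else
  printf '%s\n' "$SAMPLE_STATES" | noncompliant_by_platform | sort
fi
```

Feed the `vm` rows to a fresh `az policy remediation create` against the Azure VM assignment and the `arc` rows to the Arc-enabled one; anything classified as `other` is a resource type neither Configure definition targets and deserves a manual look.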

Next steps