Maximizing Your Security with Azure Update Management

What is Azure Update Management?

Azure Update Management is a cloud-based patch management solution that helps organizations keep their Azure resources up-to-date with the most critical security and performance updates. With Azure Update Management, users can set up maintenance windows to automatically detect, download, and install both critical and security updates for physical or virtual machines in the production environment. Additionally, it allows users to review patch status and update assessments to ensure that all systems are properly updated.

Azure Update Management also provides support for Azure Log Analytics Workspaces as well as deployment schedules for software patches and updates. With its comprehensive features, users can configure guest patching settings, determine which updates should be installed on specific machines, create custom classifications for software updates, and more. Additionally, Azure Automation Update Management integrates with Azure Log Analytics and Azure Monitor to provide complete visibility into update installation activities within an organization’s environment.

Key Features of Azure Update Management

  • Centralized solution for managing updates to VMs: Azure Update Management provides a centralized solution for managing updates to VMs in Azure or on-premises. This allows administrators to easily manage updates from a single location rather than manually updating each VM.
  • Automated process for installing updates: The solution automates the process of installing updates to VMs, reducing the workload for administrators and improving efficiency.
  • Scheduling update installations: Administrators can schedule update installations to be performed during a maintenance window or at a convenient time for their organization.
  • Specifying updates to install or skip: Azure Update Management also allows administrators to specify which updates to install or skip, providing more control over the update process and ensuring that only necessary updates are installed.
  • Support for Windows and Linux machines: you can centrally manage all your servers without needing a separate solution for non-Windows machines.
  • Pre and Post Activities: Update Management is built on Azure Automation, which lets you define custom actions that run before and after update installation. If needed, you can extend these runbooks to your on-premises machines using the Azure Automation Hybrid Runbook Worker.

Prerequisites

Before configuring Update Management, it’s important to understand the prerequisites that must be in place.

  • Azure Automation Account
  • Azure Log Analytics Workspace
    • All data will be stored in the Azure Log Analytics workspace
  • An Azure Subscription
    • Permissions to deploy resources and services to that subscription
  • One or more virtual machines (VMs) running in Azure or on-premises
  • Azure Update Management integrates with the following solutions. These are all optional integrations:
    • Configuration Manager (SCCM)
    • Windows Server Update Services (WSUS)
    • Active Directory
    • Windows Admin Center

Setting Up Update Management

Setting up Azure Update Management is a straightforward process and can help organizations ensure that their Azure resources are running smoothly, securely and optimally.

Create a Resource Group

  1. Log in to the Azure portal (portal.azure.com).
  2. Click the “Create a resource” button (+) in the upper-left corner of the screen.
  3. In the “New” page, search for “Resource group” in the search box and select “Resource group” from the results.
  4. In the “Resource Group” page, click the “Create” button.
  5. In the “Basics” tab, fill in the following information:
    • Subscription: select the subscription that you want to use for the resource group.
    • Resource group: enter a unique name for your resource group, for example, RG-PROD-AZ-UPDATE-MGMT-WE
    • Region: select the region where you want to create the resource group.
  6. Click the “Review + create” button to go to the “Review + create” tab.
  7. Review the settings and click the “Create” button to create the resource group.
  8. Once the resource group is created, you can see it listed in the “Resource groups” section of the Azure portal.

Create an Automation Account

  1. Log in to the Azure portal (portal.azure.com)
  2. Click the “Create a resource” button (+) in the upper-left corner of the screen
  3. Search for “Automation” in the search box and select “Automation” from the results
  4. Click the “Create” button
  5. Fill in the required information
    • Subscription
    • Resource Group
    • Name – for example, PROD-IT-SRV-PATCHING-WE
    • Region
  6. Click the “Review + create” button to go to the “Review + create” tab.
  7. Click “Create” to create the Automation account.

Create a Log Analytics Workspace

  1. Log in to the Azure portal (portal.azure.com).
  2. Click the “Create a resource” button (+) in the upper-left corner of the screen.
  3. In the “New” page, search for “Log Analytics workspace” in the search box and select “Log Analytics workspace” from the results.
  4. In the “Log Analytics workspace” page, click the “Create” button.
  5. In the “Basics” tab, fill in the following information:
    • Subscription: select the subscription that you want to use for the Log Analytics workspace.
    • Resource group: use the same resource group that you created for Azure Automation Account, RG-PROD-AZ-UPDATE-MGMT-WE
    • Workspace name: enter a unique name for your Log Analytics workspace. For example, PROD-LAW-WE
    • Region: select the region where you want to create the Log Analytics workspace.

  6. Click the “Review + create” button to go to the “Review + create” tab.
  7. Review the settings and click the “Create” button to create the Log Analytics workspace.
  8. Once the workspace is created, you can see it listed in the “Log Analytics workspaces” section of the Azure portal.

Enable Update Management

Once you have an Automation account, you can enable Update Management. Here are the steps to do so:

  1. Open your Automation account, for example PROD-IT-SRV-PATCHING-WE
  2. Click “Update Management” in the left-hand menu
  3. Choose the Subscription and Log Analytics Workspace
  4. Click the “Enable” button

Configuring Your Machines for Update Management

Now that Azure Update Management is configured, we need to start onboarding machines. First, we must define the scope of machines we want to onboard.

As of today, there are three different options:

  • Enable on all available machines
  • Enable on all available and future machines
  • Enable on selected machines
In this case, let's select the second option, “Enable on all available and future machines”. This makes it easier to automatically onboard new machines to Update Management. You can always change this later to match your internal processes.

Installing the Microsoft Monitoring Agent

Every server that we want to manage through Update Management needs an agent. There are several ways to install it:

  • Manually
  • Group Policy
  • Azure Arc for Servers Extensions
  • Configuration Manager
  • PowerShell

To install the agent, we first need to get the Log Analytics Workspace ID and Key.

  1. In the Azure portal, navigate to the Log Analytics workspace you want to collect data from.
  2. Click “Agents” under the “Workspace Data Sources” section.
  3. Click “Windows Server” and select the appropriate version of the Microsoft Monitoring Agent for your environment.
  4. Click the “Download” button to download the agent installation package.
  5. Run the downloaded setup file and follow the prompts to install the agent on your server.
  6. During the installation, select the “Connect the agent to Azure Log Analytics (OMS)” option and click “Next”.
  7. In the “Azure Log Analytics (OMS) Workspace” field, enter the Workspace ID and Workspace Key for your Log Analytics workspace. These can be found in the “Advanced Settings” section of the Log Analytics workspace overview page.
  8. Follow the remaining prompts to complete the installation.
  9. Once the installation is complete, the agent will start collecting data and sending it to your Log Analytics workspace.
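The same installation, done unattended from PowerShell instead of the setup wizard, as an added example that is not part of the original post. It assumes MMASetup-AMD64.exe was downloaded from the workspace's “Agents” blade to C:\Temp and that the Workspace ID and Key are supplied through the environment variables LAW_WORKSPACE_ID and LAW_WORKSPACE_KEY (names chosen here) so the key is never written into a shared script; the setup switches and the AgentConfigManager COM object are the ones Microsoft documents for the agent.

```powershell
# Added example: silent Microsoft Monitoring Agent install + workspace binding check.
param(
    [string]$Installer    = 'C:\Temp\MMASetup-AMD64.exe',
    [string]$ExtractDir   = 'C:\Temp\MMA',
    [string]$WorkspaceId  = $env:LAW_WORKSPACE_ID,   # assumed env var, set before running
    [string]$WorkspaceKey = $env:LAW_WORKSPACE_KEY   # assumed env var, never hardcode the key
)

if (-not $WorkspaceId -or -not $WorkspaceKey) {
    throw 'Set LAW_WORKSPACE_ID and LAW_WORKSPACE_KEY before running this script.'
}

# Step 1: the downloaded package is a self-extractor; unpack it quietly.
Start-Process -FilePath $Installer -ArgumentList "/c /t:$ExtractDir" -Wait

# Step 2: run the extracted setup.exe silently, connecting it to the workspace.
# OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 selects the Azure commercial cloud.
$setupArgs = @(
    '/qn', 'NOAPM=1', 'ADD_OPINSIGHTS_WORKSPACE=1',
    'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',
    "OPINSIGHTS_WORKSPACE_ID=`"$WorkspaceId`"",
    "OPINSIGHTS_WORKSPACE_KEY=`"$WorkspaceKey`"",
    'AcceptEndUserLicenseAgreement=1'
)
$proc = Start-Process -FilePath (Join-Path $ExtractDir 'setup.exe') `
                      -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "MMA setup failed with exit code $($proc.ExitCode)"
}

# Step 3: verify the agent service (HealthService) is running and that the
# agent is bound to the workspace we intended, not to some other one.
$svc = Get-Service -Name HealthService
if ($svc.Status -ne 'Running') { Start-Service -Name HealthService }

$mma   = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$bound = $mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId }
if ($bound) {
    "Agent connected to workspace $WorkspaceId (status: $($bound.ConnectionStatusText))"
} else {
    throw 'Agent installed but not bound to the expected workspace.'
}
```

The machine still has to report in before it appears in Update Management; the binding check only confirms the agent side is configured correctly.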

After the agent is installed, it may take some time before the machine shows up in Update Management.

Scheduling Updates and Maintenance Windows

Scheduling updates and maintenance windows is an essential part of keeping your machines secure and up-to-date. By configuring Azure Update Management, you can easily create maintenance windows and schedule update deployments for all of your machines. This will ensure that critical updates are installed on a regular basis, as well as enable you to deploy guest patches in a production environment.

You can build your machine groups based on the following information or features:

  • Active Directory Groups
  • Windows Server Update Services groups
  • Configuration Manager Device Collections
  • Saved Computer Groups
    • These are based on KQL queries that you build yourself

Update Management allows you to create scheduled jobs or one-time jobs. One-time jobs are good if you need to do out-of-band patching or you want to reboot some nodes outside of business hours.

Understanding Update Classifications and Security Vulnerabilities

When it comes to understanding update classifications and security vulnerabilities, Azure Update Management offers a number of features to make the process easier. It is important to classify software updates so that you can ensure only necessary patches and updates are installed on your virtual machines. Azure Update Management allows you to configure software update classifications and set up a Log Analytics Workspace to monitor patch status and update assessment. This makes it possible for you to quickly identify any security vulnerabilities that need addressing.
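As an added example that is not part of the original post, the following script queries the same workspace from PowerShell: the first query has the shape a Saved Computer Group needs (it must return a list of Computer values), and the second lists Windows machines whose last assessment still shows missing Security or Critical updates. It assumes the Az.OperationalInsights module, an existing Connect-AzAccount session, the resource group and workspace names used in this walkthrough, and a constructed naming convention in which production servers start with PROD.

```powershell
# Added example: patch-status reporting against the Update Management workspace.
param(
    [string]$ResourceGroup = 'RG-PROD-AZ-UPDATE-MGMT-WE',   # from this walkthrough
    [string]$WorkspaceName = 'PROD-LAW-WE'                  # from this walkthrough
)

$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Query 1: a Saved Computer Group definition. Machines that sent a heartbeat in
# the last day and whose name starts with PROD (constructed naming convention).
$groupQuery = @'
Heartbeat
| where TimeGenerated > ago(1d)
| where Computer startswith "PROD"
| distinct Computer
'@

# Query 2: missing updates per machine. UpdateState "Needed" means applicable
# but not installed; the 12 h window keeps only the latest assessment cycle,
# and arg_max keeps one row per machine/KB so repeats do not inflate counts.
$missingQuery = @'
Update
| where TimeGenerated > ago(12h)
| where OSType != "Linux"
| where Classification in ("Security Updates", "Critical Updates")
| where UpdateState =~ "Needed" and Optional == false and Approved == true
| summarize arg_max(TimeGenerated, *) by Computer, KBID
| project Computer, KBID, Title, Classification, MSRCSeverity
| order by Computer asc
'@

# Invoke-AzOperationalInsightsQuery takes the workspace GUID (CustomerId), not its name.
$group   = (Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $groupQuery).Results
$missing = (Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $missingQuery).Results

"{0} machine(s) in the PROD group; {1} missing Security/Critical update row(s)" -f @($group).Count, @($missing).Count

# One summary line per machine, listing the KB numbers it is still missing.
$missing | Group-Object Computer | ForEach-Object {
    "{0}: {1} missing ({2})" -f $_.Name, $_.Count, (($_.Group.KBID | Sort-Object -Unique) -join ', ')
}
```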

During the Update Deployment wizard, you can choose the following classifications:

  • Critical Updates
  • Security Updates
  • Update Rollups
  • Feature packs
  • Service Packs
  • Definition Updates
  • Tools
  • Updates

Creating a new Updates Deployment

To create the Updates deployment, follow these steps:

  1. In the Update Management pane, click “Schedule update deployment”.
  2. In the “New Update Deployment” tab, configure the following settings
    1. Groups to update
      • You can specify Azure or non-Azure machines. If you built the Computer Groups before in Log Analytics, then you can select them under this node.
    2. Machines to update
      • You can select machine names manually. Sometimes it may be needed to do out-of-band patching and patch only certain machines.
    3. Update Classifications – the eight classifications listed above
    4. Include / Exclude Updates
      • Include or exclude certain updates
    5. Schedule Settings
      • Define when servers are patched, either on a recurring schedule or as a one-time job
    6. Pre-Scripts + Post-Scripts
      • If you have certain apps or services that require different handling, you can write PowerShell automation that runs before and after patching
    7. Maintenance Window (minutes)
      • The maintenance window defaults to 120 minutes, within which all updates must be applied. If this is not sufficient, you can extend the window.
    8. Reboot Options
      • Reboot if required
      • Never Reboot
      • Always Reboot
      • Only reboot – will not install updates
  3. Click Create
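A pre-script runbook for step 6 above, as an added example that is not part of the original post. Update Management hands pre- and post-scripts one JSON parameter, SoftwareUpdateConfigurationRunContext; the parameter name and the fields read here (SoftwareUpdateConfigurationRunId, SoftwareUpdateConfigurationSettings.AzureVirtualMachines) follow Microsoft's documented pre/post-script sample and should be verified against the current docs. The runbook starts any target Azure VM that is stopped or deallocated so it actually gets patched inside the maintenance window, and records those VMs in a per-run Automation variable so a matching post-script can stop exactly those again; it assumes the Automation account's system-assigned managed identity has Virtual Machine Contributor on the target VMs and uses the account names from this walkthrough.

```powershell
# Added example: Update Management pre-script that powers on stopped target VMs.
param(
    [string]$SoftwareUpdateConfigurationRunContext   # JSON passed in by Update Management
)

Connect-AzAccount -Identity | Out-Null               # managed identity of the Automation account

$context = $SoftwareUpdateConfigurationRunContext | ConvertFrom-Json
$runId   = $context.SoftwareUpdateConfigurationRunId
$vmIds   = $context.SoftwareUpdateConfigurationSettings.AzureVirtualMachines  # VM resource IDs

if (-not $vmIds) {
    Write-Output "Run $runId targets no Azure VMs; nothing to start."
    return
}

$started = @()
foreach ($id in $vmIds) {
    # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<name>
    $parts = $id -split '/'
    $rg    = $parts[4]
    $name  = $parts[8]

    $vm    = Get-AzVM -ResourceGroupName $rg -Name $name -Status
    $power = ($vm.Statuses | Where-Object Code -like 'PowerState/*').Code
    if ($power -in @('PowerState/deallocated', 'PowerState/stopped')) {
        Write-Output "Starting $name ($rg) for update run $runId"
        Start-AzVM -ResourceGroupName $rg -Name $name | Out-Null
        $started += $id
    }
}

# Persist the list under a per-run variable; the post-script reads the same
# name, stops only these VMs, and removes the variable afterwards.
$varName       = "UpdateRun-$runId-StartedVms"
$automationRg  = 'RG-PROD-AZ-UPDATE-MGMT-WE'   # from this walkthrough
$automationAcc = 'PROD-IT-SRV-PATCHING-WE'     # from this walkthrough
New-AzAutomationVariable -ResourceGroupName $automationRg -AutomationAccountName $automationAcc `
    -Name $varName -Value ($started -join ',') -Encrypted $false | Out-Null

Write-Output "Started $($started.Count) VM(s); recorded in variable $varName"
```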

You can create different deployments for different servers. We are not limited to only one update deployment.

Best Practices for Azure Update Management

  • Regularly check for updates: It’s important to check for updates and schedule them promptly and regularly. This helps ensure VMs are protected against potential security threats and stay updated with the latest security updates.
  • Plan maintenance windows: Schedule updates during maintenance windows to minimize downtime and reduce the impact on operations. This also helps ensure that updates are installed promptly and VMs are kept up to date.
  • Test updates before installing: Before installing updates, it’s best practice to test them in a test environment to ensure that they do not negatively impact your environment. This helps prevent potential issues and ensures that updates are installed smoothly.
  • Monitor the update process: Regularly monitor the update process to ensure that updates are installed correctly and without issue. This helps prevent potential problems and ensures VMs are protected against security threats.

Conclusion

Azure Update Management is a comprehensive solution for managing updates to VMs in Azure or on-premises. Its key benefits include staying ahead of potential security threats, integrating with other security solutions, reducing downtime, and maintaining a secure environment.

With its advanced features and benefits, Azure Update Management is an essential service for organizations looking to ensure the security of their environment. Whether you’re looking to automate the update process, reduce downtime, or comply with security regulations and standards, Azure Update Management can help you achieve your goals.


Contact me

If you’re interested in learning more about maximizing your security with Azure Update Management, I can help you understand how this solution can benefit your organization and provide a customized solution tailored to your specific needs.
