Now that Azure Update Management is configured, we need to start onboarding machines. First, we must enable the scope of machines we want to onboard.
Installing the Microsoft Monitoring Agent
Every server that we want to manage through Update Management needs an agent. There are several ways to install the agent:
- Group Policy
- Azure Arc for Servers Extensions
- Configuration Manager
To install the agent, we first need to get the Log Analytics Workspace ID and Key.
- In the Azure portal, navigate to the Log Analytics workspace you want to collect data from.
- Click “Agents” under the “Workspace Data Sources” section.
- Click “Windows Server” and select the appropriate version of the Microsoft Monitoring Agent for your environment.
- Click the “Download” button to download the agent installation package.
- Run the downloaded setup file and follow the prompts to install the agent on your server.
- During the installation, select the “Connect the agent to Azure Log Analytics (OMS)” option and click “Next”.
- In the “Azure Log Analytics (OMS) Workspace” field, enter the Workspace ID and Workspace Key for your Log Analytics workspace. These can be found in the “Advanced Settings” section of the Log Analytics workspace overview page.
- Follow the remaining prompts to complete the installation.
- Once the installation is complete, the agent will start collecting data and sending it to your Log Analytics workspace.
After the agent is installed, it may take some time before the machine shows up in Update Management.
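The portal walkthrough above is fine for one server; for many servers the same steps run unattended. The following is an added example, not code from the original post: it uses the documented command-line switches of the Microsoft Monitoring Agent installer (extract with /c /t:, then setup.exe with the OPINSIGHTS_* properties) and verifies the result locally through the agent's AgentConfigManager COM object. The installer path and extraction directory are assumptions; the Workspace ID and Key are prompted for rather than hard-coded, because the key is a credential.

```powershell
# Added example (not part of the original post): unattended install of the
# Microsoft Monitoring Agent and attachment to a Log Analytics workspace.
# Run in an elevated PowerShell session on the server being onboarded.
# Assumed: the installer was downloaded from the "Agents" blade to C:\Temp.
$installer    = 'C:\Temp\MMASetup-AMD64.exe'   # assumption: download path
$extractDir   = 'C:\Temp\MMA'                  # assumption: extraction folder
$workspaceId  = Read-Host -Prompt 'Workspace ID'
$workspaceKey = Read-Host -Prompt 'Workspace Key' -AsSecureString

# 1. Extract the self-extracting package (documented /c /t:<dir> switches).
Start-Process -FilePath $installer -ArgumentList "/c /t:$extractDir" -Wait

# 2. Silent install that connects to the workspace in the same step.
#    OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 selects the Azure commercial cloud.
#    The key has to be passed on the command line, so it is converted back to
#    plain text only for the lifetime of this process.
$plainKey = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($workspaceKey))
$setupArgs = @(
    '/qn', 'NOAPM=1', 'ADD_OPINSIGHTS_WORKSPACE=1',
    'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',
    "OPINSIGHTS_WORKSPACE_ID=`"$workspaceId`"",
    "OPINSIGHTS_WORKSPACE_KEY=`"$plainKey`"",
    'AcceptEndUserLicenseAgreement=1'
) -join ' '
$setup = Start-Process -FilePath (Join-Path $extractDir 'setup.exe') `
    -ArgumentList $setupArgs -Wait -PassThru
if ($setup.ExitCode -ne 0) {
    throw "MMA setup failed with exit code $($setup.ExitCode)"
}

# 3. Verify locally: the HealthService is running and the workspace is
#    registered in the agent with a healthy connection status.
Get-Service HealthService | Select-Object Name, Status, StartType
$agent = New-Object -ComObject 'AgentConfigManager.MgmtSvcConfig'
$agent.GetCloudWorkspaces() | ForEach-Object {
    [pscustomobject]@{
        WorkspaceId      = $_.workspaceId
        ConnectionStatus = $_.ConnectionStatus   # 0 means connected
    }
}
```

A ConnectionStatus of 0 for your workspace ID confirms the agent is talking to Log Analytics; if the machine still does not appear in Update Management after the usual delay, the Heartbeat table in the workspace is the next place to look.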
Scheduling Updates and Maintenance Windows
Scheduling updates and maintenance windows is an essential part of keeping your machines secure and up-to-date. By configuring Azure Update Management, you can easily create maintenance windows and schedule update deployments for all of your machines. This will ensure that critical updates are installed on a regular basis, as well as enable you to deploy guest patches in a production environment.
You can build your machine groups based on the following information or features:
- Active Directory Groups
- Windows Server Update Services groups
- Configuration Manager Device Collections
- Saved Computer Groups
  - These are based on KQL queries that you build yourself
Update Management allows you to create scheduled jobs or one-time jobs. One-time jobs are good if you need to do out-of-band patching or you want to reboot some nodes outside of business hours.
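A Saved Computer Group is only as good as the KQL behind it, so it is worth running the query first and checking which machines it returns before saving it. The block below is an added example, not from the original post: it runs a group definition against the Heartbeat table with the Az.OperationalInsights module and then persists it as a saved search tagged as a computer group. The resource group, workspace name and the "WEB" naming pattern are assumptions; the -FunctionAlias and -Tag parameters on New-AzOperationalInsightsSavedSearch are assumed to be present in your module version (check Get-Help first).

```powershell
# Added example (not part of the original post): validate and save a KQL-based
# computer group for Update Management.
# Assumed values: resource group, workspace name, server naming pattern.
Connect-AzAccount | Out-Null
$rg = 'rg-monitoring'                                                   # assumption
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-prod'  # assumption

# Group definition: Windows servers named WEB* that have sent a heartbeat in
# the last 24 hours. Machines that are not reporting cannot be patched anyway,
# so excluding them keeps the deployment report free of false failures.
$groupQuery = @'
Heartbeat
| where TimeGenerated > ago(24h)
| where OSType == "Windows" and Computer startswith "WEB"
| distinct Computer
'@

# Dry run: see exactly which computers the group would contain today.
$result  = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $groupQuery
$members = @($result.Results | Select-Object -ExpandProperty Computer)
Write-Output "Group would contain $($members.Count) machine(s):"
$members | ForEach-Object { Write-Output "  $_" }

if ($members.Count -eq 0) {
    throw 'Query returned no computers; fix the filter before saving the group.'
}

# Persist it as a saved search tagged Group=Computer so it shows up under
# "Saved Computer Groups" in the deployment wizard.
# Assumption: -FunctionAlias and -Tag exist in the installed Az.OperationalInsights.
New-AzOperationalInsightsSavedSearch -ResourceGroupName $rg -WorkspaceName $ws.Name `
    -SavedSearchId 'um-web-servers' -DisplayName 'WEB servers' `
    -Category 'Update Management' -Query $groupQuery -Version 2 `
    -FunctionAlias 'UM_WebServers' -Tag @{ Group = 'Computer' }
```

Because the group is evaluated at run time, a new WEB server that starts sending heartbeats is picked up by the next scheduled deployment without anyone editing the deployment.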
Understanding Update Classifications and Security Vulnerabilities
When it comes to understanding update classifications and security vulnerabilities, Azure Update Management offers a number of features to make the process easier. It is important to classify software updates so that you can ensure only necessary patches and updates are installed on your virtual machines. Azure Update Management allows you to configure software update classifications and set up a Log Analytics Workspace to monitor patch status and update assessment. This makes it possible for you to quickly identify any security vulnerabilities that need addressing.
During the Update Deployment wizard, you can choose the following classifications:
- Critical Updates
- Security Updates
- Update Rollups
- Feature packs
- Service Packs
- Definition Updates
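The classification the agent assigns to each update is also what the Update table in Log Analytics records, which makes it possible to report on exactly the classifications you care about outside the portal. The following is an added example, not from the original post: it lists machines that are still missing Critical or Security updates, grouped by classification, and exits non-zero when anything is outstanding so it can gate a pipeline or feed an alert. The resource group and workspace name are assumptions.

```powershell
# Added example (not part of the original post): report Windows machines that
# still need Critical or Security updates, from the Update table that the
# agent populates during its update assessment.
# Assumed values: resource group and workspace name.
Connect-AzAccount | Out-Null
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'rg-monitoring' -Name 'law-prod'  # assumption

$query = @'
Update
| where TimeGenerated > ago(1d)
| where OSType != "Linux"
| where UpdateState == "Needed" and Optional == false
| where Classification in ("Critical Updates", "Security Updates")
// keep only the latest assessment row per machine and KB
| summarize arg_max(TimeGenerated, *) by Computer, KBID
| summarize Missing = dcount(KBID), KBs = make_set(KBID, 20) by Computer, Classification
| order by Missing desc
'@

$rows = @((Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $query).Results)

if ($rows.Count -eq 0) {
    Write-Output 'No machine is missing Critical or Security updates.'
    exit 0
}

$rows | Format-Table Computer, Classification, Missing, KBs -AutoSize
Write-Output "$($rows.Count) computer/classification pair(s) still need updates."
exit 1
```

Widening the Classification filter to "Update Rollups" or "Definition Updates" gives the same report for the other classifications listed above; the UpdateState filter is what separates "needed" from already installed updates.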
Creating a new Updates Deployment
To create the Updates deployment, follow these steps:
- In the Update Management pane, click “Schedule update deployment”.
- In the “New Update Deployment” tab, configure the following settings:
  - Groups to update
    - You can specify Azure or non-Azure machines. If you built the Computer Groups in Log Analytics beforehand, you can select them under this node.
  - Machines to update
    - You can select machine names manually. Sometimes it may be necessary to do out-of-band patching and patch only certain machines.
  - Update Classifications
    - The 8 classifications mentioned above
  - Include / Exclude Updates
    - Include or exclude certain updates
  - Schedule Settings
    - Define when servers can be patched, or make it a one-time job
  - Pre-Scripts + Post-Scripts
    - If you have certain apps or services that require different handling, you can write PowerShell automation around patching
  - Maintenance Window (minutes)
    - The maintenance window has a default duration of 120 minutes, in which all the updates should be applied. If this is not sufficient, you can extend the window.
  - Reboot Options
    - Reboot if required
    - Never Reboot
    - Always Reboot
    - Only reboot – will not install updates
- Click Create
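Pre-scripts and post-scripts are Azure Automation runbooks, and Update Management hands each of them a single parameter, SoftwareUpdateConfigurationRunContext, as a JSON string describing the run. The block below is an added example of a pre-task runbook, not from the original post: it reads the context, starts any targeted Azure VM that is not running so the agent can actually patch it, and records the VMs it started in an Automation variable for a matching post-task to power off again. The variable name UM-StartedVMs and the use of a system-assigned managed identity with rights to start VMs are assumptions.

```powershell
# Added example (not part of the original post): pre-task runbook for an
# update deployment. Update Management passes one JSON parameter,
# SoftwareUpdateConfigurationRunContext, to pre/post runbooks.
# Assumptions: the Automation account has a system-assigned managed identity
# allowed to read and start the VMs, and an Automation variable 'UM-StartedVMs'
# exists for the post-task to read.
param(
    [string]$SoftwareUpdateConfigurationRunContext
)

$context = $SoftwareUpdateConfigurationRunContext | ConvertFrom-Json
$runId   = $context.SoftwareUpdateConfigurationRunId
$vmIds   = @($context.SoftwareUpdateConfigurationSettings.AzureVirtualMachines)
Write-Output "Pre-task for run $runId, $($vmIds.Count) Azure VM(s) targeted"

Connect-AzAccount -Identity | Out-Null

# Resource ID layout:
# /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{name}
$started = foreach ($id in $vmIds) {
    $parts = $id -split '/'
    $sub = $parts[2]; $rg = $parts[4]; $name = $parts[8]
    Set-AzContext -SubscriptionId $sub | Out-Null

    $power = (Get-AzVM -ResourceGroupName $rg -Name $name -Status).Statuses |
        Where-Object Code -like 'PowerState/*' |
        Select-Object -ExpandProperty Code

    if ($power -ne 'PowerState/running') {
        Write-Output "Starting $name (current state: $power)"
        Start-AzVM -ResourceGroupName $rg -Name $name | Out-Null
        $id   # emitted into $started
    }
}

# Hand the list to the post-task so only the VMs we started get stopped again.
$startedList = @($started) -join ','
Set-AutomationVariable -Name 'UM-StartedVMs' -Value $startedList
Write-Output "Started $(@($started).Count) VM(s) for patching"
```

The post-task is the mirror image: read UM-StartedVMs, Stop-AzVM each ID with -Force, and clear the variable. Keeping the started list in a variable rather than recomputing it is what prevents the post-task from powering off a machine that was already running before the deployment began.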
You can create different deployments for different servers. We are not limited to only one update deployment.
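Everything the wizard asks for maps onto two cmdlets in the Az.Automation module, which makes it practical to keep deployments in source control and recreate them per environment. The following is an added example, not from the original post: it builds a weekly Saturday 02:00 schedule, then creates a Windows deployment with an Azure query scope, explicit non-Azure computers, Critical and Security classifications, an excluded KB, a 2-hour maintenance window, reboot-if-required and pre/post runbooks. Resource group, Automation account, scope, computer names, time zone, runbook names and the excluded KB number are all assumptions (the KB is a placeholder); the runbooks must already exist in the account.

```powershell
# Added example (not part of the original post): create the update deployment
# from the wizard walkthrough with Az.Automation instead of the portal.
# Assumed values: resource group, Automation account, scope, names, time zone.
Connect-AzAccount | Out-Null
$rg   = 'rg-automation'   # assumption
$acct = 'aa-updates'      # assumption

# Schedule Settings: next Saturday at 02:00, repeating weekly.
# The start time must be in the future, so roll forward until it is.
$start = (Get-Date).Date.AddHours(2)
while ($start.DayOfWeek -ne 'Saturday' -or $start -lt (Get-Date).AddMinutes(10)) {
    $start = $start.AddDays(1)
}
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $acct `
    -Name 'Weekly-Sat-0200' -StartTime $start -WeekInterval 1 -DaysOfWeek Saturday `
    -TimeZone 'W. Europe Standard Time'   # assumption

# Groups to update: every VM in the rg-web resource group that carries the
# patchGroup=wave1 tag (dynamic, evaluated at each run).
$azureQuery = New-AzAutomationUpdateManagementAzureQuery -ResourceGroupName $rg `
    -AutomationAccountName $acct `
    -Scope @('/subscriptions/<subscription-id>/resourceGroups/rg-web') `   # placeholder scope
    -Tag @{ patchGroup = 'wave1' }

# The deployment itself (its name is taken from the schedule).
$deployment = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg `
    -AutomationAccountName $acct -Schedule $schedule -Windows `
    -AzureQuery $azureQuery `
    -NonAzureComputer @('ONPREM-APP01', 'ONPREM-APP02') `      # Machines to update (assumed)
    -IncludedUpdateClassification Critical, Security `          # Update Classifications
    -ExcludedKbNumber @('0000000') `                            # Exclude Updates (placeholder KB)
    -Duration (New-TimeSpan -Hours 2) `                         # Maintenance Window
    -RebootSetting IfRequired `                                 # Reboot Options
    -PreTaskRunbookName 'UM-PreTask' -PostTaskRunbookName 'UM-PostTask'  # assumed runbooks

# Read it back to confirm what was stored.
Get-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg `
    -AutomationAccountName $acct -Name $schedule.Name |
    Select-Object Name, ProvisioningState, @{ n = 'NextRun'; e = { $_.ScheduleInfo.NextRun } }
```

Valid values for -RebootSetting are IfRequired, Never, Always and RebootOnly, matching the four reboot options in the wizard; swapping -Windows for -Linux (and the Linux classification names) gives the equivalent Linux deployment.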
Best Practices for Azure Update Management
- Regularly check for updates: It’s important to check for updates and schedule them promptly and regularly. This helps ensure VMs are protected against potential security threats and stay updated with the latest security updates.
- Plan maintenance windows: Schedule updates during maintenance windows to minimize downtime and reduce the impact on operations. This also helps ensure that updates are installed promptly and VMs are kept up to date.
- Test updates before installing: Before installing updates, it’s best practice to test them in a test environment to ensure that they do not negatively impact your environment. This helps prevent potential issues and ensures that updates are installed smoothly.
- Monitor the update process: Regularly monitor the update process to ensure that updates are installed correctly and without issue. This helps prevent potential problems and ensures VMs are protected against security threats.
Azure Update Management is a comprehensive solution for managing updates to VMs in Azure or on-premises. Its key benefits include staying ahead of potential security threats, integrating with other security solutions, reducing downtime, and maintaining a secure environment.
With its advanced features and benefits, Azure Update Management is an essential service for organizations looking to ensure the security of their environment. Whether you’re looking to automate the update process, reduce downtime, or comply with security regulations and standards, Azure Update Management can help you achieve your goals.