Server update with Azure Update Management
Fanfare
Update management is not always easy in distributed infrastructures, especially if Linux servers are also deployed. On top of this, increasing numbers of companies are operating servers not only in local data centers, but in the cloud. In these cases, companies do not exclusively use Microsoft Azure, but also Amazon Web Services (AWS), the Google Cloud Platform, and other providers. Multicloud environments commonly exist, which adds further complexity to patch management.
Thanks to Azure Update Management, admins can manage all of their servers together in a centralized, automated interface, keeping Windows and Linux servers up to date globally. Virtual machines (VMs) running on other cloud providers can also be connected to the patch service. In addition to Windows Server, the supported operating systems include CentOS 6/7, RHEL 7/7, SUSE starting at version 12, and Ubuntu starting at version 14.04. However, you cannot update Windows 7, 8.1, or 10 with the solution. Microsoft recommends Endpoint Manager for those systems.
Azure Update Management focuses on monitoring the connected servers for missing updates, which the service displays in the Azure web portal. According to schedules, Update Management ensures that missing updates make it onto the desired servers. The source of the patches is not Microsoft Azure – the servers to be patched either turn to Microsoft servers on the web or use Windows Server Update Services (WSUS). Azure Update Management also controls the restart of servers after updates are installed, whether they are computers in the on-premises data center or VMs in the cloud.
Other Components
Azure Update Management is a free service for subscribers, fully managed in the cloud, with no on-premises components. To this end, the tool works with Azure Automation, allowing servers to be connected to Update Management automatically. Azure Automation in turn collects information from the connected servers for evaluation in Azure in interaction with the Microsoft Monitoring Agent. Therefore, you install a small agent on the servers, either manually or automatically, and the computers use it to generate logs and send them to the cloud.
The cloud service stores the logs of the Azure Monitor agent in Log Analytics, which is why you need a separate workspace as well as storage space there. However, unlike Azure Update Management itself, these components are commercial. Log Analytics usually also contains the data from Azure Monitor for monitoring the telemetry and logging the connected servers.
Azure Update Management and Azure Monitor can be combined. Put simply, Azure Update Management adds update management to Azure Monitor's capabilities. However, you can also use it without Azure Monitor, although you will need the workspace in Log Analytics in any case.
Azure Monitor also supports connectivity to Azure VMs and servers in on-premises data centers. The monitoring tool can run automated queries over the logs of the connected servers stored in Log Analytics, providing information about the servers, such as missing updates. This data can also be used by other services in Azure, such as Azure Update Management, which I discuss below.
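One such query, as an added example that is not part of the original article: it runs Azure Update Management's assessment data in the Log Analytics `Update` table through the Az.OperationalInsights module to list connected servers that still need Critical or Security updates. It assumes `Connect-AzAccount` has already been run and `$WorkspaceId` is the GUID of your own workspace.

```powershell
# Added example (not from the article). Requires Az.Accounts and Az.OperationalInsights
# and an existing login; $WorkspaceId is a placeholder for the Log Analytics workspace GUID.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId
)

# KQL over the 'Update' table that the agent populates. The assessment runs
# repeatedly, so keep only the newest record per computer/update from the last
# day and then filter on those still reported as 'Needed'.
$query = @'
Update
| where TimeGenerated > ago(1d)
| where Classification in ("Critical Updates", "Security Updates")
| summarize arg_max(TimeGenerated, *) by Computer, UpdateID
| where UpdateState =~ "Needed"
| summarize Missing = count(), OS = take_any(OSType) by Computer
| order by Missing desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query

if (-not $result.Results) {
    Write-Host "No connected server reports missing Critical/Security updates."
    return
}

# A non-zero count here is what should drive a scheduled deployment in
# Update Management rather than an ad-hoc install on the box.
$result.Results | Format-Table Computer, OS, Missing -AutoSize
```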
With the aforementioned Azure Automation, Azure in turn executes actions and commands on the connected systems, including the installation of patches for Windows and Linux. Therefore, you make the settings for Azure Update Management in the Automation account area.
Connecting Local Servers in WAC
Azure Update Management can be set up in the Microsoft Azure web portal, but it is far more convenient from Windows Admin Center (WAC), which generally offers more features to manage local servers, as well as resources from Azure.
To begin, connect the Admin Center to your Azure subscription in the WAC settings by selecting the gear icon at the top and then Settings | Azure. A wizard helps with the setup, and the whole process takes a maximum of five minutes.
Once WAC is connected to Azure, it can be used to link local servers with Azure Update Management. To do this, use either the Azure Hybrid Center item in WAC's main menu, or go to Manage updates on all your servers using Azure Update Management and click the Set up now link. Once selected, a window appears that lets you add servers.
First, select the Azure subscription you want to use; then, configure the location for Log Analytics and specify the name of the workspace, Azure Automation account, and resource group you want to use for Azure Update Management. This procedure is only necessary once. After clicking Set Up, WAC connects to Azure, automatically creates the respective scopes, and binds the corresponding server to Azure Update Management.
This step takes a few minutes. You can see the status in the WAC message area at top right. Once you have bound a server to Azure Update Management, the Admin Center displays information in the updates area (Figure 1). You can also go directly to the Azure portal in WAC to adjust settings for the server. Administration tasks for update management are handled later in the Azure web portal. Microsoft has not integrated these functions into WAC.
Azure Update Management now regularly checks the servers for missing updates and installs them according to a schedule. Incidentally, even after adding a server to Azure Update Management, you can still have patches installed in on-premises update control, with Group Policy, and through Server Manager.
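The schedule mentioned above is what the portal's update deployment dialog creates; as an added example that is not part of the original article, the same deployment can be defined with the Az.Automation module against the Automation account WAC created. The resource group, account name, VM resource ID and time zone below are placeholders, and the script assumes `Connect-AzAccount` has already been run.

```powershell
# Added example (not from the article). Requires the Az.Automation module and an
# existing login; all names below are placeholders for your own resources.
$rg      = 'rg-updatemgmt'   # placeholder: resource group WAC created
$account = 'aa-updatemgmt'   # placeholder: Automation account WAC created
$vmIds   = @(
    '/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/web01'
)

# Recurring schedule: every Sunday at 02:00 in the given time zone. The
# -ForUpdateConfiguration switch marks it as an Update Management schedule.
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'Weekly-Critical-Security' `
    -StartTime (Get-Date).Date.AddDays(1).AddHours(2) `
    -WeekInterval 1 -DaysOfWeek Sunday -TimeZone 'Europe/Berlin' -ForUpdateConfiguration

# Deployment: Critical and Security classifications only, a two-hour maintenance
# window, and a restart only when an installed update requires one.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows -AzureVMResourceId $vmIds `
    -IncludedUpdateClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired
```

Use -NonAzureComputer with the agent's computer names instead of -AzureVMResourceId for the on-premises servers connected through WAC.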
Integrating Azure VMs and Linux Servers
Besides servers in your on-premises data center, Azure VMs can also be connected to Azure Update Management. In the Azure portal's Azure VM dashboard, select the Guest + host updates menu item. To connect to Azure Update Management, choose Update management and Enable. You can remove servers from Update management in the same way.
One of the strengths of Azure Update Management is that it can also integrate Linux servers and run status checks. The configuration is similar to managing updates for Windows. To connect Linux servers that are running as VMs in Azure, for example, open the Azure Update Management account and click Update management; then, select Add Azure VMs to connect VMs in Azure, regardless of whether they are Windows or Linux machines. If you want to bring servers outside of Azure on board, use Add non-Azure machine.
When adding Azure VMs, you first select which Azure subscription you want to use and in which locations and resource groups the servers you currently want to add are stored. At the bottom of the window, the portal lists the individual VMs in Azure and shows which ones are already connected to Azure Update Management. Azure does not differentiate between the various operating systems. After selecting Enable, you have connected the selected computers to Azure Update Management (Figure 2).