Keeping Azure VMs up to date

New Models

Scheduling and Automating Updates

On the Azure Update Management web portal, you can see which servers are not up to date by clicking the Automation Account you created in the resource group where you integrated Azure Update Management and then clicking Update management. You can view the noncompliant servers (i.e., the servers that are missing updates), the compliant servers, and other information here.

Integrating computers with Azure Update Management is the first step in providing updates to those computers. A deployment schedule then lets you automate update controls on the integrated computers. You can define schedules, release specific updates, and configure which updates you want the servers to install automatically – completely independent of the data center in which the computers are running.

You can create schedules from the Schedule update deployment item, which can be found under Update Management in the Azure Update Management account area. To begin, assign a name to the schedule (e.g., Monthly Patch Day), and then select whether the schedule is for Windows or Linux computers. When done, decide on the computer groups you want to connect. On the Groups configuration page, you can configure whether you want to integrate VMs from Azure or from outside Azure. Groups can be filtered by Azure subscription, location, storage locations, and tags. After defining the groups, add the machines you want to update with the schedule.

The section where you select individual update classifications is important. Conventional updates, roll-ups, security updates, critical updates, and feature packs are available, and you can exclude or include individual updates from installation by their Knowledge Base (KB) IDs.

In the update management Overview, below the update management account, several menu items are listed for each computer; they play an essential role in managing the computers. The Machines tab lists the computers integrated with Azure Update Management along with some basic information, including the number of updates missing on each machine and, for machines that are not Azure VMs, whether the management agent can currently connect to Azure.

The Missing updates tab shows which updates are currently not installed on the computers and how many computers are missing each update. A distinction is made between updates for Windows and updates for Linux. If you have created a deployment schedule, it appears under the Deployment schedules menu item. Of course, multiple schedules are possible; you can click on a schedule to customize its settings.

The History tab tells you whether the deployment schedules are working on the computers. In deployment schedules, you can add specific updates on the basis of KB IDs or exclude specific IDs. You can see the exact IDs again in Missing updates. Clicking on an update opens the Microsoft support page with detailed instructions on the update in question. If you double-click on a row with an update, the window changes to the Log Analytics area for update management.
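The monthly deployment schedule described above, created with the Az.Automation PowerShell module instead of the portal wizard. This is an added example, not code from the article or from Microsoft; the resource group and Automation account names, the VM resource IDs, and the excluded KB number are placeholders you replace with your own values.

```powershell
# Added example: a Windows update deployment schedule for Azure Update Management
# built with Az.Automation. All names and IDs below are assumed placeholders.
$rg      = "rg-updates"          # resource group holding the Automation account
$account = "aa-updates"          # Automation account linked to Update Management
$targets = @(                    # Azure VMs to patch (placeholder subscription ID)
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01",
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web02"
)

# Recurring schedule: second Tuesday of every month at 02:00 UTC. The first start
# time must lie in the future; -ForUpdateConfiguration marks the schedule for use
# by Update Management rather than by a runbook.
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name "Monthly Patch Day" `
    -StartTime (Get-Date).AddDays(1).Date.AddHours(2) `
    -MonthInterval 1 -DayOfWeek Tuesday -DayOfWeekOccurrence Second `
    -TimeZone "UTC" -ForUpdateConfiguration

# Deployment: only critical and security classifications, one KB excluded by ID
# (placeholder number), reboot only when a patch needs it, two-hour maintenance
# window so a stuck installer cannot run into business hours.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows -AzureVMResourceId $targets `
    -IncludedUpdateClassification Critical, Security `
    -ExcludedKbNumber "0000000" `
    -RebootSetting IfRequired `
    -Duration (New-TimeSpan -Hours 2)
```

The resulting deployment shows up under Deployment schedules in the portal like one created there, and its runs appear on the History tab.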

VM-Specific Update Methods

As part of the VM creation process in Azure, you can make further adjustments that control how the VMs are updated – partly through Azure Update Management, but also through functions that have nothing to do with Azure Update Management.

For example, if you use Windows Server 2022 Datacenter: Azure Edition, you can set the hot patch function for Azure VMs in the cloud or on Azure Stack HCI. Hot patching lets you install updates without having to restart the entire server each time. If individual services or areas of a server require a restart after installing updates, then only those restart. This process takes a fraction of a second, and users do not notice any interruptions in most cases. In other words, the workloads remain permanently active.

From the Azure portal when creating a VM, four settings in Patch orchestration options (Figure 2) also have a permanent effect on how updates are installed for the various sources:

  • Automatic by OS (Windows Automatic Updates)
  • Azure-orchestrated
  • Manual updates
  • Image default

Figure 2: The Guest OS updates section presents four patch orchestration options.

Not all options are applicable to all images, however. If you select Automatic by OS, Windows servers are updated automatically by the Windows Automatic Updates feature. The updates can come either from the update mechanism built into the VM operating system or from Azure Update Management. (See also the "Automatic VM Guest Patches" box.)

Automatic VM Guest Patches

Enabling automatic VM guest patches for Azure VMs in the settings installs patches on those VMs automatically. The option installs all critical updates and security patches, but not the definition files for Microsoft Defender. To do this, Azure automatically finds a time when a VM has a low load level and installs the updates in the background. All actions for this update run automatically in Azure. The system regularly checks for updates for VMs and installs them. Restarts occur outside of peak periods. However, the feature does not support every image. Microsoft explains the option's capabilities and tells what to watch out for on the automatic VM guest patching website [1].

The Azure-orchestrated option lets you specify that Windows and Linux servers are no longer updated by the operating systems' built-in update functions, but only by Azure itself. However, this only works for selected images in Azure. If the feature is not available for a particular image, the setup wizard grays out this option.

Manual updates means that Azure does not install any updates automatically, so manual work is required involving the use of policies to manage updates. You can do this in Azure with Azure Update Management, for example, but also with Windows Server Update Services (WSUS). In this case, you need a WSUS server in Azure or in the local data center if you are using Azure Stack HCI. The server then supplies the Azure VMs with updates. The option for Image default is used for Linux servers if Azure-orchestrated is not available.
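The same four patch orchestration options, set from PowerShell with the Az.Compute module when a VM configuration is built instead of in the portal wizard. This is an added example, not code from the article; the VM name, size, resource group and location are placeholders, and the hot patching image SKU should be confirmed against Get-AzVMImageSku for your region before use.

```powershell
# Added example: patch orchestration chosen in a VM configuration with Az.Compute.
# Names, size and location below are assumed placeholders. API values behind the
# portal labels: Automatic by OS = AutomaticByOS, Azure-orchestrated =
# AutomaticByPlatform, Manual updates = Manual, Image default = ImageDefault (Linux).
$vmName = "vm-hotpatch01"
$cred   = Get-Credential -Message "Local administrator for the new VM"
$vm     = New-AzVMConfig -VMName $vmName -VMSize "Standard_D2s_v5"

# Windows Server 2022 Datacenter: Azure Edition, the image family that supports
# hot patching. Check the exact SKU available in your region first:
#   Get-AzVMImageSku -Location "westeurope" -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer"
$vm = Set-AzVMSourceImage -VM $vm -PublisherName "MicrosoftWindowsServer" `
    -Offer "WindowsServer" -Skus "2022-datacenter-azure-edition-core" -Version "latest"

# Azure-orchestrated patching plus hot patching. AutomaticByPlatform requires the
# VM agent and automatic updates to be enabled, hence the two switches.
$vm = Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred `
    -ProvisionVMAgent -EnableAutoUpdate `
    -PatchMode "AutomaticByPlatform" -EnableHotpatching

# Alternatives for the same call:
#   -PatchMode "AutomaticByOS"   -> Automatic by OS (Windows Automatic Updates)
#   -PatchMode "Manual"          -> Manual updates (e.g., WSUS or Update Management)
#   -Linux -PatchMode "ImageDefault" -> Image default, for Linux images where
#                                      Azure-orchestrated is not offered

# Attach a NIC with Add-AzVMNetworkInterface, then create the VM:
# New-AzVM -ResourceGroupName "rg-prod" -Location "westeurope" -VM $vm
```

If the chosen image does not support the requested patch mode, New-AzVM fails with a validation error instead of the portal's grayed-out option, so test the combination in a non-production resource group first.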

After creating the VM, you can change the settings retroactively in many cases. To do this, look for the update settings button in the Updates menu. When you get there, select the update approach for your various Azure VMs. You need to use the Try new Update Management Center link for this menu item to appear. (I used a Preview edition of the Update Management Center, so slight changes in options and arrangements might occur as the product matures.) After Microsoft has activated this new view, the menu item immediately becomes available.

Azure Update Management Center

Once you have created an Azure VM, the Updates item is available on the dashboard; you can use it to connect the VM to Azure Update Management. More menu items appear here after enabling the new user interface, and if you don't need the new interface anymore, you can easily return by choosing the link to exit. In parallel, you can open the new Azure Update Management Center at this point. This is where you control the installation of VM updates in the Azure portal. First, let Check for updates scan the VMs for missing updates. If some updates are missing, the portal displays them. You can then specify whether you want to handle the update process manually once only; in this case, select One-time update. If you want to install the updates at a later time, choose Scheduled updates.

After creating an Azure VM, it makes perfect sense to refresh it first to make sure that the options work. After selecting One-time update, select the VMs you want to update in this step. For each VM, Azure shows the status and how many updates are missing. Next, define which updates you want to apply. You can select the Include update classification item and check Select all.

When done, you still need to decide whether the VMs will always restart or whether you leave the restart decision to the VM. Finally, you will see a summary and Azure will proceed to install the updates on the VM. You can view the status on the Azure portal. You do not need to switch to the operating system interface to do this.

If you use the Azure Update Management Center, all connected Azure VMs can be managed with a single action in the portal. You can view various charts on the Update Management Center dashboard showing which VMs are missing updates and how many VMs are connected to the environment (Figure 3). For selected machines, select Machines | Update settings and enable periodic assessment.

Figure 3: Microsoft visualizes update management in the Azure Update Management Center, which is still in preview.

Azure Policy lets you run an automated scan across all connected VMs. To do this, in the Azure Update Management Center, enable periodic assessment in Machines . After doing so, Azure automatically scans all your Azure VMs for missing updates and installs them according to the settings you stored in the Update Management Center and in the VM settings.
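The three Update Management Center actions from this section (Check for updates, One-time update, and periodic assessment) driven from Az.Compute rather than the portal. This is an added example, not code from the article; the resource group and VM names are placeholders, and the VM is assumed to be a Windows VM that already has a patch mode set.

```powershell
# Added example: on-demand assessment, one-time install, and periodic assessment
# for one Azure VM with Az.Compute. Resource group and VM name are placeholders.
$rg   = "rg-prod"
$name = "vm-web01"

# 1. Check for updates: assess without installing and list what is missing,
#    including whether each patch would force a reboot.
$assessment = Invoke-AzVMPatchAssessment -ResourceGroupName $rg -VMName $name
"Assessment {0}: {1} critical/security and {2} other patches missing" -f `
    $assessment.Status, $assessment.CriticalAndSecurityPatchCount, $assessment.OtherPatchCount
$assessment.AvailablePatches | Select-Object Name, KbId, Classifications, RebootBehavior

# 2. One-time update: critical and security classifications only, reboot only if
#    a patch requires it, and stop the run after two hours (ISO 8601 duration).
$result = Invoke-AzVmInstallPatch -ResourceGroupName $rg -VmName $name -Windows `
    -ClassificationToIncludeForWindows Critical, Security `
    -RebootSetting IfRequired -MaximumDuration "PT2H"
"Install {0}: {1} installed, {2} failed, reboot status {3}" -f `
    $result.Status, $result.InstalledPatchCount, $result.FailedPatchCount, $result.RebootStatus
if ($result.FailedPatchCount -gt 0) {
    $result.Patches | Where-Object InstallationState -eq "Failed" | Select-Object Name, KbId
}

# 3. Periodic assessment: have Azure re-scan the VM on its own so the Update
#    Management Center charts stay current. The PatchSettings object only exists
#    once a patch mode has been set on the VM.
$vm = Get-AzVM -ResourceGroupName $rg -Name $name
$settings = $vm.OSProfile.WindowsConfiguration.PatchSettings
if (-not $settings) { throw "Set a patch orchestration option on $name first." }
$settings.AssessmentMode = "AutomaticByPlatform"
Update-AzVM -ResourceGroupName $rg -VM $vm
```

Step 3 is the per-VM equivalent of Machines | Update settings in the portal; for fleet-wide enforcement, use the Azure Policy assignment the article mentions rather than looping over VMs.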
