Server update with Azure Update Management


Manually Deploying and Removing Agents

You can also connect servers to Azure Update Management by installing the agent manually. To do this, open the Log Analytics workspace, go to Overview, and select Managing Windows and Linux Agents to reach the agent download page. There you can download the agent and pick up the IDs (the workspace ID and key) that are required to link it to Log Analytics and thus to Update Management. You can install the agent either by hand or in a scripted process. An agent is also required on Linux servers; you can download and run it with the command:

wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w 3a25ad6b-cf60-47a9-a61c-6ba32aa70779 -s WF8SXVgDaDQXmF8NZbSBertX72H2fhLTGCbmyNfLIOTsZt53QshdNd1/2rOrI9TOlSVKp7qweD6qy7tfj8vbNm8ldg== -d opinsights.azure.com

In this example, the command includes the IDs that are required when installing on Linux; the values differ for each subscription. The connection can also be scripted at this point. If you want to remove a machine from Update Management manually, you just need to uninstall the agent with appwiz.cpl. That operation also removes the server from the Log Analytics area, and after refreshing the view, you can manage updates on that server again without Azure Update Management.
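The scripted variant of the Linux onboarding above, as an added example that is not part of the article or of Microsoft's agent project: the wrapper validates the workspace ID and key before anything is fetched, reads the key from an environment variable so it does not end up in the interactive shell history or in a script checked into version control (the installer itself still receives it as an argument, exactly as the article's command does), and saves the downloaded installer to a temporary file so it can be checked against a pinned SHA-256 before it runs. The variable names LA_WORKSPACE_ID, LA_WORKSPACE_KEY and ONBOARD_SHA256 are hypothetical names chosen for this example; the download URL and the -w/-s/-d switches are the ones from the article.

```shell
#!/bin/sh
# Added example (not the article's or the OMS-Agent project's code): scripted
# onboarding of the Log Analytics agent on Linux with input validation and an
# optional hash pin on the downloaded installer.
# Hypothetical environment variables used here: LA_WORKSPACE_ID, LA_WORKSPACE_KEY,
# ONBOARD_SHA256 (expected SHA-256 of onboard_agent.sh; empty skips the check).

# Download location and DNS suffix as given in the article.
ONBOARD_URL="https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh"
ONBOARD_DOMAIN="opinsights.azure.com"

# Workspace IDs are GUIDs: 8-4-4-4-12 hexadecimal groups.
is_workspace_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Workspace keys are base64 text; reject empty or truncated values, which are
# the usual copy-and-paste failure.
is_workspace_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{40,}={0,2}$'
}

# Print the SHA-256 of a file with whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Validate inputs, fetch the installer into a private temp directory, verify it
# against the pinned hash if one is given, then run it. Returns 2 on invalid
# input (before touching the network), 3 on a hash mismatch, 1 on download
# failure, otherwise the installer's own exit status.
onboard_agent() {
    ws_id="$1"
    ws_key="$2"
    pinned="$3"

    is_workspace_id "$ws_id" || { echo "invalid workspace ID" >&2; return 2; }
    is_workspace_key "$ws_key" || { echo "invalid workspace key" >&2; return 2; }

    tmpdir=$(mktemp -d) || return 1
    script="$tmpdir/onboard_agent.sh"
    wget -q -O "$script" "$ONBOARD_URL" || { rm -rf "$tmpdir"; return 1; }

    if [ -n "$pinned" ] && [ "$(file_sha256 "$script")" != "$pinned" ]; then
        echo "installer hash mismatch, refusing to run" >&2
        rm -rf "$tmpdir"
        return 3
    fi

    sh "$script" -w "$ws_id" -s "$ws_key" -d "$ONBOARD_DOMAIN"
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# Only act when invoked explicitly, so the functions can also be sourced.
if [ "${1:-}" = "--onboard" ]; then
    onboard_agent "${LA_WORKSPACE_ID:-}" "${LA_WORKSPACE_KEY:-}" "${ONBOARD_SHA256:-}"
fi
```

Usage: export the three variables (the hash can be taken from a copy of onboard_agent.sh that was reviewed once and kept under change control) and run the script with --onboard; on a fleet, the same script can be pushed by whatever configuration tool already distributes software, which is the "scripted process" the article refers to.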

Management in the Azure Portal

In the Azure portal, you can see which servers are not up to date by clicking on the automation account created for Azure Update Management in the resource group where you integrated it and then selecting Update management. Here you will see all the servers that are not compliant (i.e., missing updates), as well as the compliant servers and other information (Figure 3).

Figure 3: The Azure portal tags servers without current updates as Non-compliant.

Connecting machines to Azure Update Management was the first step in providing patches to the respective servers. You can then create your own server groups with update deployment in Azure Update Management and release updates by rules on the basis of those groups, which means that you can orchestrate the rollout of updates without having to run local servers for patch management. As mentioned, it does not matter where the connected servers are located.

In the Update Management Overview, below the update management account, you will see several menu items for the individual computers that play an essential role in management. Under Machines, you first get an overview of the connected computers and their key information, including the number of missing updates and whether the management agent on the server can currently connect to Azure. You will also see the installed operating system and whether the computer is an Azure VM or an external computer. The Missing updates tab shows you which patches are not yet installed on the computers, and Azure Update Management also shows you the number of computers on which each update is missing.

Creating Update Schedules

A deployment schedule automates update control on connected devices: it lets you define schedules, enable specific updates, and specify the patches you want the servers to install automatically. You create schedules from Schedule update deployment under Update management in the Update management dashboard. First, give the schedule a name (e.g., Monthly Patchday). After that, select whether it applies to Windows or Linux computers. You can create separate schedules for each in this way.

Next, select the computer groups you want to connect. Under Groups to update, you define whether you want to link VMs from Azure or from outside. Groups can be filtered by subscription, resource group, storage location, and tag. After defining the groups, you select the machines you want to update with the schedule.

One important aspect is the selection of individual update classifications. For example, regular updates, rollups, security updates, critical updates, and feature packs are available for selection. You can also exclude or include individual updates from the installation on the basis of their Knowledge Base (KB) IDs.

You also specify the timing here. Besides one-off execution, you can perform regular updates. When creating the update schedule, you specify whether computers will reboot. As part of setting up a schedule, you also store any scripts you want to run on the computers before and after installing the patches. Once saved, the update schedule is activated, and the connected computer should appear as Compliant. The options available at this point differ between Windows and Linux.

Deployment schedules are listed under Scheduled update deployments. You can create multiple schedules, and they will all appear there. Clicking on a deployment schedule lets you customize its settings. Under History you can see whether the deployment schedules are working on the computers, and under Missing updates you can see the exact update IDs. If you simply click on an update, Microsoft's support page opens with detailed instructions on the corresponding update. If you double-click on the line of an update, the window changes to the Log Analytics area for update management.
