Keep all your Servers Patched using Azure Update Manager -- A Technical Guide


1 - What is Azure Update Manager :

Azure Update Manager is a service that helps manage updates for all your machines, including those running Windows and Linux, in Azure, on-premises and on other cloud platforms.

From the Update Manager portal you can quickly assess the status of available updates across every machine reporting to it, and manage the installation of the required updates from one place.


2 - Benefits of Azure Update Manager :

Here are some key benefits of using Azure Update Manager:

  • Native experience with zero on-boarding : Azure Update Manager is integrated as a native feature of Azure Compute and of the Azure Arc for Servers platform, so there is nothing extra to deploy.
  • No dependency on Log Analytics and Azure Automation : Unlike Azure Automation Update Management, Azure Update Manager is not dependent on Azure Automation or Azure Monitor logs.
  • Azure Policy support : Azure Update Manager is compatible with Azure Policy.
  • Global availability : Azure Update Manager is available in all Azure Compute and Azure Arc regions.
  • Works with Azure roles and identity : Azure Update Manager offers granular access control at the individual resource level instead of access control at the Azure Automation account and Log Analytics workspace level.
  • Azure Resource Manager-based operations : Azure Update Manager supports role-based access control and Azure Resource Manager-based roles in Azure.
  • Increased flexibility : Azure Update Manager lets you take immediate action, either by installing updates immediately, or by scheduling them for a later date.


3 - Prerequisites :

To follow this article, you need to have the following:

  1. Azure subscription - If you don't have an Azure subscription, you can create a free one first.
  2. Your account must hold the Owner or Contributor role on the subscription. Note that assigning a policy with a remediation task (section 9-B) also creates a managed identity and grants it a role on the scope; Contributor cannot create role assignments, so Owner (or Contributor plus User Access Administrator) is needed for that part.


4 - Pricing for Azure Update Manager :

  • Free for all Azure VMs.
  • $5 per server per month for Azure Arc-enabled servers (waived for Arc-enabled servers covered by Defender for Servers Plan 2 or enrolled in Windows Server 2012 Extended Security Updates through Arc).


5 - How Azure Update Manager can be driven :

  • Manually (we will see this method in more detail below)
  • Through Azure Policy (we will see this method in more detail below)


6 - Update Options :

Azure Update Manager provides several update options:

  • Automatic OS image upgrade – This feature automatically applies the latest OS image to a Virtual Machine Scale Set without user intervention.
  • Automatic VM guest patching – Enabling automatic VM guest patching ensures virtual machines are safely and automatically patched for security compliance, during off-peak hours and following availability-first principles.
  • Hotpatching – Hotpatching lets you install security updates on Windows Server Datacenter: Azure Edition virtual machines without rebooting after installation.
  • One-time update – Azure Update Manager lets you secure your machines immediately by installing updates on demand.
  • Scheduled patching – You can create a schedule to automate the process, choosing the frequency of updates (daily, weekly, or hourly) according to your needs. Once the schedule is set up, updates are installed automatically according to your specifications.


7 - Notable notes about Azure Update Manager :

  • Windows Server supported versions : 2008 and above (see Microsoft's supported operating systems matrix for the exact list)
  • All operating systems are assumed to be x64; x86 isn't supported for any operating system.
  • Update Manager supports operating system updates for both Windows and Linux.
  • Update Manager doesn't support driver updates.


8 - Mindmap to configure Azure Update Manager :

Here are the steps to follow to set up Azure Update Manager :

9 - Start Config Azure Update Manager (AUM) :

In this blog, I've chosen to deploy two test machines: Windows Server 2019 and Ubuntu Server 23.

We'll start by opening Azure Update Manager: type the name in the Azure search bar, then select "Azure Update Manager".

On the main Overview page you can see the number of servers managed by AUM and their update status (2 VMs in our case):

For more details, click on the Machines menu on the left to see the number of pending updates for each VM.

We can see 4 pending updates for VM1-Windows and 43 pending updates for VM2-Linux (across all update classifications: Security, Critical, Service Packs, Feature Packs, etc.).

Updates can be applied in two ways :

  1. Manually.
  2. through Azure Policies.


A - Manual Updates using Azure Update Manager :

Here are the steps for manually updating Azure virtual machines (VMs) from the Azure Update Manager :

  1. Go to "Machines" from the left-hand menu.
  2. Select the VMs you want to update.
  3. Click on "Check for Updates" to run an assessment of available updates on the selected VMs.
  4. Once the assessment has completed, you can install the updates immediately by clicking on "One-time Update".

B - Manage Updates through Azure Policies :

Using Azure Update Manager with Azure Policy offers several benefits: centralized management of available updates, automatic updates at scale, monitoring of update compliance, and rapid deployment of critical updates.


In the following steps we will :

  • Configure the policy for periodic checking for missing system updates on Azure virtual machines.
  • Create a maintenance configuration for scheduled update installation.
  • Configure the policy for scheduling recurring updates using Azure Update Manager.


i - Configure the policy for periodic checking for missing system updates on Azure virtual machines :

Microsoft Azure's "Configure periodic checking for missing system updates on Azure virtual machines" policy enables periodic evaluation of missing updates on your Azure virtual machines (VMs). It turns on a setting on each machine that shows the latest updates available for it, so you no longer need to run a manual assessment every time you want to check update status. Once the setting is active, Update Manager assesses the machine for missing updates once every 24 hours.


To get started, you can follow these steps :

  • Select "Get Started" from the left-hand menu.
  • Select "Assign Policy"

  • Select the policy "Configure periodic checking for missing system updates on Azure virtual machines"

Its description reads: configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode , for Linux: https://aka.ms/computevm-linuxpatchassessmentmode .

  • Select "Assign"

  1. Select the "Scope" button
  2. Select the subscription (no need to select a resource group if you want to cover all your servers)
  3. Click on "Select"
  4. Click "Next"

This window lets us filter the resources on which updates will be checked.

In this window I've added a few filter parameters without actually applying them, just to show what you can do with them.

So I won't touch anything here and I'll click on "Next".

Same thing here, I won't touch anything and I'll click on "Next".

  1. Select "Create a remediation task" (the policy is then also evaluated against existing resources, which are remediated instead of only new ones)
  2. In the "Policy to remediate" section, select "Configure periodic checking for missing system updates on Azure virtual machines".
  3. Select "Next"

In this window you can write a non-compliance message.

Non-compliance messages help users understand why a resource is not compliant with the policy. The message will be displayed when a resource is denied and in the evaluation details of any non-compliant resource.

  • Write the non-compliance message, then select "Next"

  • Select "Create" to assign the "periodic checking for missing system updates on Azure virtual machines" policy to your subscription.

ii - Create a maintenance configuration for scheduled update installation :

Creating a maintenance configuration for scheduled update installation is an important step in managing updates for your virtual machines (VMs) in Azure.

This configuration lets you define a schedule for the installation of updates on your VMs. You can specify which machines are to be updated and which updates are to be installed. This configuration is particularly useful for ensuring that your VMs are always up to date with the latest security and functionality updates.


Once the "Configure periodic checking for missing system updates on Azure virtual machines" policy has been assigned, we move on to creating a maintenance configuration.

You can follow these steps:

  • Select "Get Started" from the left-hand menu.
  • Select "Schedule Updates"

  1. Select the resource group
  2. Enter a configuration name and select the region
  3. Set the maintenance scope to "Guest (Azure VM, Arc-enabled VMs/servers)"
  4. Select "Add Schedule" and specify the start time, the frequency of the maintenance configuration and the duration of each maintenance run (for the Guest scope the portal accepts a duration between 1 hour 30 minutes and 3 hours 55 minutes)
  5. Select "Save"
  6. Select "Next"
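Before clicking through, it helps to know what the schedule fields you just filled in actually mean once they land in the maintenance configuration resource. The following Python is an added example, not code from the original article or from Microsoft: it models the startDateTime, duration and recurEvery fields of a Microsoft.Maintenance/maintenanceConfigurations resource, applies the 01:30 to 03:55 duration limits of the Guest scope, expands the Day and Week forms of recurEvery into concrete runs, and checks that two configurations (one per region, as suggested for production below) never have their windows open at the same time. The Month and hourly recurrence forms are rejected rather than guessed, and all times are treated as UTC; the real resource also has a timeZone field that is ignored here. The two windows at the bottom are constructed for the example.

```python
"""Validate an Azure Update Manager maintenance window before you create it.

Added example: models the schedule fields of a
Microsoft.Maintenance/maintenanceConfigurations resource (startDateTime
"YYYY-MM-DD HH:MM", duration "HH:MM", recurEvery) and the Guest-scope duration
limits (01:30 to 03:55). Only the Day/Week forms of recurEvery are parsed;
timeZone is ignored and all times are read as UTC.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
GUEST_MIN = timedelta(hours=1, minutes=30)  # smallest window the portal accepts for Guest scope
GUEST_MAX = timedelta(hours=3, minutes=55)  # largest window the portal accepts for Guest scope


@dataclass(frozen=True)
class MaintenanceWindow:
    name: str
    start_date_time: str  # "YYYY-MM-DD HH:MM", the format the CLI and ARM accept
    duration: str         # "HH:MM"
    recur_every: str      # e.g. "Day", "3Days", "Week Saturday", "2Weeks Saturday,Sunday"


def parse_duration(text: str) -> timedelta:
    m = re.fullmatch(r"(\d{2}):(\d{2})", text)
    if not m:
        raise ValueError(f"duration must be HH:MM, got {text!r}")
    return timedelta(hours=int(m.group(1)), minutes=int(m.group(2)))


def validate_guest_window(duration: str) -> timedelta:
    """Reject a window the portal would refuse for scope Guest (Azure VM, Arc-enabled)."""
    d = parse_duration(duration)
    if not GUEST_MIN <= d <= GUEST_MAX:
        raise ValueError(f"Guest window must be between 01:30 and 03:55, got {duration}")
    return d


def parse_recur_every(text: str) -> tuple[str, int, frozenset[int]]:
    """Return (unit, interval, weekday indexes) for the Day/Week forms of recurEvery."""
    m = re.fullmatch(r"(\d*)(Day|Days|Week|Weeks)(?:\s+([A-Za-z,]+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported recurEvery {text!r}; only Day/Week forms are handled")
    interval = int(m.group(1) or 1)
    unit = m.group(2).rstrip("s")
    days: frozenset[int] = frozenset()
    if unit == "Week":
        if not m.group(3):
            raise ValueError("weekly recurrence needs weekdays, e.g. 'Week Saturday'")
        days = frozenset(WEEKDAYS.index(d) for d in m.group(3).split(","))
    elif m.group(3):
        raise ValueError("daily recurrence takes no weekday list")
    return unit, interval, days


def occurrences(w: MaintenanceWindow, count: int) -> list[tuple[datetime, datetime]]:
    """The first `count` (start, end) runs of the window, beginning at startDateTime.
    Week numbers are counted from the Monday of the week containing the start date."""
    start = datetime.strptime(w.start_date_time, "%Y-%m-%d %H:%M")
    length = validate_guest_window(w.duration)
    unit, interval, days = parse_recur_every(w.recur_every)
    week0 = (start - timedelta(days=start.weekday())).date()
    runs: list[tuple[datetime, datetime]] = []
    day = start
    while len(runs) < count:
        if unit == "Day":
            hit = (day - start).days % interval == 0
        else:
            week = ((day - timedelta(days=day.weekday())).date() - week0).days // 7
            hit = day.weekday() in days and week % interval == 0
        if hit:
            runs.append((day, day + length))
        day += timedelta(days=1)
    return runs


def windows_overlap(a: MaintenanceWindow, b: MaintenanceWindow, count: int = 12) -> bool:
    """True if any of the next `count` runs of a and b share a minute: machines from
    both scopes could then be rebooting at the same time."""
    return any(sa < eb and sb < ea
               for sa, ea in occurrences(a, count)
               for sb, eb in occurrences(b, count))


if __name__ == "__main__":
    # Constructed windows: one per region, staggered so they never run together.
    west = MaintenanceWindow("patch-west", "2024-06-01 02:00", "03:55", "Week Saturday")
    east = MaintenanceWindow("patch-east", "2024-06-01 06:00", "03:55", "Week Saturday")
    for w in (west, east):
        print(w.name, [s.strftime("%a %Y-%m-%d %H:%M") for s, _ in occurrences(w, 3)])
    print("overlap:", windows_overlap(west, east))
```

Run it on the two windows you intend to create; if `windows_overlap` returns True, move one start time so that the servers backing each other up are never inside a maintenance window at the same moment.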

In this section we will assign a dynamic scope to the maintenance configuration.

  • Select "Dynamic scope"

After selecting your subscription (Azure Subscription 1 in my case), you'll be able to filter the machines in scope by several criteria:

In this configuration I apply the updates to both test servers (VM-Windows and VM-Linux), which means all my servers go down at the same time while the updates install.

If you implement this on production servers spread across several sites, create two or more maintenance configurations and filter them by region (or by tag) so that the servers backing each other up are never rebooted in the same window and the service stays available.

Click on "Select" to filter by the different categories.

You can filter by:

  • Resource groups
  • Resource types
  • Locations
  • OS types
  • Tags

Within one category the values are combined with OR (a machine in any listed location matches); across categories they are combined with AND (it must also match the OS type, tags, and so on). For tags you additionally choose whether any or all of the listed tags must match.

I will leave everything at its default and select "Save".
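To make the dynamic-scope rules above concrete, here is an added Python example (not code from the original article) that models the five filter types of the Dynamic scopes blade with the semantics described: values inside one filter type are ORed, the filter types are ANDed, an empty filter type means no restriction, and tags honour the Any/All operator. It then reviews a constructed inventory of Azure VMs and one Arc-enabled server against two designs, the single all-in-one scope used for the two test VMs in this article and the one-configuration-per-region layout recommended for production, and reports the gaps a practitioner wants to know about before enabling the schedules. The machines, resource groups, regions and tag names are constructed for the example.

```python
"""Evaluate Azure Update Manager dynamic-scope filters against a machine inventory.

Added example: models the filter types of the "Dynamic scopes" blade (resource
groups, resource types, locations, OS types, tags). Values inside one filter type
are ORed, filter types are ANDed, empty means unrestricted, tags use Any/All.
"""
from __future__ import annotations

from dataclasses import dataclass, field

VM = "Microsoft.Compute/virtualMachines"
ARC = "Microsoft.HybridCompute/machines"


@dataclass(frozen=True)
class Machine:
    name: str
    resource_group: str
    resource_type: str
    location: str
    os_type: str            # "Windows" or "Linux"
    tags: dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class DynamicScope:
    name: str
    resource_groups: frozenset[str] = frozenset()
    resource_types: frozenset[str] = frozenset()
    locations: frozenset[str] = frozenset()
    os_types: frozenset[str] = frozenset()
    tags: dict[str, frozenset[str]] = field(default_factory=dict)  # tag name -> accepted values
    tag_operator: str = "Any"  # "Any": one tag filter must match; "All": every tag filter must

    def matches(self, m: Machine) -> bool:
        # Resource-group and tag names are case-insensitive in Azure; tag values are not.
        facets = [
            (self.resource_groups, m.resource_group.lower(), True),
            (self.resource_types, m.resource_type, False),
            (self.locations, m.location, False),
            (self.os_types, m.os_type, False),
        ]
        for allowed, value, fold in facets:
            if allowed and value not in ({a.lower() for a in allowed} if fold else allowed):
                return False
        if not self.tags:
            return True
        machine_tags = {k.lower(): v for k, v in m.tags.items()}
        hits = [machine_tags.get(k.lower()) in vals for k, vals in self.tags.items()]
        return any(hits) if self.tag_operator == "Any" else all(hits)


def assign(inventory: list[Machine], scopes: list[DynamicScope]) -> dict[str, list[str]]:
    """Map every machine to the maintenance configurations whose dynamic scope selects it."""
    return {m.name: [s.name for s in scopes if s.matches(m)] for m in inventory}


def review(inventory: list[Machine], scopes: list[DynamicScope], service_tag: str = "service") -> list[str]:
    """Findings to settle before enabling the schedules: machines in no scope (never
    patched by schedule), machines in several scopes (rebooted in every window), and
    services whose machines all land in one scope (the whole service goes down together)."""
    findings: list[str] = []
    per_machine = assign(inventory, scopes)
    by_service: dict[str, set[str]] = {}
    for m in inventory:
        configs = per_machine[m.name]
        if not configs:
            findings.append(f"{m.name}: not covered by any dynamic scope")
        elif len(configs) > 1:
            findings.append(f"{m.name}: selected by several scopes {sorted(configs)}")
        svc = m.tags.get(service_tag)
        if svc and configs:
            by_service.setdefault(svc, set()).update(configs)
    for svc, configs in sorted(by_service.items()):
        members = [m for m in inventory if m.tags.get(service_tag) == svc]
        if len(members) > 1 and len(configs) == 1:
            findings.append(f"service {svc!r}: all {len(members)} machines patched in {next(iter(configs))}")
    return findings


# Constructed inventory, not a real subscription.
INVENTORY = [
    Machine("web-01", "rg-prod", VM, "westeurope", "Linux", {"service": "shop", "env": "prod"}),
    Machine("web-02", "rg-prod", VM, "northeurope", "Linux", {"service": "shop", "env": "prod"}),
    Machine("sql-01", "rg-prod", VM, "westeurope", "Windows", {"service": "shop", "env": "prod", "tier": "db"}),
    Machine("sql-02", "rg-prod", VM, "northeurope", "Windows", {"service": "shop", "env": "prod", "tier": "db"}),
    Machine("dc-onprem-01", "rg-arc", ARC, "northeurope", "Windows", {"service": "identity", "env": "prod"}),
    Machine("jump-01", "rg-lab", VM, "westeurope", "Linux", {"env": "lab"}),
]

# One configuration for everything, as in the two-VM test in this article...
ALL_IN_ONE = [DynamicScope("patch-all", os_types=frozenset({"Windows", "Linux"}))]
# ...versus one configuration per region, so paired servers never reboot together.
PER_REGION = [
    DynamicScope("patch-west", locations=frozenset({"westeurope"}), tags={"env": frozenset({"prod"})}),
    DynamicScope("patch-east", locations=frozenset({"northeurope"}), tags={"env": frozenset({"prod"})}),
]

if __name__ == "__main__":
    for label, scopes in (("all-in-one", ALL_IN_ONE), ("per-region", PER_REGION)):
        print(label, assign(INVENTORY, scopes))
        for finding in review(INVENTORY, scopes):
            print("  -", finding)
```

The all-in-one design produces the finding the article warns about (every machine of the "shop" service rebooting in the same window), while the per-region design passes that check but reveals that the lab jump host, which carries no env=prod tag, is left out of scheduled patching altogether. Both are things you want to see on paper before the first maintenance window runs.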

A new window will appear:

  • Select "Change the required options to ensure schedule supportability" and click "Save". This switches the patch orchestration of the VMs in scope to "Customer Managed Schedules", which scheduled patching requires.

  • We are back to the first maintenance configuration creation window.
  • Click "Next"

The "Resources" window is used to select and assign specific resources to a maintenance configuration, but since I've already set up a dynamic scope, I don't need to make any changes here.

  • Click "Next"

In the Updates window, click on "Include update classification" and choose the types of updates you want to deploy. You can also include or exclude specific KBs (Windows) or packages (Linux).

The following list gives the update classifications used by Update Manager, with a definition for each. Note that only Critical, Security and Other are available for Linux; the full list applies to Windows.

  • Critical updates : An update for a specific problem that addresses a critical, non-security-related bug.
  • Security updates : An update for a product-specific, security-related issue.
  • Update rollups : A cumulative set of hotfixes that are packaged together for easy deployment.
  • Feature packs : New product features that are distributed outside a product release.
  • Service packs : A cumulative set of hotfixes that are applied to an application.
  • Definition updates : An update to virus or other definition files.
  • Tools : A utility or feature that helps complete one or more tasks.
  • Updates : An update to an application or file that currently is installed.


Select "Review + Create", then select "Create".

If you now return to the Azure Update Manager main window, you can see a change in the "Patch orchestration configuration of Azure virtual machines" section: the VMs in scope now show "Customer Managed Schedules".
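The change you see in that section is a change to properties stored on each VM resource, and the two policies in this article do nothing more than set those properties. The following Python is an added example, not code from the original article or from Microsoft; it reads trimmed VM documents of the shape returned by `az vm show` and checks them against what the policies enforce. Azure keeps these settings under properties.osProfile.windowsConfiguration.patchSettings or properties.osProfile.linuxConfiguration.patchSettings: the "periodic checking for missing system updates" policy sets assessmentMode to AutomaticByPlatform, and "Customer Managed Schedules" (what the "Change the required options to ensure schedule supportability" prompt applied in the previous section, and what the "Schedule recurring updates" policy in the next section requires) sets patchMode to AutomaticByPlatform together with automaticByPlatformSettings.bypassPlatformSafetyChecksOnUserSchedule = true. The three VM documents are constructed for the example.

```python
"""Report and remediate the VM patch settings enforced by the two Update Manager policies.

Added example. Settings live on the VM resource under
properties.osProfile.<windowsConfiguration|linuxConfiguration>.patchSettings:
  periodic assessment      -> assessmentMode = "AutomaticByPlatform"
  Customer Managed Schedules -> patchMode = "AutomaticByPlatform" and
      automaticByPlatformSettings.bypassPlatformSafetyChecksOnUserSchedule = true
"""
from __future__ import annotations

import copy
from typing import Any

AUTO = "AutomaticByPlatform"


def os_config_key(vm: dict[str, Any]) -> str:
    os_profile = vm["properties"]["osProfile"]
    if "windowsConfiguration" in os_profile:
        return "windowsConfiguration"
    if "linuxConfiguration" in os_profile:
        return "linuxConfiguration"
    raise ValueError(f"{vm['name']}: osProfile has neither windows nor linux configuration")


def evaluate(vm: dict[str, Any]) -> dict[str, bool]:
    """Compliance with the two policies, as the policy engine sees the resource."""
    ps = vm["properties"]["osProfile"][os_config_key(vm)].get("patchSettings", {})
    on_schedule = (
        ps.get("patchMode") == AUTO
        and ps.get("automaticByPlatformSettings", {}).get("bypassPlatformSafetyChecksOnUserSchedule") is True
    )
    return {
        "periodicAssessment": ps.get("assessmentMode") == AUTO,
        "customerManagedSchedule": bool(on_schedule),
    }


def remediation_body(vm: dict[str, Any]) -> dict[str, Any]:
    """Minimal PATCH body that brings a VM into compliance; {} if nothing is needed.
    Windows also needs enableAutomaticUpdates=true for patchMode AutomaticByPlatform."""
    status = evaluate(vm)
    if all(status.values()):
        return {}
    key = os_config_key(vm)
    patch_settings: dict[str, Any] = {}
    if not status["periodicAssessment"]:
        patch_settings["assessmentMode"] = AUTO
    if not status["customerManagedSchedule"]:
        patch_settings["patchMode"] = AUTO
        patch_settings["automaticByPlatformSettings"] = {"bypassPlatformSafetyChecksOnUserSchedule": True}
    config: dict[str, Any] = {"patchSettings": patch_settings}
    if key == "windowsConfiguration" and "patchMode" in patch_settings:
        config["enableAutomaticUpdates"] = True
    return {"properties": {"osProfile": {key: config}}}


def apply_remediation(vm: dict[str, Any]) -> dict[str, Any]:
    """Merge the PATCH body into a copy of the VM document, the way the API would."""
    out = copy.deepcopy(vm)
    body = remediation_body(vm)
    if body:
        key = os_config_key(vm)
        cfg = out["properties"]["osProfile"][key]
        cfg.setdefault("patchSettings", {}).update(body["properties"]["osProfile"][key]["patchSettings"])
        if "enableAutomaticUpdates" in body["properties"]["osProfile"][key]:
            cfg["enableAutomaticUpdates"] = True
    return out


# Constructed VM documents, trimmed to the fields read here (not real resources).
VMS = [
    {"name": "vm1-windows", "properties": {"osProfile": {"windowsConfiguration": {
        "enableAutomaticUpdates": True,
        "patchSettings": {"patchMode": AUTO, "assessmentMode": AUTO,
                          "automaticByPlatformSettings": {"bypassPlatformSafetyChecksOnUserSchedule": True}}}}}},
    {"name": "vm2-linux", "properties": {"osProfile": {"linuxConfiguration": {
        "patchSettings": {"patchMode": "ImageDefault", "assessmentMode": AUTO}}}}},
    {"name": "vm3-windows", "properties": {"osProfile": {"windowsConfiguration": {
        "enableAutomaticUpdates": False,
        "patchSettings": {"patchMode": "AutomaticByOS"}}}}},
]

if __name__ == "__main__":
    for vm in VMS:
        print(vm["name"], evaluate(vm), remediation_body(vm) or "compliant")
```

A VM that is compliant with the assessment policy but still on ImageDefault or AutomaticByOS (vm2-linux and vm3-windows here) will be assessed every 24 hours yet silently skipped by your maintenance configuration; this check finds those before the first window runs, and the PATCH body is what the policy's remediation task writes for you.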


iii - Set up the policy for scheduling recurring updates using Azure Update Manager :

Microsoft Azure's "Schedule recurring updates using Azure Update Manager" policy attaches machines to a saved recurring deployment schedule. The policy lets you specify which machines are updated as part of the schedule and which updates are installed, on a daily, weekly or hourly basis, and then installs updates automatically according to that schedule across many virtual machines (VMs) at once. Update Manager uses Maintenance Control (the maintenance configuration created above) rather than a scheduler of its own; Maintenance Control is the Azure feature that lets customers control when platform updates are applied.


To get started, you can follow these steps :

  • Select "Get Started" from the left-hand menu.
  • Select "Assign Policy"

Select the "Schedule recurring updates using Azure Update Manager" policy:

Select "Assign"

  1. Select the ellipsis (...) button next to Scope
  2. Select the subscription (no need to select a resource group if you want to apply the policy to all resource groups)
  3. Click the "Select" button
  4. Click "Next"

You can customize the "Resource selector" here; in my case there is no need, so click "Next".

Here we need to enter the maintenance configuration ID.

To get the maintenance configuration ID:

  • Type "maintenance" in the Azure search bar and select "Maintenance Configurations"

  • Select the maintenance configuration created in the previous section:

Go to Properties in the left-hand menu and copy the "Id" (a resource ID of the form /subscriptions/<subscription>/resourceGroups/<resource group>/providers/Microsoft.Maintenance/maintenanceConfigurations/<name>).

  • Go back to the policy window, paste the copied ID and click "Next"

  • Select "Create a remediation task" and make sure that the policy to remediate is set to "Schedule recurring updates using Azure Update Manager", then click "Next"

  • You can add a non-compliance message here.

Select "Create" to assign the policy.

We've finished configuring our update plan in Azure Update Manager, and here's the result after applying the updates (I chose to install all types of updates so as to see the green circle).

As we can see, all VMs are in green, with all updates installed.

To see the update history, click on History in the left-hand menu:

10 - Conclusion :

All in all, Azure Update Manager is proving to be an essential tool for managing Azure virtual machine updates. Its ability to automate and schedule updates, while offering precise control over the process, makes it a valuable asset for system administrators. What's more, with features such as dynamic scopes and maintenance configurations, Azure Update Manager offers unprecedented flexibility and adaptability, enabling efficient management of large-scale updates.


Thanks


Aymen El Jaziri

System Administrator

Ioannis Aligizakis

CISO | Director of Security | Director of Technology

2 months

Great article. I do have one question. Can Azure Update Manager be used for Ubuntu Linux Kernel Updates for Azure ARC onboarded on-prem virtual machines? Achieve for example USN-6974-1: Linux kernel vulnerabilities | Ubuntu security notices | Ubuntu updates
