Azure Update Manager with Azure Policies

Captions
In this video we review the new Azure Update Manager. Hello everyone, I'm Travis and this is Ciraltos. Microsoft recently announced that Azure Update Manager is now generally available. In this video we'll look at what it is and how to enable it with Azure policies. Before that, please like, subscribe and share with a friend; that helps others discover this channel. Check out my courses on Azure Virtual Desktop, Windows 365 and Intune management, and hybrid identities with Windows AD and Azure AD, now Entra ID, available at udemy.com; links are below. And thank you channel members, your support is appreciated. Back to it.

Before we talk about Azure Update Manager, let's quickly review Azure Automation Update Manager. This is the predecessor to Azure Update Manager. It's part of an Azure Automation account and serves the same purpose: automating and reporting on patching for Windows and Linux servers. The difference is that the Azure Automation Update Manager relies on a Log Analytics account and the MMA, or Log Analytics agent. That agent will be retired in August of 2024. Going forward, the new Azure Update Manager is the best choice for managing server updates in and outside of Azure. Azure Update Manager is a standalone SaaS service; we don't have to link it to Log Analytics or Azure Automation. It supports Windows Server and Linux. That's one important thing to note about this feature: it doesn't support Windows clients. There are other services for client updates, such as Windows Autopatch and Intune. Azure Update Manager supports Windows Server 2008 and newer, although if you're still running Server 2008 you should probably focus on updating that. It supports Red Hat, CentOS and other Linux operating systems. It can also update images stored in an Azure Compute Gallery. The service can manage computers in Azure, on premises or other clouds. It uses the Azure VM agent to manage Azure VMs and the Azure Connected Machine agent for Arc-enabled servers outside of Azure. One item to keep in mind is the price: there is no charge for Azure VMs and $5 per month for Arc-enabled servers. It's only free for Azure VMs.

Coming up, we'll enable Azure Update Manager on a subscription. There are a couple of ways to do this. We can scan the update status and deploy updates manually, but that doesn't scale well. Instead, this video uses Azure policies to enable assessments on subscriptions; this way all existing and newly added VMs are included. Another policy is used to configure remediation. Again, we want an automated process that updates existing and newly added VMs. And I have a disclaimer on this video: this is intended to illustrate how it works. It's not a guide to implementing it in production. There are a lot of configuration options that will determine how patching takes place. For example, you may want to create multiple schedules to update groups of VMs on different days, or schedule updates across multiple time zones. Also, my lab environment isn't the best example; there are a lot of Windows clients and VMs that just haven't been turned on in a while. What I'm saying is, test it before you trust it. With that, let's go to the Azure portal and get started.

Here we are in the Azure portal. Let's start by going to Azure Update Manager. Here we have an overview display of our update status, patch orchestration, update installation status, and if we scroll down we have pending updates for Windows and Linux. Your view may look different from mine. I recorded a video that started with a default, nothing configured view, but unfortunately that footage was not usable, so the information you see here is what we'll get later on. We'll just keep going with the steps needed to get to this point. Before we get this information updated we need to configure our assessments. The assessment is what gets the information about the update status. Let's do this first by an individual computer. If we go to Machines in Update Manager, here we have a list of all the Azure VMs with their status. Notice I have a few that are unsupported. These are mostly Windows 10 or Windows 11 Azure Virtual Desktop session hosts and other Windows clients. Windows client OS is not supported with Azure Update Manager. There's no way for the filter to remove unsupported VMs, at least not at the time of recording. We can change the grouping to group by update status. We could select one or more virtual machines and then check for updates. This will run a one-time check, and again, if you're just starting out you won't see any pending updates. That would work, but it's not an efficient way to assess all the computers in our subscriptions. Notice at the top we have the option to enable periodic assessments using Azure policies. Let's use that as a way to configure our assessments.

Let's go to Get Started, and from here we'll assign a policy. There are two configuration policies: one for periodic checking of missing system updates on Azure VMs, and the other on Arc-enabled servers. The Azure VM policy will run the assessment on, well, Azure VMs; the other is for organizations that may want to manage patches outside of Azure, on-prem or other clouds. Let's select periodic checking for Azure VMs. We'll go to Assign. We'll select our scope. We can assign this to a management group, which would include all subscriptions in that management group, an individual subscription, or resource groups in a subscription. For this example we'll set it to our subscription, and we want it scoped to the subscription, so we'll leave the resource group blank and select. If you have multiple subscriptions you can either select a parent management group or run through these steps to assign it to multiple subscriptions. Add a description if you'd like and go next to Advanced. We can leave that and go next to Parameters. Uncheck "Only show parameters that need input or review". Make sure the assessment mode is set to Automatic by platform and the OS type is Windows; that is, of course, if you're running the assessment on Windows OS. If you're doing both, you'll have to run through these steps again, only selecting the other OS type. Let's go next to Remediation. On the Remediation tab select "Create a remediation task". Selecting this will enable assessments on existing VMs. Let's go next to Non-compliance message, and we can add a message. We'll go next to Review and create, and Create. This will take some time to run; the periodic check takes place every 24 hours. Let's pause here and come back once the assessment has finished.

It's been a couple of days. Let's look at what the periodic scan has to show. At Overview we have some new information. It shows patch orchestration is done by Windows automatic updates; that will change to customer managed schedules for our servers in an upcoming step. And if we scroll down we can see pending updates. Let's look at the status by machines. We can click on the panel and it takes us to Machines. There are a total of 25 VMs. Eight have no update data; these are probably VMs I used at some point and shut down, and you probably won't have a lot of deallocated VMs in a production environment. There are zero with no pending updates, six have pending updates, two VMs need to be rebooted, and finally we have 11 unsupported VMs. Those are Windows 10 and Windows 11 clients, including my AVD session hosts. So far we only assigned the policy for periodic assessments to the VMs; we haven't configured any orchestration to apply the updates. Let's do that next.

Let's go back to Get Started. From here we have the option to schedule updates; we'll select that. Select the subscription and resource group for the maintenance configuration. I'll create a new resource group for this example. Give it a name, maintenance window 3day for this example; you'll see why the name includes 3 days in a minute. The region is where the maintenance configuration is located. Set the maintenance scope; we'll use Guest for this example, which includes Azure VMs and Arc-enabled servers. We could also select OS images for virtual machine scale sets or dedicated hosts. We'll leave the reboot settings to reboot if required; you may also consider forcing a reboot. Let's add a schedule. We need to provide the start of the schedule; I'll set this for today. Let's set the time to 3 p.m. and be sure that the time zone is correct. We'll give this a 2-hour maintenance window; that should be enough. This is for monthly patching, so we'll set the repeat for every month. We can set a specific day, but this also has the logic to base the updates on Patch Tuesday, so if we select the second Tuesday, that's Patch Tuesday. We also get an offset. Most organizations want to leave a couple of days between when the patch is released and when it's applied. I'll set this to 3 days after Patch Tuesday, the second Tuesday of the month. Based on my testing, this configuration will first run at 3:00 p.m. 3 days after the next Patch Tuesday. If you want it to run sooner, you can set the start to today's date and a time a couple of hours in the future; make sure to adjust the schedule after testing is done. We'll walk through changing the schedule shortly. We can also set an end date. We'll save, and now we'll go next to Dynamic scopes. I prefer dynamic scopes because, if configured properly, they will apply to new VMs when they're added. Let's add a scope. We can set our subscriptions; we'll add two of them for this example. And then we can set filters. We can filter down to resource group; let's leave that empty, I want this scope to apply to both subscriptions. For the resource type we have the option for Azure virtual machines or Arc-enabled servers; let's remove the Arc-enabled servers from this. We can specify a location if you wanted maintenance windows on different days across regions, for example; this is handy if you're dealing with environments that span multiple time zones. We can select the OS type; this example will use Windows. And we can define tags. Another strategy would be to assign patch tags to VMs to coordinate with different schedules. We'll click OK to add the scope. We'll save. We have two options. We can change the required option to ensure schedule supportability; this option will update the patch orchestration from existing options to customer managed schedules. Continue with supported machines only will only include machines that already have patch orchestration set to customer managed schedules. We'll leave it set to default and save. We got a few errors that popped up, and that's expected, because within that group were Windows 10 and 11 clients; those are the ones that errored, and that's fine for this example. Let's go next to Machines. We could add individual resources; let's skip that and go to Updates. Here we can add or remove update classifications for Windows and Linux. Let's leave it set to critical and security updates. You may want to add updates and create a daily recurring schedule for definition updates; as I said at the beginning, each organization has different requirements for patching. We could also include or exclude specific KBs by package ID. We'll go next to Tags; add tags as needed. We'll go to Review and create, and once validation passes, click Create.

Once that finishes we still have one more step: we need to attach the maintenance configuration to any servers we want to update. We can do that one at a time, but that would require manual action each time a new VM is added. Instead, let's use policies to automatically attach the maintenance configuration to servers. To do that we need to go to the maintenance configuration we just created. We'll open it, go to Properties, and from Properties find the ID. We need to copy that ID; save that, we'll need it for an upcoming step. Let's go back to Update Manager and Get Started, and from Get Started we'll go to Assign policy. Here are all of our Azure Update Manager policies. Select "Schedule recurring updates using Azure Update Manager". We'll assign this policy. Select your scope; that can be a subscription, management group, or even a resource group in a subscription. If you have multiple subscriptions, apply this to the parent management group or run through these steps for each subscription. Next, let's go to Parameters; add the maintenance configuration ID we just copied. Next, go to Remediation; make sure that system-assigned managed identity is selected and check the "Create remediation task" box. That will apply this policy to existing VMs as well as new VMs. We'll go to Review and create, and Create. It'll take some time for this policy to take effect on existing VMs. Once the policy's applied, the VMs will get updated during the next schedule run. If you want updates to run sooner than the scheduled recurrence, you may need to update that schedule. You may also want to change the time updates run once in production.

Next, let's update our schedule. Go to Maintenance configuration, select the maintenance schedule we created earlier, go to Schedule, and we can modify the schedule. I want to change the time from 7:00 p.m. to 11 p.m., and again, based on my testing, the first time the schedule will run is 11 p.m. on the first day of the month. This is the schedule I'm using to trigger an update before the next Patch Tuesday. We'll pause here to give the policies time to apply and the updates time to run.

Some time has passed and we have results now. Let's review the updates. We'll start with update status by machine. The overview shows the number of computers and status: we have some pending updates, some pending reboots, some machines without any pending updates (those have the updates applied), and then some with no update data. Also notice the VMs that are part of Azure Update Manager have switched to customer managed schedule. Let's look at the update installation status. I'm recording this during a maintenance window, so we have some completed, failed and in progress status. Let's go to History; this gives us the history of the actions on the VMs. Let's go to Machines, and something I want to point out: I'm forcing a lot of the scanning and updates by adjusting schedules. I don't want to wait until Patch Tuesday to record the ending of this video. What we see here is out of date; updates ran, but the assessment hasn't taken place yet. That takes place every 24 hours. If you want to see the results of an assessment right away, you can select one or more and then Check for updates; that will initiate a one-time assessment on that computer. We can also select one of these VMs, and that takes us to the update page for that VM. From here we can verify the assessment is enabled; we used a policy to set that up. We can verify that patch orchestration is set to customer managed schedules; that's also configured with the Azure policy. We can go to History; we get the details of the past and current operations. We have an assessment in progress on this that we initiated. And if we go to Scheduling, we can view the maintenance configuration applied to this VM.

That is how to configure Azure Update Manager for Azure VMs with Azure policies. I hope that helps you better understand how to use Azure Update Manager. Please don't forget to like and subscribe, and thanks for watching.
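The portal walkthrough above as an added Azure CLI script; this is my example, not code from the video or from Microsoft. It creates the monthly maintenance configuration (second Tuesday plus a 3-day offset, 2-hour window, reboot if required, Critical and Security only), then assigns the two built-in policies at subscription scope with a system-assigned identity and a remediation task each. The `az maintenance` flags, the policy display names and the parameter names (`assessmentMode`, `osType`, `maintenanceConfigurationResourceId`) are my reading of the CLI and the built-in definitions and should be checked with `--help`; the subscription ID, names, region and time zone are placeholders.

```shell
# Added example (not from the video): the portal steps above driven by Azure CLI.
set -euo pipefail
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RG="${RG:-rg-maintenance}"                   # resource group for the maintenance configuration
CONFIG_NAME="${CONFIG_NAME:-maintenance-window-3day}"
LOCATION="${LOCATION:-eastus}"               # region of the configuration and the policy identity

# Parameters for the built-in policy "Configure periodic checking for missing system
# updates on azure virtual machines" (parameter names as I read the definition).
assessment_params() {
  printf '{"assessmentMode":{"value":"AutomaticByPlatform"},"osType":{"value":"%s"}}' "$1"
}
# Parameters for "Schedule recurring updates using Azure Update Manager".
schedule_params() {
  printf '{"maintenanceConfigurationResourceId":{"value":"%s"}}' "$1"
}
# The schedule policy wants the maintenance configuration's own resource ID, not a VM or
# resource group ID; reject anything else before it reaches the assignment.
is_maintenance_config_id() {
  local rest="${1#/subscriptions/*/resourceGroups/*/providers/Microsoft.Maintenance/maintenanceConfigurations/}"
  [ "$rest" != "$1" ] && [ -n "$rest" ] && [ "${rest#*/}" = "$rest" ]
}

# Assign a built-in policy at subscription scope with a system-assigned identity, then start
# a remediation task so existing VMs are covered as well as newly created ones.
assign_with_remediation() {  # $1 policy display name, $2 assignment name, $3 params JSON
  local def
  def=$(az policy definition list --query "[?displayName=='$1'].id" -o tsv)
  az policy assignment create --name "$2" --policy "$def" --params "$3" -o none \
    --scope "/subscriptions/$SUBSCRIPTION_ID" --mi-system-assigned --location "$LOCATION"
  az policy remediation create --name "$2-remediation" --policy-assignment "$2" -o none
}

main() {
  # Monthly window: 3 p.m. today as the start, 3 days after the second Tuesday, 2 hours, reboot if
  # required, Critical + Security; InGuestPatchMode=User moves VMs to customer managed schedules.
  az maintenance configuration create --resource-group "$RG" --resource-name "$CONFIG_NAME" \
    --location "$LOCATION" --maintenance-scope InGuestPatch -o none \
    --maintenance-window-start-date-time "$(date +%Y-%m-%d) 15:00" --maintenance-window-time-zone "Eastern Standard Time" \
    --maintenance-window-duration "02:00" --maintenance-window-recur-every "Month Second Tuesday Offset3" \
    --reboot-setting IfRequired --extension-properties InGuestPatchMode=User \
    --install-patches-windows-parameters classifications-to-include="Critical,Security"
  local cfg_id; cfg_id=$(az maintenance configuration show -g "$RG" --resource-name "$CONFIG_NAME" --query id -o tsv)
  is_maintenance_config_id "$cfg_id" || { echo "unexpected ID: $cfg_id" >&2; exit 1; }
  assign_with_remediation "Configure periodic checking for missing system updates on azure virtual machines" \
    "aum-assess-windows" "$(assessment_params Windows)"
  assign_with_remediation "Schedule recurring updates using Azure Update Manager" \
    "aum-schedule-$CONFIG_NAME" "$(schedule_params "$cfg_id")"
}
if [ "${RUN_AZURE:-0}" = "1" ]; then main "$@"; fi  # nothing is sent to Azure unless you opt in
```

Run it with `RUN_AZURE=1` after `az login`; the dynamic scope and the Linux assessment policy from the video are not included and would be a second assignment with `osType` set to Linux.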
Info
Channel: Travis Roberts
Views: 5,811
Keywords: Windows, Server, Linux, Updates, Azure Update Manager, Azure Policies, Azure, Policies, IT, update schedule, maintenance configuration, free, tutorial, Microsoft, walkthrough, training, Azure training, AZ-
Id: Da1EsoAzUoY
Length: 17min 9sec (1029 seconds)
Published: Sun Oct 08 2023