Virtual machines (VMs), whether they are deployed in the cloud, on-premises, or on physical hardware, are compute instances that can run on demand. You can use them just like servers, deploying operating systems and applications, or containerized workloads. Keeping the operating system of those machines updated is one of the core elements of mitigating zero-day vulnerabilities and of the overall security strategy.
In this article, we will show you how to centrally manage and update your virtual machines using the new Azure Update Management Center (UMC).
As you probably know, when we start provisioning resources in any public cloud provider or on-premises, we need to always think about the types of resources we have and the shared responsibility model.
For infrastructure as a service (IaaS) virtual machines, we are responsible for things like the OS, its runtime, the middleware, the application, and the data. When we think about the OS, this includes securing and hardening it, but also, obviously, patching it. And that’s a huge part of it.
You probably already have a patching solution on-premises like System Center Configuration Manager (SCCM); you could bring that to the cloud if it’s working for you today and keep using your existing investments. You could also use the cloud-native Azure technology called “Update Management” to patch Azure and non-Azure VMs; you can read more about this solution here.
In the existing Azure Automation Update Management solution, onboarding was a multistep procedure, access control with multiple actors was not possible, and there were limitations on scale.
Microsoft took update management for servers and virtual machines to a whole new level by announcing a new patch management solution, the update management center (in public preview), and that’s what we want to focus on in this article.
The update management center (UMC) has been completely redesigned and doesn’t depend anymore on Azure Automation and Log Analytics Workspace, as required by the Azure Automation Update Management feature.
Update Management Center Overview
You can use the update management center (UMC) in Azure to centrally manage operating system updates, update configuration settings, and manage the process of installing required updates for your Windows and Linux virtual machines (VMs) in Azure, for physical machines or VMs in on-premises environments, and in other cloud environments as well.
You can quickly assess the status of available updates and manage the process of installing required updates for the machines that report to the update management center.
Update management center (UMC) offers the same functionality as the original version available with Azure Automation today, without the dependency on Azure Automation and Azure Monitor Logs, and it is designed to:
- Take advantage of newer technology in Azure.
- Deliver a native update capability.
- Require no onboarding steps.
- Provide granular role-based access control.
The following diagram illustrates how the new update management center assesses and applies updates to all Azure machines and non-Azure machines (Arc-enabled servers) for both Windows and Linux operating systems.
To follow this article, you need to have the following:
1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
3) One or more Azure virtual machines, or physical or virtual machines managed by Arc-enabled servers. Please check the supported operating systems list for update assessments and patching. Microsoft is working to support all Azure-endorsed Linux distros and OSes, including custom images (Shared Image Gallery images). Stay tuned!
4) Azure Windows/Linux VM agent – Update management center supports Azure VMs created using Azure Marketplace images, where the virtual machine agent is already included in the Azure Marketplace image. If you have created Azure VMs using custom VM images and not an image from the Azure Marketplace, then you need to manually install and enable the Azure virtual machine agent as described here: Azure Windows VM agent and Linux VM agent.
5) Since Update Management Center is in preview at the time of this writing, you need to enable the periodic assessment feature and scheduled patching (orchestration) for your subscription using the Azure portal, PowerShell, CLI, or the REST API, as described by Microsoft.
- Sign in to the Azure portal, search for Preview features and select it from the available options.
- Choose your desired Azure subscription where you want to register the Update Management Center.
- In the Preview features page, search for InGuestAutoAssessmentVMPreview.
- Select Virtual Machine Guest Automatic Patch Assessment Preview from the list.
- In the Virtual Machine Guest Automatic Patch Assessment Preview pane, select Register to register the Compute provider with your subscription.
6) Update management center (preview) is available in all Azure public regions where virtual machines are available. However, for Azure Arc-enabled servers, only the following regions are supported. More regions will be added soon.
- Australia East
- East US
- South Central-US
- West Central-US
- West US 2
- North Europe
- West Europe
- South East Asia
- UK South
Once you have verified that you have all the prerequisites in place, take the following steps.
Enable Update Management Center
Once you deploy your Azure VMs or non-Azure VMs using Azure Arc, you can find the Update Management solution in the “Updates” option of your VM blade, as shown in the following figure, and from there switch to the new Update Management Center experience.
Alternatively, you can manage VM updates at scale with the new Update management center experience by using the search bar in the Azure portal, as shown in the figure below.
The Overview page for Update Management Center enables you to view the patching compliance and status for all your Azure and Non-Azure machines as shown in the figure below.
You can use the filters on top to drill down to a specific set of machines, view a breakdown of machines and their status based on multiple categories, and identify the machines that are non-compliant to quickly take corrective action. The “No updates data” status in yellow tells you the count of machines that have not been assessed in the past 7 days or do not have the periodic assessment setup yet.
How to enable periodic assessment in Update Management Center?
Azure Policy provides the following built-in policy definitions for periodic assessment and scheduled patching; assigning them is the easiest way to enable periodic assessment at scale:
- Configure periodic checking for missing system updates on azure virtual machines.
- Schedule recurring updates using Update Management Center.
- Machines should be configured to periodically check for missing system updates.
- Configure periodic checking for missing system updates on Azure Arc-enabled servers.
For assigning the policy to all Azure machines, select [Preview]: Configure periodic checking for missing system updates on azure virtual machines and click on the Policy.
For Arc-enabled servers, select [Preview]: Configure periodic checking for missing system updates on azure Arc-enabled servers.
Based on your deployment of Azure and Non-Azure machines, you need to assign the policy on the desired scope (Management group, Subscription, or optionally Resource Group).
Next, on the Parameters tab, uncheck Only show parameters that need input or review so that you can see the values of parameters as shown in the figure below. In Assessment mode, select AutomaticByPlatform, select Operating system type, and click on next. You need to create a separate policy for Windows and Linux.
On the Remediation tab, check “Create a remediation task”, so that periodic assessment is enabled on your machines, and click on Next. Please note that by default, this assignment will only take effect on newly created virtual machines. Existing VMs can be updated via a remediation task after the policy is assigned.
On the Non-compliance message tab, provide the message that you would like to see in case of non-compliance. For example: “Your machine does not have periodic assessment enabled.” Click on Review+Create.
On the Review+Create tab, click on Create. This will trigger Assignment and Remediation Task creation which can take a minute or so.
You can monitor the compliance of resources under Compliance and remediation status under Remediation from the Policy home page.
Microsoft Defender for Cloud will also show the recommendation “System updates should be installed on your machines (powered by Update Center)” under the “Apply system updates” security control.
If you opt for the Update settings option to add selected machines, then you need to select the update settings that you want to change for your machine and select Next.
Periodic assessment – enable periodic assessments to run every 24 hours. As noted in the prerequisites section, you must register for the periodic assessment in your Azure subscription to enable this feature.
Hot patching – for Azure VMs, you can enable hot patching on supported Windows Server Azure Edition virtual machines (VMs), so that patches don’t require a reboot after installation.
Patch orchestration – provides the following options: Automatic by the operating system, Azure-orchestrated (Preview), Manual updates, or Image Default (Only supported for Linux Virtual Machines). Patch orchestration of the Azure machines should be set to Azure Orchestrated. For Azure Arc-enabled machines, it isn’t a requirement.
Please note that if you set the patch orchestration mode to Azure orchestrated (Preview) but don’t attach a maintenance configuration to an Azure machine, it is treated as a machine with automatic VM guest patching enabled, and the Azure platform will automatically install updates on its own schedule.
In the Machines tab, add and select the checkbox for your machine(s) and select Next to continue. Note that you can add up to 20 machines at once.
Once you enable periodic assessment, the automatic assessment will run every 24 hours and provide the latest OS update status for your machine(s).
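The preview registration from the prerequisites and the “Update settings” pane above both write the same Azure Resource Manager properties on the VM. The following Azure CLI script is an added example (not from the article or from Microsoft) that registers the `InGuestAutoAssessmentVMPreview` feature and then sets periodic assessment and Azure-orchestrated patching on one VM; it assumes a logged-in Azure CLI, and the resource group and VM names are placeholders.

```shell
#!/usr/bin/env bash
# Added example: enable the UMC periodic-assessment preview and set a VM's
# patch settings through the ARM properties the portal writes.
# Assumes: Azure CLI installed and logged in; RG/VM names below are placeholders.
set -eu

# The VM's patchSettings live under a per-OS branch of osProfile.
patch_settings_path() {
  case "$1" in
    windows) echo "osProfile.windowsConfiguration.patchSettings" ;;
    linux)   echo "osProfile.linuxConfiguration.patchSettings" ;;
    *) echo "unsupported OS type: $1" >&2; return 1 ;;
  esac
}

# Patch orchestration values differ per OS: ImageDefault is Linux-only,
# Manual and AutomaticByOS are Windows-only, and AutomaticByPlatform is
# the "Azure-orchestrated" mode that UMC scheduling expects on Azure VMs.
valid_patch_mode() {   # args: <windows|linux> <mode>
  case "$1:$2" in
    windows:AutomaticByPlatform|windows:AutomaticByOS|windows:Manual) return 0 ;;
    linux:AutomaticByPlatform|linux:ImageDefault) return 0 ;;
    *) return 1 ;;
  esac
}

# Subscription-level preview registration (the portal's "Preview features" step).
register_periodic_assessment_preview() {
  az feature register --namespace Microsoft.Compute --name InGuestAutoAssessmentVMPreview
  az provider register --namespace Microsoft.Compute
  # Reports "Registered" once the registration has propagated.
  az feature show --namespace Microsoft.Compute --name InGuestAutoAssessmentVMPreview \
    --query properties.state -o tsv
}

# Periodic assessment (every 24 hours) plus Azure-orchestrated patching on one VM.
# Remember to attach a maintenance configuration afterwards (Scheduled updates);
# otherwise the platform installs updates on its own schedule.
enable_umc_settings() {   # args: <resource-group> <vm-name> <windows|linux>
  rg="$1"; vm="$2"; os="$3"
  path="$(patch_settings_path "$os")"
  valid_patch_mode "$os" AutomaticByPlatform
  az vm update -g "$rg" -n "$vm" \
    --set "${path}.assessmentMode=AutomaticByPlatform" \
          "${path}.patchMode=AutomaticByPlatform"
  az vm show -g "$rg" -n "$vm" --query "$path" -o json   # verify stored values
}

if [ "${1:-}" = "run" ]; then
  register_periodic_assessment_preview
  enable_umc_settings "rg-placeholder" "vm-placeholder" windows
fi
```

Run it with the `run` argument after replacing the placeholders; for a Linux VM pass `linux` so the `linuxConfiguration` branch is used.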
The Machines page shows the list of all VMs under a given subscription. You can access the features of the Update management center from the menu on the top as shown in the figure below.
“Check for updates” allows you to assess updates on demand, while “One-time update” allows you to install patches on demand. The “Scheduled updates” and “Update settings” options allow you to enable customized patching schedules. “Browse maintenance configurations” lets you manage platform updates that don’t require a reboot using maintenance control. Maintenance control lets you decide when to apply updates to your machine(s).
The History page allows you to see the update process and the last update run (time frame: last 24 hours up to 30 days).
Update management center offers an easy-to-use single pane for all operating system and application patching scenarios for a single VM or VMs at scale.
Benefits of the Update management center
The new update management center solution offers many new features and provides enhanced functionality over the original Azure Automation Update Management version and some of those benefits are listed below:
Central visibility for updates —
- Oversee update compliance for the entire fleet of Windows and Linux machines including Azure machines and Azure Arc-enabled servers on a single dashboard.
- You can view the compliance status for each individual machine, easily deploy updates, and track results.
Native experience with zero onboarding —
- Built as native functionality on Azure Compute and Azure Arc for Servers platform for ease of use.
- No dependency on Log Analytics and Azure Automation.
- Azure policy support.
- Scale to the limits of ARM and resource RP.
- Global availability in all Azure Compute and Azure Arc regions.
Works with Azure roles and identity —
- Granular access control at per resource level instead of access control at Automation account and Log Analytics workspace level.
- Update management center now uses Azure Resource Manager-based operations, which allows RBAC and roles based on ARM in Azure.
Enhanced flexibility —
- You can install updates right away or schedule them for a later date.
- Check updates automatically or on demand.
- Secure machines with new ways of patching such as Automatic VM guest patching in Azure, Hotpatch, or custom maintenance schedules.
- Use periodic assessment and scheduled patching at scale with Azure Policy.
- Sync patch cycles in relation to Patch Tuesday—the unofficial term for Microsoft’s scheduled security fix release every second Tuesday of the month.
In this article, we showed you how to get started with Azure Update Management Center to patch all your systems in Azure and Non-Azure machines.
Update management center is a new service from Azure which provides easy, out-of-the-box, native guest OS update control across your fleet of virtual machines (VMs) in Azure, physical machines or VMs in on-premises environments, and in other cloud environments, for both Windows and Linux operating systems.
The update management center is not dependent on other services like Azure Automation and Log Analytics as we used to have with the Azure Update Management service. In addition to zero onboarding steps, and no dependency on Azure Automation and Log Analytics agents, you also get new capabilities such as flexible scheduling options and on-demand assessments that help you manage a patch workflow that is best suited for your needs.
At the time of this writing, the Update management center is offered at no additional cost during the public preview. A pricing model will be introduced when it becomes generally available. Expect many enhancements in the upcoming months.
Learn more about the Update management center on the Microsoft official documentation.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.