Updated – 21/09/2023 – Microsoft announced that Azure Update Manager, previously known as Update Management Center, is now generally available (GA).
Updated – 12/09/2023 – Azure Update Management Center v2 (preview) was renamed to Azure Update Manager (preview) before it reached general availability (GA).
Virtual machines (VMs), whether deployed in the cloud or on-premises, and physical machines are compute instances that run on demand. You can use them just like servers, deploying operating systems and applications or containerized workloads. Keeping the operating system of these machines patched is one of the core elements of a zero-day vulnerability response and of the overall security strategy.
In this article, we will show you how to centrally manage and update your virtual machines using the new Azure Update Manager.
As you probably know, when we start provisioning resources in any public cloud provider or on-premises, we need to always think about the types of resources we have and the shared responsibility model.
For infrastructure as a service (IaaS) virtual machines, we are responsible for things like the OS, its runtime, the middleware, the application, and the data. For the OS, this includes securing and hardening it, but also, obviously, patching it. And that’s a huge part of it.
You probably already have a patching solution on-premises, such as System Center Configuration Manager (SCCM). If that is working for you today, you could bring it to the cloud and keep using your existing investments. You could also use the cloud-native technology in Azure called “Update Management” to patch Azure and non-Azure VMs. You can read more about this solution here.
In the existing Azure Automation Update Management solution, onboarding was a multistep procedure, access control with multiple actors was not possible and limitations on scale existed.
Microsoft took update management for servers and virtual machines to a whole new level by announcing a new patch management solution called Azure Update Manager, and that’s what we want to focus on in this article.
Azure Update Manager, known as the v2 version of Automation Update Management and the future of update management in Azure, has been completely redesigned and no longer depends on Azure Automation or a Log Analytics workspace, as the Azure Automation Update Management feature did.
Azure Update Manager Overview
You can use Azure Update Manager, previously known as Update Management Center, to centrally manage operating system updates, update configuration settings, and manage the process of installing required updates for your Windows and Linux virtual machines (VMs) in Azure, physical machines or VMs in on-premises environments, and machines in other cloud environments as well.
You can quickly assess the status of available updates and manage the process of installing required updates for your machines, which report their status to Update Management Center.
Azure Update Manager offers the same functionality as the original version available with Azure Automation today, without the dependency on Azure Automation and Azure Monitor Logs, and it is designed to:
- Take advantage of newer technology in Azure.
- Deliver a native update capability.
- Require no onboarding steps.
- Provide granular role-based access control.
The following diagram illustrates how the new Azure Update Manager assesses and applies updates to all Azure machines and non-Azure machines (Arc-enabled servers) for both Windows and Linux operating systems.
To follow this article, you need to have the following:
1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
2) One or more Azure virtual machines, or physical or virtual machines managed by Azure Arc-enabled servers. Please check the table of supported operating systems for update assessment and patching. Microsoft is working to support all Azure-endorsed Linux distros and OSes, including custom images (Shared Image Gallery images). Stay tuned!
3) Azure Windows/Linux VM agent – Update Management Center supports Azure VMs created from Azure Marketplace images, which already include the virtual machine agent. If you created Azure VMs from custom VM images rather than Azure Marketplace images, you need to manually install and enable the Azure virtual machine agent as described here: Azure Windows VM agent and Linux VM agent.
4) Since Update Management Center is in preview at the time of this writing, you need to enable the periodic assessment feature and scheduled patching (orchestration) for your subscription using the Azure portal, PowerShell, CLI, or the REST API, as described by Microsoft:
- Sign in to the Azure portal, search for Preview features, and select it from the available options.
- Choose the Azure subscription where you want to register Update Management Center.
- In the Preview features page, search for InGuestAutoAssessmentVMPreview.
- Select Virtual Machine Guest Automatic Patch Assessment Preview from the list.
- In the Virtual Machine Guest Automatic Patch Assessment Preview pane, select Register to register the Compute provider with your subscription.
5) Update Management Center (preview) is available in all Azure public regions where virtual machines are available. For Azure Arc-enabled servers, however, only the following regions are supported. See the current list of all supported regions for Azure Arc-enabled servers (more regions will be added soon).
- Australia East
- Central US
- East US
- East US 2
- North Central US
- South Central US
- West Central US
- West US
- West US 2
- West US 3
- North Europe
- West Europe
- France Central
- East Asia
- South East Asia
- South Africa North
- UK South
- Switzerland North
- Japan East
- Korea Central
- UK West
Once you have verified that all the prerequisites are in place, take the following steps.
Enable Azure Update Manager
Once you have deployed your Azure VMs, or your non-Azure VMs using Azure Arc, you can find the Update Management solution in the “Updates” option of the VM blade, as shown in the following figure. From there you can switch to the new Azure Update Manager experience, previously known as Update Management Center.
Alternatively, you can manage VM updates at scale with the new Update Management Center experience by using the search bar in the Azure portal, as shown in the figure below.
The Overview page for Update Management Center enables you to view the patching compliance and status for all your Azure and Non-Azure machines as shown in the figure below.
You can use the filters at the top to drill down to a specific set of machines, view a breakdown of machines and their status based on multiple categories, and identify the non-compliant machines so you can quickly take corrective action. The “No updates data” status in yellow tells you the count of machines that have not been assessed in the past 7 days or do not have periodic assessment set up yet.
How to enable periodic assessment in Update Management Center?
Azure Policy provides the following built-in definitions related to Update Management Center, which you can assign to enable periodic assessment at scale:
- Configure periodic checking for missing system updates on Azure virtual machines.
- Schedule recurring updates using Update Management Center.
- Machines should be configured to periodically check for missing system updates.
- Configure periodic checking for missing system updates on Azure Arc-enabled servers.
To assign the policy to all Azure machines, select [Preview]: Configure periodic checking for missing system updates on Azure virtual machines and click on the policy to open it.
For Arc-enabled servers, select [Preview]: Configure periodic checking for missing system updates on Azure Arc-enabled servers.
Based on your deployment of Azure and Non-Azure machines, you need to assign the policy on the desired scope (Management group, Subscription, or optionally Resource Group).
Next, on the Parameters tab, uncheck “Only show parameters that need input or review” so that you can see the values of all parameters, as shown in the figure below. In Assessment mode, select AutomaticByPlatform, select the Operating system type, and click on Next. You need to create a separate policy assignment for Windows and for Linux.
On the Remediation tab, check “Create a remediation task”, so that periodic assessment is enabled on your machines, and click on Next. Please note that by default, this assignment will only take effect on newly created virtual machines. Existing VMs can be updated via a remediation task after the policy is assigned.
On the Non-compliance message tab, provide the message that you would like to see in case of non-compliance. For example: “Your machine does not have periodic assessment enabled.” Click on Review+Create.
On the Review+Create tab, click on Create. This will trigger Assignment and Remediation Task creation which can take a minute or so.
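The same assignment and remediation task can be scripted with the Azure CLI. This is an added example, not code from the original post; it assumes the policy parameter names assessmentMode and osType, the roles named in the comments, subscription-scope placeholders, and it only prints the commands when DRY_RUN=1.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): assign the built-in periodic
# assessment policy with the Azure CLI and create its remediation task.
set -eu
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each az command instead of running it

run() {   # execute an az command, or echo it when DRY_RUN=1
  if [ "$DRY_RUN" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Resolve the definition name from the display name shown in the portal
# (matched by suffix, so the "[Preview]: " prefix does not matter).
lookup_policy_name() {   # $1 = vm | arc
  local display
  case "$1" in
    vm)  display="Configure periodic checking for missing system updates on Azure virtual machines" ;;
    arc) display="Configure periodic checking for missing system updates on Azure Arc-enabled servers" ;;
    *)   echo "unknown target: $1" >&2; return 1 ;;
  esac
  if [ "$DRY_RUN" = "1" ]; then echo "<definition-name>"; return 0; fi
  az policy definition list --query "[?ends_with(displayName, '$display')].name | [0]" -o tsv
}

# Assignment parameters. The names assessmentMode and osType are assumed from
# the portal labels; confirm with: az policy definition show --name <name> --query parameters
policy_params() {   # $1 = Windows | Linux
  case "$1" in
    Windows|Linux) printf '{"assessmentMode":{"value":"AutomaticByPlatform"},"osType":{"value":"%s"}}' "$1" ;;
    *) echo "unsupported OS type: $1" >&2; return 1 ;;
  esac
}

# One assignment per OS type, as the portal steps require. The policy modifies
# machine properties, so the assignment gets a system-assigned identity with a
# role on the scope (assumed roles below); the remediation task then applies
# the setting to machines that already exist (subscription scope assumed).
assign_periodic_assessment() {   # $1 vm|arc  $2 Windows|Linux  $3 scope  $4 location
  local target="$1" os="$2" scope="$3" location="$4" def name role
  def="$(lookup_policy_name "$target")"
  name="periodic-assessment-$target-$(echo "$os" | tr '[:upper:]' '[:lower:]')"
  case "$target" in
    vm) role="Virtual Machine Contributor" ;;
    *)  role="Azure Connected Machine Resource Administrator" ;;
  esac
  run policy assignment create --name "$name" --scope "$scope" --policy "$def" \
    --params "$(policy_params "$os")" --mi-system-assigned --location "$location" \
    --role "$role" --identity-scope "$scope"
  run policy remediation create --name "$name-remediation" --policy-assignment "$name"
}
```

After sourcing the script, call for example `assign_periodic_assessment vm Windows /subscriptions/<subscription-id> eastus` once per OS type; with `DRY_RUN=1` the commands are only printed for review.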
You can monitor the compliance of resources under Compliance and remediation status under Remediation from the Policy home page.
Microsoft Defender for Cloud will also show the recommendation: System updates should be installed on your machines (powered by Update Center) under Apply system updates security control.
If you use the Update settings option to add selected machines, select the update settings that you want to change for your machines and click Next.
Periodic assessment – enable periodic assessments to run every 24 hours. As noted in the prerequisites section, you must register for the periodic assessment in your Azure subscription to enable this feature.
Hot patching – for Azure VMs, you can enable hot patching on supported Windows Server Azure Edition virtual machines (VMs); hotpatches are installed without requiring a reboot.
Patch orchestration – provides the following options: Automatic by the operating system, Azure-orchestrated (Preview), Manual updates, or Image Default (only supported for Linux virtual machines). For Azure machines, patch orchestration should be set to Azure-orchestrated. For Azure Arc-enabled machines, this isn’t a requirement.
Please note that if you set the patch orchestration mode to Azure-orchestrated (Preview) but don’t attach a maintenance configuration to an Azure machine, the machine is treated as having automatic VM guest patching enabled, and the Azure platform will automatically install updates according to its own schedule.
In the Machines tab, add and select the checkbox for your machine(s) and select Next to continue. Note that you can add up to 20 machines at once.
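The preview-feature registration described in the prerequisites and the per-machine update settings above can also be applied with the Azure CLI. This is an added example, not code from the original post; it assumes the patchSettings property paths of the Azure VM resource model and placeholder resource names, and it only prints the commands when DRY_RUN=1.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): register the periodic-assessment
# preview feature and set per-VM update settings with the Azure CLI.
set -eu
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each az command instead of running it

run() {   # execute an az command, or echo it when DRY_RUN=1
  if [ "$DRY_RUN" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Register InGuestAutoAssessmentVMPreview on the Microsoft.Compute provider
# (the portal steps in the prerequisites), then re-register the provider.
register_assessment_preview() {
  run feature register --namespace Microsoft.Compute --name InGuestAutoAssessmentVMPreview
  if [ "$DRY_RUN" != "1" ]; then
    # registration is asynchronous; poll until the feature reports Registered
    until [ "$(az feature show --namespace Microsoft.Compute \
        --name InGuestAutoAssessmentVMPreview --query properties.state -o tsv)" \
        = "Registered" ]; do sleep 30; done
  fi
  run provider register --namespace Microsoft.Compute
}

# Map the OS type to the patchSettings path in the Azure VM resource model
# (assumed property paths; placeholder names are used for the VM itself).
patch_settings_path() {
  case "$1" in
    Windows) echo "osProfile.windowsConfiguration.patchSettings" ;;
    Linux)   echo "osProfile.linuxConfiguration.patchSettings" ;;
    *) echo "unsupported OS type: $1" >&2; return 1 ;;
  esac
}

# Periodic assessment (every 24 hours) plus Azure-orchestrated patching on one
# VM. Args: <resource-group> <vm-name> <Windows|Linux>.
set_update_settings() {
  local rg="$1" vm="$2" path
  path="$(patch_settings_path "$3")"
  run vm update --resource-group "$rg" --name "$vm" \
    --set "$path.assessmentMode=AutomaticByPlatform" "$path.patchMode=AutomaticByPlatform"
}

# Read the settings back to verify the change (also useful for audit evidence).
show_update_settings() {
  local path
  path="$(patch_settings_path "$3")"
  run vm show --resource-group "$1" --name "$2" --query "$path" -o json
}
```

After sourcing the script, run `register_assessment_preview` once per subscription and then `set_update_settings my-rg my-vm Linux` for each machine; with `DRY_RUN=1` the commands are only printed.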
Once you enable periodic assessment, the automatic assessment will run every 24 hours and provide the latest OS update status for your machine(s).
The Machines page shows the list of all VMs under a given subscription. You can access the features of the Update management center from the menu on the top as shown in the figure below.
“Check for updates” lets you assess updates on demand, while “One-time update” lets you install patches on demand. The “Scheduled updates” and “Update settings” options let you enable customized patching schedules. “Browse maintenance configurations” lets you manage platform updates that don’t require a reboot using maintenance control, which lets you decide when updates are applied to your machine(s).
The History page lets you see the update history and the status of the last update runs (time frame: last 24 hours up to 30 days).
The update management center offers an easy-to-use single pane for all operating systems and application patching scenarios for a single VM or VMs at scale.
Azure Update Manager Benefits
The new update management center solution offers many new features and provides enhanced functionality over the original Azure Automation Update Management version and some of those benefits are listed below:
Central visibility for updates —
- Oversee update compliance for the entire fleet of Windows and Linux machines including Azure machines and Azure Arc-enabled servers on a single dashboard.
- You can view the compliance status for each machine, easily deploy updates and track results.
Native experience with zero onboarding —
- Built as native functionality on Azure Compute and Azure Arc for Servers platform for ease of use.
- No dependency on Log Analytics and Azure Automation.
- Azure policy support.
- Scale to the limits of ARM and resource RP.
- Global availability in all Azure Compute and Azure Arc regions.
Works with Azure roles and identity —
- Granular access control at per resource level instead of access control at Automation account and Log Analytics workspace level.
- Update Management Center now uses Azure Resource Manager-based operations, so it supports Azure RBAC and ARM-based roles.
Enhanced flexibility —
- You can install updates right away or schedule them for a later date.
- Check updates automatically or on demand.
- Secure machines with new ways of patching such as Automatic VM guest patching in Azure, Hotpatch, or custom maintenance schedules.
- Use periodic assessment and scheduled patching at scale with Azure Policy.
- Sync patch cycles with Patch Tuesday, the unofficial term for Microsoft’s scheduled security fix release on the second Tuesday of every month.
Azure Update Manager Pricing
As mentioned earlier, Azure Update Manager is the successor to Azure Automation (AA) Update Management solution. While the Azure Automation-based model works great, it’s time to get serious about the Microsoft Monitoring Agent (MMA) to Azure Monitor Agent (AMA) migration path and that includes moving from AA-based update management to the new Azure Update Manager.
The reason is that the AA-based update model requires the MMA, while the new Azure Update Manager solution does not require either the MMA or the AMA. But there is also a financial impact for customers.
Microsoft has published an extensive and good FAQ from the Azure Update Manager team which you could find at this URL (Azure Update Manager frequently asked questions).
Among the answers is this: “Azure Update Manager is free for machines hosted on Azure or Azure Stack HCI. For Arc-enabled servers, it’s chargeable up to $5/server/month”. Since the old Azure Automation Update Management was free for all servers, including Azure Arc, this represents a significant cost increase for customers with large server populations outside of Azure.
There are two important things that you should know about this cost increase:
1) If you have been using Automation Update Management for free on Arc machines, you can use Azure Update Manager for free for one year (ending on September 18, 2024) on all subscriptions that were using Automation Update Management on Arc-enabled machines for free. After this period, Arc machines will be charged.
2) If you have purchased Microsoft Defender for Servers Plan 2, then you won’t have to pay to remediate the recommendations (Periodic assessment should be enabled on your machines and System updates should be installed on your machines using Azure Update Manager).
To summarize, if you own an Azure Arc-enabled server and use Defender for Cloud workload protection, it is recommended that you also use Defender for Servers P2 (DfS). If you follow this best practice, migrating to the new model will not have any cost implications. However, if you are not a DfS customer and rely on the free Azure Automation-based update solution, you have one year to budget for additional expenses. You can either add Defender for Servers P2 protection or opt for another update management solution for your servers.
In this article, we showed you how to get started with Azure Update Management Center to patch all your Azure and non-Azure machines.
Update Management Center is a new service from Azure which provides easy, out-of-the-box, native guest OS update control across your fleet of virtual machines (VMs) in Azure, physical machines or VMs in on-premises environments, and machines in other cloud environments, for both Windows and Linux operating systems.
The update management center is not dependent on other services like Azure Automation and Log Analytics as we used to have with the Azure Update Management service. In addition to zero onboarding steps, and no dependency on Azure Automation and Log Analytics agents, you also get new capabilities such as flexible scheduling options and on-demand assessments that help you manage a patch workflow that is best suited for your needs.
At the time of this writing, Update Management Center is offered at no additional cost during the public preview. A pricing model will be introduced when it becomes generally available. You can expect many enhancements in the upcoming months.
Learn more about the Update management center on the Microsoft official documentation.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.