Keeping up with all of the patches an organization needs already takes careful and quick planning. Running OSes both in the cloud and on premises adds another challenge.
Microsoft created Azure Update Management to centralize and automate Windows and Linux patching wherever the systems are located. The service promises to simplify the process, but IT administrators must decide whether the tool fits their organization’s needs and understand how to integrate it with their existing systems.
How to use Azure Update Management
Administrators enable Azure Update Management through Azure Automation or Windows Admin Center, where they can review and schedule the available updates with the help of Azure Log Analytics. The service relies on several components to deploy updates: the Microsoft Monitoring Agent, PowerShell and the Automation Hybrid Runbook Worker for Windows and Linux.
Azure Update Management tracks each system’s status with multiple scans throughout the day, which Azure Log Analytics processes. When a new update is available, each OS retrieves it from its own source, such as Windows Server Update Services (WSUS) for Windows or a local repository for Linux systems.
The service detects that a system needs a new update by comparing the logged scan results for that system. Once administrators schedule a deployment, Azure Automation builds a master runbook that checks each system and confirms it actually needs the update.
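The scan results described above land in the Update table of the Log Analytics workspace, which is also the place to verify compliance independently of the deployment schedule. The following is an added example, not code from the article or from Microsoft: it queries the workspace from PowerShell for machines that still report a needed security or critical update. It assumes the Az.Accounts and Az.OperationalInsights modules are installed, that the caller has read access to the workspace, and that the workspace ID is a placeholder to be replaced.

```powershell
# Added example (not from the article): list machines whose latest scan still
# reports a needed security or critical update, straight from the Update table
# that the agents' scans write to Azure Log Analytics.
# Assumptions: Az.Accounts and Az.OperationalInsights are installed, the caller
# has Log Analytics Reader on the workspace, and $WorkspaceId is a placeholder.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder workspace ID

Connect-AzAccount | Out-Null

# arg_max() keeps only the newest record per machine and update, so a patch
# installed after an earlier scan no longer counts as missing.
$query = @'
Update
| where TimeGenerated > ago(1d)
| where Classification in ("Security Updates", "Critical Updates")
| summarize arg_max(TimeGenerated, *) by Computer, UpdateID
| where UpdateState == "Needed" and Approved != false
| summarize Missing = count(), Titles = make_set(Title, 5) by Computer, OSType
| order by Missing desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query

# One row per machine with the count of outstanding updates and up to five titles
$result.Results | Format-Table Computer, OSType, Missing, Titles -AutoSize
```

Machines that appear here after a deployment has completed are the ones whose scan logs and deployment results disagree; that difference is what the master runbook's per-system check is meant to resolve, so this query is a useful cross-check on it.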
Confirm system compatibility
Before administrators dive into incorporating Azure Update Management into their tool set, they should confirm that their systems are compatible. Azure Update Management supports many Windows and Linux systems, both on premises and in the cloud, but there are exceptions. Windows Server 2008 R2 SP1 and newer server versions meet the Azure Update Management requirements because they have .NET Framework 4.5.1 or later and Windows PowerShell 4.0 or later. Windows agents connect to WSUS or Microsoft Update. Administrators cannot, however, use Azure Update Management to patch Windows client OSes or Nano Server deployments.
Many Linux distributions can use Azure Update Management, including CentOS 6 x86 and x64 versions, Red Hat Enterprise Linux 6 x86 and x64 versions, and Ubuntu Linux 14.04 LTS. Compatible Linux systems use agents with access to public or private repositories.
How to integrate management tools
Azure Update Management can lighten an administrator’s update workload in combination with other automation and reporting tools.
Security services can block some updates, but PowerShell runbooks linked to an Azure Update Management deployment can stop those services with scripts before the deployment and start them again afterward. Administrators can schedule deployments with System Center Configuration Manager and get a report back from Azure’s update service, or vice versa. This also requires configuring Azure Log Analytics to store and analyze the reports.
Moving from Microsoft’s Operations Management Suite (OMS) to Azure Update Management requires some adjustment: admins must recreate their deployments in Azure. Azure Automation can rebuild the update deployments from the OMS details.
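The pre- and post-deployment scripts mentioned above are ordinary Automation runbooks that receive the deployment's context as a JSON parameter. The following is an added example, not code from the article or from Microsoft: one runbook that is linked twice, as the pre-script with `-Action Stop` and as the post-script with `-Action Start`, and that verifies the service actually reached the expected state rather than assuming it did. It assumes the Automation account has a managed identity with rights to run commands on the target VMs, that the targets are Azure VMs (the run command does not reach on-premises machines), and that the service name `ExampleSecurityAgent` is a placeholder.

```powershell
# Added example (not from the article or Microsoft's docs): a runbook used as both
# the pre-script (-Action Stop) and the post-script (-Action Start) of an Azure
# Update Management deployment. It pauses a placeholder service before patching
# and confirms it is running again afterward.
# Assumptions: the Automation account's managed identity can run commands on the
# target VMs; targets are Azure VMs (Invoke-AzVMRunCommand does not reach
# on-premises machines); $ServiceName is a placeholder.
param(
    # Azure Update Management passes this JSON when the runbook is linked as a pre/post script
    [Parameter(Mandatory = $true)]
    [string]$SoftwareUpdateConfigurationRunContext,

    # 'Stop' when linked as the pre-script, 'Start' when linked as the post-script
    [Parameter(Mandatory = $true)]
    [ValidateSet('Stop', 'Start')]
    [string]$Action,

    # Placeholder name of the service that must be paused for the deployment
    [string]$ServiceName = 'ExampleSecurityAgent'
)

# Authenticate with the Automation account's managed identity
Connect-AzAccount -Identity | Out-Null

$context = $SoftwareUpdateConfigurationRunContext | ConvertFrom-Json
$vmIds   = $context.SoftwareUpdateConfigurationSettings.AzureVirtualMachines
if (-not $vmIds) {
    Write-Output "Run $($context.SoftwareUpdateConfigurationRunId): no Azure VMs in scope, nothing to do."
    return
}

# Script executed inside each VM; it prints the final service state so the runbook can verify it
$guestScript = @'
param([string]$Name, [string]$Action)
$svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
if (-not $svc) { Write-Output 'MISSING'; exit 0 }
if ($Action -eq 'Stop') { Stop-Service -Name $Name -Force } else { Start-Service -Name $Name }
Write-Output (Get-Service -Name $Name).Status
'@
$scriptFile = Join-Path $env:TEMP 'ServiceToggle.ps1'
Set-Content -Path $scriptFile -Value $guestScript

$expected = if ($Action -eq 'Stop') { 'Stopped' } else { 'Running' }
$failures = @()

foreach ($id in $vmIds) {
    # Resource ID layout: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{name}
    $parts  = $id -split '/'
    $rg     = $parts[4]
    $vmName = $parts[8]

    $result = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName `
        -CommandId 'RunPowerShellScript' -ScriptPath $scriptFile `
        -Parameter @{ Name = $ServiceName; Action = $Action }

    # The guest script's stdout is returned under the StdOut component status
    $stdout = $result.Value | Where-Object Code -like 'ComponentStatus/StdOut/*'
    $state  = "$($stdout.Message)".Trim()

    Write-Output "$vmName : $ServiceName is $state"
    if ($state -ne $expected -and $state -ne 'MISSING') { $failures += $vmName }
}

# Throwing marks the runbook job as failed, so a service left stopped after
# patching is visible in the deployment's run history instead of going unnoticed.
if ($failures.Count -gt 0) {
    throw "$ServiceName not $expected on: $($failures -join ', ')"
}
```

For on-premises machines the context carries their names under a separate property, and the same service toggle would have to run from a Hybrid Runbook Worker that can reach them rather than through the Azure run command; the verification step at the end is the part worth keeping in either case.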
Beware of additional fees
The basic functionality of Azure Update Management, such as system checks and update deployments, is free; the advanced features, however, come with a price that increases with the size of the environment.
For example, Microsoft charges organizations for advanced features based on the gigabytes of data ingested and stored in Azure Log Analytics each month, once the free 5 GB of data ingestion and 31 days of storage per month are used up.
Administrators should estimate the cost of the update service and keep track of charges throughout its use to make sure the charges match expectations.