Manage updates with Azure Update Management
Lukas Beran
I have my lab in Azure, where I run about 10 virtual servers with Windows 10 and Windows Server, plus one web server running Ubuntu 18.04. So far I have handled updates manually: I had to log on to every server, check for updates, install them and restart. Azure Update Management can do all of this automatically for me.
In addition, some of my servers are permanently stopped and I only turn them on when I need them. I usually don't install any updates on these servers (including the Windows 10 clients), which means that when I start one and need to do something, it usually begins installing updates.
And the great thing about it is that Azure Update Management itself is free of charge. You only pay for the data stored in the Log Analytics workspace.
Azure Update Management
Azure offers a service called Azure Update Management. This service uses two additional components – Azure Monitor with its Log Analytics workspace to collect information from the servers, including update information, and Azure Automation for orchestration.
Azure Update Management can find and install updates on Windows Server as well as CentOS, RHEL, SUSE and Ubuntu. Windows client is not officially supported, but updates have also installed successfully on my Windows 10 VM 🙂
Connecting servers to Azure Update Management
In any case, an agent must be installed on all systems: either the Log Analytics agent for Linux or the Log Analytics agent for Windows.
Both the Linux and Windows agents install themselves automatically when a VM is connected to the Log Analytics workspace, so it is not usually necessary to install them manually. Just open the workspace, go to Workspace Data Sources: Virtual machines, select a virtual machine and click Connect in the top menu.
Adding servers to Azure Automation
Before we can add servers to Azure Automation and begin to configure update orchestration, we need to create an Azure Automation account. So we create a new resource in Azure of the type Automation.
Now we have everything ready and we can add virtual servers to Azure Update Management. Switch to Update Management and click Add Azure VMs at the top to select the servers you want to add to the management.
Create an update installation plan
Now all we have to do is set up a schedule to update the servers. In the top menu, select Schedule update deployment and give it a name. Next, we need to choose whether the plan will update Windows or Linux, so if you have both Linux and Windows, you'll need at least two plans.
I want to update all Windows servers in one of my subscriptions and one Resource Group. So I choose Groups to update and select one subscription from the Subscriptions and one resource group from the Resource groups drop-down list. Click Preview to see which specific servers are defined in this setting. Click Add to confirm the setting.
Next under Update classifications, we can select the types of updates we want to find and install.
In the Schedule settings section, choose when updates should be installed. I want to install updates every night at 3 am. I leave the update window at the default two hours and allow an automatic restart if required.
Automatically turn the server on and off for updates
An interesting option is to turn a server on automatically for the update run when it is off, and then turn it off again after the updates if it was off before they started.
To do this, we can use the pre-written Update Management – Turn On VMs and Update Management – Turn Off VMs runbooks from the Runbooks gallery. We need to import these scripts from the gallery into our runbooks and then edit and publish them before we can use them.
At this point, we can add the scripts to the update schedule as Pre and Post scripts.
Next, we need to import the ThreadJob module, which the VM on/off scripts require. In the Automation account, go to Modules and click Browse gallery in the top menu. Find the ThreadJob module and click Import.
Lastly, we need to update the modules in the Azure Automation account to avoid VM startup or shutdown errors. Modules can no longer be updated directly from the Azure portal; instead you must use the PowerShell script Update-AutomationAzureModulesForAccount.ps1. Download it to your computer and upload it as a runbook. After publishing, run the script and wait for it to finish.
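The nightly Windows deployment from the schedule section and the Turn On / Turn Off pre and post scripts above, expressed with the Az.Automation PowerShell module instead of the portal, so the plan can be kept in source control and reproduced. This is an added example, not code from the post; the resource group, Automation account, subscription ID, resource group of the target VMs, time zone and the runbook names are placeholders you must replace with your own (the names the gallery runbooks receive on import may differ from their gallery titles).

```powershell
# Added example (not from the original post): nightly Windows update deployment via Az.Automation.
Connect-AzAccount | Out-Null

$rg      = 'rg-automation'                          # placeholder: resource group of the Automation account
$account = 'aa-lab'                                 # placeholder: Automation account name
$subId   = '00000000-0000-0000-0000-000000000000'   # placeholder: subscription containing the VMs
$vmRg    = 'rg-lab-servers'                         # placeholder: resource group whose VMs get patched

# Every night at 03:00; the first occurrence must lie in the future, so start tomorrow.
# -ForUpdateConfiguration marks the schedule as usable only by an update deployment.
$start    = (Get-Date).Date.AddDays(1).AddHours(3)
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'Windows-Nightly-0300' -StartTime $start -DayInterval 1 `
    -TimeZone 'Europe/Prague' -ForUpdateConfiguration            # placeholder time zone

# Dynamic group: all VMs in one resource group of one subscription, the same
# "Groups to update" selection the post makes in the portal.
$scope = "/subscriptions/$subId/resourceGroups/$vmRg"
$query = New-AzAutomationUpdateManagementAzureQuery -ResourceGroupName $rg `
    -AutomationAccountName $account -Scope $scope

# Two-hour maintenance window, reboot only if an update requires it, and the imported
# gallery runbooks as pre/post tasks so stopped VMs are started and stopped again.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows -AzureQuery $query `
    -IncludedUpdateClassification Critical, Security, UpdateRollup `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired `
    -PreTaskRunbookName  'Update Management - Turn On VMs' `    # placeholder: name after import
    -PostTaskRunbookName 'Update Management - Turn Off VMs'     # placeholder: name after import

# Check the outcome of past runs of this plan (status per run, e.g. Succeeded / Failed).
Get-AzAutomationSoftwareUpdateRun -ResourceGroupName $rg -AutomationAccountName $account `
    -SoftwareUpdateConfigurationName 'Windows-Nightly-0300' |
    Select-Object Name, Status, StartTime, EndTime
```

Run it under an identity that has Contributor rights on the Automation account and at least read access to the target subscription, otherwise the dynamic group resolves to no machines.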