Introduction
To manage operating system updates for your Windows and Linux virtual machines in Azure, use Update Management in Azure Automation. With the reporting built into Update Management, you can quickly review the status of available updates and control the process of installing the required updates on your virtual machines.
Update Management works with Azure Monitor Logs to store update assessments and deployment results from the assigned Azure and non-Azure machines as log data. To collect this data, the Automation Account must be linked to a Log Analytics workspace, and the Log Analytics agent for Windows and Linux must be installed and configured to report to that workspace.
Step 1
In my Azure tenant, I've already created a Virtual Machine with Windows Server 2019 Datacenter as its operating system.
Now I'm going to create an Azure Automation Account for Update Management under Automation Accounts.
In the Azure portal's search field, type Automation Accounts and then select Automation Accounts.
Step 2
Create an Automation Account by clicking Create on the Automation Accounts page.
Select the Subscription
Select the Resource Group
Give the Automation Account a name; I've called mine AAWindowsUpdates.
Select the Region
Click Next
Step 3
Select the Managed Identities
System-assigned Managed Identity
This managed identity can be used in hybrid jobs on Azure and non-Azure VMs through the Hybrid Runbook Worker, and it works with any Azure service that accepts Azure AD authentication. It removes the need to renew certificates and the need to reference a Run As connection object in your runbook code.
Step 4
Network connectivity
You can connect to your Automation Account either publicly, via public IP addresses, or privately, using a private endpoint.
Step 5
Review & Create.
It will take 2 to 5 minutes to create the account.
While the account is being created, we need to complete some prerequisites on the Azure VM.
Let's navigate to the Azure VM and log in.
Step 6
Server Console Settings
Check all servers with the SConfig utility to confirm that the Windows Update option is set to "Download only" (Server 2019/2016) or "Manual" (older Windows versions). The "Download only" option saves time during deployment because the required fixes are detected and downloaded well ahead of time.
Open PowerShell as Administrator, type SConfig, and set the Windows Update setting to Download only.
Step 7
Azure Update Management
Navigate to Automation Accounts > Update Management and add the Azure VMs.
Note: after you add an Azure VM, it can take up to 12 hours for the first assessment to complete.
In my scenario, I have already added the VM, and you can see the green indicator and its compliance status.
Step 8
Create a Deployment Schedule
Click Schedule Update Deployment.
This opens the Update Deployment window, which contains the following items to configure:
Groups to update
Machines to update – lists the virtual machines included in the current deployment.
Update classifications – select the update classifications you require.
Include/exclude updates – you can include or exclude individual updates by KB ID.
Schedule settings – details of the next run of the deployment.
Pre-scripts + Post-scripts – not used in this demo.
Maintenance window (minutes) – the standard value used is 120 minutes.
Reboot options – Always reboot.
Click Save.
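The same deployment schedule can be created from PowerShell with the Az.Automation module, which is useful when you want the update configuration kept in version control rather than clicked together in the portal. This is an added example and not code from the original post; the resource group name, VM name and the excluded KB number are placeholder assumptions, while the Automation Account name AAWindowsUpdates comes from Step 2.

```powershell
# Added example: create the Step 8 update deployment with Az PowerShell.
# Assumed values: resource group 'rg-updates' and VM 'vm-win2019' (placeholders);
# the account name AAWindowsUpdates is the one created earlier in this post.
Import-Module Az.Accounts
Import-Module Az.Compute
Import-Module Az.Automation
Connect-AzAccount | Out-Null

$rg      = 'rg-updates'        # assumption: resource group holding the account and VM
$account = 'AAWindowsUpdates'  # Automation Account from Step 2
$vmName  = 'vm-win2019'        # assumption: the Windows Server 2019 VM from Step 1

# The deployment targets machines by resource ID, so resolve the VM's ID first.
$vmId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Id

# Schedule settings: weekly run, every Sunday at 02:00 UTC, first run one week out.
# -ForUpdateConfiguration marks the schedule for use by Update Management.
$start = (Get-Date).Date.AddDays(7).AddHours(2)
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'WeeklyWindowsUpdates' -StartTime $start -WeekInterval 1 -DaysOfWeek Sunday `
    -TimeZone 'UTC' -ForUpdateConfiguration

# Update deployment mirroring the portal fields above:
#   classifications  -> -IncludedUpdateClassification
#   exclude by KB ID -> -ExcludedKbNumber ('0000000' is a placeholder, not a real KB)
#   maintenance window 120 minutes -> -Duration
#   Reboot options: Always reboot -> -RebootSetting Always
$deployment = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg `
    -AutomationAccountName $account -Schedule $schedule -Windows `
    -AzureVMResourceId @($vmId) `
    -IncludedUpdateClassification Critical, Security, UpdateRollup `
    -ExcludedKbNumber @('0000000') `
    -Duration (New-TimeSpan -Minutes 120) `
    -RebootSetting Always

# Confirm the deployment was accepted; it then appears under the Deployment Schedule tab.
$deployment | Format-List Name, ProvisioningState
```

Run this from a session with the Az modules installed and rights to the Automation Account; the resulting schedule shows up in the portal exactly like one created through Schedule Update Deployment.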
Now you can see the created schedule in the Deployment Schedule tab.
After the deployment schedule has run successfully, you can see it in the History tab.
When you click it, you are taken to a dashboard with detailed information about the Windows Update deployment.
Summary
In this demo we covered how to automate Windows Update using Azure Automation Accounts; if you have any questions, please leave a comment in the box below.