Automate Windows Update With Azure Automation Accounts

Introduction

To manage operating system upgrades for your Windows and Linux virtual machines in Azure, utilize Update Management in Azure Automation. Reporting to Update Management, you can rapidly examine the status of available updates and control the process of installing essential updates for your Virtual machines.

Update Management works with Azure Monitor Logs to save update assessments and deployment outcomes from assigned Azure and non-Azure machines as log data. The Automation Account and Log Analytics workspace must be linked in order to gather this data, and the Log Analytics agent for Windows and Linux must be installed and configured to report to this workspace.

Step 1

In my Azure tenant, I've already created a Virtual Machine with Windows Server 2019 Datacenter as its operating system.

Now I'm going to create an Azure Automation Account for Update Management in Automation Accounts.

In the Azure portal's search field, type Automation Accounts and then pick Automation Accounts.

Step 2

Create an Automation Account by clicking Create on the Automation Accounts page.

Select the Subscription

Select the Resource Group

Give the Automation Account a name; I've called mine AAWindowsUpdates.

Select the Region

Click Next

Step 3

Select the Managed Identities

System-assigned Managed Identity

This managed identity can be used in Hybrid tasks on Azure and non-Azure VMs with the Hybrid Runbook Worker, and it works with any Azure service that accepts AD authentication. It eliminates the requirement to renew certificates and eliminates the necessity for the Run As connection object to be specified in your runbook code.

Step 4

Network connectivity

You can connect to your automation account either publicly, via public IP addresses, or privately, using a private endpoint.

Step 5

Review & Create.

It will take 2 to 5min to create the account.

We need to complete some prerequisites in the Azure VM till we can create the account.

Let's navigate to the Azure VM and log in.

Step 6

Server Console Settings

Check all servers with the SConfig utility to confirm that the Windows Update option is set to "download only" (Server 2019/2016) or "manual" (older Windows Versions.) The "download only" option saves time during deployment by detecting and downloading required fixes well ahead of time.

Open Powershell Run AS Admin and Type SConfig and Set Windows Update Settings to Download Only.

Step 7

Azure Update Management

Navigate to Automation Accounts- Update Management and Add the Azure VMS.

Note - After you added the Azure VM it will take up to 12 hours for assessment.

In my scenario, I have already added the VM and you can see the Green Indicator and its compliance.

Step 8

Create a Deployment Schedule

Click Schedule Update Deployment

This opens the Update Deployment window.  The following “Items to update,”

Groups to Update

Machines to Update – Lists the virtual machines included in the current deployment.

Update classifications – Select the Update Classifications as your requirement

Include/exclude updates – You can Include or Exclude an Update from the KBIds.

Schedule settings – details of the next run of the deployment.

Pre-scripts + Post-scripts – not currently used

Maintenance window (minutes) – standard value used is 120 (minutes).

Reboot options – Always reboot

Click Save

Now you can see the created schedule in the Deployment Schedule Tab.

After the Deployment Schedule runs Successfully you can see it from the History Tab.

When you click it, you'll be sent to a dashboard with detailed information about the Windows Update deployment.

Summary

We covered how to Automate Windows Update using Azure Automation Accounts in this demo; if you have any queries, please leave a comment in the box below.