Azure Update Manager - Patch Management

Introduction

Azure Update Manager is a Software as a Service (SaaS) solution by Microsoft designed to simplify and automate software update management for Windows and Linux machines.

  • Purpose: It helps organizations keep their systems up to date with the latest patches and updates across Azure, on-premises, and multi-cloud environments.
  • Evolution: It builds upon the Azure Automation Update Management solution, offering enhanced features and functionality for both single-machine and large-scale deployments.
  • Dependency Change: Azure Update Manager eliminates reliance on legacy agents like the Azure Log Analytics agent (Microsoft Monitoring Agent or MMA) and Azure Monitor agent.
  • New Approach: Instead, it leverages native capabilities like the Microsoft Azure VM agent for managing updates on Azure VMs and the Azure Connected Machine agent for Arc-enabled servers.
  • Simplified Onboarding: Azure Update Manager offers zero-step deployment on Azure Compute and Azure Arc for server platforms, simplifying operations and reducing administrative overhead.
  • Cost-Effective: It is available at no additional charge for managing Azure VMs, making it a cost-effective solution for organizations.

Previous Solution: Azure Automation Update Management

Azure Automation Update Management was the predecessor to Azure Update Manager.

It relied on agents like the Azure Log Analytics agent (Microsoft Monitoring Agent or MMA) for managing updates.

Benefits of Azure Update Manager

  • Comprehensive Coverage: Manages updates across Azure, on-premises, and multi-cloud environments.
  • Simplified Operations: Eliminates dependencies on legacy agents, streamlining update management.
  • Cost-Effective: Available at no additional charge for managing Azure VMs.
  • Native Integration: Leverages native capabilities for update management on Azure VMs and Arc-enabled servers.
  • Zero-Step Onboarding: Simplifies deployment on Azure Compute and Azure Arc for server platforms, reducing administrative overhead.

To get started search for Azure Update Manager in the portal.

Update Manager

Or from the Updates blade of the virtual machine resource.

Machine resource

Update Assessment

Update Assessment

In the previous solution, assessing VMs for update status was automatic, providing patch counts effortlessly. However, in the new solution, this process requires manual intervention. To assess VMs in the new solution.

  1. Manual Check: Users need to manually click on "Check for Updates" to assess VMs and retrieve patch counts.
  2. Azure Policy Option: Alternatively, users can create an Azure policy to assess VMs daily, ensuring regular updates and compliance with patch management protocols.

This shift in process from automatic to manual assessment underscores the importance of proactive monitoring and management in the new Azure Update Manager solution.

Main Note. Although Azure Policy offers an option to assess VMs daily for updates, practical testing revealed that this feature may not function as expected. After engaging with Microsoft support, it was confirmed that the Azure Policy approach did not yield the desired results. As an alternative, leveraging a prototype script integrated into a CI/CD pipeline proved to be an effective method to automate the assessment of VMs for updates. This approach ensures consistent evaluation of VM update status while overcoming limitations encountered with Azure Policy.

Automate the Assessment

To automate the assessment of VMs daily, we can develop a prototype script and integrate it into a CI/CD pipeline. Here's a concept of how this can be achieved.

  1. Prototype Script Development: Create a script using a language like PowerShell or Python to assess VMs for updates. This script will utilize Azure Update Manager APIs to retrieve update status information for VMs.
  2. CI/CD Pipeline Integration: Incorporate the prototype script into a CI/CD pipeline using tools like Azure DevOps or GitHub Actions. Configure the pipeline to trigger the script execution on a daily basis.
  3. User Managed ID (UMID): Utilize User Managed ID for authenticating the script's access to Azure resources. This ensures secure access management without exposing sensitive credentials.
  4. Custom RBAC Permissions: Define custom RBAC permissions using the Principle of Least Privilege (PLOP) to grant specific actions to the UMID. Below are the proposed permissions.
    RBAC permissions

Implementing this approach ensures automated daily assessment of VMs' update status while maintaining security and compliance through RBAC and UMID usage.

Summary

Now, that I've covered Azure Update Manager, its benefits, the transition from the previous Azure Automation Update Management solution, and the challenges encountered with Azure Policy, we have gained valuable insights into effective software update management strategies. By understanding the capabilities and limitations of these tools, we are better equipped to navigate the complexities of patch management in diverse environments. Armed with this knowledge, we can make informed decisions and implement robust solutions to ensure the security and efficiency of our systems.


IFS R&D International (Pvt) Ltd
IFS develops and delivers enterprise software for customers around the world