Introduction to Azure Update Manager
Azure Update Manager is a powerful tool that helps manage patching schedules for your systems. Regular patching is crucial for maintaining system security and performance. In this article, we will guide you through the process of setting up a once-a-month patching schedule using Azure Update Manager.
This document will cover creating a once-a-month patching schedule using Azure Update Manager. Below are the steps that will be covered.
- Create an Automation Account Runbook to change an Arc VM tag, and check for patches for the machine
- Create an Azure Update Manager Maintenance schedule and post event script to change the Arc VM tag
The Scenario
Patching is to be completed once a month. This example uses a patching maintenance window date of Wednesday, April 9th. The day before, the machines are assessed for patches, and an Azure tag is used to add the virtual machines to an Azure Maintenance configuration. This maintenance configuration uses Dynamic Groups to determine whether a machine is patched. The tag ‘MonthlyPatching’ is used: when its value is set to True, the machine is added to the Maintenance configuration schedule. Once the patching is completed, a Post Event script runs against the patched machines to set the tag back to False, which removes them from the schedule.
Automation Account Creation
Create an Automation account to run the PowerShell that changes the tags on the machines to be patched and calls the patch assessment API to check for updates on those machines.


Click Next, Next, then Review and Create.
Go to the newly created Automation account. Click Identity. Under System assigned, click Azure role assignments and add the following roles:
- Tag Contributor
- Azure Connected Machine Resource Administrator


Click on the Runtime Environments (Preview) blade. This will be used to create a new PowerShell runtime with the Az.ConnectedMachine and Az.Resources modules added.

Click the Create button.

Click Add from gallery. In the search box enter Az.Connected. Click Az.ConnectedMachine.


Click Select to add this module. Do this again for Az.Resources, Az.Subscription, and Az.Accounts. Set the Azure CLI package version to ‘None’.
The modules should appear as below:

Click Next and then Create.
Create the Runbook
Go to the Runbooks blade. Click Create to create a new runbook.

The Runtime Environment is the environment that was just created with the Az.ConnectedMachine module.
Click Next, then Review and Create, then Create.
Open the Runbook and click Edit in the portal.
Enter the PowerShell found on (GitHub).


Schedule the Runbook
The Test pane is a great option to run the script and confirm that everything is configured properly. It will display errors if the RBAC assignments for the system-assigned managed identity are missing, or if the modules are not loaded properly by the custom runtime environment.
Click Publish after the test is successful.
An Automation Account Schedule may be created to run the Runbook according to the patching schedule.
Click the Schedules blade under the Runbook Resources group. Add a schedule and link a schedule to the Runbook.

Azure Update Manager – Maintenance Configuration
Now that the Automation account is scheduled for the 2nd Tuesday of the month, a maintenance configuration schedule can be created to install the patches. After the patches are completed, the post-event will set the tag back to False to avoid unexpected charges for patching.
Search in the Azure search bar for Maintenance Configuration. Click Create to create a new schedule.

To Add a schedule, click the hyperlink and configure the schedule as noted below.

Azure Update Manager – Post Event scripts will be used to set the patched machine’s tag back to False, removing the machine until the next month’s patching cycle.
Implementing Post Event scripts was covered in this other blog post: Azure Update Manager – Pre and Post Maintenance Events to Start/Stop Virtual Machines – Geek XING
A new Azure Update Manager script for setting the tags during the Post Event may be found here on (GitHub).
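The following is an added example that covers both scripts the post links to: the scheduled runbook that sets MonthlyPatching to True and triggers an assessment the day before the window, and the Post Event runbook that sets it back to False afterwards. It is not the author’s GitHub code. It assumes the Automation account’s system-assigned identity holds the Tag Contributor and Azure Connected Machine Resource Administrator roles, that the runtime environment loads Az.Accounts, Az.Resources and Az.ConnectedMachine, and the resource group and machine names are constructed placeholders. When wired up as a Post Event through Event Grid, the runbook also receives webhook data about the maintenance run; this example ignores that payload and works from its own machine list.

```powershell
<#
  Added example, not the blog's GitHub script.
  -Action Prepare : tag MonthlyPatching=True and run a patch assessment (day before the window)
  -Action Reset   : tag MonthlyPatching=False (Post Event, after patching completes)
  Assumptions: managed identity with Tag Contributor + Azure Connected Machine Resource
  Administrator; Az.Accounts, Az.Resources, Az.ConnectedMachine loaded by the runtime environment.
#>
param(
    [ValidateSet('Prepare', 'Reset')]
    [string] $Action = 'Prepare',

    # Arc-enabled machines in scope as 'ResourceGroup/MachineName' (constructed placeholder values)
    [string[]] $Machines = @('rg-onprem/srv-app-01', 'rg-onprem/srv-db-01'),

    # Tag name used by the Dynamic Group filter on the maintenance configuration
    [string] $TagName = 'MonthlyPatching'
)

$ErrorActionPreference = 'Stop'

# Authenticate as the Automation account's system-assigned managed identity
$null = Connect-AzAccount -Identity

$tagValue = if ($Action -eq 'Prepare') { 'True' } else { 'False' }

foreach ($entry in $Machines) {
    $rg, $name = $entry -split '/', 2

    # Resolve the Arc machine so the tag goes on the real resource id, not a hand-built one
    $machine = Get-AzConnectedMachine -ResourceGroupName $rg -Name $name

    # Merge only sets/overwrites this one tag and leaves every other tag on the resource intact;
    # Replace would wipe unrelated tags such as cost-center or owner
    $null = Update-AzTag -ResourceId $machine.Id -Tag @{ $TagName = $tagValue } -Operation Merge
    Write-Output "$($machine.Name): $TagName=$tagValue"

    if ($Action -eq 'Prepare') {
        # Ask Update Manager to assess the machine now so the maintenance run the next day
        # works from a fresh list of missing updates instead of a stale periodic assessment
        $assessment = Invoke-AzConnectedAssessMachinePatch -ResourceGroupName $rg -Name $name
        Write-Output "$($machine.Name): assessment status $($assessment.Status)"
    }
}
```

Link the same runbook twice: once to the Automation schedule on the 2nd Tuesday with -Action Prepare, and once as the Post Event target with -Action Reset. Because the maintenance configuration selects machines dynamically by tag, a machine whose tag is never reset stays in scope for every later run, which is why the Reset path should be tested just as carefully as the Prepare path.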
Conclusion
Implementing a once-a-month patching schedule using Azure Update Manager is a straightforward process that can significantly enhance your system’s security and performance. By following the steps outlined in this blog post, you can create a customized patching schedule, set up an Azure Update Manager Maintenance schedule, and automate the patching process using PowerShell scripts and Automation accounts. Regular patching is essential for maintaining the integrity of your systems, and Azure Update Manager provides the tools and flexibility needed to manage this crucial task efficiently.
Remember to test your Runbook thoroughly, schedule it according to your patching needs, and configure post-event scripts to ensure your systems are ready for the next patching cycle. With Azure Update Manager, you can streamline your patching process and keep your systems up-to-date with minimal effort.