Managing updates and patches for VMs in Azure


In this tutorial, we will learn about the process of managing updates for VMs in Azure.

Software updates in Azure Automation Update Management provide a set of tools and resources for managing the complex task of tracking and applying software updates to machines in Azure and in hybrid cloud environments. An effective software update management process is necessary for maintaining operational efficiency, addressing security issues, and reducing the risk of cybersecurity threats. Because technology keeps changing and new security threats continually appear, effective software update management requires consistent and continual attention.

Before attempting to manage updates for your VMs, make sure that you’ve enabled Update Management on them using one of these methods:

  • Enable Update Management from an Automation account
  • Enable Update Management by browsing the Azure portal
  • Enable Update Management from a runbook
  • Enable Update Management from an Azure VM

Limiting the scope for the deployment

Update Management uses a scope configuration within the workspace to target the computers that receive updates.

Compliance assessment

  • Before deploying software updates to your machines, review the update compliance assessment results for the enabled machines. For every software update, its compliance state is recorded. After the evaluation completes, the results are collected and forwarded in bulk to Azure Monitor logs.
  • For Windows machines, the compliance scan runs every 12 hours by default. In addition to the scheduled scan, a compliance scan starts within 15 minutes of the Log Analytics agent for Windows restarting, before update installation, and after update installation. It is also important to check the recommendations for configuring the Windows Update client with Update Management to avoid issues.
  • For a Linux machine, the compliance scan is performed every hour by default. If the Log Analytics agent for Linux restarts, a compliance scan starts within 15 minutes.

Deploying updates

After checking the compliance results, the next phase is deploying the software updates. To install updates, first schedule a deployment that aligns with your release schedule and service window. Then choose which update types to include in the deployment.

Exclude updates

  • Packages may be used to upgrade the OS on some Linux variants, such as Red Hat Enterprise Linux. Running Update Management can therefore change the OS version number. This behavior is deliberate, since Update Management uses the same methods to update packages as a local administrator on a Linux computer would.
  • Use the Exclusion function to prevent upgrading the OS version through Update Management deployments.
  • The package name to exclude in Red Hat Enterprise Linux is redhat-release-server.x86_64.

Linux update classifications

  • You can choose update classifications when deploying updates to a Linux computer. This option lets you filter updates based on the classifications you select.
  • This filter is applied locally on the system when the update is installed. Because Update Management performs update enrichment in the cloud, some updates may be flagged as having a security impact in Update Management even though the local system lacks that information.
  • When applying important updates to a Linux computer, there may be updates that aren't listed locally as having a security impact and hence aren't installed. Update Management may still flag that system as noncompliant, since it has additional information about the relevant update.
  • On CentOS RTM versions, updating by update classification does not work.
  • Select all classifications to ensure that CentOS updates are applied correctly.
  • If ONLY Other updates is selected as the classification for SUSE, some other security updates may be installed if they are related to zypper (package management) or its dependencies. This behaviour is a zypper limitation. In some circumstances you may need to rerun the update deployment and then validate the deployment using the update log.
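The deployment steps described above (schedule, classification filter, OS release-package exclusion, and a first look at the run results), as an added PowerShell example using the Az.Automation module; it is not part of the original tutorial, and the resource group, Automation account name and VM resource ID are placeholders.

```powershell
# Added example (not from the original tutorial): schedule a weekly Linux update
# deployment in Azure Automation Update Management with the Az.Automation module.
# Assumed placeholder values: resource group, Automation account, and VM resource IDs.
$ResourceGroup     = "rg-updatemgmt"   # assumption: your resource group
$AutomationAccount = "aa-updatemgmt"   # assumption: your Automation account
$VmIds = @(                            # assumption: VMs already enabled for Update Management
    "/subscriptions/<subscription-id>/resourceGroups/rg-updatemgmt/providers/Microsoft.Compute/virtualMachines/rhel-web-01"
)

# 1. Schedule: align with the service window (here every Saturday at 02:00, local time zone).
#    -ForUpdateConfiguration marks the schedule as usable by an update deployment.
$StartTime = (Get-Date "02:00:00").AddDays(1)
$TimeZone  = ([System.TimeZoneInfo]::Local).Id
$Schedule  = New-AzAutomationSchedule -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationAccount -Name "rhel-weekly-patching" `
    -StartTime $StartTime -WeekInterval 1 -DaysOfWeek Saturday -TimeZone $TimeZone `
    -ForUpdateConfiguration

# 2. Deployment: include only the Critical and Security classifications and exclude the
#    RHEL release package, so the run does not move the OS to a new version
#    (for CentOS RTM builds you would select all classifications instead).
$Deployment = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationAccount -Schedule $Schedule -Linux `
    -AzureVMResourceId $VmIds `
    -IncludedPackageClassification Critical, Security `
    -ExcludedPackageNameMask "redhat-release-server.x86_64" `
    -Duration (New-TimeSpan -Hours 2) `
    -RebootSetting IfRequired

# 3. Review: after the scheduled run, list runs of this deployment with their status and
#    machine counts to judge success before trusting the fleet as patched.
Get-AzAutomationSoftwareUpdateRun -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationAccount `
    -SoftwareUpdateConfigurationName $Deployment.Name |
    Format-Table Name, Status, StartTime, ComputerCount, FailedCount
```

Run it after `Connect-AzAccount` in a session that has the Az.Automation module installed; a non-zero FailedCount on a run is the cue to inspect the per-machine update log.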

Reviewing update deployments

After completing the deployment, review the process for determining the success of the update deployment by machine or target group. 


Reference: Microsoft Documentation
