One of the most innovative and useful solutions for companies in the security management field is certainly Azure Update Management.
For many companies, the management of security updates is a major challenge from both an organizational and technical point of view; not all organizations have the ability to use Configuration Manager to distribute updates and the WSUS solution is obsolete and inflexible.
Azure Update Management allows you to manage updates for Windows and Linux operating systems, both on-premises and in the cloud; another fundamental aspect not to be underestimated is that the solution is free.
This solution uses Azure Monitor and the respective workspace to collect information regarding the systems and Azure Automation to manage the distribution of updates. Additionally, the individual systems included in the solution leverage the following components during the update scanning and evaluation process:
- Microsoft Monitoring Agent (MMA) (for Windows or Linux);
- PowerShell Desired State Configuration (DSC) (for Linux);
- Hybrid Worker Runbook;
- Microsoft Update or Windows Server Update Services (WSUS) (for Windows)
Below is an overview of the systems update process through Azure Update Management:
Now it is possible to activate this solution on the following operating systems:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2 (RTM and SP1 Standard)
- CentOS 6 (x86/x64) and 7 (x64)*
- Red Hat Enterprise 6 (x86/x64) and 7 (x64)*
- SUSE Linux Enterprise Server 11 (x86/x64) and 12 (x64)*
- Ubuntu 14.04 LTS, 16.04 LTS and 18.04 LTS (x86/x64)*
*Linux agents need to have access to an update repository.
The solution can also be activated on VMs present on tenants other than the one where Azure Update Management has been activated (only for Windows systems).
At the moment this feature cannot be enabled on Windows client operating systems, Windows Server 2016 Nano Server, or Azure Kubernetes Service nodes.
Windows systems must be configured to communicate with a WSUS server or directly to Microsoft Update; for Linux systems, they must be configured to access a public or private update repository.
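Below is an added PowerShell example (not part of the original post) that checks the prerequisites just described on a Windows server before the solution is enabled: which update source the machine is configured for (WSUS via policy, or Microsoft Update), whether that WSUS endpoint is reachable, whether the Windows Update service is enabled, and whether the Microsoft Monitoring Agent is installed, running and attached to a workspace. It only reads configuration and reports; the registry paths are the standard Windows Update policy keys, and the `AgentConfigManager.MgmtSvcCfg` COM object is the agent's own configuration interface. Run it locally as Administrator on Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): report whether this Windows server
# meets the Update Management prerequisites. Nothing is changed by this script.
function Test-UpdateManagementPrereq {
    $result = [ordered]@{}

    # Supported OS? Compare the caption with the supported list in the post.
    $result.OperatingSystem = (Get-CimInstance Win32_OperatingSystem).Caption

    # Update source: WSUS when policy sets WUServer and UseWUServer=1, otherwise Microsoft Update.
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wuServer = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer
    $useWsus  = (Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue).UseWUServer
    if ($wuServer -and $useWsus -eq 1) {
        $result.UpdateSource = "WSUS ($wuServer)"
        # The WSUS endpoint must be reachable, otherwise the update scan cannot run.
        $uri = [Uri]$wuServer
        $tcp = New-Object System.Net.Sockets.TcpClient
        try     { $tcp.Connect($uri.Host, $uri.Port); $result.WsusReachable = $tcp.Connected }
        catch   { $result.WsusReachable = $false }
        finally { $tcp.Close() }
    } else {
        $result.UpdateSource = 'Microsoft Update'
    }

    # The Windows Update service (wuauserv) must not be disabled or the scan fails.
    $wuauserv = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"
    $result.WindowsUpdateStartMode = $wuauserv.StartMode
    $result.WindowsUpdateEnabled   = ($wuauserv.StartMode -ne 'Disabled')

    # Microsoft Monitoring Agent: the HealthService must exist and be running...
    $mma = Get-Service -Name HealthService -ErrorAction SilentlyContinue
    $result.MmaInstalled = [bool]$mma
    $result.MmaRunning   = ($null -ne $mma -and $mma.Status -eq 'Running')

    # ...and be attached to a Log Analytics workspace (read through the agent's COM interface).
    try {
        $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
        $result.MmaWorkspaces = ($cfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId }) -join '; '
    } catch {
        $result.MmaWorkspaces = 'n/a (agent not installed)'
    }

    [pscustomobject]$result
}

Test-UpdateManagementPrereq | Format-List
```

A machine that reports `WsusReachable = False`, `WindowsUpdateEnabled = False` or an empty `MmaWorkspaces` will show up in the solution, if at all, with a failed assessment, so these are the first things to fix before enabling it.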
Below is a quick guide to proceed with the creation of the prerequisites necessary for the solution; obviously if you already have an Azure Monitor workspace and an Azure Automation Account, the procedure below is not essential.
- Connect to the Azure Portal;
- On the Home Page, select More services and search for Log Analytics workspaces in the search field;
- Select the desired resource and press the Add button to create a new workspace;
- Complete the creation wizard according to your needs:
- Return to the Home Page and search for Automation Accounts in the search field;
- Select the desired resource and press the Add button to create a new account;
- Complete the wizard according to your needs:
Below is a quick guide to activate the Azure Update Management solution:
- Connect to the Azure Portal;
- Access the Home page and select the Virtual Machines resource;
- Select the affected VM;
- Inside the blade, select the Update Management option in the Operations section;
- Proceed with the solution activation, making sure to enter the workspace and automation account created previously;
- Press the Enable button to complete the activation;
NOTE: as indicated in the following technical note, once the solution is activated, each system will be displayed as Hybrid Runbook Worker within the System hybrid worker group section of the Hybrid worker groups panel.
- Access the All services -> Automation Account section and select the automation account indicated above in the VM configuration;
- Select the Update Management option and verify that the configured VM is visible;
NOTE: it may be necessary to wait about 15 minutes before viewing the VM in the relevant section.
- Using the Add Azure VMs and Add non-Azure machine buttons, you can add additional systems to the solution;
To schedule updates on the various systems included within the solution, it is necessary to follow the steps below:
- Create a new Schedule Update Deployment through the appropriate button;
- By selecting the Groups to update or Machines to update option within the new blade, you can add the VMs to the new deployment;
NOTE: This solution lets you target dynamic groups of virtual machines, generated by queries based on native Azure concepts (such as Resource Group, Location and Tags). Systems outside Azure can likewise be added to the deployment dynamically through saved searches in Azure Monitor.
- Within the Update Classifications drop-down menu, you can define the type of updates to be authorized;
- By selecting the Include / Exclude Updates option, you can define which updates must be applied and which, if any, are excluded from installation (e.g. an operating system upgrade);
- Through the Schedule settings option, you define the day and time at which the updates will be applied;
NOTE: One of the very useful features present in the solution is the Pre / Post-Scripts one; this feature allows you to automatically perform one or more tasks before and after the update process.
- Once the configurations are finished, press the Create button;
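Below is an added PowerShell example (not part of the original post) that builds the same scheduled deployment with the Az.Automation module instead of the portal wizard, covering each step above: the schedule, a dynamic group of VMs selected by resource group, location and tag (the dynamic-group note), one VM added explicitly, the update classifications, a KB exclusion, the maintenance window, the reboot setting and the pre/post runbooks. It assumes you are already logged in with Connect-AzAccount; the resource group, Automation Account, subscription ID, VM, KB number and runbook names are all placeholders to replace with your own.

```powershell
# Added example (not from the original post): create a scheduled update deployment
# with Az PowerShell. All names below are placeholders.
$rg      = 'rg-updatemgmt'     # placeholder: resource group of the Automation Account
$account = 'aa-updatemgmt'     # placeholder: Automation Account name
$subId   = '<subscription-id>' # placeholder

# 1. Schedule settings: every Sunday at 02:00 (Europe/Rome), first run on the next Sunday.
#    The deployment takes its name from this schedule.
$daysAhead = (7 - [int](Get-Date).DayOfWeek) % 7
if ($daysAhead -eq 0) { $daysAhead = 7 }
$firstRun = (Get-Date).Date.AddDays($daysAhead).AddHours(2)
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'Prod-Weekly-Patching' -StartTime $firstRun -WeekInterval 1 -DaysOfWeek Sunday `
    -TimeZone 'Europe/Rome' -ForUpdateConfiguration

# 2. Groups to update: a dynamic group of every VM in the given resource group and
#    locations carrying the tag env=prod (evaluated at each run, so new VMs are picked up).
$prodTag = @{ env = @('prod') }
$group = New-AzAutomationUpdateManagementAzureQuery -ResourceGroupName $rg -AutomationAccountName $account `
    -Scope @("/subscriptions/$subId/resourceGroups/rg-prod-servers") `
    -Location @('westeurope', 'northeurope') -Tag $prodTag

# 3. Machines to update: one VM added explicitly by resource ID (placeholder).
$extraVm = "/subscriptions/$subId/resourceGroups/rg-prod-servers/providers/Microsoft.Compute/virtualMachines/srv-app-01"

# 4. The deployment: Windows, Critical + Security classifications, one KB excluded,
#    a two-hour maintenance window, reboot only if an update requires it, and
#    pre/post runbooks (placeholder names; they must already exist in the account).
$deployment = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows `
    -AzureQuery @($group) -AzureVMResourceId @($extraVm) `
    -IncludedUpdateClassification Critical, Security `
    -ExcludedKbNumber @('<kb-number-to-exclude>') `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired `
    -PreTaskRunbookName 'Stop-AppServices' -PostTaskRunbookName 'Start-AppServices'

$deployment | Format-List Name, ProvisioningState, CreationTime
```

Keeping the deployment in a script like this makes the approved classifications, the exclusions and the maintenance window reviewable and repeatable, which is much harder to audit when they only exist as portal clicks.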
Check update status
On the scheduled day and time, a runbook is run to update the systems; to review the execution of deployments, open the History section and select the relevant deployment:
In this section you can view the updates installed on the VMs and their status; if the deployment ends in error, you can open the All Logs section to determine why the update installation failed.
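Below is an added PowerShell example (not part of the original post) that performs the same check from the command line: it lists the runs of a deployment, the per-machine result of the latest run and, for any machine that failed, the per-update detail from the workspace's UpdateRunProgress table, which is the data the All Logs link opens in Log Analytics. It assumes the Az.Automation and Az.OperationalInsights modules, an existing login, and placeholder names for the resource group, Automation Account, workspace ID and deployment.

```powershell
# Added example (not from the original post): check the outcome of a scheduled
# update deployment from PowerShell. All names below are placeholders.
$rg             = 'rg-updatemgmt'                # placeholder: resource group
$account        = 'aa-updatemgmt'                # placeholder: Automation Account
$workspaceId    = '<log-analytics-workspace-id>' # placeholder: workspace (customer) ID
$deploymentName = 'Prod-Weekly-Patching'         # placeholder: deployment name (= its schedule name)

# 1. One run is recorded for each scheduled occurrence of the deployment.
$runs = Get-AzAutomationSoftwareUpdateRun -ResourceGroupName $rg -AutomationAccountName $account `
            -SoftwareUpdateConfigurationName $deploymentName
$runs | Select-Object Name, Status, StartTime, EndTime, ComputerCount, FailedCount | Format-Table -AutoSize

# 2. Per-machine result of the most recent run. The run's Name is its ID (a GUID).
$latest = $runs | Sort-Object StartTime -Descending | Select-Object -First 1
$machineRuns = Get-AzAutomationSoftwareUpdateMachineRun -ResourceGroupName $rg -AutomationAccountName $account `
                   -SoftwareUpdateRunId ([Guid]$latest.Name)
$machineRuns | Select-Object TargetComputer, OsType, Status, StartTime, EndTime | Format-Table -AutoSize

# 3. For machines that failed, pull the per-update detail from the workspace.
$failed = $machineRuns | Where-Object Status -eq 'Failed' | Select-Object -ExpandProperty TargetComputer
if ($failed) {
    $computerList = ($failed | ForEach-Object { "'$_'" }) -join ','
    $kql = @"
UpdateRunProgress
| where UpdateRunName == '$deploymentName'
| where Computer in ($computerList)
| where InstallationStatus != 'Succeeded'
| project TimeGenerated, Computer, KBID, Title, InstallationStatus
| order by TimeGenerated desc
"@
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql -Timespan (New-TimeSpan -Days 7)).Results |
        Format-Table -AutoSize
}
```

The same KQL can be saved as a workspace alert rule, so that a run with `FailedCount` greater than zero notifies the team instead of waiting for someone to open the History blade.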
Here are some useful references to the official Microsoft documentation:
- Update Management solution in Azure
- Manage updates and patches for your Azure VMs
- Cross-tenant update deployments
Azure Update Management is the optimal solution to allow the update of Windows and Linux systems in Cloud (and non-Cloud) environments where the introduction of Microsoft Endpoint Configuration Manager is too expensive in technical and economic terms.