The new Azure Update Center is GA Part 1 – three big reasons to migrate to Update Center and forget the classic Update Management Center

Microsoft has released a completely redesigned update solution for Azure, named Azure Update Center (formerly known as Update Management Center), which supports VMs running in hybrid and cloud-only environments. This new solution is not based on the Azure Automation solution. The Azure Automation solution depends on the Microsoft Monitoring Agent (MMA, the Log Analytics Agent), which will be retired on 31 August 2024. The new solution cuts off a lot of dependencies and is fully compatible with Azure Arc. The reason that the solution, which has been in preview for a long time, is now announced as GA is that it supports the Extended Security Updates for Windows Server 2012, which recently went out of extended support.

The new Azure Update Center, named Update Management Center while in preview, was needed because of the demand for consistent update management across all VMs, including VMs that are integrated via Azure Arc.

The new solution offers significant improvements:

  • Zero onboarding with Azure Policy support
  • No dependencies on Log Analytics or Azure Automation
  • Built as native functionality on Azure Compute and Azure Arc for Servers
  • Support for Azure RBAC and roles based on ARM in Azure
  • No manual intervention is needed as long as the Azure VM agent or Arc agent is running
  • Gathered information available for analysis via Azure Resource Graph
  • Support for automatic VM guest patching and hotpatching
  • Manage Extended Security Updates (ESU) for out-of-support WS2012

In this article I will give you an overview of the solution and how you can configure it for your VMs. Since I've been using it in a large Azure environment since the Public Preview release, I'll point out some recommendations and pitfalls.

Why did Microsoft release a new Update Management solution?

There are several reasons why Microsoft released a new Update Management solution in Azure.

  1. The old Azure Update Management Center v1 relies on the Automation Account and needs a Log Analytics Agent on each server that is managed by UMC v1. The future of Azure Automation is uncertain, but more serious is that support for the Log Analytics Agent will end in August 2024.
  2. UMC v1 doesn't support Azure Arc machines by default over the integrated Arc agent. For integration, the Log Analytics Agent is needed.
  3. Microsoft offers the new Extended Security Updates (ESU) for the soon-to-be-discontinued Windows Server 2012 version for Azure Arc-enabled servers, and Azure Update Center fully supports this solution.

Supported OS versions

The new Update Management Center currently supports only Linux and Windows Server OS images from the Azure Marketplace. The full list of supported images is available here.

Not supported OS versions and images

VMs that are created by Azure Migrate, Azure Backup or Azure Site Recovery aren't fully supported at the moment. This support has been missing since the Public Preview, so I expected it to come with the GA announcement, but that is not the case.

Windows client versions (Windows 10/11) are not supported. They work, but they are not supported, and I think this support is not planned, because Windows 10/11 clients are intended for device management via Intune.

CIS images are currently not supported.

Available regions

UMC is available in all Azure public regions. For Azure Arc, however, only specific regions are supported.

Prerequisites

Before we dive into the solution I will give an overview of the prerequisites and the needed permissions.

VM prerequisites

The Update Management Center relies on a new Azure extension. This extension is automatically integrated into the Azure VM Agent for Windows and Linux, which is built into Azure VM marketplace images.

It is also integrated into the Azure Arc servers agent.

This results in the requirement that the Azure VM Agent is mandatory and must be installed and running. I say this because I have seen several customer environments where the agent was disabled or not installed after migrating a VM to Azure. This also means that when you have problems seeing a VM in the Azure Update Center solution, please check the status of the Azure agent and check whether the current version is installed.
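A small triage helper for exactly this check, added here as an example and not code from the article or from Microsoft: it walks a fleet of VM instance views, looks at the VM agent block each one reports and tells you which VMs need attention before you go looking for them in Update Center. The JSON is a constructed sample shaped like the `vmAgent` block that `az vm get-instance-view` returns; the field names are the ones that view uses, the VM names, versions and messages are made up.

```python
"""Triage why a VM might not show up in Azure Update Center: the VM agent.

Added example, not from the original article. The JSON below is a constructed
sample shaped like the 'vmAgent' block of an Azure VM instance view; values
are invented for illustration.
"""
import json

# Constructed sample: one healthy VM, one whose agent is installed but not
# reporting (typical after a lift-and-shift migration), one with no agent.
SAMPLE_INSTANCE_VIEWS = json.loads(r"""
[
  {"name": "vm-app-01",
   "vmAgent": {"vmAgentVersion": "2.7.41491.1075",
               "statuses": [{"code": "ProvisioningState/succeeded",
                             "displayStatus": "Ready",
                             "message": "GuestAgent is running and processing the extensions."}]}},
  {"name": "vm-migrated-02",
   "vmAgent": {"vmAgentVersion": "Unknown",
               "statuses": [{"code": "ProvisioningState/Unavailable",
                             "displayStatus": "Not Ready",
                             "message": "VM status blob is found but not yet populated."}]}},
  {"name": "vm-legacy-03"}
]
""")


def agent_state(instance_view: dict) -> dict:
    """Return a verdict for one VM: agent present, ready, version, and why not."""
    agent = instance_view.get("vmAgent")
    verdict = {
        "name": instance_view.get("name"),
        "agent_present": agent is not None,
        "ready": False,
        "version": None,
        "reasons": [],
    }
    if agent is None:
        # No vmAgent block at all: the Azure VM Agent was never installed or
        # has never reported in. Update Center cannot see this machine.
        verdict["reasons"].append("no vmAgent block: Azure VM Agent not installed or never reported")
        return verdict

    version = agent.get("vmAgentVersion")
    verdict["version"] = version
    if not version or version == "Unknown":
        # Installed but not reporting: usually a disabled or hung agent service.
        verdict["reasons"].append("agent version unknown: agent installed but not reporting")

    statuses = agent.get("statuses") or []
    verdict["ready"] = any(s.get("displayStatus") == "Ready" for s in statuses)
    if not verdict["ready"]:
        messages = "; ".join(s.get("message", "") for s in statuses) or "no status reported"
        verdict["reasons"].append(f"agent not Ready: {messages}")
    return verdict


def triage(instance_views: list) -> list:
    """Verdicts for a whole fleet, in input order."""
    return [agent_state(view) for view in instance_views]


def needs_attention(instance_views: list) -> list:
    """Names of VMs whose agent is not Ready, i.e. the ones to fix first."""
    return [v["name"] for v in triage(instance_views) if not v["ready"]]


if __name__ == "__main__":
    for verdict in triage(SAMPLE_INSTANCE_VIEWS):
        state = "OK" if verdict["ready"] else "CHECK"
        print(f"{state:5} {verdict['name']:16} version={verdict['version']}")
        for reason in verdict["reasons"]:
            print(f"      - {reason}")
```

In a real environment you would feed the function the output of the instance view call for each VM (for example `az vm get-instance-view` per VM, or one Resource Graph query over the fleet); the verdict logic stays the same.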

Needed Roles and permissions

Currently there is no preconfigured Azure Update Center RBAC role available, and the minimum role requirements are as follows:

Azure VM = Azure Virtual Machine Contributor

Azure Arc-enabled server = Azure Connected Machine Resource Administrator

Permissions

For the full overview of the needed permissions please review the Azure Update Manager permissions overview on Microsoft Learn.

Network prerequisites

Allow traffic to all endpoints required by the Windows Update Agent:

  • *.download.windowsupdate.com
  • *.dl.delivery.mp.microsoft.com
  • *.delivery.mp.microsoft.com

The Update Center triggers the update check, which then uses the central Microsoft Update service to check for available updates; it is therefore mandatory that the VMs can reach the given URLs. WSUS is also supported.
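When the required endpoints are wildcard entries like the three above, the question is not only whether they are on the firewall's allowlist but whether the allowlist semantics match what you expect. The following is an added example, not code from the article or from Microsoft: it checks an egress allowlist for the three required patterns and evaluates hostnames seen in egress logs against it. The matcher treats `*` as one or more DNS labels and anchors the match, so `*.download.windowsupdate.com` covers `au.download.windowsupdate.com` but neither the bare `download.windowsupdate.com` nor a lookalike such as `au.download.windowsupdate.com.example.net`. The hostnames are constructed sample data; `example.net` is used as a placeholder domain.

```python
"""Audit an egress allowlist against the Windows Update endpoints.

Added example, not from the original article. The allowlist entries are the
article's three required wildcards; the observed hostnames are constructed.
"""
import re
from typing import Dict, List, Optional

# The wildcard entries the article requires for Windows Update Agent traffic.
REQUIRED_ALLOWLIST = [
    "*.download.windowsupdate.com",
    "*.dl.delivery.mp.microsoft.com",
    "*.delivery.mp.microsoft.com",
]

# Constructed sample of hostnames pulled from egress logs (example.net is a
# placeholder for a domain that must NOT be allowed).
OBSERVED_HOSTS = [
    "au.download.windowsupdate.com",
    "download.windowsupdate.com",
    "2.tlu.dl.delivery.mp.microsoft.com",
    "au.download.windowsupdate.com.example.net",
    "update.example.net",
]

# One DNS label, optionally followed by more labels: what '*' is allowed to match.
_LABELS = r"[a-z0-9-]+(?:\.[a-z0-9-]+)*"


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'A.B.' and 'a.b' compare equal."""
    return host.strip().lower().rstrip(".")


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a firewall-style wildcard into an anchored regex.

    Dots are literal, '*' expands to one or more labels, and the whole host
    must match, so a suffix appended by an attacker-controlled domain fails.
    """
    escaped = re.escape(normalize_host(pattern))
    return re.compile("^" + escaped.replace(r"\*", _LABELS) + "$")


def is_allowed(host: str, allowlist: List[str]) -> bool:
    """True if at least one allowlist entry covers the host."""
    return matching_entry(host, allowlist) is not None


def matching_entry(host: str, allowlist: List[str]) -> Optional[str]:
    """The first allowlist entry that covers the host, or None."""
    target = normalize_host(host)
    for entry in allowlist:
        if pattern_to_regex(entry).match(target):
            return entry
    return None


def audit_egress(hosts: List[str], allowlist: List[str]) -> Dict[str, Optional[str]]:
    """Map each observed host to the entry that allows it (None = would be blocked)."""
    return {host: matching_entry(host, allowlist) for host in hosts}


def missing_required(allowlist: List[str]) -> List[str]:
    """Required Windows Update wildcards that the given allowlist does not contain."""
    present = {normalize_host(e) for e in allowlist}
    return [req for req in REQUIRED_ALLOWLIST if normalize_host(req) not in present]


if __name__ == "__main__":
    for host, entry in audit_egress(OBSERVED_HOSTS, REQUIRED_ALLOWLIST).items():
        print(f"{'ALLOW' if entry else 'BLOCK':5} {host:45} {entry or ''}")
    print("missing:", missing_required(["*.download.windowsupdate.com"]))
```

The check reports the bare `download.windowsupdate.com` as blocked, which is the correct reading of a `*.` entry on most firewall products; if your product treats `*.x` as also matching `x`, adjust `_LABELS` to `(?:[a-z0-9-]+\.)*` and drop the leading dot from the escaped pattern rather than silently assuming the broader behaviour.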

Configuration via Azure Policy

The new solution brings an essential improvement: support for Azure Policy. A policy can be used to automatically enable Azure Update Center for Azure VMs or Azure Arc-enabled servers (please note that often the preview name Update Management Center is still displayed).

Please note that using Azure Automanage machine configuration (guest configuration), formerly known as Azure Policy guest configuration, for Azure Arc machines will be charged at around $6 per month per resource.

How it works

In the second part I will dive into how the Azure Update Center works and which options are provided.

Questions

Will UMC support Azure Migrate VMs?

We are waiting for support for VMs created via Azure Migrate as well. Without this we are not even looking at Update Management Center (Preview).
