Microsoft released a completely new designed Update solution for Azure which supports VMs running in Hybrid- and Cloud-only environments with the name Azure Update Manager (formerly known as Update Management Center). This new solution is completely new and not based on the Azure Automation solution. The Azure Automation solution is based on the Microsoft Monitoring Agent (MMA – Log Analytics Agent) which will be retired on 31 august 2024.
The new solution cut off a lot of dependencies and fully compatible with Azure Arc. The reason that the solution, which has been in preview for a long time, is now announced as GA is that this solution supports the extended security updates for Windows Server 2012, which recently went out of extended support.
Please note: Azure Update Center is based on Azure Automation and needs the Microsoft Monitoring Agent. The MMA has been discontinued and will no longer be supported after August 2024. Support for Update Center has therefore also been discontinued.
The new Azure Update Manager in preview named as Update Management Center, was needed, because of an consistent Update Management over all VMs including VMs, that are integrated via Azure Arc.
The new solution offers significante improvements:
- Zero on-boarding with Azure Policy support
- No dependencies on Log Analytics or Azure Automation
- Built as native functionallity on Azure Compute and Azure Arc for Servers
- Support Azure RBAC and roles based of ARM in Azure
- No manual intervention is needed as long as Azure-VM- or Arc-agent is running
- Gathered information available for analysis via Azure Resource Graph
- Support for automatic VM guest patching and hotpatching
- Manage Extended Security Updates (ESU) for out of supoort WS2012
In this article I will give you a overview about the solution and how you can configure this solution for your VMs. Since I’ve been using it in a large Azure environment since the Public Preview release, I’ll point out some recommendations and pitfalls.
Contents
Why Microsoft release the a new Update Management solution?
There are several reasons why Microsoft released a new Update Management solution in Azure.
- The old Azure Update Managemnt Center v1 relies on the Automation Account and needs a Log Analytics Agent on each server which is managed by UMC v1. The future of Azure Automation is uncertain, but more serious is that the support for the Log Analytics Agent will ended August 2024.
- UMC v1 doesn`t support Azure Arc machines by default over the integrated Arc Agent. The discontinued Log Analytics Agent is required for integration.
- Microsoft offers the new Extended Security Updates (ESU) for the soon to be discontinued Windows Server 2012 version for Azure Arc enabled Servers and Azure Update Manager fully support this solution
Supported OS versions
The new Update Manager supports actual only Linux and Windows Server OS from the Azure Marketplace. The full list of supported images is available here.
Not supported OS versions and images
VMs they are created from Azure Migrate, Azure Backup, Azure Site Recovery arenĀ“t fully supported at the moment. This support has been missing since the Public Preview, so I expected this to come with the GA announcement, but that is not the case.
Windows Client versions (Windows 10/11) are not supported. They work but will not supported and I think this support is not planed, because Windows 10/11 clients are intended for device management via Intune. But I think this can be challenge, because sometimes Windows Client OS will used for different workloads which are not covered by Intune.
CIS images currently not supported.
Available regions
Update Manager is available in all Azure public regions. However Azure Arc they is only supported in certain regions.
Prerequisites
Before we dive into the solution I will give a overview about the prerequisites and the needed permissions.
VM prerequisites
The Update Management Center relies on a new Azure Extension. This extension is automatically integrated into the Azure VM Agent for Windows and Linux which is built-in on Azure VM marketplace images.
It also integrated into the Azure Arc servers agent.
This results in the requirement that the Azure VM Agent is mandatory and must be installed and activated. I say this because I have seen several customer environments where the agent was disabled or not installed after migrated VM to Azure. This means also, when you encounter problems in seeing the VM in the Azure Update Center solution please check the status of the Azure agent and check if the actual version is installed.
Needed Roles and permissions
Currently there is no preconfigured Azure Update Center RBAC role available and minimum role requirements are as follows:
Azure VM = Azure Virtual Machine Contributor
Azure Arc-enabled server = Azure Connected Machine Resource Administrator
Permissions
For the full overview of the needed permissions please review Azure Update Manager permissions overview on Microsoft Learn
Network prerequisites
Allow traffic to any endpoints required by Windows Update Agent:
*.download.windowsupdate.com*.dl.delivery.mp.microsoft.com*.delivery.mp.microsoft.com
The Update Center trigger the Update check whcih will then use the central Microsoft Update service to check for available updates, therefore is also mandatory that the VMs can reach the given URLs. Support for WSUS is also given
Configuration via Azure Policy
The new solution brings an essential improvement that lies in the support of Azure Policies. This Policy can be used to automatically enable Azure Update Center for Azure VMs or Azure Arc-enabled Servers (please note that often the preview name Update Management Center is still displayed).
Please note using Azure Automanage machine configuration (guest configuration) - formerly known as Azure Policy guest configuration - for Azure Arc machines will charge around 6$ per month per resource.
How it works
In the second part I will dive into how the Azure Update Center works and which options are provided.
Questions
Will UMC support Azure Migrate VMs?
We are waiting for support for VM’s created via Azure Migrate as well. Without this we are not even looking at Update Management Center (Preview).
Links
- Azure Update Manager overview
- Windows Update issues troubleshooting
- Azure virtual machine extensions and features
- We’re retiring the Log Analytics agent in Azure Monitor on 31 August 2024
- Microsoft Defender for Cloud – strategy and plan towards Log Analytics Agent (MMA) deprecation
- Automatic VM Guest Patching for Azure VMs
- Free Extended Security Updates only on Azure for Windows Server 2012 /R2and SQL Server 2012
- Update management center (preview) support matrix
- Azure Update Manager
- Azure Windows VM Agent overview