Automate Patching through Azure

Abhi Bothera
3 min read · Aug 25, 2022

Patching Automation for Windows and Linux Virtual Machines using Azure Automation Account’s Update Management and Log Analytics Workspace.

Microsoft Illustration of how Update Management assesses and applies security updates to all connected Windows Server and Linux servers.

Update Management uses Azure Monitor Logs to store update assessments and update deployment results as log data from the assigned Azure and non-Azure machines, both Linux and Windows. To collect this data, the Automation Account and the Log Analytics workspace are linked together, and the Log Analytics agent (MMA) for Windows and Linux must be installed on each machine and configured to report to that workspace.

Configure the VMs for Automated Patching:

Create a Log Analytics Workspace and an Azure Automation Account or use the existing ones.

1. Go to the VM > Updates in the left blade > Select Go to Updates using Automation.

Configuration — Go to Updates using automation

2. Select your Log Analytics Workspace and Automation account and Click on Enable.

Configuration — Update Management

3. Do not navigate to another window until the deployment starts.

4. Once the deployment is completed, wait for the machine to be assessed; it takes around 1 hour before everything is in place.

Validate the configurations for Automated Patching:

Go to Automation Account > Update Management. All the VMs that have been added (both Windows and Linux) are listed here.

Update Management Dashboard

Schedule an Update Deployment for Automated Patching:

1. In the Automation Account, on the Update management blade, click on Schedule Deployment.

Update Management Dashboard — Schedule update deployment

2. In the New update deployment, fill in the details like Name, select Operating System and then Select Machines to Update.

New Update Deployment

3. Select the machines you want to include in this deployment.

Update Deployment — Select Machines

4. Customize your selection from the below list of available classifications:

Update Deployment — Update Classification

5. To exclude or include a specific update, enter its KB article number here:

Update Deployment — Include/Exclude updates
Update Deployment — Include/Exclude updates for Windows VM

6. Schedule when to deploy the patches and choose to make that recurring if you want:

Schedule — Schedule Settings

7. Provide a maintenance window and select the reboot options as per client approvals and create the schedule:

Schedule — Maintenance window and Reboot Options

8. Similarly, a separate schedule can be created for Linux VMs, where the exclude/include option works with package details instead of KB articles:

Update Deployment — Include/Exclude updates for Linux VM
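The same Windows and Linux deployments from steps 1 to 8, built with the Az.Automation PowerShell module instead of the portal. This is an added example and not code from the original post; the resource group, account name, VM resource IDs, the KB number and the package mask are placeholders, and it assumes Az.Automation is installed and Connect-AzAccount has been run.

```powershell
# Added example (not from the original post). Placeholders: resource group, account,
# VM resource IDs, the KB number and the package mask. Needs Az.Automation + Connect-AzAccount.
$rg      = "rg-patching"    # placeholder
$account = "aa-patching"    # placeholder
$winVm   = "/subscriptions/<sub-id>/resourceGroups/rg-patching/providers/Microsoft.Compute/virtualMachines/vm-win-01"
$linVm   = "/subscriptions/<sub-id>/resourceGroups/rg-patching/providers/Microsoft.Compute/virtualMachines/vm-lin-01"

# Step 6: recurring weekly schedule; -ForUpdateConfiguration marks it for Update Management.
function New-PatchSchedule([string]$Name, [string]$Day) {
    New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
        -Name $Name -StartTime (Get-Date).Date.AddDays(7).AddHours(2) `
        -WeekInterval 1 -DaysOfWeek $Day -TimeZone "UTC" -ForUpdateConfiguration
}

# Steps 2-7 (Windows): classifications, KB exclusion, maintenance window, reboot setting.
$winParams = @{
    ResourceGroupName            = $rg
    AutomationAccountName        = $account
    Name                         = "win-critical-security"
    Schedule                     = New-PatchSchedule -Name "win-weekly" -Day "Saturday"
    Windows                      = $true
    AzureVMResourceId            = @($winVm)
    IncludedUpdateClassification = @("Critical", "Security")
    ExcludedKbNumber             = @("KB0000000")        # placeholder KB article to hold back
    Duration                     = New-TimeSpan -Hours 2 # maintenance window
    RebootSetting                = "IfRequired"          # IfRequired | Never | Always | RebootOnly
}
New-AzAutomationSoftwareUpdateConfiguration @winParams

# Step 8 (Linux): package classifications and name masks replace KB numbers.
$linParams = @{
    ResourceGroupName             = $rg
    AutomationAccountName         = $account
    Name                          = "linux-critical-security"
    Schedule                      = New-PatchSchedule -Name "linux-weekly" -Day "Sunday"
    Linux                         = $true
    AzureVMResourceId             = @($linVm)
    IncludedPackageClassification = @("Critical", "Security")
    ExcludedPackageNameMask       = @("kernel*")         # placeholder mask: hold back kernel packages
    Duration                      = New-TimeSpan -Hours 2
    RebootSetting                 = "IfRequired"
}
New-AzAutomationSoftwareUpdateConfiguration @linParams

# Validate: both deployments should now be listed under Update Management > Deployment schedules.
Get-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account |
    Format-Table Name
```

Keeping the schedule definitions in source like this makes the maintenance window and reboot policy reviewable and repeatable across subscriptions, which is harder to audit when they only exist as portal clicks.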

The above configurations will enable the Automation account to push the patches onto both Windows and Linux environments as per the specified schedules automatically.

In case of any questions or concerns, find me at abhibothera.github.io.

About me:

Senior Cloud Engineer | 7x Microsoft Azure Certified | Solutions Architect | Azure DevOps | AVD | Security | Former Research Scholar at Georgia Tech.
