Update Management: Pre/post tasks, dynamic groups, and update inclusion
Posted on September 21, 2018
Three new features are available in Azure Update Management. These features drastically improve the power and flexibility of Update Management.
Pre/post deployment tasks (preview)
You can now specify Azure Automation runbooks to run immediately before and after installing updates. These pre- and post- tasks enable you to do things like:
- Start VMs, patch them, and shut them down again.
- Stop a service on the machine, patch it, and start the service again.
For more information, including sample scripts, see the pre/post documentation.
Dynamic groups (preview)
You can use dynamic groups to create periodic update deployments for Azure VMs. This new feature enables:
- Targeting of Azure VMs based on Azure-native concepts: subscriptions, resource groups, locations, and tags.
- Dynamic resolution of the target machines for an update deployment. After the update deployment is created, any new machines added to Update Management that meet the search criteria will be automatically picked up without requiring the user to modify the update deployment itself.
As an example, the following group target for the update deployment will select all onboarded VMs in the selected resource groups that have the tag PatchWindow=SundayNight. This deployment can be set to run weekly. When additional onboarded VMs are tagged with PatchWindow=SundayNight, they will automatically be picked up and updated in the next deployment run.
For more information, see Using dynamic groups.
You can now specify inclusion lists for updates. When you use inclusion lists, you can whitelist updates so you can control exactly what updates are applied during a deployment run. This can be useful if you want to ensure that only patches you have approved are rolled out to your service.
For more information, see the update inclusion documentation.
See related feedback from Azure customers
Dynamic Update Deployments started
Update deployments needs to be dynamic. As of now if we target a group of 5 servers the deployment is static and will always target only these 5 servers, even if the group changes and have 100 servers in it. The update deployment should be able to evaluate the group membership at each runtime.Martin Modin [MSFT]
In our environment all large amount of vm's is not started all the time. But need to be up to date. I could create runbooks to start the vm just before the scheduled update and deallocate at the end. But controlling this from the schedule itself could be helpfull.Bart Danse