Update Management: Pre/post tasks, dynamic groups, and update inclusion
Updated: September 21, 2018
Three new features are available in Azure Update Management. These features drastically improve the power and flexibility of Update Management.
Pre/post deployment tasks (preview)
You can now specify Azure Automation runbooks to run immediately before and after installing updates. These pre- and post- tasks enable you to do things like:
- Start VMs, patch them, and shut them down again.
- Stop a service on the machine, patch it, and start the service again.
For more information, including sample scripts, see the pre/post documentation.
Dynamic groups (preview)
You can use dynamic groups to create periodic update deployments for Azure VMs. This new feature enables:
- Targeting of Azure VMs based on Azure-native concepts: subscriptions, resource groups, locations, and tags.
- Dynamic resolution of the target machines for an update deployment. After the update deployment is created, any new machines added to Update Management that meet the search criteria will be automatically picked up without requiring the user to modify the update deployment itself.
As an example, the following group target for the update deployment will select all onboarded VMs in the selected resource groups that have the tag PatchWindow=SundayNight. This deployment can be set to run weekly. When additional onboarded VMs are tagged with PatchWindow=SundayNight, they will automatically be picked up and updated in the next deployment run.
For more information, see Using dynamic groups.
You can now specify inclusion lists for updates. When you use inclusion lists, you can whitelist updates so you can control exactly what updates are applied during a deployment run. This can be useful if you want to ensure that only patches you have approved are rolled out to your service.
For more information, see the update inclusion documentation.