Azure Update Management is a service included with your Azure subscription that lets you assess update compliance across your environment and manage Windows and Linux server patching from a single place, for both on-premises and Azure machines.
Update Management is available at no additional cost (you only pay for the log data stored in the Azure Log Analytics service) and can be enabled on Azure and on-premises VMs. To try it, navigate to the Virtual machines view in the Azure portal and enable Update Management on one or more of your machines.
Over the past year we’ve been listening to your feedback and bringing powerful new capabilities to Azure Update Management. Here’s a look at some of the new features we have developed with your help.
Groups
One of the biggest asks from the community this year has been more flexibility in targeting update deployments, specifically support for groups with dynamic membership. Instead of specifying a static set of machines when you create an update deployment, a group lets you specify a query that is re-evaluated each time the update deployment runs.
We have released a preview feature that lets you author an Azure-native query targeting onboarded Azure VMs by subscription or resource group, location, and tags. For instance, in the following screenshot a query is configured to automatically pick up onboarded VMs that carry the tag PatchWindow=SundayNight. As you onboard new VMs, you simply add this tag and they will participate in the next run of this update deployment. Keep in mind that this makes permission to write tags on a VM equivalent to permission to add it to (or remove it from) the patch group, so treat the tags you key on with the same care as the deployment itself.
We’ve also added the ability to immediately preview your query while authoring the update deployment. This shows the VMs that would be patched if this update deployment were to run right now.
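The following PowerShell is an added example, not code from the original post, showing the same dynamic group built from the command line with the Az.Automation cmdlets: a tag query for PatchWindow=SundayNight, a weekly schedule, the deployment that binds the two, and a listing that approximates the portal's query preview. The resource group (rg-ops), Automation account (aa-ops) and schedule name are assumptions.

```powershell
# Added example (not from the original post): create an update deployment that
# targets VMs through a tag query rather than a static list, then preview the
# membership from PowerShell. Assumed names: resource group rg-ops, Automation
# account aa-ops, schedule name SundayNight-0200. Requires the Az.Accounts,
# Az.Automation and Az.Resources modules and a signed-in Azure context.
$rg  = 'rg-ops'
$aa  = 'aa-ops'
$sub = (Get-AzContext).Subscription.Id

# 1. The dynamic group: every VM in this subscription tagged PatchWindow=SundayNight.
#    Scope, location and tags are evaluated at each run, not at creation time.
$query = New-AzAutomationUpdateManagementAzureQuery `
    -ResourceGroupName $rg -AutomationAccountName $aa `
    -Scope @("/subscriptions/$sub") `
    -Tag @{ PatchWindow = @('SundayNight') } `
    -FilterOperator All

# 2. A weekly schedule for Sunday 02:00 UTC; -ForUpdateConfiguration marks the
#    schedule as owned by an update deployment rather than a runbook.
$start = (Get-Date -Hour 2 -Minute 0 -Second 0).AddDays(7)
$schedule = New-AzAutomationSchedule `
    -ResourceGroupName $rg -AutomationAccountName $aa `
    -Name 'SundayNight-0200' -StartTime $start -WeekInterval 1 -DaysOfWeek Sunday `
    -TimeZone 'UTC' -ForUpdateConfiguration

# 3. The deployment itself: Windows, Critical and Security classifications, a
#    two-hour maintenance window, reboot only when an installed update requires it.
#    The deployment takes its name from the schedule.
$deployment = New-AzAutomationSoftwareUpdateConfiguration `
    -ResourceGroupName $rg -AutomationAccountName $aa `
    -Schedule $schedule -Windows -AzureQuery $query `
    -IncludedUpdateClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired
$deployment.Name

# 4. Preview what the query would pick up right now. This lists every VM carrying
#    the tag; the portal preview additionally drops VMs that are not onboarded,
#    so cross-check against the Update Management machines view before relying on it.
$tagged = Get-AzResource -ResourceType 'Microsoft.Compute/virtualMachines' `
    -TagName PatchWindow -TagValue SundayNight
$tagged | Select-Object Name, ResourceGroupName, Location
```

Step 4 is also the check to run after someone changes tags in bulk: a VM that unexpectedly appears here will be patched (and rebooted) at the next Sunday run whether or not anyone reviewed it.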
Onboarding new machines
From the virtual machines view you can easily onboard multiple machines into Update Management, even across subscriptions. More details can be found in the documentation.
Pre/post scripts
One of the big asks from the community has been the ability to run custom tasks before and after an update deployment. Some of the more common scenarios include starting VMs before deploying updates (another top UserVoice request), stopping and starting services on machines, and kicking off a backup job before deploying updates.
To address this, we added “pre/post scripts,” a way to invoke Azure Automation runbooks as part of an update deployment. We also published samples to help you get started with your specific needs.
See the documentation for more information on using pre/post scripts.
Update inclusion
Azure Update Management provides the ability to deploy patches based on classifications. However, there are scenarios where you may want to explicitly list the exact set of patches. Common scenarios include allow-listing patches after canary environment testing and zero-day patch rollouts.
With update inclusion lists you choose exactly which patches to deploy instead of relying on patch classifications: KB numbers on Windows, package names on Linux.
More information on how patch inclusion works can be found in the documentation.
Reboot control
Patches often require reboots, and reboots affect application availability. We’ve heard that you want to control when those reboots happen; reboot control is the result.
With the new reboot control feature you choose how an update run handles reboots: reboot only if an update requires it (the default), never reboot, always reboot, or create a separate update deployment that only reboots your servers and installs no patches. With this functionality, the downtime caused by server reboots can be decoupled from your patching cycle.
Some of you have also given the feedback that you want to control reboots yourself, ensuring services are taken down and brought up in a manner consistent with your internal controls. Using the pre/post scripts feature in conjunction with reboot control is a great way to suppress reboots during the patch cycle then do an orchestrated reboot of your servers as a post script.
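As an added example (not one of the published samples), here is a post-script runbook for exactly that pattern: the update deployment is created with reboot control set to never reboot, and this runbook, named as the deployment's post task, performs a rolling reboot of the Azure VMs the run targeted. The runbook name UpdateManagement-OrchestratedReboot is hypothetical, and the example assumes the Automation account has a system-assigned managed identity with Virtual Machine Contributor on the target VMs and the Az.Accounts and Az.Compute modules imported. The only input Update Management passes to a pre/post task is the run context JSON, and the VM list is read from there.

```powershell
# Added example (not from the original post or the published samples): a post
# script that performs the reboot an update run was told to skip.
# Assumptions: the deployment is created with -RebootSetting Never and
# -PostTaskRunbookName pointing at this runbook (hypothetical name
# UpdateManagement-OrchestratedReboot); the Automation account has a
# system-assigned managed identity holding Virtual Machine Contributor on the
# targets; the targets are Azure VMs listed in the deployment.
param(
    # Supplied by Update Management to every pre/post task: a JSON document with
    # the run id and the deployment settings, including Azure VM resource IDs.
    [Parameter(Mandatory = $true)]
    [string] $SoftwareUpdateConfigurationRunContext
)

Import-Module Az.Accounts, Az.Compute
Connect-AzAccount -Identity | Out-Null

# Resolve a VM resource ID to (resource group, name). The ID has the form
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<name>
function Split-VmResourceId {
    param([string] $ResourceId)
    $parts = $ResourceId.Trim('/') -split '/'
    if ($parts.Count -ne 8 -or $parts[6] -ne 'virtualMachines') {
        throw "Not a VM resource ID: $ResourceId"
    }
    [pscustomobject]@{ ResourceGroupName = $parts[3]; Name = $parts[7] }
}

$context = $SoftwareUpdateConfigurationRunContext | ConvertFrom-Json
$runId   = $context.SoftwareUpdateConfigurationRunId
$vmIds   = @($context.SoftwareUpdateConfigurationSettings.azureVirtualMachines)

if ($vmIds.Count -eq 0) {
    Write-Warning "Run ${runId}: no Azure VM resource IDs in the run context; nothing to reboot."
    return
}

# Reboot one VM at a time, in the order the deployment lists them, so a cluster
# or availability set never loses more than one member at once. A VM that is not
# running was not reachable for patching either, so it is left alone. The first
# VM that fails to restart halts the rolling reboot rather than taking down more.
$rebooted = 0
foreach ($id in $vmIds) {
    $vm = Split-VmResourceId $id
    $power = (Get-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Status).Statuses |
        Where-Object Code -like 'PowerState/*' | Select-Object -ExpandProperty Code
    if ($power -ne 'PowerState/running') {
        Write-Output "$($vm.Name): $power, skipping reboot."
        continue
    }
    Write-Output "$($vm.Name): restarting."
    try {
        # Restart-AzVM blocks until the platform reports the restart complete.
        $null = Restart-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -ErrorAction Stop
        $rebooted++
    } catch {
        Write-Warning "$($vm.Name): restart failed ($($_.Exception.Message)); halting the rolling reboot."
        throw "Run ${runId}: rolling reboot aborted after $rebooted VM(s) at $($vm.Name)"
    }
}
Write-Output "Run ${runId}: rebooted $rebooted of $($vmIds.Count) VM(s)."
```

Wire it up by publishing the runbook in the same Automation account and creating the deployment with `-RebootSetting Never -PostTaskRunbookName 'UpdateManagement-OrchestratedReboot'`; for the zero-day scenario from the inclusion section, add `-IncludedKbNumber` with the exact KBs. Because the post task runs once for the whole deployment, not per machine, the ordering and stop-on-failure logic above is where your internal change-control rules belong.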
Try it out!
Update Management is continually improving. If you haven’t started using it, now is a great time to get started. We love hearing feedback from our users on UserVoice and your feedback directly drives features. Give it a try and let us know how to make Azure Update Management even better!