Automation – #6 – Azure Update Management


Now that you've built your resources and applications in the cloud, you have to maintain them. Now, this can be done in one of two ways. The way that would be most cloud focused would be to treat them basically like cattle: you don't really care for them, you don't maintain them, you just throw them away and provision new ones. But not everyone is ready for that level of management, or the applications that we're using are still more legacy type applications, and so they're not built to work that way. So what can we do? Well, we have to maintain the systems that we have, and part of that means patching, and I'm going to show you how today with Azure Update Management. I'm Dean Cefola and this is the Azure Academy.

Now the world of patch management should be very familiar to all of you, since we've had systems on prem for a very long time that we've had to maintain, and it's basically the same story no matter what tool you use: you have to identify a group of machines, identify some patches that you want to add to those machines, figure out what your maintenance window is, deploy the patches, reboot, rinse, repeat. Now what we're gonna go through today is of course how we can do this with native tools inside Azure itself, without the need of other products or services.

Let's take a look at our Docs. We're gonna go under Products, then we'll go down to Management and Governance, and to Automation. Now the Azure Automation account is something that we haven't really covered on the Azure Academy before, so let me give you a quick overview. The main capabilities around Azure Automation have to do with running runbooks, so if we're used to Opalis or System Center Orchestrator or Service Management Automation, all these tools are basically runbook driven type tools. Also configuration management, which has to do with collecting inventory, change tracking and monitoring on your systems, and Desired State Configuration, which would be PowerShell DSC, the same kind of thing that you could do through Chef or Puppet, and then of course Update Management. These things all work on Windows or on Linux systems; basically, if the operating system is supported in the cloud, it's supported by Update Management. And then of course this works for Azure or on-premises, and we're gonna cover all of those scenarios today.

So under the Update Management section here we're gonna go to the overview real quick, and there's a few key things that I want to point out here. The first is network planning, and here is the list of the URLs that you need to be able to hit in Azure Government or in the public Azure cloud. These have to connect over port 443, and if you do need a proxy you can use that as well. And then at the top, under the solution overview, this is the basic way that this solution is going to function. In Azure, every VM has the Azure VM agent; now that agent is how we communicate with the operating system and we pull all of our data. On prem we don't have that agent, so we need to deploy one, and that would be the Microsoft Monitoring Agent; it's the same agent that we've used in the past for Log Analytics. And our Automation account is basically going to function as our patch management server, and it's going to take care of understanding all the patches we want to deploy, all the groups we want to set up, maintenance windows, etc.

Let's go over to the Azure portal. I've already built the Automation account that we're going to use for this today, but I want to show you quickly how to deploy one. So we'll go to create a new resource, we'll type "automation", we'll select that and we'll hit the create button, and then we just have to give it a name, select our subscription, select our resource group, and a location where we're going to deploy it. And then we have the option for creating a Run As account. Now the Run As account for Azure Automation will give us some authentication mechanisms so that we can manage all of our resources in Azure, or with our cmdlets through Azure Automation runbooks, and basically this will set up a service principal in Azure Active Directory and give it Contributor rights over the subscription so that we can do all of our processes. We're going to need that, and then we'd hit the create button, and that'll just take a moment to deploy. The other thing that we're going to need to make this work is a Log Analytics workspace. Now we've deployed those several times in the past, so I'll just take you to our resource group for the day here. So here's our Automation account that we're going to be using, and in our Automation account we'll go to Update Management, and then we can see I've got one VM already onboarded here, and now we want to add some more. So what we can do for that is there is a "+ Azure VMs" up here and a link to go to add non-Azure VMs.

Now this link takes you out to our Docs, where it shows you how to download and install the MMA agent. For those of you who did not see our video on Log Analytics, I'll show you this real quick. For any Log Analytics workspace, you go to the Advanced Settings and then you download the agent. You'll need your workspace ID and your key in order to onboard the VM, and when you do, it looks something like this. And for those of you who are thinking that this looks an awful lot like the System Center Operations Manager agent, that's because it is. And so this VM, along with several others that I have on prem here, are all set up in Azure. So let's take a look at that.

So back in my Azure Automation account, we see that there's a little bubble here that says six machines do not have Update Management enabled, and I can click here to manage them. So when I do, I have the option of turning this on for all available machines, all available and future machines, which is how you onboard new systems, and then I can choose just particular machines that I want. These are all on-premises, so I'll add each one of these and we'll hit the enable button, and those will start processing and join us for Update Management. Now I also want to add VMs in Azure, and when I do I've got these five Azure VMs, and we'll onboard those just by clicking the enable button.

So the onboarding process for all of our machines has completed. You can see our on-prem and Azure VMs are sharing the same space here; there they are, as to what platform they are a part of as well as what OS they are a part of. Now as we go down the screen here, we can see critical updates that are missing, security updates, and then other, and we have the update agent readiness. Now if any of these say anything other than Ready, there'll be a button that you can click which will walk you through a series of tests to validate that all of the prereqs and settings and ports are all open so that you can do the Update Management, and likely something in there is wrong.

Now we have all of our VMs listed here, but one of the other critical things when it comes to doing updates is reporting. Now before we deploy an update, I want to take a look at the current state of our environment, and we're gonna find that in the Log Analytics workspace that is paired with this Automation account. So in the blade, if we scroll down, we're going to see the linked workspace, which is just an easy way for us to get there, and then we can click on the link to go to that workspace. Everything in Log Analytics breaks down into solutions. Now we can look at something like the workspace summary, which will show all of the different solutions that we have loaded, and I'm gonna pin this one here to my dashboard, and then let's pop in and take a look at it. So we can see a breakdown of all of our Windows computers and our Linux computers as far as what type of updates they are missing, and then you can do a further breakdown of the missing update types against Windows computers and against Linux computers. And then additionally over here we have common queries that we can run, and these are all loaded into your Log Analytics workspace already. So if we wanted to check if we had a computer with automatic updates disabled, we click on that, it loads the query for us, and then we can just hit run, and thankfully all of our systems are set up, so we don't have anything here. So the queries themselves, you can build them under the Update Management section, but we also have, under the Query Explorer, solution based queries, where you can just go right here and find all those ones that we saw from the solution itself. So we could click on "all computers with missing critical updates" and then we can see all of the particular updates that we are missing, and then you could drill into each of these to find out which machines are missing the particular updates. So this is a good way to do some queries against what it is that you're going to patch for, and then all of your stuff can end up on your dashboard. But I've just made a simple dashboard of all the systems that we have in Azure that we're monitoring, along with the system updates assessment, so we can see the basic breakdown of what we need, and at a glance you can see if there are systems that need patches. So we'll come back to this once we're done and see what the status is.

But let's go back to Automation, and now we want to start building our groups and our deployments. So we'll click on the Schedule update deployment link at the top, and we need to give this update a name, and I'll just call it "Update Thursday", and we have to choose which OS we'll be doing this for; in this case we'll pick Linux. And then we're going to have a choice of how to create our groups: either we can use some dynamic group membership, which is what I prefer, or you can use static group membership. Now this works out if you have created other kinds of groups already, especially within Log Analytics. So jumping back to Log Analytics for a moment, in our workspace we'll go to the Advanced Settings, then we'll go to the computer groups. You can see the group members that we've got, and these group members are all the ones related to our update onboarding, so we could choose to use that group, which would encompass everything. Or we can have an Active Directory group if you are linking with Active Directory, and you can import those groups with this check box up here, so you can use AD group membership to group systems together if you are doing that already, or use the WSUS groups if you have used that, or Config Manager groups as well. But for today we're just going to go back to our Automation account, and we're gonna do this more dynamically. So we'll click on this first item here to group our systems. All my Linux systems are in Azure, so I'll select all of my subscriptions, and I'm not going to select anything further from the resource groups or locations, but I am going to use my maintenance window tag, so we'll check that and then we'll hit the preview button, and we can see it has discovered my Linux VMs that are in Azure. So we'll hit OK and we'll add those to our group, and then hit the OK button.

So now that we've created a deployment group, we now need to build the deployment itself. So we have our update classifications here, which are Critical, Security and Other; I'll just be selecting Critical and Security for our Linux systems. And we have to build a schedule. Now the maintenance window is called Thursday 6:00 p.m., and this will be in Eastern time, since that's where I'm located and where the VMs are located. Then we have the choice of making this a one-time event or a recurring event, and if we choose recurring we can make that happen weekly, monthly, daily or hourly, depending on how aggressive you are with patching, which also means your systems and applications need to be resilient enough to be able to take outages from any one of their nodes, so plan for that. So this particular update deployment we'll make weekly, and this will be on Thursdays, and we will not be setting an expiration for this, and we'll hit OK. And now we have the option of adding any pre and post scripting on top of this, because this is an Azure Automation account that runs this process; we can run runbooks, which are effectively scripts, against the systems before or after we do this process. Now we're not going to do this for the Linux systems, because I'll show you how to onboard some of this stuff in a moment, so we'll just hit OK here. We'll set our maintenance window itself, and that's how long we're gonna give the systems to patch, and I'll just give it 240 minutes. And then we have the option for reboots, and the default here is "reboot if required", which will be dependent on the particular patches that get installed. Or we can install the patches and never reboot, if you have some other process around reboots or maintenance window times that you do rebooting; choose to always reboot; or we can run this as a reboot only and not install updates, again going back to using this for other purposes beyond just update management. So I'm going to set this for "reboot if required" and hit create.

So now that we've created that for our Linux systems, we want to do the same of course for Windows. Now I did mention the pre and post scripting, and for that we're going to need to take a look at runbooks. So the runbooks, as I said in the beginning, are part of the process automation. Now for adding all of the stuff that we're going to use around updates, we have to browse into the gallery to find these things, and there are quite a lot of items out here, and if you're interested in more, click the subscribe button and let me know what you'd like to see other videos on, and we'll be happy to create those. We're gonna look for Update Management specifically; there's one here for "turn on VMs" and another for "turn off VMs". So we'll import this by clicking on it and then clicking the import button, and you can rename it here if you like, but I'll just leave that alone and hit OK, and then I'll repeat the process here for "turn off VMs". So for now we'll just go back to the Automation account and we can see that we've got our new runbooks here. So if we click on one of these and click the edit button, now in order to use these in our environment we do have to publish it, so we'll hit Yes to publish that runbook, and then go back and repeat for the other one; so we'll edit, then hit publish, and hit Yes to complete the publish. So now that those are published, we can now take advantage of them. So we'll go back to Update Management and create a new scheduled update, and we'll call this one "Updates Thursday for Windows", and then we'll again create through our dynamic groups, so we'll select all of our subscriptions as well as our maintenance window tag, and we'll hit the preview button here, and those look like the correct VMs, so we'll add those. And then we'll go to our Non-Azure and hit preview, and we can see our Non-Azure Windows VMs, and that looks good, so we'll hit OK there.

And now we have our update classification. So there are some more kinds of updates here on the Windows side, but I'm just gonna choose the Critical and Security patches for the moment. And we also have the option to include or exclude particular updates, so if there is a particular KB that you're aware of that needs to be excluded or included that's not necessarily part of the update list that we chose, you can enter those KBs here. So for example, I do know one KB that I want to include, and it needs to be without the "KB" prefix, just to be sure that it's in there. And then we have our schedule, so same kind of thing that we did on the Linux systems: we'll set this for 6:00 p.m. Eastern time and we'll make it recurring on a weekly basis on Thursday with no expiration. And then we have our pre and post scripts, so we're gonna add here the script to turn on our VMs as a pre script, and then we'll also add "turn off VMs" as a post script. So even if our VMs are powered off, the VMs will turn back on, do their patching, and then turn off once they are complete. So we'll hit OK there, and then I'll make my maintenance window 240 minutes and reboot if required, so we'll go ahead and hit create. And if we look now under our deployment schedules, we can see that we've got our Windows Thursday and Linux Thursday. So if we wanted to, we could click on our Linux Thursday update and we could make some changes here; perhaps we could add the pre script and post script that will do that, just to be sure that we've covered that base, and then we'll hit save.

Come to the magic moment, and we've got our jobs running here. And so if we go to the jobs themselves, we've got the runbooks it's running for validating that all our VMs are powered on, and then we will go into patching them. You can see the individual jobs for each VM itself, and then we have these Azure jobs, which is the overall job for doing these patch deployments. So this should be done in a few minutes, and once it is, our Update Management screen will need some time to process everything and do the updates, so we'll take a look at this once it's complete.

And all of our systems have completed updating, and they're all showing as compliant. As you can see when you mouse over this little tooltip, non-compliant machines are the ones missing Critical and Security, so they are compliant machines, but we could schedule other software deployments to take care of all the rest of these missing updates, which you can see: definition updates, as well as drivers and some other stuff here as well. And looking at the History tab, we can see all the different jobs that have run, and we can use this drop down menu to filter them; for example, here's all of the jobs that have succeeded, and the jobs that have some failure in them. When we look at these jobs, we can see if the pre scripts and post scripts have run successfully, how long it took the job to run against our maintenance windows, what the start time was of the job, and how many machines were a part of this job. Let's click on this one here that failed. So we see that there were some machines that failed; they happen to all be my on-prem arc machines, and the reason for this was the machines were powered off. But if we go back to one of the previous jobs that succeeded, we can see all of these jobs ran in 1 or 0 minutes, showing that there were no further updates necessary for all of these systems, and then inside each of these jobs you can click on any one of the machines to look at just their logs and inputs. And looking back at our dashboard, we can click on our server update assessment here; we can see that we've got some machines here that are completely up to date, no other patch is needed, others need some of these other patches, but all Security and Critical updates are reporting good on the Linux side and the Windows side.

So I hope that you've enjoyed this look at the Azure Update Management service, a way to easily patch and maintain systems that require that in the cloud with native platform tools, making it very simple to set up, and maintenance is basically zero since it is a platform service, allowing you to patch your Windows and Linux systems or anything that is on prem. So if you thought this video was good, hit that thumbs up and click the subscribe button. Join us here at the Azure Academy, where we're all just trying to learn as much as we can about all areas of Azure, and if you have a suggestion or comment on this video, please leave me a comment down below and let me know what it is that you're thinking, what new videos you'd like to see on the Azure Academy; we'll be happy to make those for you. If you want an email notification when our videos come out, which is roughly once a week, then you can click on the notification bell as well. Thanks very much for joining us, and we will see you next time. Happy learning.
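The video builds everything through the portal. As an added example (not from the video, and not Microsoft's own code), the same Windows deployment can be scripted with the Az.Automation and Az.OperationalInsights modules, which is how you would keep the schedule, dynamic tag group, KB include list, maintenance window, reboot setting and pre/post runbooks under version control, and check the assessment and the failed machine runs the way the History tab does. The resource group, Automation account, tag name and value, non-Azure computer name, runbook names, workspace ID and the KB number are all assumed placeholders and must be replaced with your own values.

```powershell
# Added example: script the "Updates Thursday for Windows" deployment from the video.
# All names below are assumed placeholders, not values from the video.
Connect-AzAccount | Out-Null
$rg             = 'rg-updates'        # assumed resource group
$account        = 'aa-patching'       # assumed Automation account
$subscriptionId = (Get-AzContext).Subscription.Id
$workspaceId    = '<log-analytics-workspace-id>'   # assumed: the workspace's customer (GUID) ID

# 1. Assessment first (the "all computers with missing critical updates" query from the
#    solution, reduced to the Update table columns Update Management populates).
$kql = @'
Update
| where UpdateState == "Needed" and Optional == false
| where Classification in ("Critical Updates", "Security Updates")
| summarize arg_max(TimeGenerated, *) by Computer, KBID
| project Computer, OSType, Classification, KBID, Title
'@
$missing = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql).Results
$missing | Format-Table Computer, Classification, KBID -AutoSize

# 2. Weekly schedule: Thursdays 18:00 Eastern, no expiry (ExpiryTime omitted).
#    -ForUpdateConfiguration marks the schedule as usable by a software update configuration.
$today = (Get-Date).Date
$start = $today.AddDays((4 - [int]$today.DayOfWeek + 7) % 7).AddHours(18)
if ($start -lt (Get-Date).AddMinutes(10)) { $start = $start.AddDays(7) }   # must lie in the future
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'Updates Thursday for Windows' -StartTime $start `
    -WeekInterval 1 -DaysOfWeek Thursday -TimeZone 'America/New_York' -ForUpdateConfiguration

# 3. Dynamic group: every VM in the subscription carrying the maintenance window tag
#    (tag name and value are assumed). Preview it before using it.
$azureQuery = New-AzAutomationUpdateManagementAzureQuery -ResourceGroupName $rg -AutomationAccountName $account `
    -Scope @("/subscriptions/$subscriptionId") `
    -Tag @{ 'MaintenanceWindow' = 'Thursday-6PM' }

# 4. The deployment: Critical + Security only, one explicitly included KB (digits only,
#    no "KB" prefix, as the video notes), 240-minute window, reboot only if required,
#    and the imported, published gallery runbooks as pre and post tasks.
$includedKb = '0000000'                          # placeholder KB number, digits only
$config = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows `
    -AzureQuery $azureQuery `
    -NonAzureComputer @('onprem-win-01') `       # assumed on-prem computer name (MMA agent installed)
    -IncludedUpdateClassification Critical, Security `
    -IncludedKbNumber $includedKb `
    -Duration (New-TimeSpan -Minutes 240) `
    -RebootSetting IfRequired `
    -PreTask 'Turn-On-VMs' -PostTask 'Turn-Off-VMs'   # assumed names of the published runbooks
$config | Select-Object Name, ProvisioningState

# 5. After the window: the equivalent of the History tab filtered to failures, listing
#    which machines failed inside each failed run.
Get-AzAutomationSoftwareUpdateRun -ResourceGroupName $rg -AutomationAccountName $account -Status Failed |
    ForEach-Object {
        $run = $_
        Get-AzAutomationSoftwareUpdateMachineRun -ResourceGroupName $rg -AutomationAccountName $account `
            -SoftwareUpdateRunId $run.RunId -Status Failed |
            Select-Object @{n='Run';e={$run.Name}}, TargetComputer, Status, StartTime, EndTime
    } | Format-Table -AutoSize
```

Two points worth keeping in mind when you script this: the runbooks named in -PreTask and -PostTask have to already be imported and published in the account, exactly as the video does by hand, or the configuration fails to create; and the machine-run listing at the end is the place to catch the "powered off at deployment time" failures the video shows in the History tab, since a pre-task that turns VMs on only covers Azure VMs, not on-prem agents.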