Plan your Update Management deployment

Step 1: Automation account

Update Management is an Azure Automation feature, and therefore requires an Automation account. You can use an existing Automation account in your subscription, or create a new account dedicated only for Update Management and no other Automation features.

Step 2: Azure Monitor Logs

Update Management depends on a Log Analytics workspace in Azure Monitor to store assessment and update status log data collected from managed machines. Integration with Log Analytics also enables detailed analysis and alerting in Azure Monitor. You can use an existing workspace in your subscription, or create a new one dedicated only for Update Management.

If you are new to Azure Monitor Logs and the Log Analytics workspace, you should review the Design a Log Analytics workspace deployment guide.

Step 3: Supported operating systems

Update Management supports specific versions of the Windows Server and Linux operating systems. Before you enable Update Management, confirm that the target machines meet the operating system requirements.

Step 4: Log Analytics agent

The Log Analytics agent for Windows and Linux is required to support Update Management. The agent is used for both data collection, and the Automation system Hybrid Runbook Worker role to support Update Management runbooks used to manage the assessment and update deployments on the machine.

On Azure VMs, if the Log Analytics agent isn't already installed, when you enable Update Management for the VM it is automatically installed using the Log Analytics VM extension for Windows or Linux. The agent is configured to report to the Log Analytics workspace linked to the Automation account Update Management is enabled in.

Non-Azure VMs or servers need to have the Log Analytics agent for Windows or Linux installed and reporting to the linked workspace.

Having a machine registered for Update Management in more than one Log Analytics workspace (also referred to as multihoming) isn't supported.

Step 5 - Network planning

To prepare your network to support Update Management, you may need to configure some infrastructure components. For example, open firewall ports to pass the communications used by Update Management and Azure Monitor.

Review Azure Automation Network Configuration for detailed information on the ports, URLs, and other networking details required for Update Management, including the Hybrid Runbook Worker role. To connect to the Automation service from your Azure VMs securely and privately, review Use Azure Private Link.

For Windows machines, you must also allow traffic to any endpoints required by Windows Update agent. You can find an updated list of required endpoints in Issues related to HTTP/Proxy. If you have a local Windows Server Update Services (WSUS) deployment, you must also allow traffic to the server specified in your WSUS key.

If your IT security policies do not allow machines on the network to connect to the internet, you can set up a Log Analytics gateway and then configure the machine to connect through the gateway to Azure Automation and Azure Monitor.

Step 6: Permissions

To create and manage update deployments, you need specific permissions. To learn about these permissions, see Role-based access - Update Management.

Step 7: Windows Update Agent

Azure Automation Update Management relies on the Windows Update Agent to download and install Windows updates. There are specific group policy settings that are used by Windows Update Agent (WUA) on machines to connect to Windows Server Update Services (WSUS) or Microsoft Update. These group policy settings are also used to successfully scan for software update compliance, and to automatically update the software updates. To review our recommendations, see Configure Windows Update settings for Update Management.

Step 8: Linux repository

Any Linux distribution must be updated from the distribution's online file repository by using methods supported by that distribution.

Step 9: Plan deployment targets

Update Management allows you to target updates to a dynamic group representing Azure or non-Azure machines, so you can ensure that specific machines always get the right updates at the most convenient times. A dynamic group is resolved at deployment time and is based on the following criteria:

• Subscription
• Resource groups
• Locations
• Tags

For non-Azure machines, a dynamic group uses saved searches, also called computer groups. Update deployments scoped to a group of machines is only visible from the Automation account in the Update Management Deployment schedules option, not from a specific Azure VM.

Alternatively, updates can be managed only for a selected Azure VM. Update deployments scoped to the specific machine are visible from both the machine and from the Automation account in Update Management Deployment schedules option.

Next steps

Enable Update Management and select machines to be managed using one of the following methods:

• Using an Azure Resource Manager template to deploy Update Management to a new or existing Automation account and Azure Monitor Log Analytics workspace in your subscription. It does not configure the scope of machines that should be managed, this is performed as a separate step after using the template.

• From your Automation account for one or more Azure and non-Azure machines, including Azure Arc-enabled servers.

• For a selected Azure VM from the Virtual machines page in the Azure portal. This scenario is available for Linux and Windows VMs.