Update Management overview

You can use Update Management in Azure Automation to manage operating system updates for your Windows and Linux virtual machines in Azure, in on-premises environments, and in other cloud environments. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers.


You can't use a machine configured with Update Management to run custom scripts from Azure Automation. This machine can only run the Microsoft-signed update script.

Before deploying Update Management and enabling your machines for management, make sure that you understand the information in the following sections.

About Update Management

Machines that are managed by Update Management rely on the following to perform assessment and to deploy updates:

  • Log Analytics agent for Windows or Linux
  • PowerShell Desired State Configuration (DSC) for Linux
  • Automation Hybrid Runbook Worker (automatically installed when you enable Update Management on the machine)
  • Microsoft Update or Windows Server Update Services (WSUS) for Windows machines
  • Either a private or public update repository for Linux machines

The following diagram illustrates how Update Management assesses and applies security updates to all connected Windows Server and Linux servers in a workspace:


Update Management can be used to natively deploy to machines in multiple subscriptions in the same tenant.

After a package is released, it takes 2 to 3 hours for the patch to show up for Linux machines for assessment. For Windows machines, it takes 12 to 15 hours for the patch to show up for assessment after it's been released. When a machine completes a scan for update compliance, the agent forwards the information in bulk to Azure Monitor logs. On a Windows machine, the compliance scan is run every 12 hours by default. For a Linux machine, the compliance scan is performed every hour by default. If the Log Analytics agent is restarted, a compliance scan is started within 15 minutes.

In addition to the scan schedule, the scan for update compliance is started within 15 minutes of the Log Analytics agent being restarted, before update installation, and after update installation.

Update Management reports how up to date the machine is based on the source you're configured to sync with. If the Windows machine is configured to report to Windows Server Update Services (WSUS), the results might differ from what Microsoft Update shows, depending on when WSUS last synced with Microsoft Update. This behavior is the same for Linux machines that are configured to report to a local repo instead of to a public repo.


To properly report to the service, Update Management requires certain URLs and ports to be enabled. To learn more about these requirements, see Network configuration.

You can deploy and install software updates on machines that require the updates by creating a scheduled deployment. Updates classified as optional aren't included in the deployment scope for Windows machines. Only required updates are included in the deployment scope.

The scheduled deployment defines which target machines receive the applicable updates. It does so either by explicitly specifying certain machines or by selecting a computer group that's based on log searches of a specific set of machines (or on an Azure query that dynamically selects Azure VMs based on specified criteria). These groups differ from scope configuration, which is used to control the targeting of machines that receive the configuration to enable Update Management. Machines outside that scope configuration can't perform or report update compliance, or install approved required updates.

While defining a deployment, you also specify a schedule to approve and set a time period during which updates can be installed. This period is called the maintenance window. A 20-minute span of the maintenance window is reserved for reboots, assuming one is needed and you selected the appropriate reboot option. If patching takes longer than expected and there's less than 20 minutes left in the maintenance window, a reboot won't occur.

Updates are installed by runbooks in Azure Automation. You can't view these runbooks, and they don't require any configuration. When an update deployment is created, it creates a schedule that starts a master update runbook at the specified time for the included machines. The master runbook starts a child runbook on each agent to install the required updates.

At the date and time specified in the update deployment, the target machines execute the deployment in parallel. Before installation, a scan is run to verify that the updates are still required. For WSUS client machines, if the updates aren't approved in WSUS, the update deployment fails.

Having a machine registered for Update Management in more than one Log Analytics workspace (also referred to as multihoming) isn't supported.


Supported operating systems

The following table lists the supported operating systems for update assessments and patching. Patching requires a system Hybrid Runbook Worker, which is automatically installed when you enable the virtual machine or server for management by Update Management. For information on Hybrid Runbook Worker system requirements, see Deploy a Windows Hybrid Runbook Worker and Deploy a Linux Hybrid Runbook Worker.


Update assessment of Linux machines is only supported in certain regions, as listed in the Automation account and Log Analytics workspace mappings table.

Operating system: Notes
Windows Server 2019 (Datacenter/Standard including Server Core)
Windows Server 2016 (Datacenter/Standard excluding Server Core)
Windows Server 2012 R2 (Datacenter/Standard)
Windows Server 2012
Windows Server 2008 R2 (RTM and SP1 Standard): Update Management supports assessments and patching for this operating system. The Hybrid Runbook Worker is supported for Windows Server 2008 R2.
CentOS 6, 7, and 8 (x64): Linux agents require access to an update repository. Classification-based patching requires yum to return security data that CentOS doesn't have in its RTM releases. For more information on classification-based patching on CentOS, see Update classifications on Linux.
Red Hat Enterprise 6, 7, and 8 (x64): Linux agents require access to an update repository.
SUSE Linux Enterprise Server 12, 15, and 15.1 (x64): Linux agents require access to an update repository. For SUSE 15.x, Python 3 is required on the machine.
Ubuntu 14.04 LTS, 16.04 LTS, and 18.04 LTS (x64): Linux agents require access to an update repository.


Update Management doesn't support safely automating update management across all instances in an Azure virtual machine scale set. Automatic OS image upgrades is the recommended method for managing OS image upgrades on your scale set.

Unsupported operating systems

The following table lists operating systems not supported by Update Management:

Operating system: Notes
Windows client: Client operating systems (such as Windows 7 and Windows 10) aren't supported.
Windows Server 2016 Nano Server: Not supported.
Azure Kubernetes Service Nodes: Not supported. Use the patching process described in Apply security and kernel updates to Linux nodes in Azure Kubernetes Service (AKS).

System requirements

The following information describes operating system-specific requirements. For additional guidance, see Network planning. To understand requirements for TLS 1.2, see TLS 1.2 enforcement for Azure Automation.


Windows software requirements:

Windows agents must be configured to communicate with a WSUS server, or they require access to Microsoft Update.

You can use Update Management with Microsoft Endpoint Configuration Manager. To learn more about integration scenarios, see Integrate Update Management with Windows Endpoint Configuration Manager. The Log Analytics agent for Windows is required for Windows servers managed by sites in your Configuration Manager environment.

By default, Windows VMs that are deployed from Azure Marketplace are set to receive automatic updates from Windows Update Service. This behavior doesn't change when you add Windows VMs to your workspace. If you don't actively manage updates by using Update Management, the default behavior (to automatically apply updates) applies.


You can modify Group Policy so that machine reboots can be performed only by the user, not by the system. Managed machines can get stuck if Update Management doesn't have rights to reboot the machine without manual interaction from the user. For more information, see Configure Group Policy settings for Automatic Updates.


Linux software requirements:

  • The machine requires access to an update repository, either private or public.
  • TLS 1.1 or TLS 1.2 is required to interact with Update Management.
  • Python 2.x installed.


Update assessment of Linux machines is only supported in certain regions. See the Automation account and Log Analytics workspace mappings table.


To create and manage update deployments, you need specific permissions. To learn about these permissions, see Role-based access - Update Management.

Update Management components

Update Management uses the resources described in this section. These resources are automatically added to your Automation account when you enable Update Management.

Hybrid Runbook Worker groups

After you enable Update Management, any Windows machine that's directly connected to your Log Analytics workspace is automatically configured as a system Hybrid Runbook Worker to support the runbooks that support Update Management.

Each Windows machine that's managed by Update Management is listed in the Hybrid worker groups pane as a System hybrid worker group for the Automation account. The groups use the Hostname FQDN_GUID naming convention. You can't target these groups with runbooks in your account. If you try, the attempt fails. These groups are intended to support only Update Management. To learn more about viewing the list of Windows machines configured as a Hybrid Runbook Worker, see View Hybrid Runbook Workers.

You can add the Windows machine to a user Hybrid Runbook Worker group in your Automation account to support Automation runbooks if you use the same account for Update Management and the Hybrid Runbook Worker group membership. This functionality was added in version 7.2.12024.0 of the Hybrid Runbook Worker.

Data collection

Supported sources

The following table describes the connected sources that Update Management supports:

Connected source (Supported): Description
Windows agents (Yes): Update Management collects information about system updates from Windows agents and then starts installation of required updates.
Linux agents (Yes): Update Management collects information about system updates from Linux agents and then starts installation of required updates on supported distributions.

Collection frequency

Update Management scans managed machines for data using the following rules. It can take between 30 minutes and 6 hours for the dashboard to display updated data from managed machines.

  • Each Windows machine - Update Management does a scan twice per day for each machine.

  • Each Linux machine - Update Management does a scan every hour.

The average data usage by Azure Monitor logs for a machine using Update Management is approximately 25 MB per month. This value is only an approximation and is subject to change, depending on your environment. We recommend that you monitor your environment to keep track of your exact usage. For more information about analyzing Azure Monitor Logs data usage, see Manage usage and cost.

Network planning

Check Azure Automation Network Configuration for detailed information on the ports, URLs, and other networking details required for Update Management.

For Windows machines, you must also allow traffic to any endpoints required by Windows Update. You can find an updated list of required endpoints in Issues related to HTTP/Proxy. If you have a local Windows Update server, you must also allow traffic to the server specified in your WSUS key.

For more information about ports required for the Hybrid Runbook Worker, see Update Management addresses for Hybrid Runbook Worker.

If your IT security policies don't allow machines on the network to connect to the internet, you can set up a Log Analytics gateway and then configure the machine to connect through the gateway to Azure Automation and Azure Monitor.

Update classifications

The following table defines the classifications that Update Management supports for Windows updates.

Classification: Description
Critical updates: An update for a specific problem that addresses a critical, non-security-related bug.
Security updates: An update for a product-specific, security-related issue.
Update rollups: A cumulative set of hotfixes that are packaged together for easy deployment.
Feature packs: New product features that are distributed outside a product release.
Service packs: A cumulative set of hotfixes that are applied to an application.
Definition updates: An update to virus or other definition files.
Tools: A utility or feature that helps complete one or more tasks.
Updates: An update to an application or file that is currently installed.

The next table defines the supported classifications for Linux updates.

Classification: Description
Critical and security updates: Updates for a specific problem or a product-specific, security-related issue.
Other updates: All other updates that aren't critical in nature or that aren't security updates.


Update classifications for Linux machines aren't available in the supported Azure China cloud.

Linux updates aren't classified there and are reported under the Other updates category. Update Management uses data published by the supported distributions, specifically their released OVAL (Open Vulnerability and Assessment Language) files. Because internet access is restricted, Update Management can't access those files.

For Linux, Update Management can distinguish between critical updates and security updates in the cloud under the Security and Others classifications while displaying assessment data, because of data enrichment in the cloud. For patching, Update Management relies on classification data available on the machine. Unlike other distributions, CentOS doesn't have this information available in the RTM version. If you have CentOS machines configured to return security data for the following command, Update Management can patch based on classifications.

sudo yum -q --security check-update

There's currently no supported method to enable native classification-data availability on CentOS. At this time, limited support is provided to customers who might have enabled this feature on their own.

To classify updates on Red Hat Enterprise version 6, you need to install the yum-security plugin. On Red Hat Enterprise Linux 7, the plugin is already a part of yum itself and there's no need to install anything. For more information, see the following Red Hat knowledge article.

When you schedule an update to run on a Linux machine that, for example, is configured to install only updates matching the Security classification, the updates installed might differ from, or be a subset of, the updates matching this classification. When an assessment of OS updates pending for your Linux machine is performed, Update Management uses the Open Vulnerability and Assessment Language (OVAL) files provided by the Linux distro vendor for classification.

Linux updates are categorized as Security or Others based on the OVAL files, which include updates addressing security issues or vulnerabilities. But when the update schedule runs, it executes on the Linux machine using the appropriate package manager, such as YUM, APT or ZYPPER, to install them. The package manager for the Linux distro may have a different mechanism to classify updates, so its results may differ from the ones Update Management obtains from the OVAL files. To manually check the machine and understand which updates your package manager treats as security relevant, see Troubleshoot Linux update deployment.
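As an added example (not code from the Azure documentation or from Update Management itself), the following Python script parses constructed `yum check-update` output and shows where the package manager's own security view diverges from an OVAL-derived one, which is the gap between assessment and patching described above. The sample command outputs, package names and versions, and the OVAL-derived package set are all constructed placeholders.

```python
"""Compare the package manager's security classification of pending updates
with an OVAL-derived classification. All sample data below is constructed."""
import re

# Constructed sample stdout of `sudo yum -q check-update` (all pending updates).
# Row format on CentOS/RHEL: "name.arch  [epoch:]version-release  repo".
ALL_UPDATES_OUTPUT = """\
openssl-libs.x86_64        1:1.0.0-1.el8      baseos
kernel.x86_64              4.0.0-1.el8        baseos
curl.x86_64                7.0.0-1.el8        baseos
vim-minimal.x86_64         2:8.0.0-1.el8      appstream
Obsoleting Packages
old-tool.x86_64            1.0-1.el8          appstream
"""

# Constructed sample stdout of `sudo yum -q --security check-update`: what the
# package manager itself treats as security relevant. On a CentOS RTM system
# this listing is empty, because the repo metadata carries no security data.
PM_SECURITY_OUTPUT = """\
openssl-libs.x86_64        1:1.0.0-1.el8      baseos
kernel.x86_64              4.0.0-1.el8        baseos
"""

# Constructed: package names the vendor OVAL file flags as security fixes
# (the cloud-side view that Update Management shows in its assessment).
OVAL_SECURITY_PACKAGES = {"openssl-libs", "kernel", "curl"}

# Greedy \S+ keeps dotted names (e.g. java-1.8.0-openjdk) intact; arch is the
# last dot-separated token.
ROW_RE = re.compile(r"^(?P<name>\S+)\.(?P<arch>\w+)\s+(?P<ver>\S+)\s+(?P<repo>\S+)$")


def parse_check_update(output):
    """Return {package_name: (arch, version, repo)} for a check-update listing.
    Parsing stops at the "Obsoleting Packages" section, which lists
    replacements rather than plain updates."""
    updates = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Obsoleting Packages"):
            break
        m = ROW_RE.match(line)
        if m is None:
            continue  # blank lines, notices or wrapped rows are not update rows
        updates[m["name"]] = (m["arch"], m["ver"], m["repo"])
    return updates


def interpret_check_update_exit(code):
    """yum check-update exits 0 when nothing is pending, 100 when updates are
    pending, and other codes on error."""
    return {0: "no updates pending", 100: "updates pending"}.get(code, "error")


def compare_classifications(all_output, pm_security_output, oval_security):
    """Bucket pending updates by which source calls them security relevant:
    both, oval_only (assessment says Security but `--security` would skip it),
    pm_only (package manager says security, OVAL does not), other."""
    pending = set(parse_check_update(all_output))
    pm_sec = set(parse_check_update(pm_security_output)) & pending
    oval_sec = set(oval_security) & pending
    return {
        "both": sorted(pm_sec & oval_sec),
        "oval_only": sorted(oval_sec - pm_sec),
        "pm_only": sorted(pm_sec - oval_sec),
        "other": sorted(pending - pm_sec - oval_sec),
    }
```

Packages in the `oval_only` bucket are the ones that show as Security in the assessment but would not be installed by a Security-only deployment on that machine.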

Integrate Update Management with Configuration Manager

Customers who have invested in Microsoft Endpoint Configuration Manager for managing PCs, servers, and mobile devices also rely on the strength and maturity of Configuration Manager to help manage software updates. To learn how to integrate Update Management with Configuration Manager, see Integrate Update Management with Windows Endpoint Configuration Manager.

Third-party updates on Windows

Update Management relies on the locally configured update repository, either WSUS or Windows Update, to update supported Windows systems. Tools such as System Center Updates Publisher allow you to import and publish custom updates with WSUS. This scenario allows Update Management to update machines that use Configuration Manager as their update repository with third-party software. To learn how to configure Updates Publisher, see Install Updates Publisher.

Enable Update Management

Here are the ways that you can enable Update Management and select machines to be managed:

  • Using an Azure Resource Manager template to deploy Update Management to a new or existing Automation account and Azure Monitor Log Analytics workspace in your subscription. It doesn't configure the scope of machines that should be managed; that is performed as a separate step after using the template.

  • From your Automation account for one or more Azure and non-Azure machines.

  • For a selected Azure VM from the Virtual machines page in the Azure portal. This scenario is available for Linux and Windows VMs.


Update Management requires linking a Log Analytics workspace to your Automation account. For a definitive list of supported regions, see Azure Workspace mappings. The region mappings don't affect the ability to manage VMs in a separate region from your Automation account.

Next steps