Configure Windows Update settings for Azure Automation Update Management

Azure Automation Update Management relies on the Windows Update client to download and install Windows updates. The Windows Update client uses specific settings when it connects to Windows Server Update Services (WSUS) or Windows Update. Many of these settings can be managed with:

  • Local Group Policy Editor
  • Group Policy
  • PowerShell
  • Directly editing the Registry

Update Management respects many of the settings specified to control the Windows Update client. If you use settings to enable non-Windows updates, Update Management will also manage those updates. If you enable downloading of updates before an update deployment occurs, the deployment can be faster, more efficient, and less likely to exceed the maintenance window.

For additional recommendations on setting up WSUS in your Azure subscription and securely keeping your Windows virtual machines up to date, review Plan your deployment for updating Windows virtual machines in Azure using WSUS.

Pre-download updates

To configure the automatic downloading of updates without automatically installing them, you can use Group Policy to configure the Automatic Updates setting to 3. This setting enables downloads of the required updates in the background, and notifies you that the updates are ready to install. In this way, Update Management remains in control of schedules, but updates can be downloaded outside the Update Management maintenance window. This behavior prevents Maintenance window exceeded errors in Update Management.

You can enable this setting in PowerShell:

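# Get the Automatic Updates settings object from the Windows Update client.
$WUSettings = (New-Object -ComObject "Microsoft.Update.AutoUpdate").Settings
# 3 = download updates in the background and notify before installing.
$WUSettings.NotificationLevel = 3
$WUSettings.Save()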

Configure reboot settings

The registry keys listed in Configuring Automatic Updates by editing the registry and Registry keys used to manage restart can cause your machines to reboot, even if you specify Never Reboot in the Update Deployment settings. Configure these registry keys to best suit your environment.

Enable updates for other Microsoft products

By default, the Windows Update client is configured to provide updates only for Windows. If you enable the Give me updates for other Microsoft products when I update Windows setting, you also receive updates for other products, including security patches for Microsoft SQL Server and other Microsoft software. You can configure this option if you have downloaded and copied the latest Administrative template files available for Windows 2016 and later.

If you have machines running Windows Server 2012 R2, you can't configure this setting through Group Policy. Run the following PowerShell command on these machines:

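$ServiceManager = (New-Object -ComObject "Microsoft.Update.ServiceManager")
# List the update services currently registered with the Windows Update client.
$ServiceManager.Services
# Service ID of Microsoft Update, which provides updates for other Microsoft products.
$ServiceID = "7971f918-a847-4430-9279-4a52d1efe18d"
# Flags 7 = allow pending registration (1) + allow online registration (2) + register with Automatic Updates (4).
$ServiceManager.AddService2($ServiceID,7,"")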

Make WSUS configuration settings

Update Management supports WSUS settings. You can specify sources for scanning and downloading updates using instructions in Specify intranet Microsoft Update service location. By default, the Windows Update client is configured to download updates from Windows Update. If you specify a WSUS server as the source for your machines and the updates aren't approved in WSUS, update deployment fails.

To restrict machines to the internal update service, set Do not connect to any Windows Update Internet locations.
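To confirm what a machine is actually configured to do before scheduling a deployment, the following added example (not part of the original article) reads the settings from the pre-download, reboot, other Microsoft products, and WSUS sections in one pass. The function name and output property names are this example's own; the registry values are the standard Windows Update policy values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

```powershell
# Added example: read-only audit of the Windows Update client settings covered on this page.
# Function and output property names are this example's own; nothing is changed on the machine.
function Get-WUClientAudit {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"

    # Return one registry value, or $null when the key or value is absent (policy not configured).
    function Read-PolicyValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    # Pre-download: Group Policy value (AUOptions) and the client's effective notification level.
    $auOptions = Read-PolicyValue $au 'AUOptions'
    $level     = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings.NotificationLevel

    # Other Microsoft products: is the Microsoft Update service registered with the client?
    $muId = '7971f918-a847-4430-9279-4a52d1efe18d'
    $mu   = (New-Object -ComObject 'Microsoft.Update.ServiceManager').Services |
            Where-Object { $_.ServiceID -eq $muId }

    # WSUS: the configured source and whether Internet update locations are blocked.
    $wuServer = Read-PolicyValue $wu 'WUServer'

    [pscustomobject]@{
        AUOptionsPolicy                 = $auOptions
        NotificationLevel               = $level
        PreDownloadWithoutInstall       = ($auOptions -eq 3) -or ($level -eq 3)
        # Reboot-related policy values that can override Never Reboot in a deployment.
        NoAutoRebootWithLoggedOnUsers   = Read-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers'
        AlwaysAutoRebootAtScheduledTime = Read-PolicyValue $au 'AlwaysAutoRebootAtScheduledTime'
        MicrosoftUpdateRegistered       = [bool]$mu
        UseWUServer                     = Read-PolicyValue $au 'UseWUServer'
        WUServer                        = $wuServer
        # Only meaningful when UseWUServer is 1 and WUServer is set.
        WUServerUsesHttps               = [bool]($wuServer -like 'https://*')
        BlockInternetUpdateLocations    = Read-PolicyValue $wu 'DoNotConnectToWindowsUpdateInternetLocations'
    }
}

Get-WUClientAudit | Format-List
```

A policy property that comes back empty means the value is not set by Group Policy on that machine, so the client default applies.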

Next steps

Schedule an update deployment by following instructions in Manage updates and patches for your VMs.