Integrate Update Management with Microsoft Endpoint Configuration Manager

Customers who have invested in Microsoft Endpoint Configuration Manager to manage PCs, servers, and mobile devices also rely on its strength and maturity in managing software updates as part of their software update management (SUM) cycle.

You can report on and update managed Windows servers by creating and pre-staging software update deployments in Microsoft Endpoint Configuration Manager, and get detailed status of completed update deployments using Update Management. If you use Microsoft Endpoint Configuration Manager for update compliance reporting, but not for managing update deployments to your Windows servers, you can continue reporting to Microsoft Endpoint Configuration Manager while security updates are managed with Azure Automation Update Management.

Note

While Update Management supports update assessment and patching of Windows Server 2008 R2, it does not support clients running this operating system that are managed by Microsoft Endpoint Configuration Manager.

Prerequisites

  • You must have Azure Automation Update Management added to your Automation account.
  • Windows servers currently managed by your Microsoft Endpoint Configuration Manager environment also need to report to the Log Analytics workspace that has Update Management enabled.
  • This feature is enabled in Microsoft Endpoint Configuration Manager current branch version 1606 and higher. To integrate your Microsoft Endpoint Configuration Manager central administration site or a standalone primary site with Azure Monitor logs and import collections, review Connect Configuration Manager to Azure Monitor logs.
  • Windows agents must either be configured to communicate with a Windows Server Update Services (WSUS) server or have access to Microsoft Update if they don't receive security updates from Microsoft Endpoint Configuration Manager.

How you manage clients hosted in Azure IaaS with your existing Microsoft Endpoint Configuration Manager environment depends primarily on the connection you have between Azure datacenters and your infrastructure. This connection affects any design changes you may need to make to your Microsoft Endpoint Configuration Manager infrastructure, and the related cost of supporting those changes. To understand which planning considerations you need to evaluate before proceeding, review Configuration Manager on Azure - Frequently Asked Questions.

Manage software updates from Microsoft Endpoint Configuration Manager

Perform the following steps if you are going to continue managing update deployments from Microsoft Endpoint Configuration Manager. Azure Automation connects to Microsoft Endpoint Configuration Manager to apply updates to the client computers connected to your Log Analytics workspace. Update content is available from the client computer cache as if the deployment were managed by Microsoft Endpoint Configuration Manager.

  1. Create a software update deployment from the top-level site in your Microsoft Endpoint Configuration Manager hierarchy using the process described in Deploy software updates. The only setting that must be configured differently from a standard deployment is the option Do not install software updates, which controls the download behavior of the deployment package. This behavior is managed in Update Management by creating a scheduled update deployment in the next step.

  2. In Azure Automation, select Update Management. Create a new deployment following the steps described in Creating an Update Deployment, and select Imported groups on the Type drop-down to select the appropriate Microsoft Endpoint Configuration Manager collection. Keep in mind the following important points:

    a. If a maintenance window is defined on the selected Microsoft Endpoint Configuration Manager device collection, members of the collection honor it instead of the Duration setting defined in the scheduled deployment.

    b. Members of the target collection must have a connection to the Internet (either direct, through a proxy server, or through the Log Analytics gateway).

After completing the update deployment through Azure Automation, the target computers that are members of the selected computer group will install updates at the scheduled time from their local client cache. You can view update deployment status to monitor the results of your deployment.

Manage software updates from Azure Automation

To manage updates for Windows Server VMs that are Microsoft Endpoint Configuration Manager clients, you need to configure client policy to disable the Software Update Management feature for all clients managed by Update Management. By default, client settings target all devices in the hierarchy. For more information about this policy setting and how to configure it, review How to configure client settings in Configuration Manager.

After performing this configuration change, create a new deployment following the steps described in Creating an Update Deployment, and select Imported groups on the Type drop-down to select the appropriate Microsoft Endpoint Configuration Manager collection.
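The prerequisites listed earlier (the server reports to the Log Analytics workspace, it is not a Server 2008 R2 Configuration Manager client, and it has a WSUS server or Microsoft Update as its update source) and the client-policy change described in this section can be verified on the server itself before a deployment is scheduled. The following PowerShell script is an added example and is not code from this page or from Microsoft; it only reads local configuration and changes nothing. It assumes the Log Analytics agent exposes its workspaces through the `AgentConfigManager.MgmtSvcCfg` COM object, that a `ConnectionStatus` of 0 means a working connection, that the WSUS policy lives under the standard `WindowsUpdate` policy registry keys, and that the Configuration Manager client stores its software-updates policy in the WMI class `CCM_SoftwareUpdatesClientConfig` with an `Enabled` property; the function names are the example's own.

```powershell
# Added example (not from the documentation page): read-only prerequisite checks
# for a Windows Server that is a Configuration Manager client and is about to be
# managed by Azure Automation Update Management. Run in an elevated session.

function Get-LogAnalyticsWorkspace {
    # The Log Analytics agent exposes its workspace list through a COM object
    # (assumed interface: AgentConfigManager.MgmtSvcCfg, GetCloudWorkspaces()).
    try {
        $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
        return @($cfg.GetCloudWorkspaces() | ForEach-Object {
            [pscustomobject]@{
                WorkspaceId = $_.workspaceId
                Connected   = ($_.ConnectionStatus -eq 0)   # assumed: 0 = OK
            }
        })
    } catch {
        return @()   # agent not installed or COM class not registered
    }
}

function Get-WindowsUpdateSource {
    # Policy registry keys: UseWUServer=1 plus a WUServer value means the client
    # uses a WSUS server; otherwise it contacts Microsoft Update directly.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au   = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    $wu   = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    if ($au.UseWUServer -eq 1 -and $wu.WUServer) {
        return [pscustomobject]@{ Source = 'WSUS'; Server = $wu.WUServer }
    }
    return [pscustomobject]@{ Source = 'MicrosoftUpdate'; Server = $null }
}

function Get-ConfigMgrSoftwareUpdatesState {
    # Returns $null when the Configuration Manager client (CcmExec) is absent.
    if (-not (Get-Service -Name CcmExec -ErrorAction SilentlyContinue)) { return $null }
    $policy = Get-CimInstance -Namespace 'root\ccm\Policy\Machine\ActualConfig' `
        -ClassName CCM_SoftwareUpdatesClientConfig -ErrorAction SilentlyContinue
    # 'Enabled' reflects the Software Updates client setting (assumed property name).
    return [pscustomobject]@{
        ClientInstalled        = $true
        SoftwareUpdatesEnabled = [bool]$policy.Enabled
    }
}

function Test-UpdateManagementPrerequisites {
    param(
        # Set when Update Management, not Configuration Manager, will deploy the
        # updates (the "Manage software updates from Azure Automation" scenario).
        [switch]$UpdatesManagedByAzure
    )
    $os         = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $workspaces = Get-LogAnalyticsWorkspace
    $wuSource   = Get-WindowsUpdateSource
    $cm         = Get-ConfigMgrSoftwareUpdatesState

    $checks = [ordered]@{
        'Reports to a Log Analytics workspace' = @{
            Pass = ($workspaces.Count -gt 0)
            Detail = ($workspaces.WorkspaceId -join ', ') }
        'Workspace connection healthy'         = @{
            Pass = (@($workspaces | Where-Object Connected).Count -gt 0)
            Detail = '' }
        'Not a Server 2008 R2 ConfigMgr client' = @{
            Pass = -not ($os -like '*2008 R2*' -and $cm)
            Detail = $os }
        # If this fails, the server must be able to reach Microsoft Update instead.
        'WSUS server configured'               = @{
            Pass = ($wuSource.Source -eq 'WSUS')
            Detail = $wuSource.Server }
    }
    if ($UpdatesManagedByAzure -and $cm) {
        # Client policy must have the Software Updates agent disabled in this scenario.
        $checks['ConfigMgr software updates disabled'] = @{
            Pass = -not $cm.SoftwareUpdatesEnabled
            Detail = "Enabled=$($cm.SoftwareUpdatesEnabled)" }
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Check  = $name
            Pass   = [bool]$checks[$name].Pass
            Detail = $checks[$name].Detail
        }
    }
}

Test-UpdateManagementPrerequisites -UpdatesManagedByAzure | Format-Table -AutoSize
```

Run the script without `-UpdatesManagedByAzure` when Configuration Manager will keep deploying updates (the previous section's scenario); in that case the software-updates agent is expected to remain enabled and the check is skipped. A failed "WSUS server configured" row is only a problem when the server does not receive updates from Configuration Manager and also cannot reach Microsoft Update.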

Next steps

To set up an integration schedule, see Schedule an update deployment.