
Azure Governance and Management Blog

Generally Available: Azure Update Manager

shashban (Microsoft)
Sep 18, 2023

With the evolution of the IT landscape, there is a growing demand for seamless management of resources across the cloud and edge. We are pleased to announce that Azure Update Manager, previously known as Update Management Center, is now generally available.

 

Azure Update Manager provides a SaaS solution to manage and govern software updates to Windows and Linux machines across Azure, on-premises, and multi cloud environments. It is an evolution of the Azure Automation Update Management solution, with new features and functionality for assessing and deploying software updates on a single machine or on multiple machines at scale.

 

Benefits and value additions

  • Oversee update compliance for your entire fleet of machines in Azure (Azure VMs), on-premises, and multi cloud environments (Arc-enabled Servers).
  • View and deploy pending updates to secure your machines instantly.
  • Manage extended security updates (ESUs) for your Azure Arc-enabled Windows Server 2012/2012 R2 machines. Get a consistent experience for deployment of ESUs and other updates.
  • Define recurring time windows during which your machines receive updates and may undergo reboots using scheduled patching. Use dynamic scoping to enforce common patch schedules on machines grouped by standard Azure constructs (Subscription, Location, Resource Group, Tags etc.). Sync patch schedules for Windows machines in relation to Patch Tuesday, the unofficial term for Microsoft's scheduled security fix release on the second Tuesday of each month.
  • Enable incremental rollout of updates to Azure VMs in off-peak hours using automatic VM guest patching and reduce reboots by enabling hotpatching.
  • Automatically assess machines for pending updates every 24 hours, and flag machines that are out of compliance. Enforce enabling periodic assessments on multiple machines at scale using Azure Policy.
  • Create custom reports for deeper understanding of the updates data of the environment.
  • Use granular access management to Azure resources with Azure roles and identity to control who can perform update operations and edit schedules.

 

Notable notes

  • The Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), will be retired in August 2024. The Azure Automation Update Management solution relies on this agent and may encounter issues once the agent is retired. It does not work with the Azure Monitor agent (AMA). Therefore, customers of the solution are encouraged to move to Azure Update Manager for their software update needs. All capabilities of the Azure Automation Update Management solution will be available on Azure Update Manager before the retirement date.
  • Azure Update Manager has been redesigned to offer new capabilities without a dependency on Log Analytics agent or Azure Monitor agent. It relies on the Microsoft Azure VM agent for managing update workflows on the Azure VMs and the Azure Connected Machine agent for managing Arc-enabled servers. When an update operation is performed for the first time on a machine, an extension is pushed to the machine that interacts with these agents to assess missing updates and deploy updates. The native design on Azure Compute and Azure Arc for Servers platform enables zero-step onboarding and simplifies operations on an ongoing basis.
  • Azure Update Manager is available at no additional charge for managing Azure VMs. For Arc-enabled Servers, the price is $5 per server per month (assuming 31 days of usage).

Getting Started

To get started, search for Azure Update Manager in the portal, or open it from the Updates blade of the virtual machine resource.

 

Coming soon!!!

  • Manage SQL updates to Azure SQL VMs along with OS updates using Azure Update Manager. This is available in preview.
  • Built in ability to execute scripts before or after deploying updates to machines as a part of a schedule (aka pre and post tasks).
  • Create alerts based on updates data for your environment.


Edits

  • Extremely excited to see rich comments and discussions. These have been captured and FAQs updated for them. Please keep them coming in. 

 

Updated Sep 25, 2023
Version 8.0

80 Comments

  • Karl-WE We will be updating the Azure Automanage and Windows Admin Center to rely on Azure Update Manager instead of the old solution soon. The pricing pages and TCO calculator will also take updates for the same. 

     

    Azure Stack HCI VMs can be managed with Update Manager only after they are Arc enabled and considered at par with Arc-enabled Servers for management changes.

     

  • Dear shashban I am still confused about the announcement of costs for this service. 

    We are seeing the product has been renamed from Azure Update Management Center to Azure Update Management.

    In the Azure Calculator the service (with the old name) still displays it is for free.

     

     

     

  • Seeing the roadmap of this product and deprecation of log analytics agent, when will this service replace Azure Update in Automanage and Windows Admin Center, both still deploying the older variant.

    Thank you! 

  • shashban second the question of PratheepSinnathurai.

     

    Have customers that committed to the preview and get of WSUS with its limitations. $5 per Arc Enabled Server per month is huge. $1 or $2 could be feasible. Would like to keep in mind it was published in the Azure Cost calculator as a free service, no matter it was in preview.

     

    The idea of migrating to AzUM from WSUS becomes quite obsolete with the current price tag, you cannot get any ROI for SMB or corps unless you manage your WSUS on a daily or weekly basis. 

     

     

    What about VMs on Azure Stack HCI, do they receive the same benefits as Azure VMs?

     

     

  • Can you provide more insights about the Costs for Azure Arc Enabled Servers?
    When will the costs start? Is it part of the Machine Configuration Costs or are those costs additional?

  • Dave Lee The support for configuring schedules for VMs created from specialized images or using Azure Migrate, Azure Backup, Azure Site Recovery is currently limited. On-demand operations for assessment and patching are supported.

    We are going to overcome the limited support on schedules soon. 

  • Dave Lee

    Does it now support VMs migrated using Azure Migrate or ASR, or is it still limited to VMs built from supported marketplace images?

  • NMLVS

    Great news.

     

    How would I find out which servers have not been patched in X months? Or a last patch date? Or not possible using this tool right now?

     

     

    The 'Machines' page does give an overview of patch compliance once you have run a 'check for updates', but it does not give me a 'Last Patch Date', or how many patches are missing as the patch ID is rolled up, the problem I have here is that as September patches have just been released my servers that have missed 1 month or 12 months now look the same to the tool.

     

    For example I have 2 servers and they both show the same amount of patches missing (2023-09), even though one server has never been patched, but the other one is up to date minus the September KB.

     

    I've been looking for a solution to my problem which I've found by using security.microsoft.com Software Inventory, but I have to go via each Server OS type to export this data.

     

    If you go here:

    https://security.microsoft.com/vulnerability-management-inventories/applications/microsoft-_-windows_server_2022/overview

    Then 'Missing KBs'

    Click on 'July 2023' > Export Exposed Devices

    This way I get a list of all devices that are missing Certain Month.

     

     

     Hoping the tool as it grows could include some sort of last patch date / data similar to what I can get in security portal.