Azure Update management - error HRESULT: 0x80072F8F


Azure Update management not working

Environment:

Azure Windows based VM

Forced Tunnelling

Onpremise Firewall supports only IP Addresses

Update management error:

AssessmentError

Exception from HRESULT: 0x80072F8F

AssessmentErrorStackTrace

System.Runtime.InteropServices.COMException (0x80072F8F): Exception from HRESULT: 0x80072F8F at Microsoft.EnterpriseManagement.Mom.Modules.ChangeTracking.WUA.IUpdateSearcher2.EndSearch(ISearchJob searchJob) at Microsoft.EnterpriseManagement.Advisor.PatchManagement.WindowsUpdateHelper.GetUpdateSnapshot(TimeSpan timeout, Boolean onlineSearch, DateTime lastTimeUpdateApplied, IAutomaticUpdates2 automaticUpdates, UpdateModuleState state)

Troubleshooting:

Due to Forced Tunnelling the traffic has to go to the onpremise FW.

Unfortunately the onpremise FW allows only IP Addresses and as per the following article:

https://docs.microsoft.com/en-us/azure/automation/automation-network-configuration#update-management...

It suggests allowing port 443 for the following URLs:

Azure Public

*.ods.opinsights.azure.com

*.oms.opinsights.azure.com

*.blob.core.windows.net

*.azure-automation.net & *.oms.opinsights.azure.com

Though, there is no IP address that I can nslookup for *.azure-automation.net

Therefore, trying the alternate approach:

  1. Tried enabling service Tags via Azure Firewall, but as the traffic still goes to Onpremise FW we either need the IP Address for the URL to be allowed

  2. Else, use User Defined Route (UDR) to direct the Traffic for Service TAGS: “Azure Monitor” & “GuestAndHybridManagement” via UDR and allowed the same using CLI, still no good.

Checking for suggestions.

Thanks in advance for reading through.

0 Replies
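For a firewall that accepts only IP addresses, the two service tags named in the post can be turned into a collapsed CIDR list. The following is an added example, not part of the original post. It assumes the schema of Microsoft's "Azure IP Ranges and Service Tags" JSON download (`values[].name`, `values[].properties.addressPrefixes`) and the tag names `AzureMonitor` and `GuestAndHybridManagement`. The embedded sample is constructed from documentation ranges, and `prefixes_for_tags` is a hypothetical helper name.

```python
import ipaddress
import json

# Constructed sample in the schema of the Service Tags JSON download.
# The prefixes are RFC 5737 / RFC 3849 documentation ranges, not Azure ranges.
SAMPLE_SERVICE_TAGS = json.loads("""
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureMonitor", "properties": {"region": "",
      "addressPrefixes": ["198.51.100.0/25", "198.51.100.128/25", "2001:db8:1::/48"]}},
    {"name": "GuestAndHybridManagement", "properties": {"region": "",
      "addressPrefixes": ["203.0.113.0/26", "203.0.113.16/28", "192.0.2.8/29"]}},
    {"name": "GuestAndHybridManagement.WestEurope", "properties": {"region": "westeurope",
      "addressPrefixes": ["203.0.113.64/26"]}},
    {"name": "Storage", "properties": {"region": "",
      "addressPrefixes": ["192.0.2.128/25"]}}
  ]
}
""")

WANTED_TAGS = ("AzureMonitor", "GuestAndHybridManagement")


def prefixes_for_tags(doc, tags=WANTED_TAGS, region=None):
    """Return {4: [...], 6: [...]} of collapsed networks for the given tags.

    region=None selects the global tag; a region selects "<Tag>.<Region>".
    A requested tag that is absent raises KeyError, so a partial allow-list
    is never produced silently.
    """
    wanted = {(t if region is None else f"{t}.{region}").lower() for t in tags}
    found = set()
    nets = {4: [], 6: []}
    for entry in doc["values"]:
        name = entry["name"].lower()
        if name not in wanted:
            continue
        found.add(name)
        for prefix in entry["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=True)
            nets[net.version].append(net)
    missing = wanted - found
    if missing:
        raise KeyError(f"service tags not in file: {sorted(missing)}")
    # collapse_addresses merges adjacent prefixes and drops contained ones.
    return {v: sorted(ipaddress.collapse_addresses(n)) for v, n in nets.items()}
```

Service-tag ranges change over time, so the list has to be regenerated from each new download rather than entered once.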