
Migrate Server Patching Using Azure Arc: Step-by-Step Process


Migrate Server Patching to Azure Update Patch Management Using Azure Arc

What is Azure Arc: Azure Arc is an Azure service that lets us automatically patch our
machines, whether they are on-premises, cloud-migrated, or Cloud PCs. Update
management is a part of Azure Arc.

Key Benefits:

• Provides a native experience with zero onboarding
  o Built as native functionality on the Azure Compute and Azure Arc for Servers
    platforms for ease of use.
  o No dependency on Log Analytics and Azure Automation.
  o Azure Policy support.
  o Global availability in all Azure Compute and Azure Arc regions.
• Works with Azure roles and identity
  o Granular access control at the per-resource level instead of access control at
    the Automation account and Log Analytics workspace level.
  o Update management center operations are now Azure Resource Manager based,
    which allows RBAC and roles based on ARM in Azure.
• Enhanced flexibility
  o Ability to take immediate action, either by installing updates immediately
    or by scheduling them for a later date.
  o Check for updates automatically or on demand.
  o Helps secure machines with new ways of patching, such as automatic
    VM guest patching in Azure, hotpatching, or custom maintenance
    schedules.
  o Sync patch cycles with Patch Tuesday, the unofficial term for
    Microsoft's scheduled security fix release on the second Tuesday of
    each month.

The following diagram illustrates how update management center (preview) assesses and applies
updates to all Azure machines and Arc-enabled servers for both Windows and Linux.

Fig: High Level Design – Update Management Center

Update Management Center Overview

Step-by-Step Procedure / Prerequisites:


1. Create Azure Log Analytics Workspace
2. Create Azure Automation Account
3. Integration of Azure Update management with Log Analytics and Azure
Automation Account
4. Azure Update management Post Configuration
5. Overview for Onboarding the Servers.

1. Create Azure Log Analytics Workspace

Use the Log Analytics workspaces menu to create a workspace.

In the Azure portal, enter Log Analytics in the search box. As you begin typing, the list filters
based on your input. Select Log Analytics workspaces.

1. Select Add.
2. Select a Subscription from the dropdown.
3. Use an existing Resource Group or create a new one.
4. Provide a name for the new Log Analytics workspace, such
as DefaultLAWorkspace. This name must be unique per resource group.
5. Select an available Region. For more information, see which regions Log Analytics
is available in. Search for Azure Monitor in the Search for a product box.

6. Select Review + Create to review the settings. Then select Create to create the
workspace. A default pricing tier of pay-as-you-go is applied. No charges will be incurred
until you start collecting enough data. For more information about other pricing tiers,
see Log Analytics pricing details.

2. Create Azure Automation Account

1. Sign in to the Azure portal.
2. From the top menu, select + Create a resource.
3. Under Categories, select IT & Management Tools, and then select Automation.

Note: The region should be the same as that of the Log Analytics workspace.

Integrate Automation account with the Log Analytics workspace.

1. In the Azure portal, select All services, and then enter automation. As you begin
entering this text, the list filters based on your input. Select Automation Account,
and then select the Automation account that you created earlier.
2. In the Automation Account pane, select Update Management in the Update
Management section.
3. In the Update Management pane, configure the following items:
   1. Select a different Subscription in the drop-down list if the default selection isn't
      appropriate.
   2. For Log Analytics workspace, select your existing Log Analytics workspace; for
      example, HybridWorkspace-yourname.
4. After providing the required information in the Update Management pane,
   select Enable.

Now click Manage machines in Update Management, select Enable on all available and
future machines, and then click Enable.

Onboard Windows server to Azure Arc

To use Azure Arc for servers, there are a couple of prerequisites that you should be aware of,
which you can find here. Since Azure Arc for servers is currently in public preview, we will need to
register the required resource providers.

Azure PowerShell:

Login-AzAccount
Set-AzContext -SubscriptionId "<subscription you want to onboard>"
Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration

Azure CLI:

az account set --subscription "{Your Subscription Name}"
az provider register --namespace 'Microsoft.HybridCompute'
az provider register --namespace 'Microsoft.GuestConfiguration'
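
Provider registration is asynchronous, so a namespace can still report Registering after the register command returns. The shell function below is an added example, not part of the original document; it polls both namespaces from the commands above until they report Registered. The function names and retry defaults are assumptions.

```shell
#!/usr/bin/env bash
# Added example: wait until the resource providers needed by Azure Arc
# for servers have finished registering in the current subscription.

# Namespaces taken from the registration commands on this page.
ARC_PROVIDERS="Microsoft.HybridCompute Microsoft.GuestConfiguration"

# provider_state NAMESPACE
# Prints the registrationState of one provider (for example Registered
# or Registering) as reported by "az provider show".
provider_state() {
    az provider show --namespace "$1" --query registrationState --output tsv
}

# wait_for_arc_providers [MAX_TRIES] [DELAY_SECONDS]   (hypothetical helper)
# Returns 0 once every namespace reports Registered,
#         1 if a namespace is still not Registered after MAX_TRIES checks,
#         2 if the az call itself fails (not logged in, no network, ...).
wait_for_arc_providers() {
    max_tries="${1:-30}"
    delay="${2:-10}"
    for ns in $ARC_PROVIDERS; do
        tries=0
        while :; do
            state="$(provider_state "$ns")" || return 2
            if [ "$state" = "Registered" ]; then
                break
            fi
            tries=$((tries + 1))
            if [ "$tries" -ge "$max_tries" ]; then
                echo "$ns is still '$state' after $tries checks" >&2
                return 1
            fi
            sleep "$delay"
        done
        echo "$ns: Registered"
    done
    return 0
}
```

Call wait_for_arc_providers after the two register commands and run the onboarding script only when it returns 0.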

To onboard a server, which can run Linux or Windows, be physical or virtual, and run on-premises
or at another service provider, open Azure Arc in the Azure portal. There you can
select Manage servers.

Azure Arc Portal

Here you will see the existing servers that you have onboarded.

Azure Arc Server in Portal

We can click on Add to add another server. You will be able to add a single server or get
instructions to onboard servers at scale.

Add server to Azure Arc

Here you can go through a wizard that will help you to generate a script, which you can copy or
download to run it on your server. You can select the subscription and resource group, as well
as the region where you want to join your server.
You will also be able to configure a proxy server if your server is behind a proxy. Since this will
use the Azure Resource Manager, you will also be able to use tags. After you are done with the
wizard, you can download or copy the command to run that on your server.

Generate Script

After you have run that command on your on-premises server, your server will show up as an
Azure resource in a couple of minutes.
If you are using Windows Admin Center on Windows Server to manage your servers or
with Azure Stack HCI, you can also use it to add a server to Azure Arc.

Patching Servers with Azure Update Management Center
Select the machine that we have onboarded to Azure Arc, and then select Updates. At the
top we can see one-time update, check for updates, schedule updates, and update settings.
