A little while ago, I blogged on OMS’ (Operations Management Suite) Update Management Solution. As great as this solution was, there were some limitations at the time, such having the ability to exclude specific patches, co-management with SCCM (Configuration Manager), and few others.
Since that post, there have been some great improvements to Update Management, so let’s go over some of the key updates, and do a quick setup walk-through:
- Both Windows (2008R2+) and (most) Linux Operating Systems are supported
- Can patch any machine in any cloud, Azure, AWS, Google, etc.
- Can patch any machine on-premises
- Ability to Exclude patches
One of the biggest improvements I want to highlight is, the ability to EXCLUDE patches, perhaps in time there will also be INCLUDE only patches. 😉
First, we need to get into our Azure VM properties.. Scroll down to the Update Management.
- If the machine belongs to a Log Analytics workspace, and/or does not have an Automation Account, then link it now, and/or link/create the Automation Account
- If you do not have an Log Analytics workspace and/or an Automation Account, then you have the ability to create it at run-time now.
In this scenario, I kept it clean as possible, so both the Log Analytics workspace needs to be created, and likewise for the Automation Account, and Update Management needs to be linked to the workspace.
Once enabled, it a few minutes to complete the solution deployment….
After Update Management has been enabled, and it has run its discovery on the VM, insights will be populated, like its compliance state.
Now we know this machine is not compliant, as it missing a security update(s), in addition, missing 3 other updates too. Next, we will schedule a patching deployment for the future. So let’s do that now.
Now we can create a deployment schedule with some base settings, name, time, etc. But one thing to note, we can now EXCLUDE specific patches! This is a great feature, as let’s say, we are patching an application server, and a specific version of .NET will break our application, as the application Dev team has not tested the application against the latest .NET framework.
In this demo, I am going to EXCLUDE patch, KB890830.
Next, we need to create a schedule. This can be an ad-hoc schedule, or a recurring schedule.
Once you hit create, we can now see the Deployment Schedule, under Scheduled Update Deployments.
You can also click on the deployment to see it’s properties, and which patches have been excluded.
After the deployment has initiated, you can take a look at its progress.
If we go into the Update Deployment (yes, I got impatient, and deleted the first one, and re-created it…), and click on the Deployment we created, we can see the details.
As you can see, patch, KB890830 was not applied! Awesome.
If we not go back to the Update Management module, we can now see the VM is compliant.