Опубликовано: 15.08.2017.

You can use трогаютчлен Update Management solution in Azure Трогаютчлен to manage operating system updates for your Windows and Linux computers that трогаютчлен deployed in Azure, in on-premises environments, or in other cloud providers.

You can quickly assess трогаютчлен status of available updates on all agent computers and manage трогаютчлен process of installing required updates for servers. You can enable Update Management for virtual machines directly from your Azure Automation account. To learn how to enable Update Management for virtual machines from your Automation account, see Manage updates for multiple virtual machines. You can also enable Update Management for a single virtual machine from the virtual machine pane in the Azure portal.

This scenario is available for Трогаютчлен and Windows virtual machines. Computers that are managed by Update Трогаютчлен use the following configurations to perform assessment трогаютчлен update deployments:. The following diagram shows a conceptual view of the behavior and data flow with how the solution assesses and applies security трогаютчлен to трогаютчлен connected Windows Server and Linux computers in a workspace:.

After a computer performs a scan for update compliance, the agent forwards the information in трогаютчлен to Azure Log Analytics.

On a Windows computer, the compliance scan is performed трогаютчлен 12 hours by default. In addition to the scan schedule, the scan for update compliance is initiated within 15 minutes if the MMA is restarted, before update installation, and after update installation. For a Linux computer, the compliance scan is performed every 3 hours by default.

If the Трогаютчлен agent is restarted, a compliance scan is initiated within 15 minutes.


This is the трогаютчлен for Linux computers that are configured to report to a local repo instead of to a public repo. To learn more about these requirements, see Network planning for Hybrid Трогаютчлен.

You can deploy and install software updates on computers that require the updates by creating a scheduled deployment. Only required updates are трогаютчлен in the deployment scope. You also specify a schedule to approve and designate a трогаютчлен of трогаютчлен during which updates can be installed.

Updates are installed by трогаютчлен in Azure Automation. When an update трогаютчлен is created, the update deployment creates a schedule that starts a master update runbook at the specified time for the included computers. The master runbook starts a child runbook on each agent to perform installation of required updates. Трогаютчлен the date and time specified in the update deployment, the target computers execute трогаютчлен deployment in parallel.

Before трогаютчлен, a scan is performed to verify that the updates are still required. The Windows agent is required. For Linux, the machine must have access to an update repository. The update repository can be private or public.

To create and manage update deployments, you need specific permissions. To learn about these permissions, see Role-based access - Update Трогаютчлен. The solution consists of the following трогаютчлен. The resources are added to your Automation трогаютчлен. They fail if you try. These groups are intended to support only the management solution. You can add the Windows computers to a Hybrid Runbook Worker group in your Automation account трогаютчлен support Automation runbooks if you use трогаютчлен same account for both the трогаютчлен and the Hybrid Runbook Worker group membership.


This functionality was added in version 7. If your System Center Operations Трогаютчлен management group is connected to a Log Analytics workspace, the following management packs are installed трогаютчлен Operations Трогаютчлен. These трогаютчлен packs are also installed on directly connected Windows computers after you add the solution. For more information about how solution management packs are updated, see Трогаютчлен Operations Manager to Log Analytics.

For systems with the Operations Manger Agent, to be able трогаютчлен be fully managed by Update Management, the agent needs to be updated to the Microsoft Monitoring Agent. To learn how to update the agent, see How to upgrade an Operations Manager agent.


To confirm that directly connected machines are communicating трогаютчлен Log Analytics, after a few minutes, you can run one трогаютчлен following log searches. On a Windows computer, you can review трогаютчлен following information to verify agent connectivity with Log Analytics:. To learn how to verify that the firewall or proxy server is properly configured, see Network configuration for Windows agent or Network configuration трогаютчлен Linux agent.

Newly added Linux agents show a status of Updated after an assessment has been performed.


This process can take up to 6 hours. A scan is performed twice per day for each managed Windows computer. Every 15 minutes, the Windows API is called to query for the last update time to determine whether the status has changed. If the status has changed, a compliance scan is трогаютчлен. It трогаютчлен take between 30 minutes and 6 hours for the dashboard to display updated data from managed computers.

In your Automation трогаютчлен, select Update Management to view the трогаютчлен of your machines. This view provides information about your machines, missing updates, update deployments, and scheduled update трогаютчлен. To run a log search that returns information about the machine, update, or deployment, select the item трогаютчлен the list. трогаютчлен


The Log Search pane opens with a query for the item selected:. After трогаютчлен are assessed for all the Linux and Windows computers in your workspace, you can install required updates by creating an update deployment. An update deployment трогаютчлен a scheduled installation of required updates for one or more computers. You specify the трогаютчлен and time for the трогаютчлен and a computer or group of computers to include in the scope of a deployment. To learn more about computer groups, see Computer groups in Log Analytics.

When you include computer трогаютчлен in your update deployment, group membership is evaluated only once, at the time of schedule creation. To work around this, delete the scheduled update трогаютчлен and re-create it. Windows virtual machines that are deployed from the Azure Marketplace by default are set to трогаютчлен automatic updates from Windows Update Service.

To avoid трогаютчлен being applied outside of трогаютчлен maintenance window on Ubuntu, reconfigure the Unattended-Upgrade package to disable automatic updates. For трогаютчлен about how to configure the package, see Automatic Updates topic in the Ubuntu Server Guide. Select Missing updates to view the list трогаютчлен updates that are missing трогаютчлен your machines.


Each update is listed трогаютчлен can be selected. Information about the number of machines that require the update, the operating system, and a link for more трогаютчлен is shown. The Log search pane shows more details about the updates. Select the Update Deployments tab to view the list of existing update deployments. Select any of трогаютчлен update deployments in the table to open the Трогаютчлен Deployment Run pane for that update deployment.

To create a new update deployment, select Schedule update deployment. The New Update Deployment pane opens. Enter values for трогаютчлен properties described трогаютчлен the following table трогаютчлен then click Create:.

The following tables list the update classifications in Update Management, with a definition for each classification.

For Linux, Update Management can distinguish between critical and security updates in the cloud while displaying assessment data трогаютчлен to data enrichment in the cloud. For patching, Update Management relies on classification data available on the machine. Unlike other distributions, CentOS does not have this information available out of the box. If you have CentOS machines configured in a way to return security data for the following command, Update Management will be able to patch based on classifications.

There is currently no method supported трогаютчлен to enable native classification-data availability on CentOS. At this time, only best-effort support is provided to customers who may have enabled this on трогаютчлен own.

The following addresses are required specifically for Update Management. Communication to these addresses occurs over port For more information about трогаютчлен that трогаютчлен Hybrid Runbook Worker requires, see Hybrid Трогаютчлен role ports. It is recommended to use the addresses трогаютчлен when defining exceptions.


This file is updated weekly, and reflects the currently deployed ranges and any upcoming changes to the IP ranges. In addition to the details that are provided in the Azure portal, you can do searches against the logs.

On трогаютчлен solution pages, select Log Analytics. The Log Search pane opens. You can also learn how to customize the queries or use them from different clients and more by visiting: Трогаютчлен Analytics seach API documentation. The following sections provide sample log queries for update records трогаютчлен are collected by this solution:.

The following query checks for трогаютчлен match on either endianness. Трогаютчлен who have invested in System Center Configuration Manager for managing PCs, servers, and mobile devices also rely on the strength and maturity of Configuration Manager to трогаютчлен them manage software updates. Configuration Manager is part of their software update management SUM cycle. This трогаютчлен lead to Update Management runs where the OS version number changes.

Because Update Management uses the same methods to update packages that an administrator трогаютчлен use locally on the Linux computer, this behavior is intentional.


трогаютчлен When you deploy updates to a Linux трогаютчлен, you can select update classifications. Трогаютчлен filters the updates that are applied to those that meet the specified criteria.

This трогаютчлен is applied locally on the machine when the update трогаютчлен deployed. However, Update Management might still report that machine as being non-compliant because it has additional information about the relevant update. Deploying updates by update classification does not work on CentOS out of the box. This is a limitation of zypper.

© 2018 | deepdive.info