Manage Software Updates with Azure Update Management

Managing software updates, especially in small environments, can be a challenge. Azure Update Management can be a great solution to help: it works for cloud and on-premises servers, and on both Windows and Linux.

The answer is Azure Update Management, so what is the problem we are trying to solve? At Arcible, we have some on-premises servers. To keep safe, secure, and compliant, these servers need patching just like any other server does. Our environment is small and not big enough to justify a Microsoft Endpoint Manager (formerly Configuration Manager) deployment, and Windows Server Update Services (WSUS) is too painful and manual to manage.

So if we aren’t using Microsoft Endpoint Manager or WSUS, what do we do? We want a solution that is automated, to reduce the admin overhead, while still being lightweight and inexpensive.

What is Azure Update Management?

Azure Update Management is part of Azure Automation. By using Azure Monitor Log Analytics to collect data from Windows and Linux server systems and ingesting this into the Azure Update Management Solution, Azure Automation can tell us what updates are missing from servers and also allow us to schedule automatic deployment and installation of those updates.

How much does Azure Update Management cost?

Here’s the best bit: it’s free [with some caveats]. The solution itself is totally free for as many nodes as you want to manage. The only part of the solution that incurs a cost is the underlying Azure Monitor Log Analytics Workspace.

Azure Monitor Log Analytics has two pricing models: reserved capacity or Pay As You Go. If you plan to use Log Analytics extensively, such as with Azure Sentinel, and you will be ingesting large quantities of data, paying for reserved capacity may work. If you are only using it for collecting basic information for updates, or will be using Log Analytics with a smaller number of servers, go with Pay As You Go. The Pay As You Go option is only a few pounds per gigabyte of data and the first five gigabytes are free.

To give you an example, at Arcible we have three servers in Azure Update Management at the time of writing, and on Pay As You Go it is costing us nothing at all.

How does Azure Update Management work?

The starting point is an Azure Automation account, because this is where the Update Management module lives. This is where we see the update status; however, it’s not where the data actually lives. The data itself lives in Azure Monitor Log Analytics, which collects the data from servers via the Microsoft Management Agent (MMA).

The MMA agent can be installed on Windows systems and Linux systems alike. The MMA agent can be installed on servers either inside Microsoft Azure or outside Azure on-premises or in another cloud provider like Amazon Web Services. The MMA agent requires the server to have Internet access to send the data.

The MMA agent for Azure Virtual Machines

If you have servers running in Azure as Virtual Machines, the installation and configuration can be automated through the deployment of a VM Extension. If you use Azure Policy or Azure Blueprints, you can automate and enforce the installation of the VM Extension and MMA agent on all your servers, further cutting out the administration and helping to ensure compliance.

The MMA agent for non-Azure servers

If you have servers, either physical or virtual, outside of Microsoft Azure, we can still install the MMA agent and have it report to Update Management.

How you install the MMA agent outside of Microsoft Azure depends on your environment, and there are many options available:

  • Manual installation using the setup package
  • Silent scripted installation
  • Package deployment via Microsoft Endpoint Manager
  • Automated installation via PowerShell Desired State Configuration (DSC)

The MMA agent without Internet access

If you have servers that don’t have Internet access, that’s not a problem either. Using the Operations Management Server (OMS) Gateway, we can provide a server to act as a proxy for other servers to report through. By deploying an OMS Gateway on the network, multiple servers without Internet access report to the gateway, and the gateway aggregates the data collection and sends it on to Azure Monitor Log Analytics.

The OMS Gateway is actually a great option if you are planning on deploying the MMA Agent on lots of servers, rather than having each server go outbound directly.
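The silent scripted installation and the OMS Gateway path described above, as an added PowerShell example that is not code from the original post or from Arcible. It assumes the MMA installer package has already been downloaded; the workspace ID, workspace key, installer path and gateway URL are placeholders you supply.

```powershell
# Added example: silent install of the Microsoft Monitoring Agent on a Windows server,
# registering it with a Log Analytics workspace and optionally routing its outbound
# traffic through an OMS Gateway on the local network instead of direct to the Internet.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,    # placeholder: workspace GUID from "Agents management"
    [Parameter(Mandatory)] [string] $WorkspaceKey,   # placeholder: primary or secondary workspace key
    [string] $InstallerPath = 'C:\Temp\MMASetup-AMD64.exe',   # placeholder path to the downloaded package
    [string] $GatewayUrl = ''   # placeholder, e.g. 'http://omsgw01.corp.local:8080'; leave empty for direct access
)

$ErrorActionPreference = 'Stop'
$extractDir = Join-Path $env:TEMP 'MMAExtract'

# The download is a self-extracting bundle: /c /t: unpacks setup.exe without installing anything.
Start-Process -FilePath $InstallerPath -ArgumentList "/c /t:`"$extractDir`"" -Wait -NoNewWindow

# MSI properties documented for the agent: quiet install, no APM, add and connect the workspace.
$setupArgs = @(
    '/qn', 'NOAPM=1', 'ADD_OPINSIGHTS_WORKSPACE=1',
    'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',        # 0 = Azure public cloud
    "OPINSIGHTS_WORKSPACE_ID=`"$WorkspaceId`"",
    "OPINSIGHTS_WORKSPACE_KEY=`"$WorkspaceKey`"",
    'AcceptEndUserLicenseAgreement=1'
)
# Servers without Internet access point the agent at the OMS Gateway as its proxy.
if ($GatewayUrl) { $setupArgs += "OPINSIGHTS_PROXY_URL=`"$GatewayUrl`"" }

$proc = Start-Process -FilePath (Join-Path $extractDir 'setup.exe') -ArgumentList $setupArgs `
    -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "MMA setup exited with code $($proc.ExitCode)" }

# Post-install check: the HealthService should be running and the workspace should show as connected.
Write-Host "HealthService status: $((Get-Service -Name HealthService).Status)"
$agentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
$agentCfg.GetCloudWorkspaces() |
    ForEach-Object { "Workspace {0}: {1}" -f $_.workspaceId, $_.ConnectionStatusText }
```

Run it from an elevated prompt; a workspace that stays at a non-connected status after a few minutes usually means the gateway URL or outbound firewall rules need checking.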

What about managing client updates?

It’s important to understand that Azure Update Management, and specifically the underlying Azure Monitor Log Analytics MMA Agent, only works for servers. You can’t install the MMA Agent on a client operating system.

If you want to be able to manage software updates on clients such as Windows 10 endpoints, Microsoft Intune is the right solution for this and we’ll be covering managing client updates via Microsoft Intune in another post.

Azure Update Management compliance and reporting

With systems onboarded into Azure Update Management, we can view and report on the update status of the systems. Using the capabilities of the underlying Azure Monitor Log Analytics Workspace, we can set up automated email reports and alerting.
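One way to pull that compliance view out of the workspace yourself, as an added PowerShell example that is not code from the original post or from Arcible. It uses the Az.OperationalInsights module against the Update table that the MMA agent populates, assumes Connect-AzAccount has already been run, and takes the workspace ID as a placeholder parameter.

```powershell
# Added example: list security and critical updates still missing per server, from the
# Log Analytics workspace that backs Azure Update Management.
param([Parameter(Mandatory)] [string] $WorkspaceId)   # placeholder: workspace GUID

# The Update table holds one row per (computer, update) assessment. Keep the latest
# assessment for each update, then keep only the ones still reported as needed.
# Optional updates are excluded, as are classifications other than Security/Critical.
$query = @'
Update
| where TimeGenerated > ago(1d)
| where Optional == false
| where Classification has "Security" or Classification has "Critical"
| summarize arg_max(TimeGenerated, *) by Computer, UpdateID
| where UpdateState =~ "Needed"
| project Computer, OSType, Classification, KBID, Title, PublishedDate
| order by Computer asc, PublishedDate asc
'@

$result  = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query
$missing = @($result.Results)

if ($missing.Count -eq 0) {
    Write-Host 'No missing security or critical updates reported in the last day.'
    return
}

# Detail view: one line per missing update.
$missing | Format-Table Computer, OSType, KBID, Classification, Title -AutoSize

# Per-server summary: the shape you would feed into an email report or an alert threshold.
$missing | Group-Object Computer | ForEach-Object {
    [pscustomobject]@{ Computer = $_.Name; MissingUpdates = $_.Count }
} | Sort-Object MissingUpdates -Descending
```

The same KQL can be pasted into a Log Analytics alert rule so that a server exceeding a chosen count of missing updates raises an alert without any script running.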

Deploying updates with Azure Update Management

With Azure Update Management we can automate the deployment of updates so that each month as updates are released, they are automatically installed when we want them to be. This is where the third part of the solution comes in and that is a feature of Azure Automation known as the Hybrid Worker.

A Hybrid Worker is Azure Automation speak for a server that has the MMA Agent installed and is able to receive instructions from the Azure Automation account. All servers that are onboarded to the Azure Update Management solution are automatically enabled as Hybrid Workers. When we configure a Scheduled Update Deployment, Azure Automation sends the instructions to the server via the Hybrid Worker feature to instruct it what updates to install and when.

Configuring a Scheduled Update Deployment

With systems onboarded into Azure Update Management and giving us update compliance and reporting information, now we get to the best bit: automating the update process.

With an Update Deployment, we can configure which servers are targeted, which types of updates will be installed, and when they will be installed. When we are installing updates, we can configure pre- and post-update scripts that will run if you need to orchestrate specific start-up and shutdown tasks. If reboots are required, we can also control how and when those happen.
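The Scheduled Update Deployment described above, built with the Az.Automation module as an added PowerShell example that is not code from the original post or from Arcible. The resource group, Automation account, computer names, time zone and runbook names are placeholders; it assumes Connect-AzAccount has been run, the servers are already onboarded to Update Management, and the two runbooks already exist in the Automation account.

```powershell
# Added example: a monthly update deployment for two non-Azure Windows servers,
# installing Critical, Security and Update Rollup classifications, running a
# pre-task and post-task runbook, and rebooting only if an update requires it.
$rg      = 'rg-automation'   # placeholder resource group
$account = 'aa-patching'     # placeholder Automation account

# Schedule: third Saturday of each month at 02:00 local time. -ForUpdateConfiguration
# marks the schedule as one owned by Update Management rather than a runbook schedule.
# The first start time just has to be in the future; the recurrence rule takes over from there.
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'Monthly-Windows-Servers-Sat-0200' `
    -StartTime ((Get-Date).Date.AddDays(1).AddHours(2)) `
    -MonthInterval 1 -DayOfWeek Saturday -DayOfWeekOccurrence Third `
    -TimeZone 'Europe/London' -ForUpdateConfiguration

# Deployment: targets, classifications, maintenance window, reboot behaviour, pre/post scripts.
# Non-Azure computer names must match the Computer name shown in Log Analytics.
$deployment = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule `
    -Windows `
    -NonAzureComputer @('SRV-FILE01.corp.local', 'SRV-APP01.corp.local') `
    -IncludedUpdateClassification @('Critical', 'Security', 'UpdateRollup') `
    -Duration (New-TimeSpan -Hours 3) `
    -RebootSetting IfRequired `
    -PreTaskRunbookName 'Stop-AppServices' `
    -PostTaskRunbookName 'Start-AppServices'

# Confirm the deployment was accepted before relying on it.
$deployment | Format-List Name, ProvisioningState
```

Once the schedule has run, the run history in the Automation account's Update Management blade shows per-server results for that deployment.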

Finding out more about Azure Automation

If you want to find out more about Azure Automation you can read the Microsoft Docs at https://docs.microsoft.com/en-us/azure/automation/automation-intro. For information about the underlying Azure Monitor Log Analytics and the MMA Agent, you can check out https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent.

Setting up with Azure Update Management

As you can see from above, we’re using Azure Update Management at Arcible and it’s a great service. If you are interested in using Azure Update Management at your own organisation, get in touch with us to find out more.

We can help you investigate whether Azure Update Management is right for you, how to deploy it, and how to configure it to automate your software update processes. We can incorporate it into our Cloud Platform or our Security and Identity solutions.