Update Management Center (UMC)

Long awaited: On July 18th, Microsoft announced the Public Preview of Update Management Center in Azure:
Announcing Public Preview of Update management center – Microsoft Tech Community


Introduction

UMC is a native Azure service for patching your servers, wherever they are. As mentioned, the service is in public preview and it looks like, there’s a lot more to come. But, my first impression shows already some really nice benefits:

  • No more Log Analytics Workspace and Azure Automation Account (native Update console in Azure)
  • Azure Arc Connected Machine Agent only: No more messing around with different agents. Simply install the Azure Arc Agent (you’ll get the other Azure Arc benefits)
  • Use of Azure Arc Private Link: Now you can patch your servers through the S2S VPN tunnel
  • More Options for your update deployments

Step 1: Create an Azure Arc Resource Group

If you follow the Azure landing zone concept, I would suggest, you should create a new resource group for Azure Arc in the management subscription. Name like: p-rgr-azurearc-01


Step 2: Create a Service Principal in Azure Arc

Enter Azure Arc in the Azure Portal search bar and click on Service Principal. Now click create a new service Principal:

On the following page, you can choose the resource group you create in Step 1. Please copy/paste the ID and the secret to a safe please. You’ll need it later.


Step 2: Create Azure Arc Connected Machine Agent Powershell Script

In the Azure Arc console, click on servers:
 
The assistant will guide through a few simple questions (Please note: UMC isn’t available in Switzerland north, you would have to choose West Europe).
Now you can make use of Azure Private Link and patch your servers through your S2S VPN tunnel. Check the documentation here:
For the demo, we’ll leave it on public endpoint. At the end, you’ll get a ready to use Powershell-Script. You only have to insert your secret.
 

Step 3: Run script on your VMs

There are multiple ways to run your script on your onprem VMs. A central scripting server, software deployment tools and so on. To get a complete view of all your VMs, I would install the agent on as many servers as possible (Windows and Linux).


Step 4: Check your servers in Azure Arc

After you run the script on your VMs, it takes just a really short time, until they appear in the Azure Arc server console:


Step 5: Asses servers in UMC

Head over to the UMC console by typing Update Management Center in the Azure Portal searchbar. Click on machines, select your machines and click on Check for updates.

Coffee time! This will take some minutes to complete. If you just onboarded the servers, it could be that you see some error messages. Just wait a little bit longer and start the update assessment again.

If you see error messages during the assessment: I noticed, if you just installed the agent it could take some hours until the assessment goes through. In my case, on the next morning everything was fine.


Step 6: Schedule your first maintenance configuration or do a One-time update

Now you’re ready to start patching! After the assessment went through, you should see your missing updates:

Patch deployments are now called “maintenance configuration”. Click on Deploy Updates in the UMC console. You’ll see tons of options for your deployment, that you can explore/configure on your own. In my case, I decided to patch my 3 servers every Wednesday on 8 pm:

It seems that the maximum patch window duration is (for now) 3h55min. Hit next and choose the VMs you want to patch:

At this moment, unfortunately, there seems to be no option for groups. Let’s hope that will be coming soon. On the next screen you can decide which patches you want to include or exclude. Don’t forget to include all update categories (if you want to do a complete update deployment).

Now go ahead, set your tags and create the maintenance configuration. After creation is done, you’ll see a new resource showing up in your Azure Arc resource group!


Step 7: Patching time

Like a perfect swiss clock, at 8pm my patch deployment starts.


Step 8: Additional features

Periodic assessment by Azure Policy

In Azure Policy, you’ll see some specific UMC policies. With remediation, you could automize your patching (maybe not your prod, but for dev environments this could be very nice).

Defender for cloud

You’ll see your Azure Arc enabled server and your missing patches in DFC too.


Conclusion (and notes from the field)

UMC seems to work pretty fine and I’m sure, there will be a lot of new features soon. The steps above showed a demo environment. As I started working with UMC in costumer environments, I noticed, that some configs have to be in place:

I’ll continue to work on this and provide more details about that as soon as possible.

Happy Patching folks!

JSON View in the Azure Portal

Have your ever noticed that small button called “JSON View” at the top right of the Overview of Azure Resources?

This button becomes quite handy, especially when you are coding, for example with Azure Bicep. Sometimes it can be hard to find the needed parameters.

A hint for this is, deploy your Azure resource through the marketplace and come back here to look at the JSON. It describes all the parameters you have chosen and you can copy them over to your bicep code.

Happy Coding Folks!

Delete Azure Load Balancer in front of VM Scale Set

If you ever have tried to delete an Azure Load Balancer that is configured with an Azure VM Scale Set as the backend pool, you will get an error in the Portal. You could delete all resources and start from fresh, of course. If you need to keep the scale set, here’s the solution:

  1. Run the following command in the Azure Cloudshell:
    az vmss update –resource-group <<RESOURCE_GROUP_NAME>> –name <<VMSS_NAME>> –remove virtualMachineProfile.networkProfile.networkInterfaceConfigurations[0].ipConfigurations[0].loadBalancerBackendAddressPools 0

  2. Upgrade the VM Scale Set instances:
    az vmss update-instances –instance-ids “*” -n <<VMSS_NAME>> -g <<RESOURCE_GROUP_NAME>>

  3. Delete the load balancer:
    az network lb delete -g <<RESOURCE_GROUP_NAME>> -n <<LB_NAME>>

 

 

Change the Service Administrator of an Azure Subscription

Problem

Every Azure subscription has an Account Owner and a Service Administrator. If you are an Azure Admin and can’t see costs or details of a subscription, you should check if you are the Account Owner, or at least the Service Administrator.

You chan check the Account and Service Administrator in the Azure Portal, Subscriptions, Select your Subscription, Properties:

Read More

Change the Account Owner of an Azure Subscription

Problem

Every Azure subscription has an Account Owner and a Service Administrator. If you are an Azure Admin and can’t see costs or details of a subscription, you should check if you are the Account Owner, or at least the Service Administrator.

You chan check the Account and Service Administrator in the Azure Portal, Subscriptions, Select your Subscription, Properties:

Read More