MicrosoftDocs
diff --git a/‎articles/automation/TOC.yml
Lines changed: 4 additions & 0 deletions b/‎articles/automation/TOC.yml
Lines changed: 4 additions & 0 deletions
diff --git a/‎articles/automation/automation-faq.md
Lines changed: 56 additions & 0 deletions b/‎articles/automation/automation-faq.md
Lines changed: 56 additions & 0 deletions
diff --git a/‎articles/automation/automation-update-management-deploy-template.md
Lines changed: 260 additions & 0 deletions b/‎articles/automation/automation-update-management-deploy-template.md
Lines changed: 260 additions & 0 deletions
@@ -4,6 +4,8 @@
   items:
   - name: What is Automation?
     href: automation-intro.md
+  - name: FAQ
+    href: automation-faq.md
 - name: Automation Account
   items:
     - name: Create an Automation account
@@ -136,6 +138,8 @@
     displayName: dynamic groups, pre scripts, post scripts, reboot control, first party, pre download, inclusion
   - name: Onboarding
     items:
+    - name: Using a Resource Manager template
+      href: automation-update-management-deploy-template.md   
     - name: Onboard multiple VMs from the portal
       href: automation-onboard-solutions-from-browse.md
     - name: Onboard from an Azure VM
 
@@ -0,0 +1,56 @@
+---
+title: Azure Automation FAQ | Microsoft Docs
+description: Answers to frequently asked questions about Azure Automation.
+services: automation
+ms.subservice: 
+ms.topic: conceptual
+author: mgoedtel
+ms.author: magoedte
+ms.date: 02/25/2020
+
+---
+
+# Azure Automation Frequently Asked Questions
+
+This Microsoft FAQ is a list of commonly asked questions about Azure Automation. If you have any additional questions about its capabilities, go to the discussion forum and post your questions. When a question is frequently asked, we add it to this article so that it can be found quickly and easily.
+
+## Update Management solution
+
+### Can I prevent unexpected OS-level upgrades?
+
+On some Linux variants, such as Red Hat Enterprise Linux, OS-level upgrades might occur through packages. This might lead to Update Management runs where the OS version number changes. Because Update Management uses the same methods to update packages that an administrator would use locally on the Linux machine, this behavior is intentional.
+
+To avoid updating the OS version through Update Management deployments, use the **Exclusion** feature.
+
+In Red Hat Enterprise Linux, the package name to exclude is redhat-release-server.x86_64.
+
+### Why aren't critical/security updates applied?
+
+When you deploy updates to a Linux machine, you can select update classifications. This option filters the updates that are applied to the machine that meet the specified criteria. This filter is applied locally on the machine when the update is deployed.
+
+Because Update Management performs update enrichment in the cloud, some updates can be flagged in Update Management as having a security impact, even though the local machine doesn't have that information. As a result, if you apply critical updates to a Linux machine, there might be updates that aren't marked as having a security impact on that machine and therefore the updates aren't applied. However, Update Management might still report that machine as non-compliant because it has additional information about the relevant update.
+
+Deploying updates by update classification doesn't work on RTM versions of CentOS. To properly deploy updates for CentOS, select all classifications to make sure updates are applied. For SUSE, selecting *only* **Other updates** as the classification can cause some security updates to also be installed if security updates related to zypper (package manager) or its dependencies are required first. This behavior is a limitation of zypper. In some cases, you might be required to rerun the update deployment. To verify, check the update log.
+
+### Can I deploy updates across Azure tenants?
+
+If you have machines in another Azure tenant reporting to Update Management that you need to patch, you'll have to use the following workaround to get them scheduled. You can use the [New-AzureRmAutomationSchedule](/powershell/module/azurerm.automation/new-azurermautomationschedule) cmdlet with the `-ForUpdate` switch to create a schedule, and use the [New-AzureRmAutomationSoftwareUpdateConfiguration](/powershell/module/azurerm.automation/new-azurermautomationsoftwareupdateconfiguration
+) cmdlet and pass the machines in the other tenant to the `-NonAzureComputer` parameter. The following example shows how to do this:
+
+```azurepowershell-interactive
+$nonAzurecomputers = @("server-01", "server-02")
+
+$startTime = ([DateTime]::Now).AddMinutes(10)
+
+$sched = New-AzureRmAutomationSchedule -ResourceGroupName mygroup -AutomationAccountName myaccount -Name myupdateconfig -Description test-OneTime -OneTime -StartTime $startTime -ForUpdate
+
+New-AzureRmAutomationSoftwareUpdateConfiguration  -ResourceGroupName $rg -AutomationAccountName <automationAccountName> -Schedule $sched -Windows -NonAzureComputer $nonAzurecomputers -Duration (New-TimeSpan -Hours 2) -IncludedUpdateClassification Security,UpdateRollup -ExcludedKbNumber KB01,KB02 -IncludedKbNumber KB100
+```
+
+## Next steps
+
+If your question isn't answered here, you can refer to the following forum for additional questions and answers.
+
+- [Azure Automation](https://social.msdn.microsoft.com/Forums/home?forum=azureautomation&filter=alltypes&sort=lastpostdesc)
+
+For general feedback about the Update Management solution, please visit the [feedback forum](https://feedback.azure.com/forums/905242-update-management).
@@ -0,0 +1,260 @@
+---
+title: Use Azure Resource Manager templates to onboard Update Management | Microsoft Docs
+description: You can use an Azure Resource Manager template to onboard the Azure Automation Update Management solution.
+ms.service:  automation
+ms.subservice: update-management
+ms.topic: conceptual
+author: mgoedtel
+ms.author: magoedte
+ms.date: 02/27/2020
+
+---
+
+# Onboard Update Management solution using Azure Resource Manager template
+
+You can use [Azure Resource Manager templates](../azure-resource-manager/templates/template-syntax.md) to enable the Azure Automation Update Management solution in your resource group. This article provides a sample template that automates the following:
+
+* Creation of a Azure Monitor Log Analytics workspace.
+* Creation of an Azure Automation account.
+* Links the Automation account to the Log Analytics workspace if not already linked.
+* Onboard the Azure Automation Update Management solution
+
+The template does not automate the onboarding of one or more Azure or non-Azure VMs.
+
+If you already have a Log Analytics workspace and Automation account deployed in a supported region in your subscription, they are not linked, and the workspace doesn't already have the Update Management solution deployed, using this template successfully creates the link and deploys the Update Management solution. 
+
+## API versions
+
+The following table lists the API version for the resources used in this example.
+
+| Resource | Resource type | API version |
+|:---|:---|:---|
+| Workspace | workspaces | 2017-03-15-preview |
+| Automation account | automation | 2015-10-31 | 
+| Solution | solutions | 2015-11-01-preview |
+
+## Before using the template
+
+If you choose to install and use PowerShell locally, this article requires the Azure PowerShell Az module. Run `Get-Module -ListAvailable Az` to find the version. If you need to upgrade, see [Install the Azure PowerShell module](/powershell/azure/install-az-ps). If you are running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure. With Azure PowerShell, deployment uses [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment).
+
+If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.1.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli?view=azure-cli-latest). With Azure CLI, this deployment uses [az group deployment create](https://docs.microsoft.com/cli/azure/group/deployment?view=azure-cli-latest#az-group-deployment-create). 
+
+The JSON template is configured to prompt you for:
+
+* The name of the workspace
+* The region to create the workspace in
+* The name of the Automation account
+* The region to create the account in
+
+The JSON template specifies a default value for the other parameters that would likely be used as a standard configuration in your environment. You can store the template in an Azure storage account for shared access in your organization. For further information about working with templates, see [Deploy resources with Resource Manager templates and Azure CLI](../azure-resource-manager/templates/deploy-cli.md).
+
+The following parameters in the template are set with a default value for the Log Analytics workspace:
+
+* sku - defaults to the new Per-GB pricing tier released in the April 2018 pricing model
+* data retention - defaults to thirty days
+
+>[!WARNING]
+>If creating or configuring a Log Analytics workspace in a subscription that has opted into the new April 2018 pricing model, the only valid Log Analytics pricing tier is **PerGB2018**.
+>
+
+>[!NOTE]
+>Before using this template, review [additional details](../azure-monitor/platform/template-workspace-configuration.md#create-a-log-analytics-workspace) to fully understand workspace configuration options such as access control mode, pricing tier, retention, and capacity reservation level. If you are new to Azure Monitor logs and have not deployed a workspace already, you should review the [workspace design](../azure-monitor/platform/design-logs-deployment.md) guidance to learn about access control, and an understanding of the design implementation strategies we recommend for your organization.
+
+## Deploy template
+
+1. Copy and paste the following JSON syntax into your file:
+
+    ```json
+    {
+    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+	"contentVersion": "1.0.0.0",
+	"parameters": {
+		"workspaceName": {
+			"type": "string",
+			"metadata": {
+				"description": "Workspace name"
+			}
+		},
+		"pricingTier": {
+			"type": "string",
+			"allowedValues": [
+				"pergb2018",
+				"Free",
+				"Standalone",
+				"PerNode",
+				"Standard",
+				"Premium"
+			],
+			"defaultValue": "pergb2018",
+			"metadata": {
+				"description": "Pricing tier: perGB2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers."
+			}
+		},
+		"dataRetention": {
+			"type": "int",
+			"defaultValue": 30,
+			"minValue": 7,
+			"maxValue": 730,
+			"metadata": {
+				"description": "Number of days of retention. Workspaces in the legacy Free pricing tier can only have 7 days."
+			}
+		},
+		"immediatePurgeDataOn30Days": {
+			"type": "bool",
+			"defaultValue": "[bool('false')]",
+			"metadata": {
+				"description": "If set to true when changing retention to 30 days, older data will be immediately deleted. Use this with extreme caution. This only applies when retention is being set to 30 days."
+			}
+		},
+		"location": {
+			"type": "string",
+			"allowedValues": [
+				"australiacentral",
+				"australiaeast",
+				"australiasoutheast",
+				"brazilsouth",
+				"canadacentral",
+				"centralindia",
+				"centralus",
+				"eastasia",
+				"eastus",
+				"eastus2",
+				"francecentral",
+				"japaneast",
+				"koreacentral",
+				"northcentralus",
+				"northeurope",
+				"southafricanorth",
+				"southcentralus",
+				"southeastasia",
+				"uksouth",
+				"ukwest",
+				"westcentralus",
+				"westeurope",
+				"westus",
+				"westus2"
+			],
+			"metadata": {
+				"description": "Specifies the location in which to create the workspace."
+			}
+		},
+        "automationAccountName": {
+            "type": "string",
+            "metadata": {
+                "description": "Automation account name"
+            }
+        },
+		"automationAccountLocation": {
+		    "type": "string",
+			"metadata": {
+			    "description": "Specify the location in which to create the Automation account."
+			}
+		}
+    },
+    "variables": {
+        "Updates": {
+            "name": "[concat('Updates', '(', parameters('workspaceName'), ')')]",
+            "galleryName": "Updates"
+        }
+    },
+    "resources": [
+        {
+        "type": "Microsoft.OperationalInsights/workspaces",
+            "name": "[parameters('workspaceName')]",
+            "apiVersion": "2017-03-15-preview",
+            "location": "[parameters('location')]",
+            "properties": {
+                "sku": { 
+                    "name": "CapacityReservation",
+                    "capacityReservationLevel": 100
+                },
+                "retentionInDays": "[parameters('dataRetention')]",
+                "features": {
+                    "searchVersion": 1,
+                    "legacy": 0,
+                    "enableLogAccessUsingOnlyResourcePermissions": true
+                }
+            },
+            "resources": [
+                {
+                    "apiVersion": "2015-11-01-preview",
+                    "location": "[resourceGroup().location]",
+                    "name": "[variables('Updates').name]",
+                    "type": "Microsoft.OperationsManagement/solutions",
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.OperationsManagement/solutions/', variables('Updates').name)]",
+                    "dependsOn": [
+                        "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+                    ],
+                    "properties": {
+                        "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+                    },
+                    "plan": {
+                        "name": "[variables('Updates').name]",
+                        "publisher": "Microsoft",
+                        "promotionCode": "",
+                        "product": "[concat('OMSGallery/', variables('Updates').galleryName)]"
+                    }
+                }
+            ]
+        },
+        {
+            "type": "Microsoft.Automation/automationAccounts",
+            "apiVersion": "2015-01-01-preview",
+            "name": "[parameters('automationAccountName')]",
+            "location": "[parameters('automationAccountLocation')]",
+            "dependsOn": [],
+            "tags": {},
+            "properties": {
+                "sku": {
+                    "name": "Basic"
+                }
+            },
+		},
+        {
+            "apiVersion": "2015-11-01-preview",
+            "type": "Microsoft.OperationalInsights/workspaces/linkedServices",
+            "name": "[concat(parameters('workspaceName'), '/' , 'Automation')]",
+            "location": "[resourceGroup().location]",
+            "dependsOn": [
+                "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]",
+                "[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]"
+            ],
+            "properties": {
+                "resourceId": "[resourceId('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]"
+            }
+        }
+      ]
+    }
+    ```
+
+2. Edit the template to meet your requirements.
+
+3. Save this file as deployUMSolutiontemplate.json to a local folder.
+
+4. You are ready to deploy this template. You can use either PowerShell or the Azure CLI. When you're prompted for a workspace and Automation account name, provide a name that is globally unique across all Azure subscriptions.
+
+    **PowerShell**
+
+    ```powershell
+    New-AzResourceGroupDeployment -Name <deployment-name> -ResourceGroupName <resource-group-name> -TemplateFile deployUMSolutiontemplate.json
+    ```
+
+    **Azure CLI**
+
+    ```cli
+    az group deployment create --resource-group <my-resource-group> --name <my-deployment-name> --template-file deployUMSolutiontemplate.json
+    ```
+
+    The deployment can take a few minutes to complete. When it finishes, you see a message similar to the following that includes the result:
+
+    ![Example result when deployment is complete](media/automation-update-management-deploy-template/template-output.png)
+
+## Next steps
+
+Now that you have the Update Management solution deployed, you can enable VMs for management, review update assessments, and deploy updates to bring them into compliance.
+
+- From your [Azure Automation account](automation-onboard-solutions-from-automation-account.md) for one or more Azure machines and manually for non-Azure machines.
+
+- For a single Azure VM from the virtual machine page in the Azure portal. This scenario is available for [Linux](../virtual-machines/linux/tutorial-config-management.md#enable-update-management) and [Windows](../virtual-machines/windows/tutorial-config-management.md#enable-update-management) VMs.
+
+- For [multiple Azure VMs](manage-update-multi.md) by selecting them from the **Virtual machines** page in the Azure portal.