> Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA) will be [retired in August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). Azure Automation Update Management solution relies on this agent and may encounter issues once the agent is retired as it does not work with Azure Monitoring Agent (AMA). Therefore, if you are using the Azure Automation Update Management solution, we recommend that you move to Azure Update Manager for your software update needs. All the capabilities of Azure Automation Update management solution will be available on Azure Update Manager before the retirement date. Follow the [guidance](guidance-migration-automation-update-management-azure-update-manager.md) to move your machines and schedules from Automation Update Management to Azure Update Manager.
15
+
> On 31 August 2024, both Azure Automation Update Management and the Log Analytics agent it uses will be retired. Therefor, if you are using the Azure Update Management solution, we recommend that you move to Azure Update Manager for your software update needs. Follow the [guidance](guidance-migration-automation-update-management-azure-update-manager.md) to move your machines and schedules from Automation Update Management to Azure Update Manager.
16
16
17
-
Update Manager is a unified service to help manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on other cloud platforms from a single dashboard. You can also use Update Manager to make real-time updates or schedule them within a defined maintenance window.
17
+
For more information, see the [FAQs on retirement](update-manager-faq.md). You can sign up for monthly live sessions on migration including Q&A sessions.
18
18
19
-
You can use Update Manager in Azure to:
20
-
21
-
- Oversee update compliance for your entire fleet of machines in Azure, on-premises, and in other cloud environments.
22
-
- Instantly deploy critical updates to help secure your machines.
23
-
- Use flexible patching options such as [automatic virtual machine (VM) guest patching](../virtual-machines/automatic-vm-guest-patching.md) in Azure, [hotpatching](../automanage/automanage-hotpatch.md), and customer-defined maintenance schedules.
19
+
Update Manager is a unified service to help manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your machines in Azure and on-premises/on other cloud platforms (connected by [Azure Arc](https://learn.microsoft.com/azure/azure-arc/)) from a single pane of management. You can also use Update Manager to make real-time updates or schedule them within a defined maintenance window.
24
20
25
-
We also offer other capabilities to help you manage updates for your Azure VMs that you should consider as part of your overall update management strategy. To learn more about the options that are available, see the Azure VM [update options](../virtual-machines/updates-maintenance-overview.md).
21
+
You can use Update Manager in Azure to:
26
22
27
-
Before you enable your machines for Update Manager, make sure that you understand the information in the following sections.
23
+
- Instantly check for updates or [deploy security or critical updates](https://aka.ms/on-demand-patching) to help secure your machines.
24
+
- Enable [periodic assessment](https://aka.ms/umc-periodic-assessment-policy) to check for updates every 24 hours.
25
+
- Use flexible patching options such as:
26
+
-[Customer-defined maintenance schedules](https://aka.ms/umc-scheduled-patching) for both Azure and Arc-connected machines.
27
+
-[Automatic virtual machine (VM) guest patching](../virtual-machines/automatic-vm-guest-patching.md) and [hot patching](https://learn.microsoft.com/azure/automanage/automanage-hotpatch) for Azure VMs.
28
+
- Build custom reporting dashboards for reporting update status and [configure alerts](https://aka.ms/aum-alerts) on certain conditions.
29
+
- Oversee update compliance for your entire fleet of machines in Azure and on-premises/in other cloud environments (connected by [Azure Arc](../azure-arc/includes/azure-arc.md)) through a single pane. The different types of machines that can be managed are:
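Review bot: The replacement retirement note (new line 16) misspells "Therefore" as "Therefor" and names the product "Azure Update Management solution", while its own first sentence and the link text say "Azure Automation Update Management"; use one name throughout. The rewrite also drops the removed note's statement that the old solution does not work with the Azure Monitoring Agent, which is the reason a reader cannot simply stay on it after the agent retires, so consider keeping that clause. The two Azure Arc links disagree: new line 19 points to https://learn.microsoft.com/azure/azure-arc/ and new line 29 to ../azure-arc/includes/azure-arc.md, which is an include file path rather than an article. Point both at the same article, in the relative form the other links in this file use.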
Update Manager has been redesigned and doesn't depend on Azure Automation or Azure Monitor Logs, as required by the [Azure Automation Update Management feature](../automation/update-management/overview.md). Update Manager offers many new features and provides enhanced functionality over the original version available with Azure Automation. Some of those benefits are listed here:
37
+
Update Manager offers many new features and provides enhanced and native functionalities. Following are some of the benefits:
32
38
33
39
- Provides native experience with zero on-boarding.
34
-
- Built as native functionality on Azure compute and the Azure Arc for Servers platform for ease of use.
35
-
- No dependency on Log Analytics and Azure Automation.
36
-
- Azure Policy support.
37
-
- Global availability in all Azure compute and Azure Arc regions.
38
-
- Works with Azure roles and identity.
39
-
- Granular access control at the per-resource level instead of access control at the level of the Azure Automation account and Log Analytics workspace.
40
-
- Update Manager now has Azure Resource Manager-based operations. It allows role-based access control and roles based on Azure Resource Manager in Azure.
41
-
- Offers enhanced flexibility.
42
-
- Ability to take immediate action either by installing updates immediately or scheduling them for a later date.
43
-
- Check updates automatically or on demand.
44
-
- Helps secure machines with new ways of patching, such as [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md) in Azure, [hot patching](../automanage/automanage-hotpatch.md), or custom maintenance schedules.
45
-
- Sync patch cycles in relation to "patch Tuesday," the unofficial term for Microsoft's scheduled security fix release on every second Tuesday of each month.
46
-
47
-
The following diagram illustrates how Update Manager assesses and applies updates to all Azure machines and Azure Arc-enabled servers for both Windows and Linux.
48
-
49
-

50
-
51
-
To support management of your Azure VM or non-Azure machine, Update Manager relies on a new [Azure extension](../virtual-machines/extensions/overview.md) designed to provide all the functionality required to interact with the operating system to manage the assessment and application of updates. This extension is automatically installed when you initiate any Update Manager operations, such as **Check for updates**, **Install one-time update**, and **Periodic Assessment** on your machine. The extension supports deployment to Azure VMs or Azure Arc-enabled servers by using the extension framework. The Update Manager extension is installed and managed by using:
52
-
53
-
-[Azure VM Windows agent](../virtual-machines/extensions/agent-windows.md) or the [Azure VM Linux agent](../virtual-machines/extensions/agent-linux.md) for Azure VMs.
54
-
-[Azure Arc-enabled servers agent](../azure-arc/servers/agent-overview.md) for non-Azure Linux and Windows machines or physical servers.
55
-
56
-
Update Manager manages the extension agent installation and configuration. Manual intervention isn't required as long as the Azure VM agent or Azure Arc-enabled server agent is functional. The Update Manager extension runs code locally on the machine to interact with the operating system, and it includes:
57
-
58
-
- Retrieving the assessment information about status of system updates for it specified by the Windows Update client or Linux package manager.
59
-
- Initiating the download and installation of approved updates with the Windows Update client or Linux package manager.
60
-
61
-
All assessment information and update installation results are reported to Update Manager from the extension and is available for analysis with [Azure Resource Graph](../governance/resource-graph/overview.md). You can view up to the last seven days of assessment data, and up to the last 30 days of update installation results.
62
-
63
-
The machines assigned to Update Manager report how up to date they are based on what source they're configured to synchronize with. You can configure [Windows Update Agent (WUA)](/windows/win32/wua_sdk/updating-the-windows-update-agent) on Windows machines to report to [Windows Server Update Services](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or Microsoft Update, which is by default. You can configure Linux machines to report to a local or public YUM or APT package repository. If the Windows Update Agent is configured to report to WSUS, depending on when WSUS last synchronized with Microsoft Update, the results in Update Manager might differ from what Microsoft Update shows. This behavior is the same for Linux machines that are configured to report to a local repository instead of a public package repository.
64
-
65
-
> [!NOTE]
66
-
> WSUS isn't available in Azure China operated by 21 Vianet.
67
-
68
-
You can manage your Azure VMs or Azure Arc-enabled servers directly or at scale with Update Manager.
69
-
70
-
## Prerequisites
71
-
72
-
Along with the following prerequisites, see [Support matrix](support-matrix.md) for Update Manager.
73
-
74
-
### Role
75
-
76
-
Resource | Role
77
-
--- | ---
78
-
|Azure VM | [Azure Virtual Machine Contributor](../role-based-access-control/built-in-roles.md#virtual-machine-contributor) or Azure [Owner](../role-based-access-control/built-in-roles.md#owner)
79
-
Azure Arc-enabled server | [Azure Connected Machine Resource Administrator](../azure-arc/servers/security-identity-authorization.md#identity-and-access-control)
80
-
81
-
### Permissions
82
-
83
-
You need the following permissions to create and manage update deployments. The table shows the permissions that are needed when you use Update Manager.
84
-
85
-
Actions |Permission |Scope |
86
-
--- | --- | --- |
87
-
|Read Azure VM properties | Microsoft.Compute/virtualMachines/read ||
88
-
|Update assessment on Azure VMs |Microsoft.Compute/virtualMachines/assessPatches/action ||
89
-
|Read assessment data for Azure VMs | Microsoft.Compute/virtualMachines/patchAssessmentResults/latest </br> Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches ||
90
-
|Install update on Azure VMs |Microsoft.Compute/virtualMachines/installPatches/action ||
91
-
|Read patch installation data for Azure VMs | Microsoft.Compute/virtualMachines/patchInstallationResults </br> Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches ||
92
-
|Read Azure Arc-enabled server properties | Microsoft.HybridCompute/machines/read||
93
-
|Update assessment on Azure Arc-enabled server |Microsoft.HybridCompute/machines/assessPatches/action ||
94
-
|Read assessment data for Azure Arc-enabled server | Microsoft.HybridCompute/machines/patchAssessmentResults </br> Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches ||
95
-
|Install update on Azure Arc-enabled server |Microsoft.HybridCompute/machines/installPatches/action ||
96
-
|Read patch installation data for Azure Arc-enabled server | Microsoft.HybridCompute/machines/patchInstallationResults </br> Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches||
97
-
|Register the subscription for the Microsoft.Maintenance resource provider| Microsoft.Maintenance/register/action | Subscription|
98
-
|Create/modify maintenance configuration |Microsoft.Maintenance/maintenanceConfigurations/write |Subscription/resource group |
|Read permission for Maintenance updates resource |Microsoft.Maintenance/updates/read |Machine |
101
-
|Read permission for Maintenance apply updates resource |Microsoft.Maintenance/applyUpdates/read |Machine |
102
-
103
-
104
-
### VM images
105
-
106
-
For more information, see the [list of supported operating systems and VM images](support-matrix.md#supported-operating-systems).
107
-
108
-
Azure Update Manager supports [specialized images](../virtual-machines/linux/imaging.md#specialized-images) including the VMs created by Azure Migrate, Azure Backup, and Azure Site Recovery.
109
-
110
-
## VM extensions
111
-
112
-
Azure VM extensions and Azure Arc-enabled VM extensions are available.
To view the available extensions for a VM in the Azure portal:
129
-
130
-
1. Go to the [Azure portal](https://portal.azure.com) and select a VM.
131
-
1. On the VM home page, under **Settings**, select **Extensions + applications**.
132
-
1. On the **Extensions** tab, you can view the available extensions.
133
-
---
134
-
135
-
### Network planning
136
-
137
-
To prepare your network to support Update Manager, you might need to configure some infrastructure components.
138
-
139
-
For Windows machines, you must allow traffic to any endpoints required by the Windows Update agent. You can find an updated list of required endpoints in [Issues related to HTTP/Proxy](/windows/deployment/update/windows-update-troubleshooting#issues-related-to-httpproxy). If you have a local [WSUS](/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment) deployment, you must also allow traffic to the server specified in your [WSUS key](/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry).
140
-
141
-
For Red Hat Linux machines, see [IPs for the RHUI content delivery servers](../virtual-machines/workloads/redhat/redhat-rhui.md#the-ips-for-the-rhui-content-delivery-servers) for required endpoints. For other Linux distributions, see your provider documentation.
40
+
- Built as native functionality on Azure virtual machines and Azure Arc for Servers platforms for ease of use.
41
+
- No dependency on Log Analytics and Azure Automation.
- Availability in most [Azure virtual machines and Azure Arc regions](https://aka.ms/aum-supported-regions).
44
+
- Works with Azure roles and identity.
45
+
- Granular access control at the per-resource level instead of access control at the level of the Azure Automation account and Log Analytics workspace.
46
+
- Update Manager has Azure Resource Manager-based operations. It allows [role-based access control](../role-based-access-control/overview.md) and roles based on Azure Resource Manager in Azure.
47
+
- Offers enhanced flexibility
48
+
- Take immediate action either by [installing updates immediately](https://aka.ms/on-demand-patching) or [scheduling them for a later date](https://aka.ms/umc-scheduled-patching).
49
+
-[Check updates automatically](https://aka.ms/aum-policy-support) or [on demand](https://aka.ms/on-demand-assessment).
50
+
- Secure machines with new ways of patching such as [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md) in Azure, [hot patching](https://learn.microsoft.com/azure/automanage/automanage-hotpatch) or [custom maintenance schedules](https://aka.ms/umc-scheduled-patching).
51
+
- Sync patch cycles in relation to **patch Tuesday** the unofficial term for Microsoft's scheduled security fix release on every second Tuesday of each month.
52
+
- Reporting and alerting
53
+
- Build custom reporting dashboards through [Azure Workbooks](manage-workbooks.md) to monitor the update compliance of your infrastructure.
54
+
-[Configure alerts](https://aka.ms/aum-alerts) on updates/compliance to be notified or to automate action whenever something requires your attention.
55
+
142
56
143
57
## Next steps
144
58
145
-
-[View updates for a single machine](view-updates.md)
146
-
-[Deploy updates now (on-demand) for a single machine](deploy-updates.md)
59
+
-[View updates for a single machine](view-updates.md).
60
+
-[Deploy updates now (on-demand) for a single machine](deploy-updates.md).
61
+
-[Enable periodic assessment at scale using policy](https://aka.ms/aum-policy-support).
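Review bot: The Role and Permissions tables (old lines 74 to 102) and the Network planning section (old lines 135 to 141) are deleted, and none of the added lines shown here links to where that material now lives. The retained bullet still promises "Granular access control at the per-resource level", but the only RBAC link added (new line 46) goes to the general role-based access control overview, so a reader building a least-privilege custom role no longer finds the specific actions such as Microsoft.Compute/virtualMachines/assessPatches/action and Microsoft.Compute/virtualMachines/installPatches/action from this page. Add a link to the page that now carries the prerequisites, either on that bullet or under Next steps, and do the same for the Windows Update, WSUS and RHUI endpoint requirements that were removed with Network planning. Minor: on new line 51, "**patch Tuesday** the unofficial term" needs a comma after the bold term.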