Merge pull request #280798 from SnehaSudhirG/14July-OverviewUpdate

Revised Overview article

Author: denrea

articles/update-manager/assessment-options.md

@@ -18,7 +18,7 @@ Update Manager provides you with the flexibility to assess the status of availab
 
 ## Periodic assessment
 
- Periodic assessment is an update setting on a machine that allows you to enable automatic periodic checking of updates by Update Manager. We recommend that you enable this property on your machines as it allows Update Manager to fetch latest updates for your machines every 24 hours and enables you to view the latest compliance status of your machines. You can enable this setting using update settings flow as detailed [here](manage-update-settings.md#configure-settings-on-a-single-vm) or enable it at scale by using [Policy](periodic-assessment-at-scale.md). Learn more on [Azure VM extensions](overview.md#vm-extensions).
+ Periodic assessment is an update setting on a machine that allows you to enable automatic periodic checking of updates by Update Manager. We recommend that you enable this property on your machines as it allows Update Manager to fetch latest updates for your machines every 24 hours and enables you to view the latest compliance status of your machines. You can enable this setting using update settings flow as detailed [here](manage-update-settings.md#configure-settings-on-a-single-vm) or enable it at scale by using [Policy](periodic-assessment-at-scale.md). Learn more on [Azure VM extensions](prerequisites.md#vm-extensions).
 
 :::image type="content" source="media/updates-maintenance/periodic-assessment-inline.png" alt-text="Screenshot showing periodic assessment option." lightbox="media/updates-maintenance/periodic-assessment-expanded.png":::
 

articles/update-manager/configure-wu-agent.md

@@ -68,7 +68,7 @@ The Windows update client on Windows servers can get their patches from either o
 
 ### Edit the registry
 
-If scheduled patching is configured on your machine using the Azure Update Manager, the Auto update on the client is disabled. To edit the registry and configure the setting, see [First party updates on Windows](support-matrix.md#first-party-updates-on-windows).
+If scheduled patching is configured on your machine using the Azure Update Manager, the Auto update on the client is disabled. To edit the registry and configure the setting, see [First party updates on Windows](support-matrix.md).
 
 ### Patching using group policy on Azure Update Manager
 

articles/update-manager/overview.md

@@ -0,0 +1,53 @@
+---
+title: Prerequisites for Azure Update Manager
+description: This article explains the prerequisites for Azure Update Manager, VM extensions and network planning.
+ms.service: azure-update-manager
+ms.custom: linux-related-content
+author: SnehaSudhirG
+ms.author: sudhirsneha
+ms.date: 07/14/2024
+ms.topic: overview
+---
+
+# Prerequisites for Azure Update Manager
+
+This article summarizes the prerequisites, the extensions for Azure VM extensions and Azure Arc-enabled servers and details on how to prepare your network to support Update Manager.
+
+## Prerequisites
+
+Azure Update Manager is an out of the box, zero onboarding service. Before you start using this service, consider the following list: 
+
+### Arc-enabled servers
+Arc-enabled servers must be connected to Azure Arc to use Azure Update Manager. For more information, see [how to enable Arc on non-Azure machines](https://aka.ms/onboard-to-arc-aum-migration).
+
+### Support matrix
+Refer [support matrix](support-matrix.md) to find out about updates and the update sources, VM images and Azure regions that are supported for Azure Update Manager.
+
+### Roles and permissions
+
+To manage machines from Azure Update Manager, see [roles and permissions](roles-permissions.md).
+
+### VM extensions
+
+Azure VM extensions and Azure Arc-enabled VM extensions are required to run on the Azure and Arc-enabled machine respectively for Azure Update Manager to work. But separate installation is not required as the extensions are automatically pushed on the VM the first time you trigger any Update Manager operation on the VM. For more information, see the [VM extensions](workflow-update-manager.md#update-manager-vm-extensions) that are pushed on the machines
+
+### Network planning
+
+To prepare your network to support Update Manager, you might need to configure some infrastructure components. For more information, see the [network requirements for Arc-enabled servers](../azure-arc/servers/network-requirements.md).
+
+For Windows machines, you must allow traffic to any endpoints required by the Windows Update agent. You can find an updated list of required endpoints in [issues related to HTTP Proxy](https://learn.microsoft.com/troubleshoot/windows-client/installing-updates-features-roles/windows-update-issues-troubleshooting?toc=%2Fwindows%2Fdeployment%2Ftoc.json&bc=%2Fwindows%2Fdeployment%2Fbreadcrumb%2Ftoc.json#issues-related-to-httpproxy). If you have a local [WSUS](https://learn.microsoft.com/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment) deployment, you must allow traffic to the server specified in your [WSUS key](https://learn.microsoft.com/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry).
+
+For Red Hat Linux machines, see [IPs for the RHUI content delivery servers](../virtual-machines/workloads/redhat/redhat-rhui.md#the-ips-for-the-rhui-content-delivery-servers)for required endpoints. For other Linux distributions, see your provider documentation.
+
+### Configure Windows Update client
+
+Azure Update Manager relies on the [Windows Update client](https://learn.microsoft.com/windows/deployment/update/windows-update-overview) to download and install Windows updates. There are specific settings that are used by the Windows Update client when connecting to Windows Server Update Services (WSUS) or Windows Update. For more information, see [configure Windows Update client](configure-wu-agent.md).
+
+## Next steps
+
+- [View updates for a single machine](view-updates.md).
+- [Deploy updates now (on-demand) for a single machine](deploy-updates.md).
+- [Enable periodic assessment at scale using policy](https://aka.ms/aum-policy-support).
+- [Schedule recurring updates](scheduled-patching.md)
+- [Manage update settings via the portal](manage-update-settings.md).
+- [Manage multiple machines by using Update Manager](manage-multiple-machines.md).

articles/update-manager/prerequisites.md

@@ -0,0 +1,73 @@
+---
+title: Roles and permissions to manage Azure VM or Arc-enabled server in Azure Update Manager
+description: This article explains th roles and permission required to manage Azure VM or Arc-enabled servers in Azure Update Manager.
+ms.service: azure-update-manager
+author: SnehaSudhirG
+ms.author: sudhirsneha
+ms.date: 07/19/2024
+ms.topic: overview
+---
+ 
+# Roles and permissions in Azure Update Manager
+
+To manage an Azure VM or an Azure Arc-enabled server using Azure Update Manager, you must have the appropriate roles assigned. You can either use predefined roles or create custom roles with the specific permissions you need. For more information, see the [permissions](#permissions).
+
+## Roles
+
+The built-in roles provide blanket permissions on a virtual machine, which includes all Azure Update Manager permissions as well.
+
+| **Resource** | **Role** |
+|---|---|
+| **Azure VM** | Azure Virtual Machine Contributor or Azure [Owner](../role-based-access-control/built-in-roles.md)|
+| **Azure Arc-enabled server** | [Azure Connected Machine Resource Administrator](../azure-arc/servers/security-overview.md)|
+
+## Permissions
+
+You need the following permissions to manage update operations. The following table shows the permissions that are needed when you use Update Manager. You can create a custom role and assign only the desired permissions to that role so that only permissions for specific actions are provided as per need.
+
+### Read permissions for Update Manager to view Update Manager data
+
+| **Actions** | **Permission** | **Scope** |
+|---|---|---|
+| **Read Azure VM properties** | Microsoft.Compute/virtualMachines/read | |
+| **Read assessment data for Azure VMs** | Microsoft.Compute/virtualMachines/patchAssessmentResults/read<br>Microsoft.Compute/virtualMachines/patchAssessmentResults/softwarePatches/read | |
+| **Read patch installation data for Azure VMs** | Microsoft.Compute/virtualMachines/patchInstallationResults/read<br>Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read | |
+| **Read Azure Arc-enabled server properties** | Microsoft.HybridCompute/machines/read | |
+| **Read assessment data for Azure Arc-enabled server** | Microsoft.HybridCompute/machines/patchAssessmentResults/read<br>Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read | |
+| **Read patch installation data for Azure Arc-enabled server** | Microsoft.HybridCompute/machines/patchInstallationResults/read<br>Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read | |
+| **Get the status of an asynchronous operation** **for Azure** **Virtual machine** | Microsoft.Compute/locations/operations/read | Machine subscription |
+| **Read the status of an update center operation on Arc machines** | Microsoft.HybridCompute/locations/updateCenterOperationResults/read | Machine subscription |
+
+### Permissions to perform on-demand actions in Azure Update Manager
+
+Note that following permissions would be required in addition to read permissions documented above  on individual machines on which on-demand operations are performed.
+
+| **Actions** | **Permission** | **Scope** |
+|---|---|---|
+| **Trigger** **assessment on Azure VMs** | Microsoft.Compute/virtualMachines/assessPatches/action | |
+| **Install update on Azure VMs** | Microsoft.Compute/virtualMachines/installPatches/action | |
+| **Get the status of an asynchronous operation for Azure Virtual machine** | Microsoft.Compute/locations/operations/read | Machine subscription |
+| **Trigger assessment on Azure Arc-enabled server** | Microsoft.HybridCompute/machines/assessPatches/action | |
+| **Install update on Azure Arc-enabled server** | Microsoft.HybridCompute/machines/installPatches/action | |
+| **Read the status of an update center operation on** **Arc** **machines** | Microsoft.HybridCompute/locations/updateCenterOperationResults/read | Machine subscription |
+| **Update patch** **mode /** **assessment mode** **for** **Azure Virtual** **Machines** | Microsoft.Compute/virtualMachines/write | Machine |
+| **Update assessment mode for** **Arc Machines** | Microsoft.HybridCompute/machines/write | Machine |
+
+## Scheduled patching (Maintenance configuration) related permissions
+
+Note that below permissions would be required in addition to permissions on individual machines, which are being managed by the schedules.
+
+| **Actions** | **Permission** | **Scope** |
+|---|---|---|
+| **Register the subscription for the** **Microsoft.Maintenance resource provider** | Microsoft.Maintenance/register/action | Subscription |
+| **Create/modify maintenance configuration** | Microsoft.Maintenance/maintenanceConfigurations/write | Subscription/resource group |
+| **Create/modify configuration assignments** | Microsoft.Maintenance/configurationAssignments/write | Subscription/Resource group / machine |
+| **Read permission for Maintenance updates resource** | Microsoft.Maintenance/updates/read | Machine |
+| **Read permission for Maintenance apply updates resource** | Microsoft.Maintenance/applyUpdates/read | Machine |
+| **Get list of update  deployment** | Microsoft.Resources/deployments/read | Maintenance configuration and virtual machine subscription |
+| **Create or update an update deployment** | Microsoft.Resources/deployments/write | Maintenance configuration and virtual machine subscription |
+| **Get a list of update deployment operation statuses** | Microsoft.Resources/deployments/operation statuses | Maintenance configuration and virtual machine subscription |
+
+## Next steps
+- [Prerequisites of Update Manager](prerequisites.md).
+- [How Update Manager works](workflow-update-manager.md).

articles/update-manager/roles-permissions.md

@@ -23,11 +23,11 @@ Update Manager uses a maintenance control schedule instead of creating its own s
 
 ## Prerequisites for scheduled patching
 
-1. See [Prerequisites for Update Manager](./overview.md#prerequisites).
+1. See [Prerequisites for Update Manager](prerequisites.md).
 1. Patch orchestration of the Azure machines should be set to **Customer Managed Schedules**. For more information, see [Enable schedule patching on existing VMs](prerequsite-for-schedule-patching.md#enable-schedule-patching-on-azure-vms). For Azure Arc-enabled machines, it isn't a requirement.
 
 	> [!NOTE]
-	> If you set the patch mode to **Azure orchestrated** (`AutomaticByPlatform`) but do not enable the **BypassPlatformSafetyChecksOnUserSchedule** flag and do not attach a maintenance configuration to an Azure machine, it's treated as an [automatic guest patching](../virtual-machines/automatic-vm-guest-patching.md)-enabled machine. The Azure platform automatically installs updates according to its own schedule. [Learn more](./overview.md#prerequisites).
+	> If you set the patch mode to **Azure orchestrated** (`AutomaticByPlatform`) but do not enable the **BypassPlatformSafetyChecksOnUserSchedule** flag and do not attach a maintenance configuration to an Azure machine, it's treated as an [automatic guest patching](../virtual-machines/automatic-vm-guest-patching.md)-enabled machine. The Azure platform automatically installs updates according to its own schedule. [Learn more](prerequisites.md).
 
 ## Schedule patching in an availability set