2
votes

I'm currently trying to set up Azure's Update Management Solution for a resource group I have set up. I've read through a lot of documentation on this matter, including Microsoft's: https://docs.microsoft.com/en-us/azure/automation/automation-update-management

It's pretty straightforward to set up using the GUI; however, I have been unsuccessful in finding a way to deploy this programmatically. I wanted to reach out to the Stack community and see if anyone has been able to deploy an environment that uses Update Management with a code base, or if anyone has found/built a PowerShell module which can be used to enable Update Management on select VMs.

2 Answers

3
votes

This piece of ARM template should work:

{
    "apiVersion": "2017-05-15-preview",
    "type": "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations",
    "name": "automationName/softwareUpdateName",
    "location": "[resourceGroup().location]",
    "properties": {
        "updateConfiguration": {
            "operatingSystem": "Windows",
            "duration": "PT2H0M",
            "windows": {
                "excludedKbNumbers": [
                    "168934",
                    "168973"
                ],
                "includedUpdateClassifications": "Critical",
                "rebootSetting": "IfRequired"
            },
            "azureVirtualMachines": [
                "/subscriptions/5ae68d89-69a4-454f-b5ce-e443cc4e0067/resourceGroups/myresources/providers/Microsoft.Compute/virtualMachines/vm-01",
                "/subscriptions/5ae68d89-69a4-454f-b5ce-e443cc4e0067/resourceGroups/myresources/providers/Microsoft.Compute/virtualMachines/vm-02",
                "/subscriptions/5ae68d89-69a4-454f-b5ce-e443cc4e0067/resourceGroups/myresources/providers/Microsoft.Compute/virtualMachines/vm-03"
            ],
            "nonAzureComputerNames": [
                "box1.contoso.com",
                "box2.contoso.com"
            ]
        },
        "scheduleInfo": {
            "frequency": "Hour",
            "startTime": "2017-10-19T12:22:57+00:00",
            "timeZone": "America/Los_Angeles",
            "interval": 1,
            "expiryTime": "2018-11-09T11:22:57+00:00",
            "advancedSchedule": {
                "weekDays": [
                    "Monday",
                    "Thursday"
                ]
            }
        }
    }
}

You can use the REST API to find out how to construct properties the way you need.

You could use the same properties JSON with Invoke-WebRequest as a payload, for example, or curl.
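The REST call mentioned in the answer above, sketched as an added example that is not part of the original answer: it sends a request body file with `Invoke-WebRequest` and first refuses any VM resource ID outside the intended subscription, since this configuration patches and reboots machines. The parameter names, the body file and the way the bearer token is obtained are assumptions; the resource type and API version are the ones in the template.

```powershell
# Added example; all parameter values are supplied by the caller (assumptions).
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $AutomationAccount,
    [Parameter(Mandatory)] [string] $ConfigName,
    # Bearer token for https://management.azure.com/, obtained separately,
    # e.g. with: az account get-access-token --query accessToken -o tsv
    [Parameter(Mandatory)] [string] $AccessToken,
    # JSON file of the form { "properties": { ... } }, using the same
    # "properties" object as the ARM template above.
    [Parameter(Mandatory)] [string] $BodyPath
)

$ErrorActionPreference = 'Stop'

# Keep the raw text for the request so date strings are sent exactly as written;
# the parsed copy is used only for the scope check below.
$rawBody = Get-Content -Raw -Path $BodyPath
$parsed  = $rawBody | ConvertFrom-Json

# Guard: every targeted VM must live in the subscription we intend to patch.
$prefix = "/subscriptions/$SubscriptionId/"
$outOfScope = @($parsed.properties.updateConfiguration.azureVirtualMachines |
    Where-Object { $_ -and -not $_.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase) })
if ($outOfScope.Count -gt 0) {
    throw "VM IDs outside subscription ${SubscriptionId}: $($outOfScope -join ', ')"
}

$uri = "https://management.azure.com/subscriptions/$SubscriptionId" +
       "/resourceGroups/$ResourceGroup/providers/Microsoft.Automation" +
       "/automationAccounts/$AutomationAccount" +
       "/softwareUpdateConfigurations/$ConfigName" +
       "?api-version=2017-05-15-preview"

# Invoke-WebRequest throws on a non-success status, so reaching the last
# line means the service accepted the configuration.
$response = Invoke-WebRequest -Method Put -Uri $uri -Body $rawBody `
    -ContentType 'application/json' `
    -Headers @{ Authorization = "Bearer $AccessToken" } `
    -UseBasicParsing
$response.StatusCode
```

The token is passed as a parameter here for brevity; in a pipeline, read it from a secret store rather than the command line so it does not land in shell history or process listings.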

1
votes

Interacting with "Azure Updates" in PowerShell is done through the "AzureRMAutomation" cmdlets. For example, scheduling software updates uses the "New-AzureRmAutomationSoftwareUpdateConfiguration" cmdlet.

https://docs.microsoft.com/en-us/powershell/module/azurerm.automation/new-azurermautomationsoftwareupdateconfiguration?view=azurermps-6.13.0

You should be able to find anything else you want to do in that directory.

I stumbled across this site, which isn't as useful as the above information...

https://sharepointyankee.com/2018/02/26/importing-powershell-modules-into-azure-automation/

This process allows you to download PowerShell modules from the modules gallery. After doing a simple search for "update", I found 2 modules, "xWindowsUpdate" and "PSWindowsUpdate". These don't directly interact with Azure Update Manager, but functionally accomplish the same result.