Microsoft recently announced the general availability of Azure Update Manager, known previously as Update Management Center - a SaaS solution to manage and govern software updates to Windows and Linux machines across Azure, on-premises, and multi-cloud environments.
According to the company, the solution is an evolution of Azure Automation Update management that includes new features and functionality for the assessment and deployment of software updates on a single machine or multiple machines. The solution brings features like:
- The ability to enable incremental rollout of updates to Azure VMs in off-peak hours using automatic VM guest patching and reduce reboots by enabling hot patching.
- Allow operators to view and deploy pending updates to instantly secure machines and manage extended security updates (ESUs) for Azure Arc-enabled Windows Server 2012/2012 R2 machines. Furthermore, allowing them to define recurring time windows during which machines receive updates and may undergo reboots using scheduled patching and enforce machines grouped based on standard Azure constructs (Subscription, Location, Resource Group, Tags, etc.) to have common patch schedules using dynamic scoping.
- Proving to automatically assess machines for pending updates every 24 hours and flag machines out of compliance.
- Allowing to enforce enabling periodic assessments on multiple machines using Azure Policy.
- Create custom reports.
Screenshot of Azure Update Manager (Source: Microsoft Tech Community blog post)
Azure Update Manager supports the management of Azure VMs and non-Azure machines through a new Azure extension that the company designed to provide all the functionality required to interact with the operating system to manage the assessment and application of updates. The extension is automatically installed when operators initiate any Update Manager operations, such as Check for updates, Install one-time update, and Periodic Assessments on a machine. In addition, the deployment of the extension to Azure VMs or Azure Arc-enabled servers is possible via the Azure VM Windows agent or the Azure VM Linux agent for Azure VMs - and the Azure Arc-enabled servers’ agent for non-Azure Linux and Windows machines or physical servers.
The company states that Update Manager brings, besides new features, more benefits than its predecessor, Update Manager, such as no dependency on Log Analytics and Azure Automation and Azure Resource Manager-based operations. However, John Joyner, a Microsoft Azure MVP, points out in a LinkedIn post:
Azure Update Manager is free for machines hosted on Azure or Azure Stack HCI. For Arc-enabled servers, it's chargeable up to $5/server/month". Since Azure Automation Update Management was free to all servers, including Azure Arc, this represents a significant cost increase for customers with large server populations outside Azure.
In addition, a respondent on a Reddit thread commented:
Microsoft announced last year that the Log Analytics agent will be deprecated and that Automation Update Management customers would be migrated to Azure Update Manager once the preview ended.
Feels like a giant bait and switch as Update management is free for Arc/onprem, and there was no reason to believe what would be replacing it wouldn't also be free, let alone such a high price for a minimal service.
While in the same thread, another respondent pointed out:
Enabling "Microsoft updates" (instead of just "Windows updates") will delete SQL Server AlwaysOn Availability Group configurations.
MS Support acknowledged that this is a bug in Update Manager, and a hotfix is yet to be implemented.
Do NOT use it on your SQL IaaS VM clusters, it'll blow them away.
Lastly, more details on the Azure Update Manager are available on the documentation landing page and FAQs.