
Hey fellow cloud people,

I am currently experimenting with the new and shiny Update Management Center. As someone having to fiddle around with Update Management in Azure Automation Accounts, I appreciate this new service. Except for assigning VMs to update schedules.

What did I do:

Created a "Maintenance Configuration" with a schedule and update classification (all) for updates

Maintenance Configuration

After that, I want to assign machines within a specific scope automatically depending on a tag. We use "UpdateWave" as a tag name. Because I want machines with this tag to be onboarded automatically, I need to do that via a policy. Azure calls that procedure "Dynamic scoping" (https://docs.microsoft.com/en-us/azure/update-center/scheduled-patching?tabs=schedule-updates-single-overview%2Cschedule-updates-scale-overview#dynamic-scoping).

I created a policy assignment for "[Preview]: Configure periodic checking for missing system updates on azure virtual machines" which configures machines to automatically check for updates.

Periodic checking policy assignment for updates

When I check the compliance, I see my test machines compliant with that policy after a while.

Periodic checking compliance

First Problem: But when I look at the Update Management Center, periodic assessment is not enabled.

Periodic assessment enabled: no

Does anybody have an idea what's wrong here? In the meantime, hours went by and it's still the same.

Second problem:

After the assessment, I want machines of course assigned to a schedule. This must be done via a policy as well. For that, I assigned the "[Preview] Schedule recurring updates using Update Management Center" policy to the subscription and deployment of the assignment worked. This assignment should basically assign all VMs in the scoped subscription to that schedule (I removed all filtering tags for testing purposes).

Schedule policy

When I look at the compliance, I do not get to see any VM. It seems like there are no matching VMs. But the scoped subscription "eu2-iaaststu-sub" indeed has my 2 VMs of OS Windows. I created a remediation task twice (with "Re-evaluate resource compliance before remediating" enabled) and it completed. But it always has 0 affected resources. I don't get it!

I am owner of the target subscription.

I would really love to use the service. It makes it so much easier to onboard machines. IF IT WOULD WORK!

Anybody have an idea what the reasons for both errors are? Or any other tips?

Update 11/07/2022: Microsoft fixed most parts of the policy definitions. The policies now support the operating systems that support Update Management. Automatic remediation is still not working by now.

[Preview]: Configure periodic checking for missing system updates on azure virtual machines: https://www.azadvertizer.net/azpolicyadvertizer/59efceea-0c96-497e-a4a1-4eb2290dac15.html?desc=compareJson&left=https%3A%2F%2Fwww.azadvertizer.net%2Fazpolicyadvertizerjson%2F59efceea-0c96-497e-a4a1-4eb2290dac15_2.0.0-preview.json&right=https%3A%2F%2Fwww.azadvertizer.net%2Fazpolicyadvertizerjson%2F59efceea-0c96-497e-a4a1-4eb2290dac15_3.0.0-preview.json

[Preview]: Schedule recurring updates using Update Management Center: https://www.azadvertizer.net/azpolicyadvertizer/ba0df93e-e4ac-479a-aac2-134bbae39a1a.html?desc=compareJson&left=https%3A%2F%2Fwww.azadvertizer.net%2Fazpolicyadvertizerjson%2Fba0df93e-e4ac-479a-aac2-134bbae39a1a_1.0.0-preview.json&right=https%3A%2F%2Fwww.azadvertizer.net%2Fazpolicyadvertizerjson%2Fba0df93e-e4ac-479a-aac2-134bbae39a1a_2.0.0-preview.json

sebastian87
  • Hi, apologies for the delayed response here. I have shared the feedback with the product team regarding the gap between policy and other issues with registering preview UM features, and the status check of UM settings through the portal. I will update back as I hear from the product team. – KrishnaG Oct 17 '22 at 09:52

3 Answers


Okay so after quite some time I know the issue. Microsoft seems to have some issues with the policies by now or at least they do not reflect what is written in the documentation (by 09/06/2022).

In the documentation of Update Management Center (https://docs.microsoft.com/en-us/azure/update-center/support-matrix?tabs=azurevm%2Cazurevm-os#supported-operating-systems) the following Windows OS are supported:


If you take a look at the policy definitions ("[Preview]: Configure periodic checking for missing system updates on azure virtual machines"), it becomes obvious that these OS are not part of the selection by now:


What I did was add several other Windows OS to that list for the selection, save the policy definition as a copy with more VM SKUs and assign it to the scope. After that, the policy worked as expected and all the VMs were picked up by the policy and work (mostly) as intended.

I would expect this issue to be resolved by the time Update Management Center goes GA.

sebastian87
  • Thanks for sharing. Pre/post scripts are missing from the new solution, any idea if they will be added in future? If not, how do you plan to update deallocated machines? Regards, – Anthony A Mar 02 '23 at 16:55

Regarding problem 1

  • I've gotten a bit further with this, but still not 100%. There isn't much assistance online, as I am sure you have found.

    First you will need to register the preview Update Management features, per subscription.

    Register-AzProviderFeature -FeatureName InGuestAutoPatchVMPreview -ProviderNamespace Microsoft.Compute
    Register-AzProviderFeature -FeatureName InGuestAutoAssessmentVMPreview -ProviderNamespace Microsoft.Compute
    Register-AzProviderFeature -FeatureName InGuestScheduledPatchVMPreview -ProviderNamespace Microsoft.Compute
    

    Then for each of the preview policies you'll need to update the publishers, offers, and SKUs from https://docs.microsoft.com/en-us/azure/update-center/support-matrix?tabs=azurevm%2Cazurevm-os#supported-operating-systems. The policies are

    [Preview]: Configure periodic checking for missing system updates on azure virtual machines
    [Preview]: Machines should be configured to periodically check for missing system updates
    [Preview]: Schedule recurring updates using Update Management Center
    

    When a new VM is created, and policy assessment run against the new resources you should eventually see that the Patch Orchestration and Periodic Assessment fields in the new Update Management portal are updated to reflect your policy. Although it seems more consistent with Windows VMs than Linux.

Regarding problem 2

  • The [Preview]: Schedule recurring updates using Update Management Center policy should change the PatchMode to Azure Orchestrated (AutomaticByPlatform), but the whole policy does not work against newly created resources; it does not assign newly created VMs to a Maintenance Configuration, and does not update the patchMode to AutomaticByPlatform as it states in the policy description.
  • As you have seen, you should be able to manually add VMs to the Maintenance Configuration, but to do this you need to have the patchMode of the VM set to AutomaticByPlatform first - hence why you need to use policy to set this
  • Lastly, manually remediating the [Preview]: Schedule recurring updates using Update Management Center policy does seem to work, although it is inconsistent, and the compliance information for resources still states out of compliance afterwards.

So, it's still worth using the three policies outlined above, since they do something. For us we're at the point where we'll probably just automate running a script to find VMs without a maintenance configuration assignment, and manually assign it.

Lastly

  • Be wary of checking the state of Update Management settings through the Azure portal. Maybe it's a caching issue, but often it does not show correct results. It is quicker to just check the results via PowerShell (excuse my beginner-level PowerShell ability).

    you can pull the patchMode of a VM with

    (get-azvm)[0].OSProfile.LinuxConfiguration.patchsettings.AssessmentMode or

    (get-azvm)[0].OSProfile.WindowsConfiguration.patchsettings.AssessmentMode

    or

    $allVMs = Get-AzVM
    foreach ($aVM in $allVMs) {
        # Reset per VM so a value from the previous VM is not carried over when neither
        # configuration has PatchSettings. This reads AssessmentMode (periodic assessment);
        # PatchMode is the sibling property on the same PatchSettings object.
        $patchsettings = $null
        if ($aVM.OSProfile.LinuxConfiguration.patchsettings.AssessmentMode) {
            $patchsettings = $aVM.OSProfile.LinuxConfiguration.patchsettings.AssessmentMode
        }
        if ($aVM.OSProfile.WindowsConfiguration.patchsettings.AssessmentMode) {
            $patchsettings = $aVM.OSProfile.WindowsConfiguration.patchsettings.AssessmentMode
        }
        # The [string] casts keep PadRight from failing when a property is empty
        Write-Host ([string]$aVM.Name).PadRight(31, ' ') " / " ([string]$patchsettings).PadRight(28, ' ') " / " ([string]$aVM.StorageProfile.ImageReference.Publisher).PadRight(22, ' ') " / " ([string]$aVM.StorageProfile.ImageReference.Offer).PadRight(28, ' ') " / " $aVM.StorageProfile.ImageReference.Sku
    }

jrbrewin
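The answer above ends with the plan to script the gap the preview policies leave: find VMs without a Maintenance Configuration assignment and assign them by hand. The script below is an added example, not code from the answer or from Microsoft; it reports every VM in the current subscription that has no assignment, shows the PatchMode and AssessmentMode the policies are supposed to set, and (only with -Assign) attaches the VMs that already sit at PatchMode AutomaticByPlatform, since the answer notes that is a precondition. It assumes Az.Compute and Az.Maintenance are installed, Connect-AzAccount has run, and $MaintenanceConfigurationId is replaced with your own configuration's resource ID (the default value is a placeholder).

```powershell
# Added example: report (and optionally fix) VMs the schedule policy did not pick up.
# Assumes Az.Compute + Az.Maintenance and an existing Connect-AzAccount session.
# $MaintenanceConfigurationId below is a placeholder, not a real resource ID.
param(
    [string]$MaintenanceConfigurationId = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Maintenance/maintenanceConfigurations/<name>',
    [switch]$Assign   # report-only unless -Assign is given
)

$report = foreach ($vm in Get-AzVM) {
    # PatchSettings lives under WindowsConfiguration or LinuxConfiguration, never both
    $ps = $vm.OSProfile.WindowsConfiguration.PatchSettings
    if (-not $ps) { $ps = $vm.OSProfile.LinuxConfiguration.PatchSettings }

    # Existing Maintenance Configuration assignments for this VM (empty if none)
    $assigned = @(Get-AzConfigurationAssignment -ResourceGroupName $vm.ResourceGroupName `
        -ProviderName Microsoft.Compute -ResourceType VirtualMachines -ResourceName $vm.Name)

    [pscustomobject]@{
        Name           = $vm.Name
        ResourceGroup  = $vm.ResourceGroupName
        Location       = $vm.Location
        PatchMode      = $ps.PatchMode        # should be AutomaticByPlatform for scheduled patching
        AssessmentMode = $ps.AssessmentMode   # AutomaticByPlatform when periodic assessment is on
        Assignments    = $assigned.Count
        Image          = '{0}/{1}/{2}' -f $vm.StorageProfile.ImageReference.Publisher,
                                          $vm.StorageProfile.ImageReference.Offer,
                                          $vm.StorageProfile.ImageReference.Sku
    }
}

# The VMs the policy should have assigned but did not
$missing = $report | Where-Object { $_.Assignments -eq 0 }
$missing | Format-Table Name, PatchMode, AssessmentMode, Image -AutoSize

if ($Assign) {
    foreach ($vm in $missing) {
        # A schedule assignment needs PatchMode AutomaticByPlatform first, so skip the rest
        if ($vm.PatchMode -ne 'AutomaticByPlatform') {
            Write-Warning "$($vm.Name): PatchMode is '$($vm.PatchMode)', fix that before assigning"
            continue
        }
        New-AzConfigurationAssignment -ResourceGroupName $vm.ResourceGroup -Location $vm.Location `
            -ResourceName $vm.Name -ResourceType VirtualMachines -ProviderName Microsoft.Compute `
            -ConfigurationAssignmentName "$($vm.Name)-umc" -MaintenanceConfigurationId $MaintenanceConfigurationId
    }
}
```

Run it without -Assign first and compare the table with what the portal shows; the answer's point about stale portal state is exactly the discrepancy this surfaces.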

I'm also seeing some odd issues with this preview of UMS:

  1. ARC Servers still receiving updates even after being removed from maintenance configuration schedules. Have had to delete the maintenance configuration to stop them from receiving updates.

  2. Updates not being triggered when an offset is included in the schedule.

Has anyone else seen similar behavior?

David
  • This does not really answer the question. If you have a different question, you can ask it by clicking [Ask Question](https://serverfault.com/questions/ask). To get notified when this question gets new answers, you can [follow this question](https://meta.stackexchange.com/q/345661). Once you have enough [reputation](https://serverfault.com/help/whats-reputation), you can also [add a bounty](https://serverfault.com/help/privileges/set-bounties) to draw more attention to this question. - [From Review](/review/late-answers/531238) – smithian Oct 03 '22 at 18:52