How To use Azure Update management for Automating patch management of all Virtual machines under a subscription including future machines

Question

I have an Azure policy which install Microsoft monitoring agent on all the VMs
I have Automation Account which is linked to the Log analytics workspace.
The Automation Account has a scheduler which has a dynamic query to fetch all the VMs with Tag "PatchManagement" Enabled = $true.
The scheduler makes use of the Microsoft Runbook "Patch-MicrosoftOMSComputers" to apply the patched on the Dynamic VMs fetched by the above query.

The Issue is

The update management is not Enabled on the Automation Account and the VM's
Is there a way we can automate enabling of the Update management on all the VM's created in a subscription and link into the automation account update management using the query of the scheduler.

I followed the link "enter link description here", to implement this solution.

Have you gone through this [link](https://learn.microsoft.com/en-us/azure/automation/update-management/enable-from-vm) to add VM to update management through Portal — SaiSakethGuduru, Oct 29 '21 at 13:03
@SaiSakethGuduru-MT, she wants to automate the process not do it manually — MoonHorse, Oct 29 '21 at 14:39

score 1 · Answer 1 · answered Oct 29 '21 at 16:33

1

The oms agent installation needs a log analytics workspace id parameter which configures the right automation account and log analytics workspace for the VM. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows#install-agent-using-command-line

answered Oct 29 '21 at 16:33

MoonHorse

1,966
2
24
46

--> I'm able to check the "Microsoft Monitoring Agent has successfully connect" on the VM. – Anjali Loganathan Nov 18 '21 at 09:26
1

--> I'm able to check the "Microsoft Monitoring Agent has successfully connected" on the VM. On the Automation Account --> Update Management --> "Enable" button needs to be clicked manually, would like to know if it can be enabled using script. https://postimg.cc/f32G20sQ – Anjali Loganathan Nov 18 '21 at 09:37
https://postimg.cc/svxwm0Xx – Anjali Loganathan Nov 18 '21 at 09:42
@AnjaliLoganathan, is this something which should be one time for all VMs on automation account/update management section? Or this should be done for each VM? – MoonHorse Nov 18 '21 at 19:10

score 0 · Answer 2 · answered Nov 22 '21 at 15:15

The link below enables the update management on the automation account.

I was missing the below section of code in my terraform

# Enable Update Management solution

resource "azurerm_log_analytics_solution" "update_solution" {
  depends_on = [
    azurerm_log_analytics_linked_service.autoacc_linked_log_workspace
  ]
  solution_name         = "Updates"
  location              = azurerm_resource_group.rg.location
  resource_group_name   = azurerm_resource_group.rg.name
  workspace_resource_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
  workspace_name        = 
  azurerm_log_analytics_workspace.log_analytics_workspace.name

  plan {

    publisher = "Microsoft"

    product   = "OMSGallery/Updates"

  }

}

Reference link

How To use Azure Update management for Automating patch management of all Virtual machines under a subscription including future machines

2 Answers2