1 00:00:01,540 --> 00:00:03,520 [Autogenerated] Alright, well, let's keep on trucking here.
2 00:00:03,520 --> 00:00:06,350 Next we've got update management to cover.
3 00:00:06,350 --> 00:00:09,910 And I want to frame this discussion by going to Log
4 00:00:09,910 --> 00:00:13,030 Analytics workspace, because when we're talking about update
5 00:00:13,030 --> 00:00:15,000 management and Azure Automation,
6 00:00:15,000 --> 00:00:18,410 your step one is going to be to make sure you have a Log Analytics
7 00:00:18,410 --> 00:00:22,360 workspace in scope and onboarded. When you create your workspace,
8 00:00:22,360 --> 00:00:23,690 it runs at a free tier.
9 00:00:23,690 --> 00:00:28,120 The free tier limits you to about a week's worth of data retention, and you
10 00:00:28,120 --> 00:00:31,510 are also capped on your data ingestion volume per month.
11 00:00:31,510 --> 00:00:35,940 So you'll want to use one of the paid tiers, pay-as-you-go, to make sure
12 00:00:35,940 --> 00:00:38,930 that your Log Analytics workspace can scale properly.
13 00:00:38,930 --> 00:00:43,160 There's a two-year data retention on the paid tier, and to make
14 00:00:43,160 --> 00:00:45,800 sure that your virtual machines are all set up,
15 00:00:45,800 --> 00:00:46,680 we can onboard them.
16 00:00:46,680 --> 00:00:49,300 Actually, I'll leave that for the next module.
17 00:00:49,300 --> 00:00:51,450 I'll do a demo on that at that time.
18 00:00:51,450 --> 00:00:55,530 But anyway, once you've got your Log Analytics workspace online,
19 00:00:55,530 --> 00:00:58,860 you're ready to proceed to look at update management, and update
20 00:00:58,860 --> 00:01:01,850 management is a feature of the Azure Automation account.
21 00:01:01,850 --> 00:01:04,630 So after you create your Log Analytics workspace,
22 00:01:04,630 --> 00:01:07,100 you'll want to create an Azure Automation account.
23 00:01:07,100 --> 00:01:10,930 And the main thing I want to show you there is how you're going to
24 00:01:10,930 --> 00:01:15,960 authenticate to Azure from your runbooks, and the recommended way to go is to
25 00:01:15,960 --> 00:01:19,770 use a system-assigned or user-assigned managed identity.
26 00:01:19,770 --> 00:01:24,740 The v1 way to do Automation account is with what's called a Run As
27 00:01:24,740 --> 00:01:29,160 account. System-assigned or user-assigned managed identities I think are a
28 00:01:29,160 --> 00:01:31,990 much cleaner way to go because, as this says,
29 00:01:31,990 --> 00:01:36,110 it doesn't require that you manage any credentials. When you have a Run As
30 00:01:36,110 --> 00:01:40,040 account, that Run As account uses a digital certificate that's going to
31 00:01:40,040 --> 00:01:43,470 expire and need to be renewed every so often.
32 00:01:43,470 --> 00:01:47,500 Whereas if you have a managed identity, that's going to have
33 00:01:47,500 --> 00:01:51,330 an Azure-managed password that's auto-rotated, and you never
34 00:01:51,330 --> 00:01:52,710 have to worry about that.
35 00:01:52,710 --> 00:01:56,120 So I'm going to create a system-assigned managed identity, and
36 00:01:56,120 --> 00:01:58,510 then we can choose what kind of access:
37 00:01:58,510 --> 00:02:01,030 if we're going to do private endpoint, where we're
38 00:02:01,030 --> 00:02:04,460 integrating the Automation account into a virtual network,
39 00:02:04,460 --> 00:02:06,000 or if we're coming over the internet.
40 00:02:06,000 --> 00:02:09,130 I'm going to be coming over the internet in this case. Next we've
41 00:02:09,130 --> 00:02:12,400 got our taxonomic tags, and then that's the creation.
42 00:02:12,400 --> 00:02:15,490 Now, I haven't actually specified a name or a resource
43 00:02:15,490 --> 00:02:18,000 group, so that's why it failed validation.
44 00:02:18,000 --> 00:02:20,520 I'm actually going to bail out of here because I have an
45 00:02:20,520 --> 00:02:22,740 Automation account already created.
46 00:02:22,740 --> 00:02:25,810 If we come into that Automation account, we can see,
47 00:02:25,810 --> 00:02:27,660 under Configuration Management,
48 00:02:27,660 --> 00:02:31,710 the different parts and pieces of the service, and you'll find that
49 00:02:31,710 --> 00:02:35,340 the first time you click into these you're going to be required to
50 00:02:35,340 --> 00:02:37,770 point to your Log Analytics workspace.
51 00:02:37,770 --> 00:02:40,840 I've already done that for these services so that I
52 00:02:40,840 --> 00:02:42,520 have something for you to look at.
53 00:02:42,520 --> 00:02:45,960 But just know that that's going to be a one-time occurrence,
54 00:02:45,960 --> 00:02:49,540 the first time you're in your Automation account and you want to begin
55 00:02:49,540 --> 00:02:52,330 to light up some of these configuration management,
56 00:02:52,330 --> 00:02:56,060 update management and process automation features. We're
57 00:02:56,060 --> 00:02:58,670 concerned specifically with update management.
58 00:02:58,670 --> 00:03:01,340 So here's what the interface looks like after you've
59 00:03:01,340 --> 00:03:03,990 connected to your Log Analytics workspace.
60 00:03:03,990 --> 00:03:07,510 We can see up here in our news that four machines do not have
61 00:03:07,510 --> 00:03:10,940 the update management feature enabled, and we can click Manage
62 00:03:10,940 --> 00:03:12,820 machines to get a list here.
63 00:03:12,820 --> 00:03:17,400 Now, it says here that the machines will report to our Log Analytics workspace, or
64 00:03:17,400 --> 00:03:21,080 actually it looks like they're currently reporting to the workspace, but
65 00:03:21,080 --> 00:03:24,410 they don't have update management enabled on them.
66 00:03:24,410 --> 00:03:29,230 So I could just do a global enable, or I could do selected machines.
67 00:03:29,230 --> 00:03:34,560 Notice that it's picked up Arc 1 and Arc 2, and I have VM 2 and VM
68 00:03:34,560 --> 00:03:37,600 3 as Azure-native virtual machines.
69 00:03:37,600 --> 00:03:41,690 So we're picking up your hybrid machines here all in one go.
70 00:03:41,690 --> 00:03:45,390 I want to make sure to do this now, because it says these machines
71 00:03:45,390 --> 00:03:48,050 are reporting to the Log Analytics workspace;
72 00:03:48,050 --> 00:03:52,540 we can reasonably and accurately assume that those machines must have
73 00:03:52,540 --> 00:03:55,610 the Log Analytics agent already installed on them.
74 00:03:55,610 --> 00:03:56,540 That's important.
75 00:03:56,540 --> 00:04:00,230 Now, as far as onboarding machines manually,
76 00:04:00,230 --> 00:04:02,020 as you can see on the toolbar,
77 00:04:02,020 --> 00:04:07,070 we can add Azure virtual machines by doing an Enable update management.
78 00:04:07,070 --> 00:04:10,470 Notice that if you do have a machine that is a candidate
79 00:04:10,470 --> 00:04:12,670 for update management and it's stopped,
80 00:04:12,670 --> 00:04:15,290 we're not going to be able to enable it. As you can see here,
81 00:04:15,290 --> 00:04:18,700 it's kind of faint, but the Mike Lee one machine cannot be
82 00:04:18,700 --> 00:04:21,040 enabled because the VM has stopped.
83 00:04:21,040 --> 00:04:26,640 If I go to Add non-Azure machine, it simply kicks us over into the docs.
84 00:04:26,640 --> 00:04:30,640 Actually, this is the article on the Log Analytics agent, and
85 00:04:30,640 --> 00:04:34,340 basically, in order to have the machines show up as being able to
86 00:04:34,340 --> 00:04:36,220 be onboarded to update management,
87 00:04:36,220 --> 00:04:39,100 we simply need to install the Log Analytics agent,
88 00:04:39,100 --> 00:04:41,150 which we'll do in the next module.
89 00:04:41,150 --> 00:04:45,150 The portal interface says wait at least 15 minutes for your newly
90 00:04:45,150 --> 00:04:49,390 onboarded Azure and non-Azure machines to begin to report to update
91 00:04:49,390 --> 00:04:51,960 management, and we can see that's the case down here.
92 00:04:51,960 --> 00:04:54,340 So what we've got on the Machines page is
93 00:04:54,340 --> 00:04:58,370 a roll-up of all enrolled machines, their compliance status,
94 00:04:58,370 --> 00:05:04,320 critical, security, other missing updates, where the update approval source is.
95 00:05:04,320 --> 00:05:09,350 We can just filter on specific missing updates, as you can see here, and there's a
96 00:05:09,350 --> 00:05:12,650 KB link to each of those, as you can see over on the side.
97 00:05:12,650 --> 00:05:17,480 We can adjust the view classification as such, and then as far as scheduled
98 00:05:17,480 --> 00:05:20,570 deployments and history, we can filter on this view as well.
99 00:05:20,570 --> 00:05:23,470 Of course we've got log search, and I'll show you that. I'll
100 00:05:23,470 --> 00:05:26,720 actually finish this demo with a little bit of KQL to show
101 00:05:26,720 --> 00:05:28,650 you a better way to report on that.
102 00:05:28,650 --> 00:05:32,920 So the idea is you report on your compliance status, and then you
103 00:05:32,920 --> 00:05:35,790 do your update scheduling right over here.
104 00:05:35,790 --> 00:05:39,390 Let me show you how to schedule an update deployment up here on the toolbar.
105 00:05:39,390 --> 00:05:44,300 We can click, and let's say this update is just going to be for our Azure VMs.
106 00:05:44,300 --> 00:05:49,280 We'll do Windows, and we can create dynamic groups that we can then reuse.
107 00:05:49,280 --> 00:05:54,500 I'm going to filter this on my subscription and my 800 resource
108 00:05:54,500 --> 00:05:57,180 groups, click Add, and then if we click Preview,
109 00:05:57,180 --> 00:05:59,490 it'll show us what machines are in scope.
110 00:05:59,490 --> 00:06:03,490 This is very similar to what you would do in Windows Server Update Services.
111 00:06:03,490 --> 00:06:07,520 And notice that you can define groups for Azure and non-Azure systems.
112 00:06:07,520 --> 00:06:11,640 We can then adjust the machines within those groups that we want to update,
113 00:06:11,640 --> 00:06:15,100 as well as what update classifications we're doing here.
114 00:06:15,100 --> 00:06:19,850 We can do update include/exclude filtering, and then notice the asterisk:
115 00:06:19,850 --> 00:06:23,270 we have to specify our schedule, but I can specify that
116 00:06:23,270 --> 00:06:25,640 this is going to take place on the 13th,
117 00:06:25,640 --> 00:06:29,900 say at 1:45 AM Central Time, and we can have this be
118 00:06:29,900 --> 00:06:32,450 a recurring or once-only event.
119 00:06:32,450 --> 00:06:35,270 We can inject pre- and post-scripts.
120 00:06:35,270 --> 00:06:38,750 These are from the Azure Automation runbook library.
121 00:06:38,750 --> 00:06:42,240 Our maintenance window here is going to be a time interval
122 00:06:42,240 --> 00:06:45,140 between 30 minutes and less than six hours.
123 00:06:45,140 --> 00:06:46,480 And you would adjust this.
124 00:06:46,480 --> 00:06:51,230 This is the time period in which Microsoft needs to complete those updates,
125 00:06:51,230 --> 00:06:54,380 and you would align this with your IT service management
126 00:06:54,380 --> 00:06:58,000 platform maintenance window, and then we can control reboots.
127 00:06:58,000 --> 00:06:58,440 All right.
128 00:06:58,440 --> 00:07:01,340 So it's not quite as robust as what you would have
129 00:07:01,340 --> 00:07:03,310 with Windows Server Update Services.
130 00:07:03,310 --> 00:07:04,360 But wow,
131 00:07:04,360 --> 00:07:07,170 the fact that you don't have to worry about WSUS high
132 00:07:07,170 --> 00:07:10,250 availability and patching and backing up those machines,
133 00:07:10,250 --> 00:07:14,140 the fact that it's all automated here in the cloud is pretty compelling,
134 00:07:14,140 --> 00:07:15,100 it seems to me,
135 00:07:15,100 --> 00:07:19,370 and also we have the added benefit that we can manage Azure Arc-enabled
136 00:07:19,370 --> 00:07:26,000 servers, and we also can patch both Windows Server and Linux. That's a really good deal.