Common cybersecurity practices provide, among the many tricks, the timely application of software updates. In fact,, this activity is also of fundamental importance to eliminate the vulnerabilities that allow the implementation of specific cyber attacks on company systems. To facilitate the application of patches, related to the operating system, to the machines of your infrastructure, Microsoft recently announced the availability of a new solution called "Update management center". This article reports the characteristics and peculiarities of this solution that helps simplify the management of updates and achieve compliance with regard to these aspects related to security.
What allows you to do this solution?
Update management center is the new solution that helps to centrally manage and govern the updates of all the machines present in your infrastructure. In fact,, by means of this solution it is possible:
- Check update compliance for your entire fleet of machines.
- Instantly distribute critical updates to protect your systems or plan installation within a defined maintenance window.
- Take advantage of the different patching options, like Automatic VM guest patching in Azure, hot patching, and maintenance schedules defined by the customer.
To date, Update management center is able to manage and govern updates on:
- Windows and Linux operating systems.
- Machines residing in Azure, locally and on other cloud platforms, thanks to Azure Arc.
The following diagram illustrates how Update management center performs the evaluation and application of updates on all Azure systems and Arc-enabled servers, both Windows and Linux.
Figure 1 - Update management center overview
Update Management Center is based on a new Azure extension designed to provide all the features necessary to interact with the operating system as regards the evaluation and application of updates. This extension is automatically installed at the start of any operation of Update Management Center. The distribution of the extension is supported on Azure virtual machines or on Arc-enabled servers and is installed and managed using:
- The Windows agent or the Linux agent for Azure virtual machines.
- The Azure Arc agent for non-Azure physical computers or servers (bot Linux, and Windows).
The installation and configuration of the extension is managed by the solution and no manual intervention is required, as long as the Azure VM Agents or Agents for Azure Arc are functional. The extension ofUpdate management center runs code locally on the computer to interact with the operating system and allows you to:
- Retrieve evaluation information about the status of system updates, specified by the Windows Update agent or by the Linux package manager*.
- Start the download and installation of approved updates from the Windows Update client or from the Linux package manager.
- Get all the information on the results of installing updates, which are reported inUpdate management center from the extension and are available for analysis via the Azure Resource Graph. The visualization of the evaluation data can be consulted for the last seven days and the results regarding the installation of updates are available for the last thirty days.
* The machines deliver notifications on updates based on the origin with which they are configured for synchronization. Windows Update Agent (WUA) on Windows machines it can be configured to reference Windows Server Update Services (WSUS) or to Microsoft Update. Linux machines can be configured to reference a local or public YUM or APT package repository.
Benefits of the solution
Update management center works without the need for onboarding, as it is a solution that is natively based on the Azure Compute platform and Azure Arc-enabled servers. This solution will soon take the place of Update Management of Azure Automation, removing any dependency on Azure Automation and Log Analytics.
The main strengths of the new solution are summarized in the following paragraphs.
Centralized visibility of updates
Thanks to this solution it is possible to consult centrally, direct from the Azure Portal, the state of compliance with respect to the updates requested and distributed on the various systems.
Native integration and zero onboarding
Being a solution created as a native feature of the Azure platform, there is no dependency on Log Analytics and Azure Automation. Furthermore, the solution supports full integration with Azure Policy.
Integration with Azure roles and identities
The solution allows for granular access control at the resource level. Everything is based on Azure Resource Manager and therefore allows the use of RBAC and ARM-based roles in Azure.
High flexibility in managing updates
The ability to automatically check for missing or on-demand updates, as well as the ability to act by installing updates immediately or to schedule them for a later date are elements that guarantee high flexibility. Furthermore, it is allowed to keep the systems updated by adopting new techniques, such as automatic VM guest patching in Azure and hotpatching.
Integration with other solutions
In this context it is worth considering that Microsoft offers, in addition to this solution, also other features to manage updates for Azure virtual machines. These features should be considered as an integral part of your overall update management strategy. Among the various features we find:
- Automatic OS image upgrade
- Automatic VM guest patching
- Automatic extension upgrade
- Hotpatch
- Maintenance control
- Scheduled events
To learn more about all these solutions, you can consult the Microsoft's official documentation.
Conclusions
This new feature, fully integrated into the Azure platform and able to exploit the potential of Azure Arc, it allows you to keep all the systems of your infrastructure up-to-date in a simple way, direct and with very little administrative effort. Furthermore, guarantees total visibility on update compliance for both Windows and Linux systems, fundamental element to increase the security posture of your infrastructure.
