Azure Update Management Windows Update Desired State Configuration


Guest wernerrall
Posted

Introduction

 

Even though the Azure Update Center is already in preview, many of our customers are still using Azure Update Management (the solution that uses an Automation Account and a Log Analytics workspace) to patch their servers. During one of these engagements, we realized that some of the Operating System settings for Windows Update were not configured the way the business required, which led to erratic reboots and servers not patching on their expected schedules.

We needed a way to ensure our machines have the appropriate settings.
Requirements

  • Machines do not have to be Domain Joined
  • Machines that were previously domain joined need to have their registries changed
  • Machines must not reboot outside of the Patch Schedule

Some of our answers can be found in the official documentation here, but for the reboots we need to dig a little deeper. Below are the registry settings we can configure for restart behavior.

 

If you would like to see more, here is a great website that looks at Group Policy settings and can help you find what is and is not configurable.

This PowerShell script can be run to see which Windows Update registry settings are currently applied on your machines.

For our specific solution we will choose Option 2 from the article above.

In my GitHub repository you can find the Desired State Configuration file that removes all other settings and applies the settings above.

Save this file as "WindowsUpdate.ps1"
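As an added illustration (not the file from the author's GitHub repository), this is the shape such a DSC file takes: one Registry resource per value under the Windows Update policy key, using Microsoft's documented NoAutoRebootWithLoggedOnUsers and AlwaysAutoRebootAtScheduledTime value names. Which values to set or clear is an assumption here, since the page's own list of settings survives only as a screenshot.

```powershell
# Added illustration, not the author's configuration. The value names are
# Microsoft's documented Windows Update policy values; the choice of which
# to set or clear is an assumption for this example.
Configuration WindowsUpdate {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # Policy key that Group Policy also writes to. Enforcing values here
    # overrides whatever an old domain GPO left behind on machines that are
    # no longer domain joined (requirement 2 above).
    $au = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    Node localhost {
        # Stop the Windows Update agent from rebooting on its own while a user
        # is signed in; Update Management performs reboots inside its schedule.
        Registry NoAutoRebootWithLoggedOnUsers {
            Key       = $au
            ValueName = 'NoAutoRebootWithLoggedOnUsers'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
            Force     = $true   # overwrite any existing value, whatever its type
        }

        # Clear a restart setting that a previous policy may have left behind,
        # so nothing forces a reboot at a time of its own choosing.
        Registry AlwaysAutoRebootAtScheduledTime {
            Key       = $au
            ValueName = 'AlwaysAutoRebootAtScheduledTime'
            Ensure    = 'Absent'
        }
    }
}

# Optional local compile to inspect the generated MOF before uploading.
# Azure Automation State Configuration compiles the same file itself and
# publishes the result as the node configuration "WindowsUpdate.localhost".
WindowsUpdate -OutputPath .\WindowsUpdate
```

The Ensure = 'Absent' pattern is how the file can "remove all other settings": one such resource per value name you want gone, while Force = $true makes the desired values win over stale policy data.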

Solution

For our last few steps we will use Azure Automation State Configuration (DSC) to import the configuration and compile it.

Click on Configurations and then Add.

Choose the WindowsUpdate.ps1 file that you saved.

Compile the Configuration

Once the compilation is complete, we can add machines (called Nodes).

Go to Nodes and click Add.

Choose Connect for your node.

Then choose "WindowsUpdate.localhost" as the node configuration name.

Now you are ready to go. Once the machine checks in and applies this configuration, it will adhere to the update schedules set in Automation Account Update Management.
