With many organizations transitioning their workstations from Active Directory to Entra ID, and having all co-management workloads in Intune, they are left with a bloated Configuration Manager environment that provides patching and OSD. As most hardware manufacturers provide their own basic server imaging capabilities that is sufficient for organizations with <500 servers, they’re left with one problem: How do we patch servers without SCCM/WSUS? If you want to stick with Microsoft Solutions, the answer is Azure Arc.
Azure Arc extends management from Azure to on-premises infrastructure. By installing the Azure Arc agent on an on-prem server, it enables all the functionality that comes with your cloud servers. Azure Automation is an extremely powerful tool, and we will use it to automate patching for our on-premises servers.
Step 1: Agent Install
The first step in this process is to install the Arc agent on the on-prem servers. We do this via a deployable PowerShell script. In the Azure Portal, search for Azure Arc. Go there, and in the navigation pane, click Machines, then the Add/Create dropdown menu, and Add a machine.
Once the servers are onboarded, you’ll be able to see the agent status in this window.
In the “Add servers with Azure Arc” wizard, we are presented with 3 options, and we’re going to click on the Generate script button in the “Add a single server” tile. On the next screen, configure the Subscription, Resource Group, Region, OS, method the server will use to connect to the Internet, and tags for scoping resources, then click the Download and run script button. Copy the script to your server and run it locally.
Step 2: Log Analytics and Automation Account
To store and process update data, we will need to associate the Azure Arc machines with a Log Analytics Workspace. If you already have one for Intune or Sentinel, this can be configured to use the same workspace. It is important to mention, however, that servers can only be added to one workspace. If your organization is conscious about resource allocation, you may want to spin up a separate LA workspace for this purpose. Check with your Azure Global Admin to confirm, but it should be in the same region that’s being configured in the server onboarding script.
After the LA Workspace has been determined, go back to the Home portal.azure.com page, and look for Automation Accounts in the search bar. Go there and click Create to make a new Automation Account. Give it an appropriate name, and ensure that you choose the same region that was used in the previous steps. The remaining pages in the wizard are based on organizational requirements and do not require configuration for this purpose.
Once the account is created, click on it and scroll down to the Related Resources section where you will find a Linked workspace button. Go in there and select the Log Analytics workspace we’re going to use for our Arc-enabled servers.
Next, we need to make sure the Log Analytics VM extension is installed on our servers. This will allow the servers to show up in the Update Management tab of the Automation account. Go back to Azure Arc and select the server that was onboarded earlier. In the navigation pane, click Extensions and make sure the DependencyAgentWindows and the MicrosoftMonitoringAgent are installed successfully.
Step 3: Enable Update Management
Go back to the Automation Account and select Update Management from the Navigation pane. By now, the server should show up here, and we can enable it for Update Management by choosing the Enable on selected machines radio button and choosing the server.
To configure our patching schedule, we’ll want to click on Schedule Update Deployment. From here, we’ll configure the deployment schedule to match our server’s patching requirements, including recurrence and maintenance window duration.
Using this process, we can start patching our servers with the same fluidity that we’ve become accustomed to with patching workstations via Intune.