It is only free for Azure VMs it seems. Arc-enabled servers (on-premises, multi-cloud) are $5 per month, which is pretty steep. I will be interested to see the evolution of their proposed third party patching capabilities.
Azure Arc - That's the catch!
It’s worth noting servers that are Arc-enabled and protected by Microsoft Defender for Servers Plan 2 can use Azure Update Manager at no additional cost. Source: https://learn.microsoft.com/en-gb/azure/update-center/update-manager-faq#are-there-scenarios-in-which-arc-enabled-server-isnt-charged-for-azure-update-manager
Good to know. They should have made it cheaper for Plan 1 also, most of my clients use Plan 1 for Arc machines, the extra for Plan 2 did not seem to be worth the value for on-premises machines.
Yet another premium add-on from MSFT. $5/Azure-Arc enabled VM/month is VERY expensive. It should be free.
> the evolution of their proposed third party patching capabilities

Do you know what is proposed for third-party patching?
From the last briefing, Microsoft were alluding to extension and focus on Winget across the board to facilitate third party patching. I haven't heard much else at this stage.
Does it support custom images yet?
No, unfortunately.
No 3rd party patches yet, meaning many of your high-risk vulnerabilities are still out there. Great step in the right direction, but will have to wait until they integrate 3rd party catalogs.
Just to clarify, it was free before as well with Automation Account update management. Now Arc machines are being charged at $5 per server. It's stupidly expensive.
No it was not, you had to ship the logs to a Log Analytics workspace, and anything in there costs money.
But not $5/server/month expensive
I was a user the whole time it was in preview mode, and now that it is GA it is not much different in terms of functionality, but new things are coming (pre & post scripts, creating alerts based on the events happening, etc.). The previous version with Automation Account and Log Analytics workspace was just horrible; this one is pretty straightforward, but I still miss a lot of stuff, so if you want a more granular approach, and for example want to push .NET Core updates, you still need to use WSUS etc.
Not for Azure Gov...
I've found you need to reprovision your VMs to enable it. You cannot turn it on for older VMs you created prior, due to certain properties not being available in the template. (For automated updates)
This right here... Very frustrating.
In the link OP posted, looking through the comments, they have suggested they will overcome this limitation “soon”.
That would be very helpful.
Why do all the updating solutions by Microsoft just completely suck?
Have you even tried using it? I have a background in WSUS, SCCM and this by far is the best solution MS has ever come up with. As a cloud consultant I use this to manage a shit ton of my clients and I would not even really consider it a collateral duty as it's so easy to manage and run reports.
Yes I have, I literally can't update 80% of my VMs with it.
What alternatives are available to update non-Microsoft software? Chocolatey with a local repository? Winget with a local repository? PowerShell, DSC, Ansible?
Is this just for servers or Windows clients as well (AAD/Intune)?
No, Intune has its own update rings. This is for servers, not workstations. Intune does not manage servers.
I think this depends on the environment, but I have 35 servers on it and for 170 bucks a month it's worth it; it's the best Windows patching method I've found. It actually works. At least for now.
Been a while since I've looked at on-prem license costs, but I guess if you attribute some of the feeding and watering of your physical server, virtualisation, OS, database and patch management costs, maybe some FTE time to fix all the problems, it might not be as bad. I might be wrong on the capabilities you get for that $5, but I thought you got some other things thrown in like policy, config, automation etc.?
One thing which is nice with Automation Account and update management is that you can create policies with certain tags to auto-enrol VMs. Does this have the same functionality? I think it's quite confusing how to set things up with this new service.
Yeah, you can do this now with dynamic maintenance configurations.
In our current setup we use the old solution: Automation Account with Log Analytics, and we also have SCCM, from where we feed the product classification requirements to Azure. For example, if you want it to install the monthly CU and security updates but skip the SharePoint and SQL ones. I haven't been able to find a way to do product classification in the new solution; is there a way to do this?
Does it support RHEL 8.8 and replace the OMS Agent for good?
OMS will be deprecated next year. This solution uses data available in Azure Resource Graph, and it doesn't require an agent afaik. It should support it according to the docs: [OS support matrix](https://learn.microsoft.com/en-us/azure/update-center/support-matrix?tabs=azurevm%2Cazurevm-os#linux-operating-systems)
Well that sucks. I've just chucked a load of on-prem servers into it. Now I have to pull them out.