Enable Update Management, Change Tracking, and Inventory solutions on multiple VMs
Azure Automation provides solutions to manage operating system security updates, track changes, and inventory what is installed on your computers. There are multiple ways to onboard machines: you can onboard the solution from a virtual machine, from your Automation account, when browsing virtual machines, or by runbook. This article covers onboarding these solutions when browsing virtual machines in Azure.
Sign in to Azure
Sign in to Azure at https://portal.azure.com
In the Azure portal, navigate to Virtual machines.
Using the checkboxes, select the virtual machines you wish to onboard with Change Tracking and Inventory or Update Management. Onboarding is available for up to three different resource groups at a time. Azure VMs can exist in any region no matter the location of your Automation Account.
Use the filter controls to modify the list of virtual machines and then click the top checkbox to select all virtual machines in the list.
From the command bar, click Services and select either Change tracking, Inventory, or Update Management.
Change tracking and Inventory use the same solution. When one is enabled, the other is enabled as well.
The following image is for Update Management. Change tracking and Inventory have the same layout and behavior.
The list of virtual machines is filtered to show only the virtual machines that are in the same subscription and location. If your virtual machines are in more than three resource groups, the first three resource groups are selected.
The number of resource groups you can use for onboarding is limited by the Resource Manager deployment limits. Resource Manager deployments, not to be confused with Update deployments, are limited to 5 resource groups per deployment. To ensure the integrity of onboarding, 2 of those resource groups are reserved to configure the Log Analytics workspace, Automation account, and related resources. This leaves you with 3 resource groups to select for deployment. This limit only applies to simultaneous onboarding, not the number of resource groups that can be managed by an Automation solution.
You can also use a runbook for onboarding. For more information, see Onboard update and change tracking solutions to Azure Automation.
Use the filter controls to select virtual machines from different subscriptions, locations, and resource groups.
Review the choices for the Log Analytics workspace and Automation account. An existing workspace and Automation Account are selected by default. If you want to use a different Log Analytics workspace and Automation Account, click CUSTOM to select them from the Custom Configuration page. When you choose a Log Analytics workspace, a check is made to determine if it is linked with an Automation Account. If a linked Automation Account is found, you will see the following screen. When done, click OK.
If the workspace selected is not linked to an Automation Account, you'll see the following screen. Select an Automation Account and click OK when complete.
When enabling solutions, only certain regions are supported for linking a Log Analytics workspace and an Automation Account.
For a list of the supported mapping pairs, see Region mapping for Automation Account and Log Analytics workspace.
Deselect the checkbox next to any virtual machine that you don't want to enable. Virtual machines that can't be enabled are already deselected.
Click Enable to enable the solution. The solution takes up to 15 minutes to enable.
The following solutions are dependent on a Log Analytics workspace:
If you decide you no longer wish to integrate your Automation account with a Log Analytics workspace, you can unlink your account directly from the Azure portal. Before you proceed, you first need to remove the solutions mentioned earlier, otherwise this process will be prevented from proceeding. Review the article for the particular solution you have imported to understand the steps required to remove it.
After you remove these solutions, you can perform the following steps to unlink your Automation account.
Some solutions including earlier versions of the Azure SQL monitoring solution may have created automation assets and may also need to be removed prior to unlinking the workspace.
From the Azure portal, open your Automation account, and on the Automation account page select Linked workspace under the section Related Resources on the left.
On the Unlink workspace page, click Unlink workspace.
You will receive a prompt verifying you wish to proceed.
While Azure Automation attempts to unlink the account from your Log Analytics workspace, you can track the progress under Notifications from the menu.
If you used the Update Management solution, optionally you may want to remove the following items that are no longer needed after you remove the solution.
- Update schedules - Each will have names that match the update deployments you created.
- Hybrid worker groups created for the solution - Each will be named similarly to machine1.contoso.com_9ceb8108-26c9-4051-b6b3-227600d715c8.
If you used the Start/Stop VMs during off-hours solution, optionally you may want to remove the following items that are no longer needed after you remove the solution.
- Start and stop VM runbook schedules
- Start and stop VM runbooks
Alternatively you can also unlink your workspace from your Automation Account from your Log Analytics workspace. On your workspace, select Automation Account under Related Resources. On the Automation Account page, select Unlink account.
When onboarding multiple machines, there may be machines that show as Cannot enable. There are different reasons why some machines may not be enabled. The following sections show possible reasons for the Cannot enable state on a VM when attempting to onboard.
VM reports to a different workspace: '<workspaceName>'. Change configuration to use it for enabling
Cause: This error shows that the VM that you are trying to onboard reports to another workspace.
Solution: Click Use as configuration to change the targeted Automation Account and Log Analytics workspace.
VM reports to a workspace that is not available in this subscription
Cause: The workspace that the virtual machine reports to:
- Is in a different subscription, or
- No longer exists, or
- Is in a resource group you don't have access permissions to
Solution: Find the automation account associated with the workspace that the VM reports to and onboard the virtual machine by changing the scope configuration.
VM operating system version or distribution is not supported
Cause: The solution is not supported for all Linux distributions or all versions of Windows.
Solution: Refer to the list of supported clients for the solution.
Classic VMs cannot be enabled
Cause: Virtual machines that use the classic deployment model are not supported.
Solution: Migrate the virtual machine to the Resource Manager deployment model. To learn how to do this, see Migrate classic deployment model resources.
VM is stopped. (deallocated)
Cause: The virtual machine is not in a Running state.
Solution: In order to onboard a VM to a solution the VM must be running. Click the Start VM inline link to start the VM without navigating away from the page.
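As an added example (not part of the original article and not Azure tooling), the Python script below plans onboarding batches from an exported VM inventory. It applies the three-resource-group limit per same-subscription, same-location selection and flags VMs that would show as Cannot enable, so machines left outside Update Management are visible before you start. The inventory fields, the sample records, and the workspace name `ws-prod` are constructed assumptions; the OS support check is omitted because the supported list is not on this page.

```python
from collections import defaultdict

# 5 resource groups per Resource Manager deployment, 2 reserved for the
# Log Analytics workspace and Automation account, leaving 3 to select.
MAX_RG_PER_BATCH = 3

# Constructed sample inventory (hypothetical field names, not real resources).
SAMPLE_VMS = [
    {"name": "web1", "sub": "sub-a", "location": "eastus", "rg": "rg1", "model": "arm", "power": "running", "workspace": None},
    {"name": "web2", "sub": "sub-a", "location": "eastus", "rg": "rg2", "model": "arm", "power": "running", "workspace": None},
    {"name": "db1", "sub": "sub-a", "location": "eastus", "rg": "rg3", "model": "arm", "power": "running", "workspace": "ws-prod"},
    {"name": "db2", "sub": "sub-a", "location": "eastus", "rg": "rg4", "model": "arm", "power": "running", "workspace": None},
    {"name": "old1", "sub": "sub-a", "location": "eastus", "rg": "rg1", "model": "classic", "power": "running", "workspace": None},
    {"name": "idle1", "sub": "sub-a", "location": "eastus", "rg": "rg2", "model": "arm", "power": "deallocated", "workspace": None},
    {"name": "app1", "sub": "sub-a", "location": "westeurope", "rg": "rg5", "model": "arm", "power": "running", "workspace": "ws-other"},
    {"name": "app2", "sub": "sub-b", "location": "eastus", "rg": "rg6", "model": "arm", "power": "running", "workspace": None},
]

def cannot_enable_reason(vm, target_workspace):
    """Return the 'Cannot enable' reason for a VM, or None if it can be onboarded."""
    if vm["model"] == "classic":
        return "Classic VMs cannot be enabled"
    if vm["power"] != "running":
        return "VM is stopped. (deallocated)"
    if vm["workspace"] not in (None, target_workspace):
        return "VM reports to a different workspace: '%s'" % vm["workspace"]
    return None

def plan_batches(vms, target_workspace):
    """Split eligible VMs into onboarding batches; return (batches, blocked)."""
    blocked = {}
    groups = defaultdict(lambda: defaultdict(list))  # (sub, location) -> rg -> names
    for vm in vms:
        reason = cannot_enable_reason(vm, target_workspace)
        if reason:
            blocked[vm["name"]] = reason
        else:
            groups[(vm["sub"], vm["location"])][vm["rg"]].append(vm["name"])
    batches = []
    for scope in sorted(groups):
        rgs = sorted(groups[scope])
        for i in range(0, len(rgs), MAX_RG_PER_BATCH):
            chunk = rgs[i:i + MAX_RG_PER_BATCH]
            names = sorted(n for rg in chunk for n in groups[scope][rg])
            batches.append({"scope": scope, "resource_groups": chunk, "vms": names})
    return batches, blocked

if __name__ == "__main__":
    batches, blocked = plan_batches(SAMPLE_VMS, "ws-prod")
    for b in batches:
        print(b)
    for name, reason in sorted(blocked.items()):
        print("BLOCKED", name, "-", reason)
```

Every VM in the blocked output stays unmanaged until its cause is resolved, so treat that list as the follow-up queue rather than as informational output.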
Clean up resources
To remove a VM from Update Management:
- In your Log Analytics workspace, remove the VM from the saved search for the Scope Configuration MicrosoftDefaultScopeConfig-Updates. Saved searches can be found under General in your workspace.
- Remove the Microsoft Monitoring agent or the Log Analytics agent for Linux.
Now that the solution is enabled for your virtual machines, visit the Update Management overview article to learn how to create an Update Deployment for your machines.
Additional tutorials on the solutions and how to use them: