
Manage Windows updates by using Azure Automation

You can use the Update Management solution to manage updates and patches for your virtual machines. In this tutorial, you learn how to quickly assess the status of available updates, schedule installation of required updates, review deployment results, and create an alert to verify that updates apply successfully.

For pricing information, see Automation pricing for Update Management.

In this tutorial, you learn how to:

  • Onboard a VM for Update Management
  • View an update assessment
  • Configure alerting
  • Schedule an update deployment
  • View the results of a deployment

Prerequisites

To complete this tutorial, you need:

Sign in to Azure

Sign in to the Azure portal at https://portal.azure.com.

Enable Update Management

First, enable Update Management on your VM for this tutorial:

  1. In the Azure portal, in the left menu, select Virtual machines. Select a VM from the list.
  2. On the VM page, under OPERATIONS, select Update management. The Enable Update Management pane opens.

Validation is performed to determine whether Update Management is enabled for this VM. This validation includes checks for an Azure Log Analytics workspace and linked Automation account, and whether the Update Management solution is in the workspace.

A Log Analytics workspace is used to collect data that's generated by features and services like Update Management. The workspace provides a single location to review and analyze data from multiple sources.

The validation process also checks to see whether the VM is provisioned with the Microsoft Monitoring Agent (MMA) and Automation Hybrid Runbook Worker. This agent is used to communicate with Azure Automation and to obtain information about the update status. The agent requires port 443 to be open to communicate with the Azure Automation service and to download updates.

If any of the following prerequisites were found to be missing during onboarding, they're automatically added:

Under Update Management, set the location, Log Analytics workspace, and Automation account to use. Then, select Enable. If these options aren't available, it means that another automation solution is enabled for the VM. In that case, the same workspace and Automation account must be used.


Enabling the solution can take up to a few minutes. During this time, don't close the browser window. After the solution is enabled, information about missing updates on the VM flows to Azure Monitor logs. It can take between 30 minutes and 6 hours for the data to be available for analysis.

View update assessment

After Update Management is enabled, the Update management pane opens. If any updates are missing, a list of missing updates is shown on the Missing updates tab.

Under INFORMATION LINK, select the update link to open the support article for the update in a new window. You can learn important information about the update in this window.


Click anywhere else on the update to open the Log Search pane for the selected update. The query for the log search is predefined for that specific update. You can modify this query or create your own query to view detailed information about the updates that are deployed or missing in your environment.
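A custom query of the kind described above, as an added example that is not part of the original tutorial: it runs a log search from PowerShell and summarizes which Windows machines are still missing critical or security updates. It assumes the Az.OperationalInsights module and a signed-in session; the workspace ID is a placeholder, and the column names are those of the Update table that Update Management writes to the workspace.

```powershell
# Added example (not from the tutorial). Requires Az.OperationalInsights
# and an authenticated session (Connect-AzAccount).
# Placeholder: the workspace (customer) ID of the Log Analytics workspace
# linked to Update Management.
$WorkspaceId = '<workspace-id-guid>'

# KQL against the Update table:
#  1. keep only the latest record per computer and update,
#  2. keep updates that are still needed and not optional,
#  3. restrict to the two classifications that matter most for exposure,
#  4. count them per computer so the worst-patched machines sort first.
$query = @'
Update
| where TimeGenerated > ago(1d)
| where OSType != "Linux"
| summarize arg_max(TimeGenerated, *) by Computer, KBID, Title
| where UpdateState == "Needed" and Optional == false
| where Classification in ("Critical Updates", "Security Updates")
| summarize MissingCount = count(), KBs = make_set(KBID) by Computer, Classification
| order by MissingCount desc
'@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query

# Each row is one computer/classification pair with its missing KB numbers.
$response.Results |
    Format-Table Computer, Classification, MissingCount, KBs -AutoSize
```

Because assessment data can take between 30 minutes and 6 hours to arrive, an empty result shortly after onboarding does not mean the VM is fully patched.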


Configure alerts

In this step, you learn to set up an alert to let you know the status of an update deployment.

Alert conditions

In your Automation Account, under Monitoring, go to Alerts, and then click + New alert rule.

Your Automation Account is already selected as the resource. If you want to change it, click Select and, on the Select a resource page, select Automation Accounts in the Filter by resource type dropdown. Select your Automation Account, and then select Done.

Click Add condition to select the signal that is appropriate for your update deployment. The following table shows the details of the two available signals for update deployments:

| Signal Name | Dimensions | Description |
|---|---|---|
| Total Update Deployment Runs | Update Deployment Name; Status | This signal is used to alert on the overall status of an update deployment. |
| Total Update Deployment Machine Runs | Update Deployment Name; Status; Target Computer; Update Deployment Run Id | This signal is used to alert on the status of an update deployment targeted at specific machines. |

For the dimension values, select a valid value from the list. If the value you are looking for is not in the list, click the + sign next to the dimension and type in the custom name. You can then select the value you want to look for. If you want to select all values from a dimension, click the Select * button. If you do not choose a value for a dimension, that dimension will be ignored during evaluation.


Under Alert logic, for Threshold, enter 1. When you're finished, select Done.

Alert details

Under 2. Define alert details, enter a name and description for the alert. Set Severity to Informational (Sev 2) for a successful run, or Informational (Sev 1) for a failed run.


Under Action groups, select Create New. An action group is a group of actions that you can use across multiple alerts. The actions can include, but are not limited to, email notifications, runbooks, webhooks, and many more. To learn more about action groups, see Create and manage action groups.

In the Action group name box, enter a name for the alert and a short name. The short name is used in place of a full action group name when notifications are sent by using this group.

Under Actions, enter a name for the action, like Email Notifications. Under ACTION TYPE, select Email/SMS/Push/Voice. Under DETAILS, select Edit details.

In the Email/SMS/Push/Voice pane, enter a name. Select the Email check box, and then enter a valid email address.


In the Email/SMS/Push/Voice pane, select OK. In the Add action group pane, select OK.

To customize the subject of the alert email, under Create rule, under Customize Actions, select Email subject. When you're finished, select Create alert rule. The alert tells you when an update deployment succeeds, and which machines were part of that update deployment run.

Schedule an update deployment

Next, schedule a deployment that follows your release schedule and service window to install updates. You can choose which update types to include in the deployment. For example, you can include critical or security updates and exclude update rollups.

To schedule a new update deployment for the VM, go to Update management, and then select Schedule update deployment.

Under New update deployment, specify the following information:

  • Name: Enter a unique name for the update deployment.

  • Operating system: Select the OS to target for the update deployment.

  • Groups to update (preview): Define a query based on a combination of subscription, resource groups, locations, and tags to build a dynamic group of Azure VMs to include in your deployment. To learn more, see Dynamic Groups.

  • Machines to update: Select a Saved search, Imported group, or pick Machines from the drop-down and select individual machines. If you choose Machines, the readiness of the machine is shown in the UPDATE AGENT READINESS column. To learn about the different methods of creating computer groups in Azure Monitor logs, see Computer groups in Azure Monitor logs.

  • Update classification: Select the types of software that the update deployment includes. For this tutorial, leave all types selected.

    The classification types are:

    | OS | Type |
    |---|---|
    | Windows | Critical updates; Security updates; Update rollups; Feature packs; Service packs; Definition updates; Tools; Updates |
    | Linux | Critical and security updates; Other updates |

    For a description of the classification types, see update classifications.

  • Updates to include/exclude: This opens the Include/Exclude page. Updates to be included or excluded are on separate tabs. For more information on how inclusion is handled, see inclusion behavior.

  • Schedule settings: The Schedule Settings pane opens. The default start time is 30 minutes after the current time. You can set the start time to any time from 10 minutes in the future.

    You can also specify whether the deployment occurs once, or set up a recurring schedule. Under Recurrence, select Once. Leave the default as 1 day and select OK. This sets up a recurring schedule.

  • Pre-scripts + Post-scripts: Select the scripts to run before and after your deployment. To learn more, see Manage Pre and Post scripts.

  • Maintenance window (minutes): Leave the default value. You can set the window of time that you want the update deployment to occur within. This setting helps ensure that changes are performed within your defined service windows.

  • Reboot options: This setting determines how reboots should be handled. Available options are:

    • Reboot if required (Default)
    • Always reboot
    • Never reboot
    • Only reboot - will not install updates

When you're finished configuring the schedule, select Create.
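The same deployment expressed as a script, as an added example that is not part of the original tutorial. It assumes the Az.Automation and Az.Compute modules and a signed-in session; every resource name is a placeholder, and the two-hour maintenance window and the Critical plus Security selection are illustrative choices (the tutorial itself leaves all classifications selected).

```powershell
# Added example (not from the tutorial). Requires Az.Automation, Az.Compute
# and an authenticated session (Connect-AzAccount).
# Placeholder names: replace with your own resource group, account and VM.
$rg      = 'rg-automation'
$account = 'aa-updates'
$name    = 'patch-vm-web-01'
$vm      = Get-AzVM -ResourceGroupName 'rg-workloads' -Name 'vm-web-01'

# One-time schedule starting 30 minutes from now (the portal's default
# offset; the earliest allowed start is 10 minutes in the future).
# -ForUpdateConfiguration marks the schedule for use by an update deployment.
$schedule = New-AzAutomationSchedule `
    -ResourceGroupName $rg -AutomationAccountName $account `
    -Name $name -StartTime (Get-Date).AddMinutes(30) `
    -OneTime -ForUpdateConfiguration

# Windows deployment limited to critical and security updates, so update
# rollups and the other classifications are excluded. Reboot only if an
# installed update requires it.
New-AzAutomationSoftwareUpdateConfiguration `
    -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows `
    -AzureVMResourceId $vm.Id `
    -IncludedUpdateClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) `
    -RebootSetting IfRequired

# Read the configuration back to confirm what was actually stored.
Get-AzAutomationSoftwareUpdateConfiguration `
    -ResourceGroupName $rg -AutomationAccountName $account -Name $name
```

Updates that do not fit inside the window set with -Duration are reported as Not attempted in the deployment results, so size the window to the number of updates pending.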


You're returned to the status dashboard. Select Scheduled Update deployments to show the deployment schedule you created.

Note

Update Management supports deploying first party updates and pre-downloading patches. This requires changes on the systems being patched; see first party and pre-download support to learn how to configure these settings on your systems.

View results of an update deployment

After the scheduled deployment starts, you can see the status for that deployment on the Update deployments tab under Update management. The status is In progress when the deployment is currently running. When the deployment finishes, if it's successful, the status changes to Succeeded. When there are failures with one or more updates in the deployment, the status is Partially failed.

Select the completed update deployment to see the dashboard for that update deployment.


Under Update results, a summary provides the total number of updates and deployment results on the VM. The table on the right shows a detailed breakdown of each update and the installation results.

The following list shows the available values:

  • Not attempted: The update wasn't installed because there was insufficient time available based on the maintenance window duration defined.
  • Succeeded: The update succeeded.
  • Failed: The update failed.

Select All logs to see all log entries that the deployment created.

Select Output to see the job stream of the runbook responsible for managing the update deployment on the target VM.

Select Errors to see detailed information about any errors from the deployment.

When your update deployment is successful, an email that's similar to the following example is sent to show success of the deployment:


Next steps

In this tutorial, you learned how to:

  • Onboard a VM for Update Management
  • View an update assessment
  • Configure alerting
  • Schedule an update deployment
  • View the results of a deployment

Continue to the overview for the Update Management solution.