Update Management overview

You can use Update Management in Azure Automation to manage operating system updates for your Windows and Linux machines in Azure, in on-premises environments, and in other cloud environments. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers.

You can enable Update Management for VMs in the following ways:

  • From your Azure Automation account, for one or more Azure machines.
  • Manually, for non-Azure machines.
  • For a single Azure VM, from the Virtual machine page in the Azure portal. This scenario is available for Linux and Windows VMs.
  • For multiple Azure VMs, by selecting them from the Virtual machines page in the Azure portal.

Note

Update Management requires linking a Log Analytics workspace to your Automation account. For a definitive list of supported regions, see Azure Workspace mappings. The region mappings don't affect the ability to manage VMs in a separate region from your Automation account.

An Azure Resource Manager template is available to help you deploy Update Management to a new or existing Automation account and Log Analytics workspace in your subscription.

Note

You can't use a machine configured with Update Management to run custom scripts from Azure Automation. This machine can only run the Microsoft-signed update script.

About Update Management

Machines that are managed by Update Management use the following configurations to perform assessments and update deployments:

  • Log Analytics agent for Windows or Linux
  • PowerShell Desired State Configuration (DSC) for Linux
  • Automation Hybrid Runbook Worker
  • Microsoft Update or Windows Server Update Services (WSUS) for Windows machines

The following diagram illustrates how Update Management assesses and applies security updates to all connected Windows Server and Linux machines in a workspace:

Update Management workflow (diagram)

Update Management can be used to natively deploy machines in multiple subscriptions in the same tenant.

After a package is released, it takes 2 to 3 hours for the patch to show up for assessment on Linux machines. For Windows machines, it takes 12 to 15 hours after release for the patch to show up for assessment.

After a machine completes a scan for update compliance, the agent forwards the information in bulk to Azure Monitor logs. On a Windows machine, the compliance scan runs every 12 hours by default.

In addition to the scan schedule, a scan for update compliance is started within 15 minutes of the Log Analytics agent being restarted, before update installation, and after update installation.

For a Linux machine, the compliance scan is performed every hour by default. If the Log Analytics agent is restarted, a compliance scan is started within 15 minutes.

Update Management reports how up to date a machine is based on the source it's configured to sync with. If a Windows machine is configured to report to WSUS, the results might differ from what Microsoft Update shows, depending on when WSUS last synced with Microsoft Update. The behavior is the same for Linux machines that are configured to report to a local repo instead of a public repo.

Note

To properly report to the service, Update Management requires certain URLs and ports to be enabled. To learn more about these requirements, see Network configuration.

You can deploy and install software updates on machines that require them by creating a scheduled deployment. Updates classified as optional aren't included in the deployment scope for Windows machines; only required updates are.

The scheduled deployment defines which target machines receive the applicable updates. It does so either by explicitly specifying certain machines or by selecting a computer group that's based on log searches of a specific set of machines (or on an Azure query that dynamically selects Azure VMs based on specified criteria). These groups differ from scope configuration, which controls which machines receive the configuration that enables Update Management. Machines outside that scope can't perform and report update compliance or install approved required updates.

While defining a deployment, you also specify a schedule to approve and set a time period during which updates can be installed. This period is called the maintenance window. A 20-minute span of the maintenance window is reserved for reboots, assuming one is needed and you selected the appropriate reboot option. If patching takes longer than expected and less than 20 minutes remain in the maintenance window, a reboot won't occur.

Updates are installed by runbooks in Azure Automation. You can't view these runbooks, and they don't require any configuration. When an update deployment is created, it creates a schedule that starts a master update runbook at the specified time for the included machines. The master runbook starts a child runbook on each agent to install the required updates.

At the date and time specified in the update deployment, the target machines execute the deployment in parallel. Before installation, a scan is run to verify that the updates are still required. For WSUS client machines, if the updates aren't approved in WSUS, the update deployment fails.
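As an added example (not from the original page), the deployment described above created with the Az PowerShell module: a daily schedule, a maintenance window sized with the 20-minute reboot reservation in mind, and a classification filter. The resource group, Automation account name and VM resource ID are placeholders.

```powershell
# Added example, not from the original page. Requires Az.Automation and an
# authenticated Azure session. All names below are placeholders.
$rg      = "rg-updates-example"   # placeholder resource group
$account = "aa-updates-example"   # placeholder Automation account
$vmId    = "/subscriptions/<subscription-id>/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/vm-example"  # placeholder

# Schedule: first run in 30 minutes, then once a day. -ForUpdateConfiguration marks
# the schedule as one that a software update configuration may attach to.
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name "nightly-required-updates" -StartTime (Get-Date).AddMinutes(30) -DayInterval 1 `
    -ForUpdateConfiguration

# Maintenance window. The page states that 20 minutes of the window are reserved for
# the reboot, so size the window as expected install time + 20 minutes with margin;
# if less than 20 minutes remain when installation finishes, the reboot is skipped.
$window = New-TimeSpan -Hours 2

# Windows deployment limited to the Security, Critical and UpdateRollup classifications
# from the classification table on this page, rebooting only when an update asks for it.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows -AzureVMResourceId $vmId `
    -IncludedUpdateClassification Security, Critical, UpdateRollup `
    -Duration $window -RebootSetting IfRequired

# After a run, list per-machine runs that failed so a missed reboot or an
# unapproved WSUS update (both described above) doesn't go unnoticed.
Get-AzAutomationSoftwareUpdateMachineRun -ResourceGroupName $rg -AutomationAccountName $account `
    -Status Failed | Select-Object TargetComputer, StartTime, Status
```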

Having a machine registered for Update Management in more than one Log Analytics workspace (also referred to as multihoming) isn't supported.

Clients

Supported client types

The following table lists the supported operating systems for update assessments and patching. Patching requires a Hybrid Runbook Worker. For information on Hybrid Runbook Worker requirements, see Deploy a Windows Hybrid Runbook Worker and Deploy a Linux Hybrid Runbook Worker.

Note

Update assessment of Linux machines is only supported in certain regions, as listed in the Automation account and Log Analytics workspace mappings table.

Operating system | Notes
Windows Server 2019 (Datacenter/Datacenter Core/Standard) |
Windows Server 2016 (Datacenter/Datacenter Core/Standard) |
Windows Server 2012 R2 (Datacenter/Standard) |
Windows Server 2012 |
Windows Server 2008 R2 (RTM and SP1 Standard) | Update Management supports assessments and patching for this operating system. The Hybrid Runbook Worker is supported for Windows Server 2008 R2.
CentOS 6 (x86/x64) and 7 (x64) | Linux agents require access to an update repository. Classification-based patching requires yum to return security data that CentOS doesn't have in its RTM releases. For more information on classification-based patching on CentOS, see Update classifications on Linux.
Red Hat Enterprise 6 (x86/x64) and 7 (x64) | Linux agents require access to an update repository.
SUSE Linux Enterprise Server 11 (x86/x64) and 12 (x64) | Linux agents require access to an update repository.
Ubuntu 14.04 LTS, 16.04 LTS, and 18.04 (x86/x64) | Linux agents require access to an update repository.

Note

Azure virtual machine scale sets can be managed through Update Management. Update Management works on the instances themselves and not on the base image. You'll need to schedule the updates in an incremental way, so that not all the VM instances are updated at once. You can add nodes for virtual machine scale sets by following the steps under Add a non-Azure machine to Change Tracking and Inventory.

Unsupported client types

The following table lists unsupported operating systems:

Operating system | Notes
Windows client | Client operating systems (such as Windows 7 and Windows 10) aren't supported. For Azure Windows Virtual Desktop (WVD), the recommended method to manage updates is Microsoft Endpoint Configuration Manager for Windows 10 client machine patch management.
Windows Server 2016 Nano Server | Not supported.
Azure Kubernetes Service nodes | Not supported. Use the patching process described in Apply security and kernel updates to Linux nodes in Azure Kubernetes Service (AKS).

Client requirements

The following information describes operating system-specific client requirements. For additional guidance, see Network planning. To understand client requirements for TLS 1.2, see TLS 1.2 enforcement for Azure Automation.

Windows

Windows agents must be configured to communicate with a WSUS server, or they require access to Microsoft Update. For information about how to install the Log Analytics agent for Windows, see Connect Windows computers to Azure Monitor.

You can use Update Management with Microsoft Endpoint Configuration Manager. To learn more about integration scenarios, see Integrate Update Management with Windows Endpoint Configuration Manager. The Log Analytics agent for Windows is required for Windows servers managed by sites in your Configuration Manager environment.

By default, Windows VMs that are deployed from the Azure Marketplace are set to receive automatic updates from Windows Update Service. This behavior doesn't change when you add Windows VMs to your workspace. If you don't actively manage updates by using Update Management, the default behavior (to automatically apply updates) applies.

Note

You can modify Group Policy so that machine reboots can be performed only by the user, not by the system. Managed machines can get stuck if Update Management doesn't have rights to reboot the machine without manual interaction from the user. For more information, see Configure Group Policy settings for Automatic Updates.

Linux

For Linux, the machine requires access to an update repository, either private or public. TLS 1.1 or TLS 1.2 is required to interact with Update Management. Update Management doesn't support a Log Analytics agent for Linux that's configured to report to more than one Log Analytics workspace. The machine must also have Python 2.x installed.

Note

Update assessment of Linux machines is only supported in certain regions. See the Automation account and Log Analytics workspace mappings table.

For information about how to install the Log Analytics agent for Linux and to download the latest version, see Log Analytics agent for Linux.

VMs created from the on-demand Red Hat Enterprise Linux (RHEL) images that are available in the Azure Marketplace are registered to access the Red Hat Update Infrastructure (RHUI) that's deployed in Azure. Any other Linux distribution must be updated from the distribution's online file repository by using methods supported by the distribution.

Permissions

To create and manage update deployments, you need specific permissions. To learn about these permissions, see Role-based access – Update Management.

Update Management components

Update Management uses the resources described in this section. These resources are automatically added to your Automation account when you enable Update Management.

Hybrid Runbook Worker groups

After you enable Update Management, any Windows machine that's directly connected to your Log Analytics workspace is automatically configured as a Hybrid Runbook Worker to support the runbooks that implement Update Management.

Each Windows machine that's managed by Update Management is listed in the Hybrid worker groups pane as a System hybrid worker group for the Automation account. The groups use the Hostname FQDN_GUID naming convention. You can't target these groups with runbooks in your account; if you try, the attempt fails. These groups are intended to support only Update Management.

You can add the Windows machine to a Hybrid Runbook Worker group in your Automation account to support Automation runbooks if you use the same account for Update Management and the Hybrid Runbook Worker group membership. This functionality was added in version 7.2.12024.0 of the Hybrid Runbook Worker.

Management packs

If your Operations Manager management group is connected to a Log Analytics workspace, the following management packs are installed in Operations Manager. These management packs are also installed for Update Management on directly connected Windows machines. You don't need to configure or manage these management packs.

  • Microsoft System Center Advisor Update Assessment Intelligence Pack (Microsoft.IntelligencePacks.UpdateAssessment)
  • Microsoft.IntelligencePack.UpdateAssessment.Configuration (Microsoft.IntelligencePack.UpdateAssessment.Configuration)
  • Update Deployment MP

Note

If you have an Operations Manager 1807 or 2019 management group connected to a Log Analytics workspace, with agents configured in the management group to collect log data, you need to override the parameter IsAutoRegistrationEnabled and set it to True in the Microsoft.IntelligencePacks.AzureAutomation.HybridAgent.Init rule.

For more information about updates to management packs, see Connect Operations Manager to Azure Monitor logs.

Note

For Update Management to fully manage machines with the Log Analytics agent, you must update to the Log Analytics agent for Windows or the Log Analytics agent for Linux. To learn how to update the agent, see How to upgrade an Operations Manager agent. In environments that use Operations Manager, you must be running System Center Operations Manager 2012 R2 UR 14 or later.

Data collection

Supported sources

The following table describes the connected sources that Update Management supports:

Connected source | Supported | Description
Windows agents | Yes | Update Management collects information about system updates from Windows agents and then starts installation of required updates.
Linux agents | Yes | Update Management collects information about system updates from Linux agents and then starts installation of required updates on supported distributions.
Operations Manager management group | Yes | Update Management collects information about system updates from agents in a connected management group. A direct connection from the Operations Manager agent to Azure Monitor logs isn't required. Data is forwarded from the management group to the Log Analytics workspace.

Collection frequency

Update Management scans managed machines for data using the following rules. It can take between 30 minutes and 6 hours for the dashboard to display updated data from managed machines.

  • Each Windows machine - Update Management does a scan twice per day for each machine. Every 15 minutes, it queries the Windows API for the last update time to determine whether the status has changed. If the status has changed, Update Management starts a compliance scan.

  • Each Linux machine - Update Management does a scan every hour.

The average data usage by Azure Monitor logs for a machine using Update Management is approximately 25 MB per month. This value is only an approximation and is subject to change, depending on your environment. We recommend that you monitor your environment to keep track of your exact usage. For more information on analyzing data usage, see Manage usage and cost.

Network planning

The following addresses are required specifically for Update Management. Communication to these addresses occurs over port 443.

Azure Public | Azure Government
*.ods.opinsights.azure.com | *.ods.opinsights.azure.us
*.oms.opinsights.azure.com | *.oms.opinsights.azure.us
*.blob.core.windows.net | *.blob.core.usgovcloudapi.net
*.azure-automation.net | *.azure-automation.us

When you create network security group rules or configure Azure Firewall to allow traffic to the Automation service and the Log Analytics workspace, use the service tags GuestAndHybridManagement and AzureMonitor. This simplifies the ongoing management of your network security rules. To connect to the Automation service from your Azure VMs securely and privately, review Use Azure Private Link. To obtain the current service tag and range information to include as part of your on-premises firewall configurations, see downloadable JSON files.
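An added example, not from the original page: the two service tags named above applied as outbound NSG rules on port 443, followed by a reachability check a defender can run on a managed Windows machine against the address table. The NSG name, resource group, rule priorities, workspace ID and the blob/automation host names are placeholders.

```powershell
# Added example, not from the original page. Requires Az.Network and an
# authenticated Azure session. Names and priorities are placeholders.
$rg      = "rg-updates-example"   # placeholder resource group
$nsgName = "nsg-example"          # placeholder NSG
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# Outbound TCP 443 to the Automation service (GuestAndHybridManagement) and to
# Log Analytics / Azure Monitor (AzureMonitor). The tags resolve to Microsoft's
# current ranges, so the rules need no edits when the ranges change.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "allow-out-automation-443" -Priority 200 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange "*" `
        -DestinationAddressPrefix GuestAndHybridManagement -DestinationPortRange 443 |
    Add-AzNetworkSecurityRuleConfig -Name "allow-out-azuremonitor-443" -Priority 210 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange "*" `
        -DestinationAddressPrefix AzureMonitor -DestinationPortRange 443 |
    Set-AzNetworkSecurityGroup | Out-Null

# Reachability check, run on a managed Windows machine. Each wildcard in the
# Azure Public column needs a concrete host: the two opinsights entries are the
# workspace-specific hosts the Log Analytics agent contacts; the blob and
# azure-automation entries are placeholders to take from your agent or proxy logs.
$workspaceId = "<workspace-id>"   # placeholder: Log Analytics workspace ID
$requiredHosts = @(
    "$workspaceId.ods.opinsights.azure.com",
    "$workspaceId.oms.opinsights.azure.com",
    "<storage-account>.blob.core.windows.net",     # placeholder
    "<automation-endpoint>.azure-automation.net"   # placeholder
)
foreach ($h in $requiredHosts) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $state = if ($r -and $r.TcpTestSucceeded) { "reachable" } else { "BLOCKED" }
    "{0,-50} TCP 443: {1}" -f $h, $state
}
```

A host reported as BLOCKED is where the agent's compliance data or the update runbook will fail; check the NSG, Azure Firewall and any on-premises proxy for that name before looking at the agent itself.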

For Windows machines, you must also allow traffic to any endpoints required by Windows Update. You can find an updated list of required endpoints in Issues related to HTTP/Proxy. If you have a local Windows Update server, you must also allow traffic to the server specified in your WSUS key.

For Red Hat Linux machines, see IPs for the RHUI content delivery servers for required endpoints. For other Linux distributions, see your provider documentation.

For more information about ports required for the Hybrid Runbook Worker, see Update Management addresses for Hybrid Runbook Worker.

If your IT security policies do not allow machines on the network to connect to the internet, you can set up a Log Analytics gateway and then configure the machine to connect through the gateway to Azure Automation and Azure Monitor.

Update classifications

The following table defines the classifications that Update Management supports for Windows updates.

Classification | Description
Critical updates | An update for a specific problem that addresses a critical, non-security-related bug.
Security updates | An update for a product-specific, security-related issue.
Update rollups | A cumulative set of hotfixes that are packaged together for easy deployment.
Feature packs | New product features that are distributed outside a product release.
Service packs | A cumulative set of hotfixes that are applied to an application.
Definition updates | An update to virus or other definition files.
Tools | A utility or feature that helps complete one or more tasks.
Updates | An update to an application or file that is currently installed.

The next table defines the supported classifications for Linux updates.

Classification | Description
Critical and security updates | Updates for a specific problem or a product-specific, security-related issue.
Other updates | All other updates that aren't critical in nature or that aren't security updates.

Note

Update classification for Linux machines is only available when used in the supported Azure public cloud regions. When using Update Management in the following national cloud regions:

  • Azure US Government
  • 21Vianet in China

there is no classification of Linux updates, and they are reported under the Other updates category. Update Management uses data published by the supported distributions, specifically their released OVAL (Open Vulnerability and Assessment Language) files. Because internet access is restricted from these national clouds, Update Management cannot access and consume these files.

For Linux, Update Management can distinguish between critical updates and security updates in the cloud while displaying assessment data, due to data enrichment in the cloud. For patching, Update Management relies on classification data available on the machine. Unlike other distributions, CentOS does not have this information available in the RTM version. If you have CentOS machines configured to return security data for the following command, Update Management can patch based on classifications.

sudo yum -q --security check-update

There's currently no supported method to enable native classification-data availability on CentOS. At this time, only best-effort support is provided to customers who might have enabled this feature on their own.

To classify updates on Red Hat Enterprise version 6, you need to install the yum-security plugin. On Red Hat Enterprise Linux 7, the plugin is already a part of yum itself, and there's no need to install anything. For more information, see the following Red Hat knowledge article.

Integrate Update Management with Configuration Manager

Customers who have invested in Microsoft Endpoint Configuration Manager for managing PCs, servers, and mobile devices also rely on the strength and maturity of Configuration Manager to help manage software updates. To learn how to integrate Update Management with Configuration Manager, see Integrate Update Management with Windows Endpoint Configuration Manager.

Third-party updates on Windows

Update Management relies on the locally configured update repository, either WSUS or Windows Update, to update supported Windows systems. Tools such as System Center Updates Publisher allow you to import and publish custom updates with WSUS. This scenario allows Update Management to update machines that use Configuration Manager as their update repository with third-party software. To learn how to configure Updates Publisher, see Install Updates Publisher.

Enable Update Management

An Azure Resource Manager template is available to help you deploy Update Management to a new or existing Automation account and Azure Monitor Log Analytics workspace in your subscription. It does not configure the scope of machines that should be managed; that is performed as a separate step after using the template.

Here are the ways that you can enable Update Management and select machines to be managed:

Next steps