This set of runbooks demonstrates how you could install / manage Windows Updates on an Azure VM, as demonstrated in the Azure Automation announcement.
It is intended for demonstration purposes only and is not meant for production use.
This solution works by enumerating all VMs in your Azure subscription, and for each one:
- Check if the VM contains the
PSWindowsUpdate PowerShell Module, which lets you manage Windows Update from PowerShell
- If not: Download the zipped up module from the Azure Blob Store to the worker running the runbook, copy it from the worker to the Azure VM, and unzip the module into the PSPath on the Azure VM
- Get the list of available updates from Windows Update by calling a cmdlet of the PSWindowsUpdate module on the Azure VM (the runbook only shows listing the updates, but the module includes cmdlets for installing updates, etc,
In addition to what’s in this download, you will need a management cert with access to your Azure subscription. You will also need to place the PSWindowsUpdate.zip file as a blob in an Azure storage account in your Azure
In Azure Automation:
- Import all the .ps1 scripts as runbooks
- Import your Azure management cert as an Automation certificate asset
- Create an connection asset for Azure, with your Azure subscription id and the name of the Automation asset containing your management cert
- Create a PSCredential asset, containing a username and password with access to your Azure VMs.
Note: This credential must have access to all of your Azure VMs.
- Update Update-AzureVM so these variables are set correctly:
- $AzureConnectionName - the name of the connection asset to access your Azure subscription
- $CredentialAssetNameWithAccessToAllVMs - the name of the PSCredential asset with access to your VMs
- $WUModuleStorageAccountName - the Azure storage account containing the PSWindowsUpdate.zip blob
- $WUModuleContainerName - the Azure storage account container containing the PSWindowsUpdate.zip blob
- Publish the runbooks in the following order (child runbooks must be published before any runbook that calls them is published):