How does the update solution for OMS actually deploy patches? | Quisitive
Solutions
Integration & Consulting
Help you move, operate, innnovate and thrive within the Microsoft clouds.
Application Development
Data & Analytics
Artificial Intelligence (AI)
Business Applications
Security
Digital Workplace
Infrastructure
Product Development
Technology
Explore the full list of technologies that our expert consultants can support.
Azure
Microsoft Teams
Microsoft 365
Power Platform
Dynamics 365
Power BI
Microsoft Copilot
Power Apps
Azure OpenAI
Sharepoint
Microsoft Fabric
Microsoft Sentinel
Azure Synapse
Windows
SQL Server
ERP Technologies
System Center
Microsoft Viva
Azure Virtual Desktop
Business Needs
Departmental solutions to ensure cloud and technology enablement across every area of your business.
Sales & Marketing
Operations
Human Resources
Finance & Accounting
Customer Service
Localization Services
Help you translate software so you can capture new business worldwide.
Language Engineering & NLP
Translations & Localization
Licensing
Experts in Microsoft cloud licensing and optimizing costs for your business.
Products
EmPerform
Provide people managers with flexible employee performance management software.
PowerGov
Engage citizens with a community development app for city maintenance and management.
MazikCare
Embrace patient-centered, collaborative care with our suite of real-time health solutions.
Care Path
Care Provider Link
Care Supply
Payer Matrix
Data Fusion
AMS
Deliver on your cloud strategy with a team that continuously monitors, improves, and optimizes your Azure environment.
ShopFloor
Empower production managers with cutting-edge manufacturing process management.
Spyglass
Take a proactive, continuous approach to optimizing your security environment and strategy.
Velocity Insights
Monitor, analyze, and prioritize .NET, JavaScript or Node JS errors – all on one dashboard.
Managed Services
Azure Management Services
Deliver on your cloud strategy with a team that continuously monitors, improves, and optimizes your Azure environment.
Dynamics Program
Ensure the health of your Dynamics environments, optimize usage and encourage user adoption.
Data & AI Program
Operational support for running, monitoring and managing services for the Azure Data Platform.
App Dev Program
Ongoing enhancements, app security, DevOps and reporting for apps running in Azure.
Digital Workplace Program
Optimize Microsoft 365 security, usage and user adoption with our digital workplace experts.
Security Program
Take a proactive, continuous approach to optimizing your security environment and strategy.
Power Platform Program
Get an extension of your team that ensures the health of your Power Platform.
Quisitive Flex
Routine support services and environment management for critical Microsoft systems
AI Managed Services
Support for your AI technologies & ongoing strategic coaching to take your AI initiatives to the next level.
Industries
Manufacturing
Education
Public Sector
Financial Services
Healthcare
Energy
Retail
Software
Resources
Blogs
Case Studies
Library
Newsletters
Events
News
Learning Channels
About
Investors
Leadership
Microsoft
Our Approach
Our Partners
Our Story
Awards & Recognition
Careers
Support
Contact us
Solutions
Back
Solutions
Integration & Consulting
Application Development
Data & Analytics
Artificial Intelligence (AI)
Business Applications
Security
Digital Workplace
Infrastructure
Product Development
Technology
Azure OpenAI
Microsoft Copilot
Microsoft Fabric
Azure
Azure Synapse
Azure Virtual Desktop
System Center
SQL Server
Microsoft Sentinel
Microsoft 365
Sharepoint
Microsoft Teams
Microsoft Viva
Windows
Power Platform
Power BI
Power Apps
Dynamics 365
ERP Technologies
Business Needs
Sales & Marketing
Operations
Human Resources
Finance & Accounting
Customer Service
Localization Services
Language Engineering & NLP
Translations & Localization
Licensing
Products
Back
Products
EmPerform
MazikCare
Care Path
Care Provider Link
Care Supply
Payer Matrix
Data Fusion
ShopFloor
Velocity Insights
PowerGov
AMS
Spyglass
Managed Services
Back
Managed Services
AI Managed Services
Azure Management Services
Data & AI Program
Digital Workplace Program
Power Platform Program
Security Program
Dynamics Program
App Dev Program
Quisitive Flex
Industries
Back
Industries
Manufacturing
Healthcare
Education
Energy
Public Sector
Retail
Financial Services
Software
Resources
Back
Resources
Blogs
Events
Case Studies
News
Library
Learning Channels
Newsletters
Investors
Back
Investors
Financial Reports & Results
Investor News
Earning calls
Contact
Contact us
About
Back
About
Our Story
Investors
Microsoft
Leadership
Our Partners
Awards & Recognition
Our Approach
Careers
Support
Search
Back
Terms of use
Privacy policy
How does the update solution for OMS actually deploy patches?
November 23, 2016
Cameron Fuller
The Update solution in OMS really showcases the power of what you can do with Microsoft OMS. I look forward to seeing how this solution will evolve over time. If you are looking for a simple to use patch management solution which lets you schedule when you want your patches to run you should definitely check this out!

For a little while now Microsoft has had an Update management solution which provides one stop visualization for Windows and Linux patch status. They recently added a very exciting feature of this solution which actually performs the patch management on your systems! For details on this solution including what it visualizes and how as well as how to use this to deploy patches see the article at: https://azure.microsoft.com/en-us/documentation/articles/oms-solution-update-management/

This blog post will deconstruct how OMS is actually performing the patch of these systems based upon information which is available in OMS and the attached Azure subscription.

At Ignite it was mentioned that you now must have an Azure subscription attached to your OMS workspace. That now makes a lot more sense as solutions such as the Update solution require an Azure subscription to function (this blog will explain why).

What does the update solution look like?

The top level view for the update management solution shows the high level status of patching for all Windows and Linux systems that OMS is getting data from.

Drilling in provides more details on the patch status:

The scheduling part of the Update solution is available on the right column:

How does the update solution deploy patches?

The update solution works exactly as it did prior to the addition of the ability to push patches – until you schedule the deployment of a patch in your environment. When you schedule a patch for deployment, the following steps occur (see the figure below):

  1. The first step that occurs is to create an automation account in the subscription which is associated with the workspace.
  2. In that workspace two runbooks are created:
    1. Patch-MicrosoftOMSComputer
    2. Patch-MicrosoftOMSComputers
  3. Patch-MicrosoftOMSComputers configures EVERY computer in your OMS workspace as an Azure Hybrid Runbook Worker.
  4. Patch-MicrosoftOMSComputer is run once for each computer that you target your Updates to.
  5. When the patching is complete the systems report back their updated patch status after the Update solution re-gathers their update information.

Let’s dig into these in more detail:

Creates an automation account:

An automation account is created which will be used for patching from this point forward in this workspace.

Create the two runbooks:

Two runbooks are created which appear to configure the Azure Hybrid Runbook Worker and perform the patching. What is really interesting is that each of these are “hidden runbooks” so you cannot see their content or make any changes to them (@Microsoft – having this type of functionality would be extremely helpful for organizations who would like to write their own automations as a business).

You can’t even resume, stop, suspend or of course you cannot view the source.

Patch-MicrosoftOMSComputers:

The two runbooks run one after the other, starting with “Patch- MicrosoftOMSComputers”.

This runbook provides very little diagnostic information as shown below:

Based upon what I have seen in my environments it looks like this script is the one which configures all servers in OMS as Azure Hybrid Runbook Workers (@Microsoft – second hint, this either needs to be documented extremely well or should only target the systems which you are choosing to patch). You can determine which systems are Hybrid Worker Groups by opening the Automation Account and then opening the Hybrid Worker Groups.

Details on this show all of the systems which are now Hybrid Runbook Workers in this workspace.

Patch-MicrosoftOMSComputer:

The Patch-MicrosoftOMSComputer runbook runs next – once for each system which is scheduled to be patched. This runbook provides detailed logging showing its status while patching the system. A full set of the stream information from a single round of patching is shown below.

Runbook Jobs, Parameters and Modules:

The job information is available just like with any other jobs in in Azure Automation – so it’s easy to see what succeeds or fails.

Their status appears in real time on the jobs pane so you can tell when they are running or completed.

The input parameters are consistent between the two runbooks. The five parameters are:

  • WorkspaceID
  • Duration
  • ScheduleName
  • ComputerIDList
  • AdditionalOptions

Several Azure based modules are pre-loaded into the Azure Automation account as shown below.

Back to the Update solution:

After the patching is complete and the system has updated its patching the Update solution updates with the new patching information.

What do we see in OMS for logging?

The logging information for patching in OMS is very extensive. The example below shows how you can find updates based on their UpdateRunName, KBID, computer or title.

Additional details are available when you open up the table record as shown below.

What does the OS see?

From the Client/Server Operating System perspective patching occurs just like it does with any other tools (IE: items appear in the update history, the system reboots when required, etc).

Patch management status on the go!

Using OMS (even without patching via OMS) you can quickly see the state of your systems patching. The examples below show the patching status of systems from the Android version of the OMS mobile application.

Q&A:

Here’s a few items that I worked through while testing out this functionality:

  • Does the Update solution replace Configuration Manager? At this point in time the answer is no. Configuration Manager provides a much more robust method for deploying patches. It additionally contains functionality such as Operation System Deployment (OSD), hardware and software inventory and more. Each of these functions is not something which OMS performs.
  • Does this fit in with “Cattle vs. Pets”? If you are familiar with the Cattle vs. Pets analogy, the OMS patching appears to be focused on the large number of systems which do not require babysitting while patching (IE the Cattle).
  • Can I run the hidden runbook for patching? No
  • Can I run re-run previous runbook jobs? No
  • Can I add my own runbooks into this Automation Account? Yes
  • Can I use this Azure Automation account to run other automations? You can add and run your own runbooks in this Azure Automation account.
Related posts
|
Read more
CFSA Case Study Feature Image - dc.gov logo
Infrastructure | 7 Dec
Quisitive helps CFSA Launch Kinship Navigator Platform
Read more
Infrastructure | 12 Aug
Greene Tweed Develops and Deploys Smart Factory with Quisitive
Read more
Infrastructure | 7 Mar
Discover 5 Reasons to Migrate SQL Servers to Azure
Read more