1
Azure Solution Alignment Workshop
Module 8b – Maintenance
2/21/2018 8:12 AM
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
How to Present this Section
Your primary goals are to:
- Outline the Cloud Platform Integration Framework
- Outline how provisioning, monitoring, automation, management, BC/DR and operations are required elements for all cloud-enabled workloads
- Introduce Azure monitoring scenarios and technologies

DELETE THIS SLIDE BEFORE DELIVERY
3
Technical Background
4
Cloud Platform Integration Framework
Functional Areas
- Architecture
- Deployment (Provisioning and Deprovisioning)
- Business Continuity and Disaster Recovery
- Monitoring
- Maintenance
- Operations

These functions (or “pillars”) of CPIF will be explained in more detail. By integrating these functions directly into workloads, ‘platforms’ can be developed which allow for further configuration by tenants to enable extended software services.

- Builds on the capabilities provided by hybrid cloud platform and management solution (Microsoft Azure, System Center and Windows Server)
- CPIF seeks to extend the operational and management functions to support managed cloud workloads
5
Cloud Workload Maintenance
“Maintenance” covers both on-premises and public cloud requirements for patching and updating virtual machines and workloads.

Covers the following areas:
- Operating System Updates
- Application Updates
- Orchestration of updating workloads and services
6
Microsoft Azure Considerations
- IaaS VMs do need to be patched!
- IaaS VMs are not automatically updated but can be updated using traditional means (WU, WSUS, SCCM)
- The IaaS VM gallery includes base images with the current and previous month patch baselines
- PaaS VMs are not updated automatically but can be updated automatically by rolling re-deployment of a service’s roles

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
7
Maintenance Platforms and Technologies
- Windows Update/Microsoft Update
- Windows Server Update Services (WSUS)
- System Center Configuration Manager
- Custom Solutions (PowerShell, Azure Automation/SMA, etc.)
- 3rd party solutions
8
Models
9
Monthly MSRC Patch Review
Patch Management in Azure

Microsoft Azure:
- Applies regularly scheduled updates to the platform
- Releases critical patches immediately
- Rigorously reviews & tests all changes

Customers must:
- Apply similar patch management strategies for their Virtual Machines
- Build applications with an availability model

- Monthly MSRC Patch Review: Monitor 100,000+ vulnerability reports; sourced from customers & worldwide network of security researchers
- Patching Rollout: Prioritize critical updates; monthly OS releases with patches
- Scanning: Scanning & reporting of all Azure VMs; track & remediate any findings
- Audit Validation: Reconciliation report; resolution summary

Slide title: Patch management

Slide objectives: Describe how Microsoft Azure works with MSRC to identify when patch releases are required, and applies patches immediately or during a scheduled release to the Microsoft Azure environment based on the severity of the vulnerability.

Slide script: Security patches help protect systems from known vulnerabilities. Integrated deployment systems manage the distribution and installation of security updates for the Azure service. Customers can apply similar update management processes for virtual machines (VMs) deployed on Azure.

AZURE: Microsoft Azure works with MSRC to identify when patch releases are required, and applies patches immediately or during a scheduled release to the Microsoft Azure environment based on the severity. Microsoft Azure is notified by the Microsoft Security Response Center (MSRC) and Microsoft Online Security Services & Compliance (OSSC) teams upon identification of updates applicable to the Azure environment. This includes the notification of the latest patches released. Microsoft Azure works with MSRC and evaluates patch releases to determine applicability and impact to the Microsoft Azure environment and customers. The applicable security patches are released through the periodic OS release cycle in accordance with change and release management procedures.

Emergency out-of-band security patches (e.g., Software Security Incident Response Process (SSIRP) patches) are expedited for more immediate release. The patches are automatically applied to the customers’ Guest VMs unless the customer has configured the VM for manual upgrades. In this case, the customer is responsible for patching. Microsoft Azure follows a change process to modify the underlying OS within the platform. All changes are reviewed and tested, at a minimum, for their quality, performance, impact on other systems, recovery objectives and security features before they are moved into production using the Microsoft Azure Release process. Microsoft Azure has established test windows for reviewing and testing of new features, changes to existing features and patches.

CUSTOMERS: Customers apply patches to their Virtual Machines using System Center or whatever other processes they use on-premises.
10
Windows Update (WU)
11
Windows Update
- The Windows Update Agent runs on each client computer and checks for availability of updates.
- Updates can be downloaded from the Microsoft Update Web site, based on alerts provided by the Windows Update Agent.
- Updates can be configured to download and install automatically.
12
Windows Update and Azure VMs
- Each VM must be configured to download and/or install updates
- Administrators must configure manually or automatically which updates to apply
- Time consuming to manage with no centralized reporting or control
- Minimal cost as the Azure VMs are downloading updates from the Internet (no egress costs)
13
Windows Server Update Service (WSUS)
14
Windows Server Update Service
- A simple, zero-cost solution for distributing Microsoft Update content in a corporation
- A built-in Windows Server Role
- Solution only distributes Microsoft Updates
- Distributing 3rd party patches requires purchasing advanced management tools such as Configuration Manager
- Provides a foundation for Update Management across Microsoft products:
  - Consistent scan results
  - Unified client scan mechanism (WUA) irrespective of which server actually manages the updates
15
“Simple” architecture
- Single, well-connected site
- WSUS updates from Microsoft Update
- Clients update from WSUS
- Remote SQL configuration reduces server load
  - Front-end handles update sync load
  - Back-end handles reporting load
16
WSUS and Azure
- Many of the on-premises WSUS architectures can be deployed in Azure
- Hybrid scenarios of upstream and downstream servers can also include Azure deployed WSUS servers
- Egress data charges (don’t have Azure WSUS VM be the upstream server)
- Decide whether to download updates from the Internet or from an on-premises upstream server
- Decide whether WSUS and Azure VMs should be separate infrastructure from WSUS and on-premises VMs
17
System Center Configuration Manager
18
Configuration Manager 2012 Site Role Review
Configuration Manager 2012 hierarchy
- A CAS is needed for a hierarchy
- Flat hierarchy with only one level of Primary sites
- Client agent settings are managed through custom settings applied to Collections

[Diagram: Central Administration Site, two Primary Sites, two Secondary Sites, Distribution Point]
19
What is Software Update Management?
Managing the deployment of Microsoft Updates includes reporting on update compliance, deploying updates, and controlling and configuring the end-user impact.
20
Software Update Configuration
Windows Server Update Service (WSUS) integrates with the System Center Software Update Point. During the Software Update Point installation wizard we can configure:
- The integration with Windows Server Update Service (WSUS)
- Synchronization schedule
- Which updates we want to manage:
  - Classification levels of updates
  - Updates from specific Products
  - Language of updates

Configuring software updates: onfiguration_2d00_manager_2d00_2012.aspx
21
Software Update Workflow
[Diagram: Administrator Console, Microsoft Update, Primary Site, SUP (WSUS), Management Point]

Setup & Synch
1. Add SUP role and select products and classifications
2. Installs SUP role and configures WSUS through Admin SDK
3. Synch catalog of selected products and classifications
4. Catalog metadata synched into ConfigMgr database

Scan & Report
5. Client gets SUM policy and is assigned a SUP/WSUS server
6. Windows Update Agent scans against WSUS catalog
7. Scan results are written to WMI on the client
8. Compliance state messages sent to MP and DB
9. Admin sees compliance for all updates in console and in reports
10. Add 3rd party updates through SCUP Tool

Explain the software update workflow. Explanation about software Updates: To get the full explanation of these slide about software update management you can view the recording of this TechEd session:
22
Automatic Deployment Rules (ADR)
[Diagram: Administrator Console, Microsoft Update, Primary Site, Management Point, SUP (WSUS), Distribution Point, Client]

Hierarchy
1. ADR or Admin deploys applicable updates
2. Binaries are downloaded from Microsoft Update
3. Updates are placed in deployment package and sent to Distribution Point

Client
4. Client gets deployment policy
5. Client gets update binaries from distribution point and caches them locally
6. Updates are installed on a schedule or by the end user
7. Enforcement state messages sent to MP and DB
8. Admin views deployment status in-console or from reports

Explain the Automatic Deployment rules: Good description about the different steps needed for configuring the Automatic Deployment Rules: rules.aspx To get the full explanation of these slide about software update management you can view the recording of this TechEd session:
23
Supported Configuration Manager Features in Azure
24
Azure Virtual Machine Management
Use an existing on-premises SCCM to manage Azure Windows or Linux VMs that are running through a Site-to-Site VPN

For Windows Server:
- Application Management
- Compliance Settings
- Endpoint Protection
- Inventory – Software, Hardware, and Asset Intelligence
- Network Access Protection
- Software Updates Deployment
- Software Metering
- Remote Control
- Reporting

For Linux:
- Software Distribution
- Endpoint Protection
- Inventory – Hardware, Software
- Reporting
25
Azure Virtual Machine Management
A new single stand-alone Primary site in an Azure VM to manage Azure Windows or Linux VMs that are running in the same virtual network.

For Windows Server:
- Application Management
- Compliance Settings
- Endpoint Protection
- Inventory – Software, Hardware, and Asset Intelligence
- Software Updates Deployment
- Software Metering
- Remote Control
- Reporting

For Linux:
- Software Distribution
- Endpoint Protection
- Inventory – Hardware, Software
- Reporting
26
SCCM and Azure

System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection support for Microsoft Azure Virtual Machines

System Center 2012 Configuration Manager Service Pack 1 (SP1) or later versions and System Center 2012 Endpoint Protection SP1 or later versions support two specific scenarios to manage server software in the Microsoft Azure Virtual Machine environment. The following table lists the scenarios and supported Configuration Manager features in each scenario.

Supported scenario: Use an existing on-premises Configuration Manager infrastructure to manage Microsoft Azure Virtual Machines that are running Windows Server or Linux through a secure site-to-Site connection(
Supported Configuration Manager features:
- For Windows Server: Application Management; Compliance Settings; Endpoint Protection; Inventory – Software, Hardware, and Asset Intelligence; Network Access Protection; Software Updates Deployment; Software Metering; Remote Control; Reporting
- For Linux: Software Distribution; Inventory – Hardware, Software

Supported scenario: Set up a single stand-alone Primary site in the Microsoft Azure Virtual Machines environment to manage Microsoft Azure Virtual Machines that are running Windows Server or Linux in the same virtual network.
Note: The all-in-one, stand-alone Primary site is a single Microsoft Azure Virtual Machine that runs all required site system roles and Microsoft SQL Server locally without using any remote site systems or roles.
Supported Configuration Manager features:
- For Linux: Software Distribution
27
Custom Solutions
28
Considerations
- None of the existing solutions (WU, WSUS, SCCM) are effective for patching services and multi-VM applications (as one object)
- The existing solutions are based on patching individual virtual machines or groups of similar virtual machines
- Without customization, there is no notion of application tiers (app models) or infrastructure constructs (Azure fault and update domains, regions, etc.)
- The PaaS model (stateless application tiers) eases maintenance significantly
- The Azure Resource Group model is an enabling factor for updating and maintenance
- In many cases there will likely be a bifurcation of updating strategies: individual VMs using one strategy (ex. WSUS) and another for multi-VM applications or services (custom)
- The model previously discussed can be applied to updating (next slide)
29
Automating Azure Deployment and Operations
Level 1
- Purpose: Application/Service “superstructure” deploy & manage
- Use: Azure Resource Manager
- Consumes: JSON File (gallery template)
- Competition: AWS Cloud Formation, OVF, Vagrant

Level 2
- Purpose: Repetitive Activities/Activities not supported by Resource Manager
- Use: Azure Automation
- Consumes: PowerShell Runbook
- Competition: Scripts, AWS Simple Workflow, Vagrant, Chef/Puppet

Level 3
- Purpose: Configuration Items and Settings in VMs, Compliance
- Use: PowerShell DSC
- Consumes: MOF File
- Competition: Scripts, Chef, Puppet
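The Considerations slide notes that WU, WSUS and SCCM have no notion of application tiers or Azure update domains. The PowerShell below is an added example, not part of the workshop deck: it plans patch waves for a multi-VM application one update domain at a time per tier and halts when a wave fails its health check. The function names, the inventory and the `PatchAction`/`HealthCheck` callbacks are hypothetical.

```powershell
# Added example. The VM inventory is constructed sample data (an assumption).
$inventory = @'
Name,Tier,UpdateDomain
web-0,web,0
web-1,web,1
web-2,web,0
sql-0,data,0
sql-1,data,1
'@ | ConvertFrom-Csv

function Get-PatchWavePlan {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,  # Name, Tier, UpdateDomain
        [Parameter(Mandatory)] [string[]] $TierOrder   # tiers in patching order
    )
    $unknown = @($Inventory | Where-Object { $_.Tier -notin $TierOrder })
    if ($unknown.Count) { throw "Tier missing from TierOrder: $($unknown.Name -join ', ')" }
    $wave = 0
    foreach ($tier in $TierOrder) {
        $tierVms = @($Inventory | Where-Object { $_.Tier -eq $tier })
        $domains = @($tierVms | Group-Object UpdateDomain | Sort-Object { [int]$_.Name })
        if ($domains.Count -eq 1) {
            Write-Warning "Tier '$tier' sits in one update domain; patching takes it fully offline."
        }
        foreach ($d in $domains) {   # one wave = one update domain of one tier
            $wave++
            [pscustomobject]@{
                Wave          = $wave
                Tier          = $tier
                UpdateDomain  = [int]$d.Name
                VMs           = @($d.Group | ForEach-Object Name | Sort-Object)
                TierOnlinePct = [math]::Round(100 * ($tierVms.Count - $d.Count) / $tierVms.Count)
            }
        }
    }
}

function Invoke-PatchPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Plan,
        [Parameter(Mandatory)] [scriptblock] $PatchAction,  # hypothetical: patch one VM by name
        [Parameter(Mandatory)] [scriptblock] $HealthCheck   # hypothetical: $true once the VM is healthy
    )
    foreach ($w in ($Plan | Sort-Object Wave)) {
        foreach ($vm in $w.VMs) { & $PatchAction $vm }
        $failed = @($w.VMs | Where-Object { -not (& $HealthCheck $_) })
        if ($failed.Count) {   # stop before touching the next update domain
            throw "Wave $($w.Wave) ($($w.Tier), UD $($w.UpdateDomain)) unhealthy: $($failed -join ', ')"
        }
    }
}
$plan = Get-PatchWavePlan -Inventory $inventory -TierOrder 'data', 'web'
$plan | Format-Table Wave, Tier, UpdateDomain, VMs, TierOnlinePct
Invoke-PatchPlan -Plan $plan -PatchAction { param($n) Write-Host "patching $n" } -HealthCheck { param($n) $true }
```

In a runbook, `PatchAction` would trigger whichever mechanism already patches individual VMs (WU, WSUS or SCCM), so the custom layer only adds the tier and update-domain ordering.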
30
Decisions
31
Decision Points for Maintenance Strategy
Existing Toolsets
- Are there existing investments in maintenance systems (SCCM, third parties, maintenance scripting)?
- Is there a reason to continue to use these toolsets to maintain the Azure environment?

Degree of Connectivity from On-Premises to Azure
- Is the Azure environment operating as “standalone” or is there connectivity (ExpressRoute, VPN) to the on-premises infrastructure?
32