Tag: Linux

Azure Automatic VM Guest OS Patching

How to configure Azure Automatic VM guest OS patching

If you want to keep your Azure virtual machines (VMs) up-to-date, then there is a service called Azure Update Management, which helps you to manage updates on your Azure VM guest operating system. However, this needed some additional planning and configuration. To make patching of your Azure virtual machines (VMs) easier, there is a new option called Automatic VM guest patching, which helps ease update management by safely and automatically patching virtual machines to maintain security compliance.

Automatic VM guest patching is now available in public preview for Windows virtual machines on Azure.

With Azure automatic VM guest patching enabled, the VM is assessed periodically to check for available operating system patches for that Azure VM. Updates classified as ‘Critical’ or ‘Security’ are automatically downloaded and installed on the VM during off-peak hours. This patch orchestration is managed and handled by Azure and patches are applied following availability-first principles.

In a nutshell, Azure automatic VM guest patching has the following capabilities:

  • Patches classified as Critical or Security are automatically downloaded and applied on the VM.
  • Patches are applied during off-peak hours in the VM’s time zone.
  • Patch orchestration is managed by Azure and patches are applied following availability-first principles.
  • Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.
  • Works for all VM sizes.

Patches are installed within 30 days of the monthly Windows Update release, following availability-first orchestration described below. Patches are installed only during off-peak hours for the VM, depending on the time zone of the VM. The VM must be running during the off-peak hours for patches to be automatically installed. If a VM is powered off during a periodic assessment, the VM will be automatically assessed and applicable patches will be installed automatically during the next periodic assessment when the VM is powered on.

You can find more information on Azure automatic VM guest patching on Microsoft Docs.

How to enable Azure Automatic VM guest OS patching

To enable Azure automatic VM guest OS (operating system) patching, we currently have a couple of requirements.

  • Currently, only Windows VMs are supported (Preview). Currently, Windows Server 2012 R2, 2016, 2019 Datacenter SKUs are supported. (and more are added periodically).
  • Only VMs created from certain OS platform images are currently supported in the preview. Which means custom images are currently not supported in the preview.
  • The virtual machine must have the Azure VM Agent installed.
  • The Windows Update service must be running on the virtual machine.
  • The virtual machine must be able to access Windows Update endpoints. If your virtual machine is configured to use Windows Server Update Services (WSUS), the relevant WSUS server endpoints must be accessible.
  • Use Compute API version 2020-06-01 or higher.

These requirements might change in the future during the preview phase (for the current requirements check out Microsoft Docs).

During the preview, this feature requires a one-time opt-in for the feature InGuestAutoPatchVMPreview per subscription. You can run the following Azure PowerShell or Azure CLI command.

Azure PowerShell:

# Register AzProvider
Register-AzProviderFeature -FeatureName InGuestAutoPatchVMPreview -ProviderNamespace Microsoft.Compute
 
# Check the registration status
Get-AzProviderFeature -FeatureName InGuestAutoPatchVMPreview -ProviderNamespace Microsoft.Compute
 
# Once the feature is registered for your subscription, complete the opt-in process by changing the Compute resource provider.
Register-AzResourceProvider -ProviderNamespace Microsoft.Compute

Now you can enable automatic VM guest patching for your Azure virtual machines within that subscription. To do that you can currently use the REST API, Azure PowerShell, or the Azure CLI.

With Azure CLI, you can use the az vm get-instance-view .

az vm update --resource-group test-autopatch-rg--name azwinvm01 --set osProfile.windowsConfiguration.enableAutomaticUpdates=true osProfile.windowsConfiguration.patchSettings.patchMode=AutomaticByPlatform

You can see that there are two important parameters for this cmdlet. First the -enableAutoUpdate and secondly the -PatchMode. There are currently three different patch orchestration modes you can configure.

AutomaticByPlatform

  • This mode enables automatic VM guest patching for the Windows virtual machine and subsequent patch installation is orchestrated by Azure.
  • Setting this mode also disables the native Automatic Updates on the Windows virtual machine to avoid duplication.
  • This mode is only supported for VMs that are created using the supported OS platform images above.

AutomaticByOS

  • This mode enables Automatic Updates on the Windows virtual machine, and patches are installed on the VM through Automatic Updates.
  • This mode is set by default if no other patch mode is specified.

Manual

  • This mode disables Automatic Updates on the Windows virtual machine.
  • This mode should be set when using custom patching solutions.

If you need more control, I recommend that you have a look at Azure Update Management, which is already publicly available and also supports Windows and Linux servers running in Azure or on-premises.

To verify whether automatic VM guest patching has completed and the patching extension is installed on the VM, you can review the VM’s instance view.

az vm get-instance-view --resource-group test-autopatch-rg --name azwinvm01

This will show you the following result:

Azure Automatic VM Guest OS Patching Status

Azure Automatic VM Guest OS Patching Status

You can also create the patch assessment on-demand.

Invoke-AzVmPatchAssessment -ResourceGroupName "myResourceGroup" -VMName "myVM"

I hope this provides you with an overview of the new Azure automatic VM guest patching feature. If you want to have some advanced capabilities to manage updates for your Azure VMs and even your servers running on-premises, check out Azure Update Management. This will provide you with some advanced settings and your own maintenance schedules. If you have any questions, feel free to leave a comment.



Add Custom Script Extension Azure Arc Server

Extensions for Azure Arc enabled Servers

With the latest update for Azure Arc for Servers, you are now able to deploy and use extensions with your Azure Arc enabled servers. Currently, you have six different Azure Arc extensions you can deploy to your servers.

  • Custom Script Extension for Linux – Azure Arc
  • DSCForLinux extension on a Ubuntu
  • OMS Agent for Linux – Azure Arc
  • Custom Script Extension for Windows – Azure Arc
  • PowerShell Desired State Configuration – Azure Arc
  • Microsoft Monitoring Agent – Azure Arc

These extensions are similar and consistent with the virtual machine extensions for Azure VMs. These are small applications that provide post-deployment configuration and automation tasks on Azure Arc enabled servers. For example, if a server requires software installation, anti-virus protection, or to run a script inside of it, an Azure Arc extension can be used. Extensions can be run with the Azure CLI, PowerShell, and the Azure portal.

Introducing Azure Arc
For customers who want to simplify complex and distributed environments across on-premises, edge and multicloud, Azure Arc enables deployment of Azure services anywhere and extends Azure management to any infrastructure.
Learn more about Azure Arc here.

You can find more information about Virtual machine extension management with Azure Arc for servers on Microsoft Docs.



Azure Arc Enabled Servers Extension Management

Azure Arc Enabled Servers Extension Management

Azure Arc for Server just got a couple of new features. In this blog post, we are going to have a look at the new feature on Azure Arc enabled servers called extension management. This new Azure Arc enabled servers features allows you not only to deploy extensions like the Custom Script Extension, or the Microsoft Monitoring Agent but also enable features like Azure Update Management, Inventory, Change Tracking, and more for your servers running in a hybrid environment.

Introducing Azure Arc
For customers who want to simplify complex and distributed environments across on-premises, edge and multicloud, Azure Arc enables deployment of Azure services anywhere and extends Azure management to any infrastructure.
Learn more about Azure Arc here.

Azure Arc enabled servers already could benefit from several Azure Resource Manager features like Tags, Policies, RBAC, and some Azure Management features like logs and Azure Policy. With the new update, you can start using more extensions.  With these extensions available, Azure Arc enabled servers also get features like Azure Update Management, Inventory, Change Tracking, and insights capabilities.

Azure Arc Azure Management Control Plane

Azure Arc Azure Management Control Plane

Azure Arc Enabled Servers Extension Management Video

You can also watch my summary video on YouTube.



Speaking at the Microsoft European Open Source Virtual Summit

Speaking at the Microsoft European Open Source Virtual Summit

I am honored to let you know that I will be speaking at the Microsoft European Open Source Virtual Summit 2020 on June 16th. Microsoft European Virtual Open Source Summit by the Microsoft Open Source team is a unique digital event, designed to celebrate communities, entrepreneurs, and developers coming together to build the future of open source technologies in the cloud.

The day will divide into four parallel tracks designed to provide the best learning experience for IT Pros, Developers, and Data Scientists. Each track will be packed with expert guest speakers who’ll be deep-diving into a wide variety of topics, from chaos engineering and serverless architecture to multi-cloud app development.

  • 2 Keynotes from GitHub and Red Hat
  • 4 Tracks with 7 sessions (check the agenda)
  • Ask the Experts Live Q&A
  • 30 Sessions from the most engaging Open Source speakers
  • Digital Expo Area with Digital booths of our partners

I will be presenting two sessions:

  • Hybrid Management capabilities for open source solutions like Azure Arc.
    11:30 – 12:15 CEST
    Register here
  • Making Windows Awesome for ALL Developers with Scott Hanselman
    13:00 – 13:45 CEST
    Register here.

More tracks and sessions:

  • Keynote Session 1: Open Source Built the Modern World by Nat Friedman, CEO, GitHub
  • Keynote Session 2: Business Benefits of Open Source Collaboration Between Red Hat and Microsoft by Stefanie Chiras, SVP & General Manager, Red Hat Enterprise Linux Business Unit
  • Track 1: Infra & Ops – Infra related topics around Linux, Hybrid Management, Chaos Engineering, and more.
  • Track 2: Innovation – Cloud-native track with diverse line-up of speakers and subjects.
  • Track 3: Data & AI – Learn all there is to know about Open Source and Data. Strong line-up also from partners.
  • Track 4: Developers – 7 amazing sessions ensuring the developer audience get what they want!

I hope to see you at the Microsoft European Open Source Virtual Summit! If you have any questions feel free to leave a comment.



How to SSH into an Azure VM from Windows Terminal Menu

How to SSH into an Azure VM from Windows Terminal Menu

A couple of days ago, I released a blog post on how you can add a PowerShell remote session in the Windows Terminal menu. In my example, I created a menu item in Windows Terminal to use PowerShell remoting to connect to an Azure virtual machine (VM). In the meantime, I got a lot of questions on how you can add an SSH connection to an Azure VM in the Windows Terminal. That is why I am going to share here, how you can add an SSH connection to an Azure VM in the Windows Terminal menu.

Scott Hanselman wrote a great blog post on how you can add tabs to open an SSH connection, so I highly recommend that you read his blog for all the details.



Speaking at Deploy by ShareGate Online Event

Speaking at Deploy by ShareGate Online Event

I am happy to let you know that I will be speaking online at Deploy by ShareGate. Deploy is an expert-led online event focused on Microsoft Azure Governance. On May 7th, at Deploy, I’ll be talking about Manage and govern your hybrid servers using Azure Arc, to help you stay on top of your Azure hybrid environment. This full-day virtual event, led by me and seven other Azure experts, is all about helping you implement Azure governance best practices.

Manage and govern your hybrid servers using Azure Arc

Thomas Maurer shows you how you can manage and govern your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud provider, similarly to how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Azure Arc provides you with the familiar cloud-native Azure management experience, like RBAC, Tags, Azure Policy, Log Analytics and more.

If you’re interested in learning how to implement Azure governance best practices, join me (virtually) at Deploy by ShareGate on May 7! Save your free seat now and join me (virtually) at Deploy. I hope to see you there!



PowerShell Remoting over SSH in PowerShell 7

Enable PowerShell SSH Remoting in PowerShell 7

In this blog post, we will have a look at how you can enable and set up PowerShell SSH Remoting or PowerShell Remoting over SSh with PowerShell 7. With PowerShell Core 6, Microsoft introduced PowerShell 7 Remoting over SSH, which allows true multiplatform PowerShell remoting between Linux, macOS, and Windows. PowerShell SSH Remoting creates a PowerShell host process on the target machine as an SSH subsystem. Normally, Windows PowerShell remoting uses WinRM for connection negotiation and data transport. However, WinRM is only available on Windows-based machines.

There are also some downsides to it. SSH-based remoting doesn’t currently support remote endpoint configuration and JEA (Just Enough Administration). It is also important to understand that this is not just another PowerShell SSH client.

Use SSH Transport with PowerShell Remoting

To use PowerShell 7 remoting with SSH on Windows, Linux, and macOS machines, you can use the same cmdlets you are already familiar from Windows PowerShell remoting with WinRM.

  • New-PSSession
  • Enter-PSSession
  • Invoke-Command

There are three new parameters for these cmdlets if you are using PowerShell SSH remoting.

  • -HostName (Instead of -Computername, you define the SSH target)
  • -UserName (Instead of -Credentials you use the -UserName parameter)
  • -KeyFilePath (If you are using SSH key authentication you can use the -KeyFilePath parameter to point to the key file)
New-PSSession -HostName tomsssh.server.com -UserName thomas