If you want to keep your Azure virtual machines (VMs) up-to-date, then there is a service called Azure Update Management, which helps you to manage updates on your Azure VM guest operating system. However, this needed some additional planning and configuration. To make patching of your Azure virtual machines (VMs) easier, there is a new option called Automatic VM guest patching, which helps ease update management by safely and automatically patching virtual machines to maintain security compliance.
Automatic VM guest patching is now available in public preview for Windows virtual machines on Azure.
With Azure automatic VM guest patching enabled, the VM is assessed periodically to check for available operating system patches for that Azure VM. Updates classified as ‘Critical’ or ‘Security’ are automatically downloaded and installed on the VM during off-peak hours. This patch orchestration is managed and handled by Azure and patches are applied following availability-first principles.
In a nutshell, Azure automatic VM guest patching has the following capabilities:
- Patches classified as Critical or Security are automatically downloaded and applied on the VM.
- Patches are applied during off-peak hours in the VM’s time zone.
- Patch orchestration is managed by Azure and patches are applied following availability-first principles.
- Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.
- Works for all VM sizes.
Patches are installed within 30 days of the monthly Windows Update release, following availability-first orchestration described below. Patches are installed only during off-peak hours for the VM, depending on the time zone of the VM. The VM must be running during the off-peak hours for patches to be automatically installed. If a VM is powered off during a periodic assessment, the VM will be automatically assessed and applicable patches will be installed automatically during the next periodic assessment when the VM is powered on.
You can find more information on Azure automatic VM guest patching on Microsoft Docs.
How to enable Azure Automatic VM guest OS patching
To enable Azure automatic VM guest OS (operating system) patching, we currently have a couple of requirements.
- Currently, only Windows VMs are supported (Preview). Currently, Windows Server 2012 R2, 2016, 2019 Datacenter SKUs are supported. (and more are added periodically).
- Only VMs created from certain OS platform images are currently supported in the preview. Which means custom images are currently not supported in the preview.
- The virtual machine must have the Azure VM Agent installed.
- The Windows Update service must be running on the virtual machine.
- The virtual machine must be able to access Windows Update endpoints. If your virtual machine is configured to use Windows Server Update Services (WSUS), the relevant WSUS server endpoints must be accessible.
- Use Compute API version 2020-06-01 or higher.
These requirements might change in the future during the preview phase (for the current requirements check out Microsoft Docs).
# Register AzProvider Register-AzProviderFeature -FeatureName InGuestAutoPatchVMPreview -ProviderNamespace Microsoft.Compute # Check the registration status Get-AzProviderFeature -FeatureName InGuestAutoPatchVMPreview -ProviderNamespace Microsoft.Compute # Once the feature is registered for your subscription, complete the opt-in process by changing the Compute resource provider. Register-AzResourceProvider -ProviderNamespace Microsoft.Compute
Now you can enable automatic VM guest patching for your Azure virtual machines within that subscription. To do that you can currently use the REST API, Azure PowerShell, or the Azure CLI.
With Azure CLI, you can use the az vm get-instance-view .
az vm update --resource-group test-autopatch-rg--name azwinvm01 --set osProfile.windowsConfiguration.enableAutomaticUpdates=true osProfile.windowsConfiguration.patchSettings.patchMode=AutomaticByPlatform
You can see that there are two important parameters for this cmdlet. First the
-enableAutoUpdate and secondly the
-PatchMode. There are currently three different patch orchestration modes you can configure.
- This mode enables automatic VM guest patching for the Windows virtual machine and subsequent patch installation is orchestrated by Azure.
- Setting this mode also disables the native Automatic Updates on the Windows virtual machine to avoid duplication.
- This mode is only supported for VMs that are created using the supported OS platform images above.
- This mode enables Automatic Updates on the Windows virtual machine, and patches are installed on the VM through Automatic Updates.
- This mode is set by default if no other patch mode is specified.
- This mode disables Automatic Updates on the Windows virtual machine.
- This mode should be set when using custom patching solutions.
If you need more control, I recommend that you have a look at Azure Update Management, which is already publicly available and also supports Windows and Linux servers running in Azure or on-premises.
To verify whether automatic VM guest patching has completed and the patching extension is installed on the VM, you can review the VM’s instance view.
az vm get-instance-view --resource-group test-autopatch-rg --name azwinvm01
This will show you the following result:
You can also create the patch assessment on-demand.
Invoke-AzVmPatchAssessment -ResourceGroupName "myResourceGroup" -VMName "myVM"
I hope this provides you with an overview of the new Azure automatic VM guest patching feature. If you want to have some advanced capabilities to manage updates for your Azure VMs and even your servers running on-premises, check out Azure Update Management. This will provide you with some advanced settings and your own maintenance schedules. If you have any questions, feel free to leave a comment.