Azure Automatic VM Guest OS Patching

How to configure Azure Automatic VM guest OS patching

If you want to keep your Azure virtual machines (VMs) up-to-date, then there is a service called Azure Update Management, which helps you to manage updates on your Azure VM guest operating system. However, this needed some additional planning and configuration. To make patching of your Azure virtual machines (VMs) easier, there is a new option called Automatic VM guest patching, which helps ease update management by safely and automatically patching virtual machines to maintain security compliance.

Automatic VM guest patching is now available in public preview for Windows virtual machines on Azure.

With Azure automatic VM guest patching enabled, the VM is assessed periodically to check for available operating system patches for that Azure VM. Updates classified as ‘Critical’ or ‘Security’ are automatically downloaded and installed on the VM during off-peak hours. This patch orchestration is managed and handled by Azure and patches are applied following availability-first principles.

In a nutshell, Azure automatic VM guest patching has the following capabilities:

  • Patches classified as Critical or Security are automatically downloaded and applied on the VM.
  • Patches are applied during off-peak hours in the VM’s time zone.
  • Patch orchestration is managed by Azure and patches are applied following availability-first principles.
  • Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.
  • Works for all VM sizes.

Patches are installed within 30 days of the monthly Windows Update release, following availability-first orchestration described below. Patches are installed only during off-peak hours for the VM, depending on the time zone of the VM. The VM must be running during the off-peak hours for patches to be automatically installed. If a VM is powered off during a periodic assessment, the VM will be automatically assessed and applicable patches will be installed automatically during the next periodic assessment when the VM is powered on.

You can find more information on Azure automatic VM guest patching on Microsoft Docs.

How to enable Azure Automatic VM guest OS patching

To enable Azure automatic VM guest OS (operating system) patching, we currently have a couple of requirements.

  • Currently, only Windows VMs are supported (Preview). Windows Server 2012 R2, 2016, and 2019 Datacenter SKUs are supported, and more are added periodically.
  • Only VMs created from certain OS platform images are currently supported in the preview, which means custom images are currently not supported.
  • The virtual machine must have the Azure VM Agent installed.
  • The Windows Update service must be running on the virtual machine.
  • The virtual machine must be able to access Windows Update endpoints. If your virtual machine is configured to use Windows Server Update Services (WSUS), the relevant WSUS server endpoints must be accessible.
  • Use Compute API version 2020-06-01 or higher.

These requirements might change in the future during the preview phase (for the current requirements check out Microsoft Docs).

During the preview, this feature requires a one-time opt-in for the feature InGuestAutoPatchVMPreview per subscription. You can run the following Azure PowerShell or Azure CLI command.

Azure PowerShell:

# Register AzProvider
Register-AzProviderFeature -FeatureName InGuestAutoPatchVMPreview -ProviderNamespace Microsoft.Compute
# Check the registration status
Get-AzProviderFeature -FeatureName InGuestAutoPatchVMPreview -ProviderNamespace Microsoft.Compute
# Once the feature is registered for your subscription, complete the opt-in process by propagating the change into the Compute resource provider.
Register-AzResourceProvider -ProviderNamespace Microsoft.Compute

Now you can enable automatic VM guest patching for your Azure virtual machines within that subscription. To do that you can currently use the REST API, Azure PowerShell, or the Azure CLI.

With Azure CLI, you can use the az vm update command:

az vm update --resource-group test-autopatch-rg --name azwinvm01 --set osProfile.windowsConfiguration.enableAutomaticUpdates=true osProfile.windowsConfiguration.patchSettings.patchMode=AutomaticByPlatform

You can see that there are two important parameters for this cmdlet. First the -enableAutoUpdate and secondly the -PatchMode. There are currently three different patch orchestration modes you can configure.


AutomaticByPlatform

  • This mode enables automatic VM guest patching for the Windows virtual machine and subsequent patch installation is orchestrated by Azure.
  • Setting this mode also disables the native Automatic Updates on the Windows virtual machine to avoid duplication.
  • This mode is only supported for VMs that are created using the supported OS platform images above.

AutomaticByOS

  • This mode enables Automatic Updates on the Windows virtual machine, and patches are installed on the VM through Automatic Updates.
  • This mode is set by default if no other patch mode is specified.

Manual

  • This mode disables Automatic Updates on the Windows virtual machine.
  • This mode should be set when using custom patching solutions.
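
To see which of the three patch modes each VM actually ends up in, the following added example (not part of the original post) classifies VM objects by their configured mode. Get-VMPatchModeFinding and New-SampleVM are hypothetical helpers, the sample VMs are constructed, and AutomaticByOS and Manual are the API values of the second and third modes described above.

```powershell
# Added example (not from the original post). Get-VMPatchModeFinding is a
# hypothetical helper; it expects objects shaped like Get-AzVM output.
function Get-VMPatchModeFinding {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object]$VM)
    process {
        $win = $VM.OSProfile.WindowsConfiguration
        if ($null -eq $win) {
            $mode = 'n/a'
            $finding = 'Skipped: no Windows configuration (preview covers Windows VMs only)'
        }
        else {
            # No explicit patchMode means the default mode, AutomaticByOS.
            $mode = [string]$win.PatchSettings.PatchMode
            if ([string]::IsNullOrEmpty($mode)) { $mode = 'AutomaticByOS' }
            $finding = switch ($mode) {
                'AutomaticByPlatform' {
                    # The az vm update command on this page sets both properties together.
                    if ($win.EnableAutomaticUpdates) { 'OK: patching orchestrated by Azure' }
                    else { 'Check: AutomaticByPlatform without enableAutomaticUpdates=true' }
                }
                'AutomaticByOS' { 'Review: patched by in-guest Automatic Updates only' }
                'Manual'        { 'Review: Automatic Updates off; confirm a custom patching solution' }
                default         { "Check: unrecognized patch mode '$mode'" }
            }
        }
        [pscustomobject]@{
            ResourceGroup = $VM.ResourceGroupName
            Name          = $VM.Name
            PatchMode     = $mode
            Finding       = $finding
        }
    }
}

# Builds constructed sample VM objects (not real VMs) so the function runs offline.
function New-SampleVM($Name, $Windows, $AutoUpdates, $PatchMode) {
    $winCfg = $null
    if ($Windows) {
        $patch = if ($PatchMode) { [pscustomobject]@{ PatchMode = $PatchMode } } else { $null }
        $winCfg = [pscustomobject]@{ EnableAutomaticUpdates = $AutoUpdates; PatchSettings = $patch }
    }
    [pscustomobject]@{
        Name = $Name; ResourceGroupName = 'test-autopatch-rg'
        OSProfile = [pscustomobject]@{ WindowsConfiguration = $winCfg }
    }
}

$sample = @(
    New-SampleVM 'azwinvm01' $true  $true  'AutomaticByPlatform'
    New-SampleVM 'azwinvm02' $true  $true  $null
    New-SampleVM 'azwinvm03' $true  $false 'Manual'
    New-SampleVM 'azlinvm01' $false $false $null
)
$sample | Get-VMPatchModeFinding | Format-Table -AutoSize

# Against a real subscription (requires Az.Compute and Connect-AzAccount):
#   Get-AzVM | Get-VMPatchModeFinding | Where-Object Finding -notlike 'OK:*'
```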

If you need more control, I recommend that you have a look at Azure Update Management, which is already publicly available and also supports Windows and Linux servers running in Azure or on-premises.

To verify whether automatic VM guest patching has completed and the patching extension is installed on the VM, you can review the VM’s instance view.

az vm get-instance-view --resource-group test-autopatch-rg --name azwinvm01

This will show you the following result:

Azure Automatic VM Guest OS Patching Status

You can also create the patch assessment on-demand.

Invoke-AzVmPatchAssessment -ResourceGroupName "myResourceGroup" -VMName "myVM"

I hope this provides you with an overview of the new Azure automatic VM guest patching feature. If you want to have some advanced capabilities to manage updates for your Azure VMs and even your servers running on-premises, check out Azure Update Management. This will provide you with some advanced settings and your own maintenance schedules. If you have any questions, feel free to leave a comment.

The Az Update Show

Join The Az Update Show with the latest Azure News from Microsoft Build 2020

In this week’s Az Update Show, Anthony Bartolo and I will be talking about the latest Microsoft Azure news from Microsoft Build 2020. Make sure you join us today (4pm CEST May 22). The Az Update Show is our weekly Azure News livestream, in which Cloud Advocate Anthony Bartolo and I share the latest news and updates for Microsoft Azure.

This week will be a special highlight since the virtual Microsoft Build 2020 developer conference just finished. This means we will have a lot of news and announcements to cover! You can join directly on YouTube or watch here:

If you can’t make it this week, the recording will be available for you to watch.

I hope you tune in for this week’s Az Update Show on Microsoft Build 2020, and see you in the live stream! If you have any questions or comments, feel free to leave a comment below. Also, follow me on YouTube, where I will go live on May 27 for my livestream about Hybrid Server Management with Azure Arc.

Azure IaaS VM enable Update Management

How to Manage Updates for Azure IaaS VMs

As a lot of customers are moving their workloads to Azure, and specifically moving virtual machines to Azure Infrastructure-as-a-Service (IaaS), the question is how to manage Azure virtual machines (VMs) efficiently. The great thing about Azure IaaS is that it is not just another virtualization platform. Azure IaaS also offers a lot of other benefits versus classic virtualization. Azure IaaS and Azure Management provide a lot of functionality to make it more efficient to run and manage virtual machines. One of them is Azure Update Management. In this blog post, I am going to show you how you can efficiently manage updates for your Azure IaaS VMs.

Overview and benefits Azure Update Management ☁

The Azure Update Management solution is part of Azure Automation. With Azure Update Management you can manage operating system updates for your Windows and Linux computers in Azure, in on-premises environments, or in other cloud providers. That is right, it is not only for your Azure VMs; it also works across your whole environment and provides you with a single pane of glass for your update management. It allows you to quickly assess the status of available updates on all virtual machines and servers, and manage the process of installing required updates for servers.

  • Azure Update Management works with Azure IaaS VMs, on-premises servers, and even servers running at other cloud service providers.
  • Update Management supports Linux and Windows servers.
  • It is directly integrated into the Azure portal and onboarding of Azure VMs is very simple.
  • It works with existing update sources like Microsoft Update, WSUS or on Linux with private and public update repositories.
  • Azure Update Management can be integrated into System Center Configuration Manager. You can learn more about Azure Update Management and System Center Configuration Manager integration on Microsoft Docs.
  • You can onboard new Azure VMs automatically to Update Management in multiple subscriptions in the same tenant.


How to onboard Azure IaaS VMs ✈

Onboarding Azure VMs to Azure Update Management is fairly simple and there are many different ways you can enable Update Management for an Azure VM.

One thing I want to highlight is that you can set up automatic enablement for future virtual machines. With that, Azure virtual machines you create in the future will automatically be added to the Update Management solution.

Since this blog post is all about managing updates for Azure VMs, I will keep it short, but if you want to add servers running on-premises or at other service providers, you can have a look how you can configure Azure Update management from Windows Admin Center. If you are running Azure Stack, you can also easily add your Azure Stack VMs to the Update Management solution.

Update Assessment 📃

Azure Update Management Compliant Assessment

After you have enabled and connected your virtual machines, Azure Log Analytics and Update Management start to collect and analyze data, and create a continuous assessment of your Azure VM infrastructure and the additional servers you added. It will let you know which servers are compliant and which updates are missing. In the Azure documentation for Azure Update Management, you can find the schedules and times at which new updates are added to the assessment.

Manage and deploy updates to Azure VMs 🔧

After you know which servers are compliant or not, you can schedule an update deployment, to update your servers.

Update Azure VMs using Update Deployment

An update deployment configuration is done very easily.

  1. Enter a name for the update deployment
  2. Select which operating system you want to target with the deployment (Linux or Windows)
  3. Choose the machines you want to update. You can select specific Azure virtual machines, non-Azure machines, groups, AD, WSUS, SCCM groups and filters.
  4. Select the Update Classifications you want to deploy
  5. Include or exclude updates
  6. Schedule the deployment. You can also create recurring update deployments for example for monthly patching.
  7. Configure pre- and post-scripts
  8. Configure the maintenance window size
  9. Configure the reboot options for after the updates are installed

View update deployments ✔

Update Azure VMs Status

During and after the duration of the update deployment, you can see an overview of the deployment, which updates on which machine were installed and if they were successful.

Pricing – What does it cost? 💵

Now I know what you are thinking: this is great, but I am sure Microsoft is making me pay for this. No! There are no charges for the service; you only pay for log data stored in the Azure Log Analytics service. You can find more pricing information here.

Conclusion and Learn more 🎓

Update Management is a great solution to keep your environment up to date. If you want to know more, check out Microsoft Docs or follow this tutorial to onboard Azure VMs. There is also a very good blog series by Microsoft MVP Samuel Erskine. If you don’t have Azure today, create an Azure Free account.

If you have any questions, let me know in the comments.

PowerShell 7 Installer

How to Install and Update PowerShell 7

The PowerShell team just announced PowerShell 7. PowerShell 7 is built on .NET Core 3 and brings back many APIs required by modules built on .NET Framework so that they work with .NET Core runtime. While PowerShell Core 6 was focusing on bringing cross-platform compatibility, PowerShell 7 will focus on making it a viable replacement for Windows PowerShell 5.1 and bringing near parity with Windows PowerShell. Here is how you can install and update PowerShell 7 on Windows and Linux using a simple one-liner.

If you want to know what’s new in PowerShell 7, check out my blog post!

One great example of how cross-platform PowerShell can work, check out my blog post: How to set up PowerShell SSH Remoting.

Install PowerShell 7

Before showing you the one-liner option to install PowerShell 7, I want to share with you the documentation to install PowerShell 7 on different operating systems like Windows, macOS, and Linux.

One-liner to install or update PowerShell 7 on Windows 10

Steve Lee (Microsoft Principal Software Engineer Manager in the PowerShell Team) shared a one-liner that helps you quickly install and update PowerShell 7:

Install and Update PowerShell 7

You can use this single command in Windows PowerShell to install PowerShell 7.

iex "& { $(irm https://aka.ms/install-powershell.ps1) } -UseMSI"

There are additional switches to, for example, install daily builds of the latest PowerShell previews.

  • -Destination: The destination path to install PowerShell Core to.
  • -Daily: Install PowerShell Core from the daily build. Note that the ‘PackageManagement’ module is required to install a daily package.
  • -Preview: Install the latest preview, which is currently version 7.
  • -UseMSI: Use the MSI installer.
  • -Quiet: The quiet command for the MSI installer.
  • -DoNotOverwrite: Do not overwrite the destination folder if it already exists.
  • -AddToPath: On Windows, add the absolute destination path to the ‘User’ scope environment variable ‘Path’; on Linux, make the symlink ‘/usr/bin/pwsh’ point to “$Destination/pwsh”; on macOS, make the symlink ‘/usr/local/bin/pwsh’ point to “$Destination/pwsh”.
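
The one-liner above executes whatever the aka.ms link returns at the moment it runs. The following added example (not part of the original post or the PowerShell team's script) shows an alternative workflow: save the script to disk, review it, record its SHA-256, and run only a file that still matches that hash. Invoke-PinnedScript is a hypothetical helper, and the demo installer file is a constructed stand-in.

```powershell
# Added example (not from the original post). Invoke-PinnedScript is a
# hypothetical helper: it runs a script file only if its SHA-256 matches the
# hash recorded when that exact file was reviewed.
function Invoke-PinnedScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [hashtable]$ScriptParameters = @{}
    )
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {   # string -ne is case-insensitive
        throw "Hash mismatch for $Path. Expected $ExpectedSha256, got $actual. Not executing."
    }
    # Log the signature state for the record; this example does not assume the
    # file is signed (Get-AuthenticodeSignature is a Windows feature).
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    Write-Verbose "Authenticode status: $($sig.Status)"
    # Running a file, unlike iex on a string, is subject to the execution policy.
    & $Path @ScriptParameters
}

# Constructed stand-in for a reviewed installer, so the example runs offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'install-demo.ps1'
Set-Content -LiteralPath $demo -Value 'param([switch]$UseMSI) "installer ran, UseMSI=$UseMSI"'
$pin = (Get-FileHash -LiteralPath $demo -Algorithm SHA256).Hash   # recorded at review time

Invoke-PinnedScript -Path $demo -ExpectedSha256 $pin -ScriptParameters @{ UseMSI = $true }

# Any later change to the file is refused instead of executed.
Add-Content -LiteralPath $demo -Value '"unreviewed change"'
try { Invoke-PinnedScript -Path $demo -ExpectedSha256 $pin } catch { $_.Exception.Message }
Remove-Item -LiteralPath $demo

# Real use (needs network access):
#   Invoke-WebRequest -Uri https://aka.ms/install-powershell.ps1 -OutFile .\install-powershell.ps1 -UseBasicParsing
#   Review the file, record its hash, then:
#   Invoke-PinnedScript -Path .\install-powershell.ps1 -ExpectedSha256 <recorded hash> -ScriptParameters @{ UseMSI = $true }
```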

One-liner to install or update PowerShell 7 on Linux

Install PowerShell 7 on Linux

You can use this as a single command to install PowerShell 7 on Linux.

wget https://aka.ms/install-powershell.sh; sudo bash install-powershell.sh; rm install-powershell.sh

Depending on the distro you are using, this will register Microsoft’s package repos and install the matching package (deb or rpm).

You can also use the following switches:

  • -includeide: Installs VSCode and VSCode PowerShell extension (only relevant to machines with a desktop environment)
  • -interactivetesting: Do a quick launch test of VSCode (only applicable when used with -includeide)
  • -skip-sudo-check: Use sudo without verifying its availability (hard to accurately do on some distros)
  • -preview: Installs the latest preview release of PowerShell side-by-side with any existing production releases

To currently run the PowerShell Preview, you can run the following command:


After Installing

After you have installed PowerShell 7, also make sure to update PowerShellGet and the PackageManagement module.

I hope this blog post was helpful. If you have any questions, please let me know in the comments.

Install or Update PowerShell 6 on Windows 10

How to Install and Update PowerShell 6

Today Windows 10 and Windows Server 2019 ship with Windows PowerShell 5.1 as the default version. PowerShell Core 6 is a new edition of PowerShell that is cross-platform (Windows, macOS, and Linux), open-source, and built for heterogeneous environments and the hybrid cloud. PowerShell 6 today is a side-by-side version next to Windows PowerShell 5.1. That means on Windows you cannot just upgrade to PowerShell 6; you will need to install it, same as on Linux and macOS. This blog post shows you how easily you can install PowerShell 6, or update PowerShell 6 if you have already installed it, on Windows 10, Windows Server 2019, or Linux.

One great example of how cross-platform PowerShell can work, check out my blog post: How to set up PowerShell SSH Remoting

Of course, you can find excellent documentation out there on Microsoft Docs. However, Steve Lee (Microsoft Principal Software Engineer Manager in the PowerShell Team) shared a one-liner that helps you quickly install and update PowerShell 6.

Install PowerShell Core 6

Before showing you the one-liner option to install PowerShell 6, I want to share with you the documentation to install PowerShell Core 6 on different operating systems like Windows, macOS, and Linux.

Updated PowerShellGet and PackageManagement

Update PowerShellGet and PackageManagement

Since I am just setting up a new work machine, I wanted to share some information on how you can update PowerShellGet and PackageManagement to the latest version. This will give you the usual bug fixes and performance enhancements. Since you don’t get the latest version in Windows PowerShell or PowerShell Core, you will need to update it manually.

PowerShellGet is a PowerShell module with commands for discovering, installing, updating and publishing the PowerShell artifacts like Modules, DSC Resources, Role Capabilities and Scripts. For example you use PowerShellGet to install the Azure PowerShell module, or other modules.

PowerShellGet module is also integrated with the PackageManagement module as a provider, users can also use the PowerShell PackageManagement cmdlets for discovering, installing and updating the PowerShell artifacts like Modules and Scripts.

(source: GitHub)

How to update PowerShellGet and PackageManagement

Updating to the latest version of PowerShellGet and the PackageManagement module is simple. Since both modules are part of the PowerShell Gallery, you can update them using a couple of simple commands.

You can find both modules in the PowerShell Gallery:

First, let’s check which versions of the modules you have available. If you use Update-Module, it will automatically load PowerShellGet and PackageManagement and list them as loaded PowerShell modules. Of course, you can also use Get-Module -ListAvailable.

PowerShell Modules PowerShellGet and PackageManagement

Get-Module -ListAvailable PackageManagement, PowerShellGet

As you can see, In my default installation, I got PowerShellGet version 1.6.7 and PackageManagement If you have a look at PSGallery, you will see that these are pretty old versions and that there are newer available.

To get the latest version from PowerShell Gallery, you should first install the latest NuGet provider. You will need to run PowerShell as an Administrator for all the following commands.

Install-PackageProvider Nuget -Force

If you run PowerShell 5.0 or newer, you can install the latest PowerShellGet using the following command. PowerShell 5.0 is included in Windows 10, Windows Server 2016, Windows Server 2019, any system with WMF 5.0 and 5.1 or a system running PowerShell 6.

Install-Module -Name PowerShellGet -Force

Two quick tips: first off, you will need to set the execution policy to RemoteSigned to allow the new module to run. Secondly, in some cases you will need to use the -AllowClobber parameter to install the updated version of the module.

Set-ExecutionPolicy RemoteSigned
Install-Module -Name PowerShellGet -Force -AllowClobber

You can then use Update-Module to get newer versions:

Update-Module -Name PowerShellGet

Updated PowerShellGet and PackageManagement

After that, you will see the latest versions of PowerShellGet and PackageManagement available.

If you run older versions of PowerShell, you can check out the full documentation on the PowerShell Docs. I hope this blog post helps you to update PowerShellGet and benefit from the latest versions. If you have any questions, please let me know in the comments.