Tag: Updates

Manage updates and patches for your Azure VMs


In this week’s Azure tip video we are going to have a look at how to manage updates and patches for your Azure virtual machines (VMs). After watching this video, you’ll be able to enable Azure Update Management, deploy updates, review an update assessment, and manage updates for your Azure VMs.

You can use Update Management in Azure Automation to manage operating system updates for your Windows and Linux machines in Azure, in on-premises environments, and in other cloud environments. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers. If you want to learn more, check out my blog post on how to manage updates on Azure VMs. Also, make sure you check out a new feature called Azure Automatic VM Guest OS patching. To learn more about that feature, check out my blog post: How to configure Azure Automatic VM guest OS patching

To learn more about Azure Update management for your Azure virtual machines, check out the following links:

I hope this video was helpful when it comes to managing updates and patches for your Azure VMs. If you have any questions, comments, or another great idea for an Azure tip video, feel free to leave a comment below.



Azure Automatic VM Guest OS Patching

How to configure Azure Automatic VM guest OS patching

If you want to keep your Azure virtual machines (VMs) up-to-date, there is a service called Azure Update Management, which helps you manage updates for the guest operating system of your Azure VMs. However, Update Management requires some additional planning and configuration (an Automation account, a Log Analytics workspace, schedules). To make patching of your Azure VMs easier, there is a new option called Automatic VM guest patching, which eases update management by safely and automatically patching virtual machines to maintain security compliance.

Automatic VM guest patching is now available in public preview for Windows virtual machines on Azure.

With Azure automatic VM guest patching enabled, the VM is assessed periodically to check for available operating system patches for that Azure VM. Updates classified as ‘Critical’ or ‘Security’ are automatically downloaded and installed on the VM during off-peak hours. This patch orchestration is managed and handled by Azure and patches are applied following availability-first principles.

In a nutshell, Azure automatic VM guest patching has the following capabilities:

  • Patches classified as Critical or Security are automatically downloaded and applied on the VM.
  • Patches are applied during off-peak hours in the VM’s time zone.
  • Patch orchestration is managed by Azure and patches are applied following availability-first principles.
  • Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.
  • Works for all VM sizes.

Patches are installed within 30 days of the monthly Windows Update release, following the availability-first orchestration mentioned above. Patches are installed only during off-peak hours for the VM, depending on the time zone of the VM. The VM must be running during the off-peak hours for patches to be installed automatically. If a VM is powered off during a periodic assessment, it will be assessed again and the applicable patches will be installed during the next periodic assessment after the VM is powered on.

You can find more information on Azure automatic VM guest patching on Microsoft Docs.

How to enable Azure Automatic VM guest OS patching

To enable Azure automatic VM guest OS (operating system) patching, there are currently a few requirements:

  • Only Windows VMs are supported during the preview. Currently, Windows Server 2012 R2, 2016 and 2019 Datacenter SKUs are supported (more are added periodically).
  • Only VMs created from certain OS platform images are supported in the preview, which means custom images are currently not supported.
  • The virtual machine must have the Azure VM Agent installed.
  • The Windows Update service must be running on the virtual machine.
  • The virtual machine must be able to access Windows Update endpoints. If your virtual machine is configured to use Windows Server Update Services (WSUS), the relevant WSUS server endpoints must be accessible.
  • Use Compute API version 2020-06-01 or higher.

These requirements might change in the future during the preview phase (for the current requirements check out Microsoft Docs).

During the preview, this feature requires a one-time opt-in for the feature InGuestAutoPatchVMPreview per subscription. You can run the following Azure PowerShell commands (the Azure CLI equivalent is az feature register / az feature show with the same namespace and feature name).

Azure PowerShell:

# Register AzProvider
Register-AzProviderFeature -FeatureName InGuestAutoPatchVMPreview -ProviderNamespace Microsoft.Compute
 
# Check the registration status
Get-AzProviderFeature -FeatureName InGuestAutoPatchVMPreview -ProviderNamespace Microsoft.Compute
 
# Once the feature is registered for your subscription, complete the opt-in process by changing the Compute resource provider.
Register-AzResourceProvider -ProviderNamespace Microsoft.Compute

Now you can enable automatic VM guest patching for your Azure virtual machines within that subscription. To do that you can currently use the REST API, Azure PowerShell, or the Azure CLI.

With Azure CLI, you can use az vm update to enable it on an existing VM:

az vm update --resource-group test-autopatch-rg --name azwinvm01 --set osProfile.windowsConfiguration.enableAutomaticUpdates=true osProfile.windowsConfiguration.patchSettings.patchMode=AutomaticByPlatform

You can see that there are two important settings here: enableAutomaticUpdates and patchSettings.patchMode (in Azure PowerShell these are the -EnableAutoUpdate and -PatchMode parameters of Set-AzVMOperatingSystem). There are currently three different patch orchestration modes you can configure.

AutomaticByPlatform

  • This mode enables automatic VM guest patching for the Windows virtual machine and subsequent patch installation is orchestrated by Azure.
  • Setting this mode also disables the native Automatic Updates on the Windows virtual machine to avoid duplication.
  • This mode is only supported for VMs that are created using the supported OS platform images above.

AutomaticByOS

  • This mode enables Automatic Updates on the Windows virtual machine, and patches are installed on the VM through Automatic Updates.
  • This mode is set by default if no other patch mode is specified.

Manual

  • This mode disables Automatic Updates on the Windows virtual machine.
  • This mode should be set when using custom patching solutions.

If you need more control, I recommend that you have a look at Azure Update Management, which is already publicly available and also supports Windows and Linux servers running in Azure or on-premises.

To verify whether automatic VM guest patching has completed and the patching extension is installed on the VM, you can review the VM’s instance view.

az vm get-instance-view --resource-group test-autopatch-rg --name azwinvm01

This will show you the following result:

Azure Automatic VM Guest OS Patching Status


You can also create the patch assessment on-demand.

Invoke-AzVmPatchAssessment -ResourceGroupName "myResourceGroup" -VMName "myVM"
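Because the patch mode is just a property on the VM resource, it is easy to drift: a VM deployed from an old template or created with the default AutomaticByOS mode silently falls outside platform patching. The following script is an added example (not code from the original post or from Microsoft) that audits every Windows VM in a resource group, switches non-compliant VMs to AutomaticByPlatform when run with -Remediate, and triggers an on-demand assessment afterwards. It assumes Az.Compute is installed and you are signed in with Connect-AzAccount; the resource group name is a placeholder, the object paths (OSProfile.WindowsConfiguration.PatchSettings.PatchMode, ProvisionVMAgent) follow the Compute API 2020-06-01 VM model returned by Get-AzVM, and the property names on the Invoke-AzVmPatchAssessment result (CriticalAndSecurityPatchCount, OtherPatchCount, RebootPending) follow the REST assessment result.

```powershell
# Added example, not from the original post: audit and remediate automatic VM
# guest patching for all Windows VMs in one resource group.
# Assumptions: Az.Compute is installed, Connect-AzAccount has been run, and the
# VM object properties below match the Compute API 2020-06-01 model.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [switch] $Remediate          # without this switch the script only reports
)

function Get-GuestPatchingState {
    param([Parameter(Mandatory)] [string] $ResourceGroupName)

    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
        # Automatic VM guest patching (preview) only covers Windows VMs.
        if ($vm.StorageProfile.OsDisk.OsType -ne 'Windows') { continue }

        $win = $vm.OSProfile.WindowsConfiguration
        [pscustomobject]@{
            Name             = $vm.Name
            AgentProvisioned = [bool] $win.ProvisionVMAgent        # requirement: Azure VM Agent
            AutoUpdates      = [bool] $win.EnableAutomaticUpdates
            PatchMode        = $win.PatchSettings.PatchMode         # $null means the AutomaticByOS default
            Compliant        = ($win.PatchSettings.PatchMode -eq 'AutomaticByPlatform')
        }
    }
}

function Enable-GuestPatching {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    # AutomaticByPlatform hands orchestration to Azure and disables the in-guest
    # Automatic Updates so the same patch is not applied twice.
    Set-AzVMOperatingSystem -VM $vm -PatchMode 'AutomaticByPlatform' | Out-Null
    Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm
}

$state = Get-GuestPatchingState -ResourceGroupName $ResourceGroupName
$state | Format-Table -AutoSize

foreach ($entry in $state | Where-Object { -not $_.Compliant }) {
    if (-not $entry.AgentProvisioned) {
        Write-Warning "$($entry.Name): VM Agent not provisioned, cannot enable platform patching"
        continue
    }
    if (-not $Remediate) { continue }

    Write-Host "Enabling AutomaticByPlatform on $($entry.Name)"
    Enable-GuestPatching -ResourceGroupName $ResourceGroupName -VMName $entry.Name

    # Assess right away instead of waiting for the next periodic assessment;
    # the result tells you how many Critical/Security patches are pending.
    $assess = Invoke-AzVmPatchAssessment -ResourceGroupName $ResourceGroupName -VMName $entry.Name
    $msg = '{0}: {1} critical/security and {2} other patches pending, reboot pending: {3}' -f `
        $entry.Name, $assess.CriticalAndSecurityPatchCount, $assess.OtherPatchCount, $assess.RebootPending
    Write-Host $msg
}
```

Run it once without -Remediate to see the report, then with -Remediate to fix the stragglers. VMs without the VM Agent are only flagged, because the platform cannot patch them until the agent is provisioned.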

I hope this provides you with an overview of the new Azure automatic VM guest patching feature. If you want to have some advanced capabilities to manage updates for your Azure VMs and even your servers running on-premises, check out Azure Update Management. This will provide you with some advanced settings and your own maintenance schedules. If you have any questions, feel free to leave a comment.



Azure IaaS VM enable Update Management

How to Manage Updates for Azure IaaS VMs

As a lot of customers are moving their workloads to Azure, and specifically moving virtual machines to Azure Infrastructure-as-a-Service (IaaS), the question is how to manage Azure virtual machines (VMs) efficiently. The great thing about Azure IaaS is that it is not just another virtualization platform. Azure IaaS also offers a lot of benefits over classic virtualization, and Azure IaaS and Azure Management provide a lot of functionality that makes it more efficient to run and manage virtual machines. One of them is Azure Update Management. In this blog post, I am going to show you how you can efficiently manage updates for your Azure IaaS VMs.

Overview and benefits Azure Update Management ☁

The Azure Update Management solution is part of Azure Automation. With Azure Update Management you can manage operating system updates for your Windows and Linux computers in Azure, in on-premises environments, or at other cloud providers. That is right, it is not only for your Azure VMs: it works across your whole environment and provides you with a single pane of glass for update management. It allows you to quickly assess the status of available updates on all virtual machines and servers, and to manage the process of installing the required updates.

  • Azure Update Management works with Azure IaaS VMs, on-premises servers and even servers running at other cloud service providers.
  • Update Management supports Linux and Windows servers
  • It is directly integrated into the Azure portal and onboarding of Azure VMs is very simple.
  • It works with existing update sources like Microsoft Update, WSUS or on Linux with private and public update repositories.
  • Azure Update Management can be integrated into System Center Configuration Manager. You can learn more about Azure Update Management and System Center Configuration Manager integration on Microsoft Docs.
  • You can onboard new Azure VMs automatically to Update Management in multiple subscriptions in the same tenant.
Architecture


How to onboard Azure IaaS VMs ✈

Onboarding Azure VMs to Azure Update Management is fairly simple, and there are many different ways you can enable Update Management for an Azure VM.

One thing I want to highlight is that you can set up automatic enablement for future virtual machines. With that, Azure virtual machines you create in the future will automatically be added to the Update Management solution.

Onboarding


Since this blog post is all about managing updates for Azure VMs, I will keep it short, but if you want to add servers running on-premises or at other service providers, have a look at how you can configure Azure Update Management from Windows Admin Center. If you are running Azure Stack, you can also easily add your Azure Stack VMs to the Update Management solution.

Update Assessment 📃

Azure Update Management Compliant Assessment


After you have enabled and connected your virtual machines, Azure Log Analytics and Update Management start to collect and analyze data and build a continuous assessment of your Azure VM infrastructure and the additional servers you added. It shows you which servers are compliant and which updates are missing. The Azure documentation for Azure Update Management lists the schedules and the time it takes for newly released updates to show up in the assessment.

Manage and deploy updates to Azure VMs 🔧

After you know which servers are compliant or not, you can schedule an update deployment, to update your servers.

Update Azure VMs using Update Deployment


Configuring an update deployment is straightforward:

  1. Enter a name for the update deployment
  2. Select which operating system you want to target with the deployment (Linux or Windows)
  3. Choose the machines you want to update. You can select specific Azure virtual machines, non-Azure machines, groups (AD, WSUS, SCCM groups) and filters
  4. Select the update classifications you want to deploy
  5. Include or exclude specific updates (by KB number)
  6. Schedule the deployment. You can also create recurring update deployments, for example for monthly patching
  7. Configure pre- and post-scripts
  8. Configure the maintenance window size
  9. Configure the reboot behavior after the updates are installed
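The same nine steps can be scripted, which is what you want once you have more than a handful of deployments or want the configuration in source control. The following is an added example (not from the original post or from Microsoft) that creates a recurring monthly deployment with Azure PowerShell: a schedule for the second Saturday of each month, a dynamic group built from a subscription tag query, Critical and Security classifications only, a three-hour maintenance window, reboot only if required, and pre/post runbooks. It assumes Az.Automation is installed and you are signed in, that the Automation account is already linked to a Log Analytics workspace with Update Management enabled, and that the resource group, account, tag and runbook names are placeholders you replace with your own.

```powershell
# Added example, not from the original post: create a recurring Update
# Management deployment (software update configuration) with Azure PowerShell.
# Assumptions: Az.Automation installed, Connect-AzAccount done, the Automation
# account is linked to a workspace with Update Management enabled, and the
# names below are placeholders.
$rg      = 'rg-updates'
$account = 'aa-updates'

# Step 6: second Saturday of every month at 02:00 local time, which lands after
# Patch Tuesday so the assessment has already picked up the new updates.
# -ForUpdate marks the schedule as one used by a software update configuration;
# the update configuration takes its name from this schedule.
$start = (Get-Date).Date.AddDays(1).AddHours(2)
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'prod-windows-critical-security' `
    -StartTime $start -MonthInterval 1 `
    -DayOfWeek Saturday -DayOfWeekOccurrence Second `
    -TimeZone 'Europe/Zurich' -ForUpdate

# Step 3: a dynamic group instead of a static VM list. Every VM in the current
# subscription tagged patch-ring=prod is included, re-evaluated at each run,
# so new VMs with the tag are patched without touching the deployment.
$query = New-AzAutomationUpdateManagementAzureQuery -ResourceGroupName $rg -AutomationAccountName $account `
    -Scope @("/subscriptions/$((Get-AzContext).Subscription.Id)") `
    -Tag @{ 'patch-ring' = 'prod' }

# Steps 2, 4, 7, 8, 9: Windows only, Critical + Security classifications,
# pre/post runbooks (for example to drain a node from a load balancer and put it
# back), 3-hour maintenance window, reboot only when an update requires it.
# Step 5 would be -IncludedKbNumber / -ExcludedKbNumber with a list of KB IDs.
$config = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows `
    -AzureQuery $query `
    -IncludedUpdateClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 3) `
    -RebootSetting IfRequired `
    -PreTaskRunbookName 'Drain-FromLoadBalancer' `
    -PostTaskRunbookName 'Return-ToLoadBalancer'

$config | Format-List Name, ProvisioningState, UpdateConfiguration
```

Keeping the classification list to Critical and Security for the production ring and using a separate deployment (and tag value) for a test ring is the usual way to get the "patch test first, then prod" flow without maintaining two machine lists by hand.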

View update deployments ✔

Update Azure VMs Status


During and after the duration of the update deployment, you can see an overview of the deployment, which updates on which machine were installed and if they were successful.

Pricing – What does it cost? 💵

I know what you are thinking: this is great, but surely Microsoft is going to charge me for it. No, there are no charges for the service itself; you only pay for the log data stored in the Azure Log Analytics service. You can find more pricing information here.

Conclusion and Learn more 🎓

Update Management is a great solution to keep your environment up to date. If you want to know more, check out Microsoft Docs or follow this tutorial to onboard Azure VMs. There is also a very good blog series by Microsoft MVP Samuel Erskine. If you don’t have Azure today, create an Azure Free account.

Create free Azure Account ☁

Create your Azure free account today and get started with 12 months of free services!

If you have any questions, let me know in the comments.



Azure Stack VM Update Management

Using Azure Update Management on Azure Stack

At Microsoft Ignite 2018, Microsoft announced the integration of Azure Update and Configuration Management on Azure Stack. This is a perfect example of how Azure services from the public cloud can be extended into your datacenter using Azure Stack. Azure Update and Configuration Management brings Azure Update Management, Change Tracking and Inventory to your Azure Stack VMs. In the case of Azure Stack, the backend services and orchestrator, Azure Automation and Log Analytics, remain running in Azure, but you can connect your VMs running on Azure Stack to them.

Azure Update and Configuration Management Schematic

Today, the Azure Update and Configuration Management extension, gives you the following features:

  • Update Management – With the Update Management solution, you can quickly assess the status of available updates on all agent computers and manage the process of installing required updates for these Windows VMs.
  • Change Tracking – Changes to installed software, Windows services, Windows registry, and files on the monitored servers are sent to the Log Analytics service in the cloud for processing. Logic is applied to the received data and the cloud service records the data. By using the information on the Change Tracking dashboard, you can easily see the changes that were made in your server infrastructure.
  • Inventory – The Inventory tracking for an Azure Stack Windows virtual machine provides a browser-based user interface for setting up and configuring inventory collection.

If you want to use Azure Update Management and more on VMs running on-premises (without Azure Stack) or at another cloud provider, you can do this as well. Have a look at Windows Admin Center, which allows you to integrate directly with Azure Update Management. However, there will be a difference in pricing.



Download Azure Stack Update

How to install and manage Azure Stack Updates

At itnetX, we help customers to implement as well as to operate Azure Stack. One part of operating Azure Stack is keeping it up-to-date. This means installing Microsoft Azure Stack updates and hotfixes as well as OEM update packages like drivers and firmware. In this blog post, I will cover all the information you need to keep your Azure Stack up-to-date.

Why should you update your Azure Stack

Azure Stack Update

This may sound like a simple question, but a lot of people ask it. First of all, Microsoft and the hardware vendors deliver quality fixes and security updates to keep Azure Stack stable and secure. But Microsoft also adds new functionality with its update packages to keep up with the rapid development of Azure. This is important if you want your Azure Stack to stay consistent with Azure in terms of functionality.

Another essential reason to stay current is to remain supported. You are allowed to be behind by two major versions of Azure Stack, which means roughly 2-3 months. You should basically update monthly to make sure that you are secure and stable. However, there are reasons why you might have to defer an update; for example, some companies have freeze periods in which they are not allowed to change their systems. If you fall more than two major versions behind, your Azure Stack is considered out of support and will not be supported by Microsoft until you have installed at least the minimum required version.

You can read more about the Azure Stack servicing policy on the Azure Stack documentation site.

Updates for the Azure Stack Integrated System

Azure Stack Operations

As mentioned before, there are three types of updates to Azure Stack. The monthly Azure Stack Update Packages from Microsoft, Hotfixes, and OEM updates.

  • Microsoft software updates – Microsoft is responsible for the end-to-end servicing lifecycle for the Microsoft software update packages. These packages can include the latest Windows Server security updates, non-security updates, and Azure Stack feature updates. These update packages are non-cumulative updates and need to be installed one after the other. These updates are fully automated and will update the complete Azure Stack infrastructure.
  • OEM hardware vendor-provided updates – Azure Stack hardware partners are responsible for the end-to-end servicing lifecycle (including guidance) for the hardware-related firmware and driver update packages. In addition, Azure Stack hardware partners own and maintain guidance for all software and hardware on the hardware lifecycle host.
  • Microsoft hotfixes – Microsoft provides hotfixes for Azure Stack that address a specific issue and are often preventative or time-sensitive. Each hotfix is released with a corresponding Microsoft Knowledge Base article that details the issue, cause, and resolution. Hotfixes are downloaded and installed just like the regular full update packages for Azure Stack. Unlike the monthly update packages, Azure Stack hotfixes are cumulative per iteration.
Update type                   Release                                Cumulative   Where to find
Microsoft software updates    Monthly (4th Tuesday of every month)   No           Release notes
OEM hardware vendor updates   Depending on OEM                       Depends      OEM website
Microsoft hotfixes            When needed                            Yes          Knowledge Base article

By the way, you can only update Azure Stack multi-node systems, and the Azure Stack Development Kit needs to be redeployed.



Windows Server Semi-annual Channel Overview

Windows Server release information – Windows Server Semi-Annual Channel and LTSC

As mentioned a couple of months ago, Microsoft has updated the Windows Server servicing model. The Semi-Annual Channel is a twice-per-year feature update release with an 18-month servicing timeline for each release, and the Long-Term Servicing Channel (LTSC) keeps the 5+5 years of support we know from previous Windows Server releases such as Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. This is a similar servicing model to the one used for the Windows 10 client.

In short:

The Semi-Annual Channel provides an opportunity for customers who are innovating quickly to take advantage of new operating system capabilities at a faster pace, both in applications – particularly those built on containers and microservices – and in the software-defined hybrid datacenter.

Customers also have the option to continue using the Long-Term Servicing Channel releases, which continue to be released every 2-3 years. Each Long-Term Servicing Channel release is supported for 5 years of mainstream support and 5 years of extended support.

You can find more information about the Windows Server Servicing changes in my blog post: What is next for Windows Server and System Center with a faster release cadence

Today Microsoft released a page where you can get an overview about the Windows Server versions and their support end dates.

Windows Server current versions by servicing Overview

This will quickly get you an overview about the Windows Server releases.

 

 



Install Updates on Nano Server

How to install Updates on Nano Server

Microsoft just released Windows Server 2016, which comes with a new deployment option called Nano Server. Nano Server is a very small version of Windows Server which addresses a lot of different issues. Now, after the release of Windows Server 2016, Microsoft is releasing the first updates for Windows Server 2016 and Nano Server.

The first Cumulative Update for Windows Server 2016 (KB3192366) was released on September 26, 2016, and the prerequisite for this and future Cumulative Updates is the Servicing Stack Update for Windows 10 Version 1607 (KB3176936), which Windows Server 2016 shares with Windows 10 build 14393. The servicing stack update must always be installed before the cumulative update.

Download

You can download the .msu updates from the Windows Server Catalog:

Folder Structure

Just to make it easier for you, here is the folder structure I use:

  • C:\NanoServer – The folder where I put all my files and folders to create and manage Nano Server. I copied the NanoServerImageGenerator PowerShell module to this folder
  • C:\NanoServer\Files – Copied all the files from the Windows Server 2016 ISO file
  • C:\NanoServer\Updates – Downloaded .msu files and extracted .cab files
  • C:\NanoServer\Images – Created Nano Server images

Extract the .cab files from the .msu file

For most update scenarios you will need the .cab update package, which is included in the .msu file. To extract the .cab file from the .msu file you can use the expand command line utility.

In my case I renamed the .msu files for easier identification and copied both files to C:\NanoServer\Updates.

Nano Server Expand MSU Update Files

expand .\KB3176936.msu -F:* C:\NanoServer\Updates\
 
expand .\KB3192366.msu -F:* C:\NanoServer\Updates\

Integrate Updates into a new Nano Server Image

If you create a new Nano Server image, you can simply include the latest servicing stack update and cumulative update while building the image. That gives you a fresh Nano Server image that is fully patched from the first boot.

New Nano Server Image with Updates

Import-Module .\Files\NanoServer\NanoServerImageGenerator\NanoServerImageGenerator.psm1
 
# Servicing stack update first, then the cumulative update
New-NanoServerImage -MediaPath .\Files -BasePath .\Base -TargetPath .\Images\NanoVM.vhd -MaxSize 20GB -DeploymentType Guest -Edition Datacenter -ComputerName "Nano01" -ServicingPackagePath ".\Updates\Windows10.0-KB3176936-x64.cab", ".\Updates\Windows10.0-KB3192366-x64.cab"

Integrate Updates into an existing Nano Server Image

If you already have an existing Nano Server image, you can also update that one.

Add Updates to Nano Server Image

Import-Module .\Files\NanoServer\NanoServerImageGenerator\NanoServerImageGenerator.psm1
 
# Servicing stack update first, then the cumulative update
Edit-NanoServerImage -TargetPath .\Images\NanoServer.wim -ServicingPackagePath ".\Updates\Windows10.0-KB3176936-x64.cab", ".\Updates\Windows10.0-KB3192366-x64.cab"

Integrate Updates into a VHD or VHDX (offline)

If you have VHD or VHDX templates and you want to integrate new updates, you can do this as well using the DISM PowerShell module. You can also update existing virtual machines this way if you shut down the VM first (offline patching).

# Mount the first (and only) image in the VHDX read-write
Mount-WindowsImage -ImagePath .\Images\NanoVM.vhdx -Path .\Mount -Index 1
 
# Add the packages one by one so the servicing stack update goes in before the cumulative update
# (passing the whole folder to -PackagePath also works, but does not guarantee that order)
Add-WindowsPackage -Path .\Mount -PackagePath .\Updates\Windows10.0-KB3176936-x64.cab
Add-WindowsPackage -Path .\Mount -PackagePath .\Updates\Windows10.0-KB3192366-x64.cab
 
# Commit the changes to the VHDX and unmount it
Dismount-WindowsImage -Path .\Mount -Save

Install Updates on a running Nano Server (online)

If you have a running Nano Server in a virtual machine or on a physical host, you can also use the downloaded .cab files and the DISM PowerShell module to install the patches on the Nano Server. For that you will need to use PowerShell remoting to connect to the Nano Server.

Install Updates on Nano Server

# Copy the extracted .cab files to the Nano Server over a remoting session
$cred = Get-Credential
$pssession = New-PSSession -ComputerName "NanoServer" -Credential $cred
Invoke-Command -Session $pssession -ScriptBlock { md C:\Update }
Copy-Item -ToSession $pssession -Path C:\NanoServer\Updates\*.cab -Destination C:\Update\
 
# Install the servicing stack update first (reboot needed; Restart-Computer ends the remote session)
Enter-PSSession -ComputerName "NanoServer" -Credential $cred
Add-WindowsPackage -Online -PackagePath C:\Update\Windows10.0-KB3176936-x64.cab
Restart-Computer
 
# Reconnect after the reboot and install the cumulative update
Enter-PSSession -ComputerName "NanoServer" -Credential $cred
Add-WindowsPackage -Online -PackagePath C:\Update\Windows10.0-KB3192366-x64.cab
Restart-Computer

If the Nano Server is running inside a VM, you can also use PowerShell Direct to connect directly to the Virtual Machine from the Hyper-V host.
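Typing the steps above by hand for more than one Nano Server gets error-prone quickly: the servicing stack update has to go in first, a package you already installed should not be pushed again, and you should not install a .cab you copied from somewhere without checking that it is still the Microsoft-signed package you downloaded. The following function is an added example (not from the original post or from Microsoft) that wraps the procedure: it verifies the Authenticode signature on each .cab, installs the packages in the given order, skips KBs that are already present, and reboots and reconnects when a package asks for it. It assumes WinRM remoting to the Nano Server already works (Kerberos or TrustedHosts), that the .cab files from the Microsoft Update Catalog carry a Microsoft Authenticode signature, and that DISM names installed packages "Package_for_KB<number>~...", which is what the KB check relies on.

```powershell
# Added example, not from the original post: idempotent, ordered installation of
# .cab updates on a running Nano Server over PowerShell remoting.
# Assumptions: WinRM remoting to the target works; the .cab files are the signed
# packages from the Microsoft Update Catalog; DISM package names contain the KB ID.

function Test-MicrosoftSignature {
    param([Parameter(Mandatory)] [string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # A tampered or re-packed cabinet shows up here as NotSigned or HashMismatch.
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft Corporation*')
}

function Install-NanoServerUpdate {
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        # Ordered list: the servicing stack update must be listed before the cumulative update.
        [Parameter(Mandatory)] [string[]]     $CabPath
    )

    foreach ($cab in $CabPath) {
        if (-not (Test-MicrosoftSignature -Path $cab)) {
            throw "Refusing to install ${cab}: Authenticode signature is not a valid Microsoft signature"
        }
    }

    $session = New-PSSession -ComputerName $ComputerName -Credential $Credential
    try {
        Invoke-Command -Session $session -ScriptBlock {
            New-Item -ItemType Directory -Path C:\Update -Force | Out-Null
        }

        foreach ($cab in $CabPath) {
            $name = Split-Path $cab -Leaf
            # KB number from the file name, e.g. Windows10.0-KB3176936-x64.cab -> KB3176936
            $kb = [regex]::Match($name, 'KB\d+').Value

            $installed = Invoke-Command -Session $session -ScriptBlock {
                param($kb)
                [bool] (Get-WindowsPackage -Online | Where-Object PackageName -like "Package_for_$kb*")
            } -ArgumentList $kb
            if ($installed) {
                Write-Host "$kb is already installed on $ComputerName, skipping"
                continue
            }

            Copy-Item -ToSession $session -Path $cab -Destination C:\Update\
            $result = Invoke-Command -Session $session -ScriptBlock {
                param($name)
                Add-WindowsPackage -Online -PackagePath "C:\Update\$name" -NoRestart
            } -ArgumentList $name

            if ($result.RestartNeeded) {
                # The SSU needs a reboot before the CU can be applied: restart now,
                # wait until WinRM answers again, then reopen the session.
                Write-Host "$kb installed, restarting $ComputerName"
                Restart-Computer -ComputerName $ComputerName -Credential $Credential `
                    -Protocol WSMan -Wait -For PowerShell -Force
                Remove-PSSession $session
                $session = New-PSSession -ComputerName $ComputerName -Credential $Credential
            }
        }
    }
    finally {
        if ($session) { Remove-PSSession $session }
    }
}

# Usage: servicing stack update first, then the cumulative update.
Install-NanoServerUpdate -ComputerName 'NanoServer' -Credential (Get-Credential) -CabPath @(
    'C:\NanoServer\Updates\Windows10.0-KB3176936-x64.cab',
    'C:\NanoServer\Updates\Windows10.0-KB3192366-x64.cab'
)
```

Running the function a second time is harmless: both KBs are detected as installed and nothing is copied or applied, which makes it safe to put into a scheduled job or loop it over a list of hosts.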

Download and Install Updates on a running Nano Server from Windows Update (online from Windows Update)

If you have a running Nano Server VM or physical host, you can use the Windows Update WMI provider to download and install the update from Microsoft Update.

Enter-PSSession -ComputerName "NanoServer" -Credential (Get-Credential)
 
# Scan for updates
 
$ci = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession
$result = $ci | Invoke-CimMethod -MethodName ScanForUpdates -Arguments @{SearchCriteria="IsInstalled=0";OnlineScan=$true}
$result.Updates
 
# Install all updates
 
$ci = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession
Invoke-CimMethod -InputObject $ci -MethodName ApplyApplicableUpdates
 
Restart-Computer
 
# List Installed Updates
 
$ci = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession
$result = $ci | Invoke-CimMethod -MethodName ScanForUpdates -Arguments @{SearchCriteria="IsInstalled=1";OnlineScan=$true}
$result.Updates

Download and Install Updates on a running Nano Server from Windows Update using the Azure Remote Server Management Tools

You can also use a graphical UI to update Nano Server directly from the Remote Server Management Tools.

Install Updates on Nano Server from Server Management Tools SMT

You can get more information about Updating Nano Server on this Microsoft blog post.