Azure Now Installs Security Updates On Windows VMs Automatically
Microsoft has announced a new Azure capability known as automatic VM guest patching, designed to automatically patch Windows virtual machines against newly discovered vulnerabilities.
The new feature is now in Public Preview for Windows virtual machines on Azure and is designed to help admins maintain their environments’ security compliance by having Azure Virtual Machines (VMs) automatically patched.
On VMs where it is enabled, patches will be installed within 30 days of the monthly Windows Update release, but only during off-peak hours.
At the moment, while in Public Preview, automatic VM guest patching comes with the following characteristics:
• Patches classified as Critical or Security are automatically downloaded and applied on the VM.
• Patches are applied during off-peak hours in the VM’s time zone.
• Patch orchestration is managed by Azure and patches are applied following availability-first principles.
• Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.
• Works for all VM sizes.
On-demand patch assessments also available
“With automatic VM guest patching enabled, the VM is assessed periodically to determine the applicable patches for that VM,” Microsoft explains.
“Updates classified as ‘Critical’ or ‘Security’ are automatically downloaded and applied on the VM during off-peak hours. Patch orchestration is managed by Azure and patches are applied following availability-first principles.”
While Azure will perform periodic patch assessments for VMs where automatic VM guest patching is enabled, admins can also trigger on-demand patch assessments at any time, for any of their VMs.
“Patch assessment can take a few minutes to complete and the status of the latest assessment is updated on the VM’s instance view,” Microsoft adds.
How to enable automatic VM guest patching
“To enable automatic VM guest patching, ensure that the property osProfile.windowsConfiguration.enableAutomaticUpdates is set to true in the VM template definition. This property can only be set when creating the VM,” Microsoft says.
Once it is enabled on a virtual machine, the Azure platform automatically installs the Microsoft.CPlat.Core.WindowsPatchExtension extension; enablement can take up to three hours and happens during off-peak hours.
While in Public Preview, automatic VM guest patching only supports VMs created using a very short list of OS platform images — with more to be added periodically — including these Windows Server SKUs: 2012-R2-Datacenter, 2016-Datacenter, 2016-Datacenter-Server-Core, 2019-Datacenter, 2019-Datacenter-Server-Core.
For the feature to work, a virtual machine must have the Azure VM Agent installed, the Windows Update service running, be able to reach Windows Update endpoints, and use Compute API version 2020-06-01 or higher.
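As an added example (not Microsoft's code or anything from the announcement), a small Python checker that reads an ARM template and flags VM resources that would not qualify for the preview based on the requirements above: the enableAutomaticUpdates property, the Compute API version, the VM Agent, and the supported image SKUs. The template and VM name are constructed; `provisionVMAgent` is the standard osProfile property that controls the Azure VM Agent and is assumed here rather than quoted on this page.

```python
import json

# Windows Server image SKUs the preview supports (list from the article).
SUPPORTED_SKUS = {"2012-R2-Datacenter", "2016-Datacenter", "2016-Datacenter-Server-Core",
                  "2019-Datacenter", "2019-Datacenter-Server-Core"}
MIN_API_VERSION = "2020-06-01"  # Compute API version the feature needs

# Constructed ARM template fragment with one Windows VM (hypothetical name).
TEMPLATE = json.loads("""{
  "resources": [{
    "type": "Microsoft.Compute/virtualMachines",
    "apiVersion": "2020-06-01",
    "name": "example-vm",
    "properties": {
      "storageProfile": {"imageReference": {"publisher": "MicrosoftWindowsServer",
        "offer": "WindowsServer", "sku": "2019-Datacenter", "version": "latest"}},
      "osProfile": {"windowsConfiguration": {"provisionVMAgent": true,
                                             "enableAutomaticUpdates": true}}
    }
  }]
}""")

def check_vm(resource):
    """Return findings explaining why automatic VM guest patching would not
    apply to this VM resource; an empty list means the template looks right.
    Runtime prerequisites (Windows Update service running, reachability of
    Windows Update endpoints) cannot be judged from a template."""
    if resource.get("type") != "Microsoft.Compute/virtualMachines":
        return ["not a virtual machine resource"]
    findings = []
    # Compute API versions are ISO dates, so plain string comparison orders them.
    if resource.get("apiVersion", "") < MIN_API_VERSION:
        findings.append(f"apiVersion must be {MIN_API_VERSION} or later")
    props = resource.get("properties", {})
    win = props.get("osProfile", {}).get("windowsConfiguration", {})
    if win.get("provisionVMAgent") is not True:
        findings.append("provisionVMAgent must be true (Azure VM Agent is required)")
    if win.get("enableAutomaticUpdates") is not True:
        findings.append("osProfile.windowsConfiguration.enableAutomaticUpdates must be true")
    sku = props.get("storageProfile", {}).get("imageReference", {}).get("sku")
    if sku not in SUPPORTED_SKUS:
        findings.append(f"image SKU {sku!r} is not in the preview's supported list")
    return findings

def check_template(template):
    """Map each VM resource name in the template to its findings."""
    return {r["name"]: check_vm(r) for r in template.get("resources", [])
            if r.get("type") == "Microsoft.Compute/virtualMachines"}
```

Because the property can only be set at creation time, running a check like this against templates before deployment is cheaper than discovering an unpatched VM later.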
Until the feature starts rolling out, an opt-in procedure is needed to use it while in public preview.
The preview version is not recommended for production environments, since some of its features might have constrained capabilities or might not be supported yet.