Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets
Enabling automatic guest patching for your Azure Virtual Machines (VMs) and Scale Sets (VMSS) helps ease update management by safely and automatically patching virtual machines to maintain security compliance, while limiting the blast radius of VMs.
Automatic VM guest patching has the following characteristics:
- Patches classified as Critical or Security are automatically downloaded and applied on the VM.
- Patches are applied during off-peak hours for IaaS VMs in the VM's time zone.
- Patches are applied during all hours for VMSS Flex.
- Azure manages the patch orchestration and follows availability-first principles.
- Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.
- Application health can be monitored through the Application Health extension.
- Works for all VM sizes.
How does automatic VM guest patching work?
If automatic VM guest patching is enabled on a VM, then the available Critical and Security patches are downloaded and applied automatically on the VM. This process kicks off automatically every month when new patches are released. Patch assessment and installation are automatic, and the process includes rebooting the VM as configured. The rebootSetting parameter on the VM Model takes precedence over settings in another system, such as Maintenance Configuration.
The VM is assessed periodically every few days and multiple times within any 30-day period to determine the applicable patches for that VM. The patches can be installed any day on the VM during off-peak hours for the VM. This automatic assessment ensures that any missing patches are discovered at the earliest possible opportunity.
Patches are installed within 30 days of the monthly patch releases, following availability-first orchestration. Patches are installed only during off-peak hours for the VM, depending on the time zone of the VM. The VM must be running during the off-peak hours for patches to be automatically installed. If a VM is powered off during a periodic assessment, the platform automatically assesses it and applies patches (if necessary) during the next periodic assessment (usually within a few days) after the VM is powered on.
Definition updates and other patches not classified as Critical or Security won't be installed through automatic VM guest patching. To install patches with other patch classifications or schedule patch installation within your own custom maintenance window, you can use Azure Update Manager.
Enabling Automatic Guest Patching on single-instance VMs or Virtual Machine Scale Sets in Flexible orchestration mode allows the Azure platform to update your fleet in phases. Phased deployment follows Azure's Safe Deployment Practices and reduces the impact radius if any issues are identified with the latest update. Health monitoring is recommended for single-instance VMs and required for Virtual Machine Scale Sets in Flexible orchestration mode to detect any issues with the update.
Availability-first Updates
Azure orchestrates the patch installation process across all public and private clouds for VMs that have enabled Automatic Guest Patching. The orchestration follows availability-first principles across different levels of availability provided by Azure.
For a group of virtual machines undergoing an update, the Azure platform orchestrates updates:
Across regions:
- A monthly update is orchestrated across Azure globally in a phased manner to prevent global deployment failures.
- A phase can have one or more regions, and an update moves to the next phase only if the eligible VMs in the current phase update successfully.
- Geo-paired regions aren't updated concurrently and can't be in the same regional phase.
- The success of an update is measured by tracking the VM’s health post update. VM Health is tracked through platform health indicators for the VM.
Within a region:
- VMs in different Availability Zones aren't updated concurrently with the same update.
- VMs that aren't part of an availability set are batched on a best effort basis to avoid concurrent updates for all VMs in a subscription.
Within an availability set:
- VMs in a common availability set aren't all updated concurrently.
- VMs in a common availability set are updated within Update Domain boundaries and VMs across multiple Update Domains aren't updated concurrently.
- In an Update Domain, no more than 20% of the VMs within an availability set are updated at a time. For availability sets with fewer than 10 VMs, VMs update one at a time within an Update Domain.
Restricting the number of concurrently patched VMs across regions, within a region, or within an availability set limits the impact of a faulty patch on a given set of VMs. With health monitoring, any potential issues are flagged before they impact the entire workload.
The patch installation date for a given VM may vary month-to-month, as a specific VM may be picked up in a different batch between monthly patching cycles.
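The availability-set rules above, carried into a small batch planner as an added example. This is not Azure's orchestration code, only a model of the rules the page states: Update Domains are walked one at a time, a batch never mixes UDs, at most 20% of the availability set is in flight (one VM at a time below 10 VMs), and a plan can be audited against those rules. Rounding the 20% down, the VM names and the UD assignments are all assumptions made for the example.

```python
"""Batch planner modelling the availability-set rules above (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vm:
    name: str
    update_domain: int  # UD the availability set placed the VM in


def batch_size(set_size: int) -> int:
    """Most VMs that may be in flight at once inside one UD.

    Below 10 VMs the page says one at a time; otherwise no more than 20% of the
    availability set (rounded down here; the rounding is an assumption).
    """
    if set_size < 10:
        return 1
    return max(1, set_size // 5)


def plan_batches(vms: list[Vm]) -> list[list[str]]:
    """Order VMs into patch batches: UDs in sequence, never mixed in a batch."""
    size = batch_size(len(vms))
    by_ud: dict[int, list[str]] = defaultdict(list)
    for vm in sorted(vms, key=lambda v: (v.update_domain, v.name)):
        by_ud[vm.update_domain].append(vm.name)
    batches: list[list[str]] = []
    for ud in sorted(by_ud):
        names = by_ud[ud]
        batches.extend(names[i:i + size] for i in range(0, len(names), size))
    return batches


def check_plan(vms: list[Vm], batches: list[list[str]]) -> list[str]:
    """Audit any plan against the rules; an empty list means compliant."""
    ud_of = {vm.name: vm.update_domain for vm in vms}
    limit = batch_size(len(vms))
    problems: list[str] = []
    seen: list[str] = []
    for n, batch in enumerate(batches):
        if len({ud_of[name] for name in batch}) > 1:
            problems.append(f"batch {n} mixes VMs from different update domains")
        if len(batch) > limit:
            problems.append(f"batch {n} has {len(batch)} VMs; limit is {limit}")
        seen.extend(batch)
    if sorted(seen) != sorted(ud_of):
        problems.append("plan does not patch every VM exactly once")
    return problems


# Constructed sample: 12 web VMs spread over 3 update domains.
SAMPLE_SET = [Vm(f"web{i:02d}", i % 3) for i in range(12)]

if __name__ == "__main__":
    plan = plan_batches(SAMPLE_SET)
    for n, batch in enumerate(plan):
        print(f"batch {n}: {batch}")
    print("violations:", check_plan(SAMPLE_SET, plan))
```

With the 12-VM sample the planner yields six batches of two, each confined to one UD; `check_plan` is the part worth keeping around, since it flags a plan that mixes UDs or exceeds the 20% limit regardless of who produced it.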
Which patches are installed?
The patches installed depend on the rollout stage for the VM. Every month, a new global rollout is started where all security and critical patches assessed for an individual VM are installed for that VM. The rollout is orchestrated across all Azure regions in batches.
The exact set of patches to be installed varies based on the VM configuration, including OS type, and assessment timing. It's possible for two identical VMs in different regions to get different patches installed if more or fewer patches are available when the patch orchestration reaches those regions at different times. Similarly, but less frequently, VMs within the same region but assessed at different times (because they fall into different Availability Zone or Availability Set batches) might get different patches.
As the Automatic VM Guest Patching doesn't configure the patch source, two similar VMs configured to different patch sources, such as public repository vs private repository, may also see a difference in the exact set of patches installed.
For OS types that release patches on a fixed cadence, VMs configured to the public repository for the OS can expect to receive the same set of patches across the different rollout phases in a month. For example, Windows VMs configured to the public Windows Update repository.
As a new rollout is triggered every month, a VM receives at least one patch rollout every month if the VM is powered on during off-peak hours. This process ensures that the VM is patched with the latest available security and critical patches on a monthly basis. To ensure consistency in the set of patches installed, you can configure your VMs to assess and download patches from your own private repositories.
Supported OS images
Important
Automatic VM guest patching, on-demand patch assessment and on-demand patch installation are supported only on VMs created from images with the exact combination of publisher, offer and sku from the supported OS images list below. Custom images or any other publisher, offer, sku combinations aren't supported. More images are added periodically. Don't see your SKU in the list? Request support by filling out an Image Support Request.
Supported Windows Images (Hotpatchable)
Publisher | OS Offer | Sku |
---|---|---|
MicrosoftWindowsServer | WindowsServer | 2022-datacenter-azure-edition-core |
MicrosoftWindowsServer | WindowsServer | 2022-datacenter-azure-edition-core-smalldisk |
MicrosoftWindowsServer | WindowsServer | 2022-datacenter-azure-edition-hotpatch |
MicrosoftWindowsServer | WindowsServer | 2022-datacenter-azure-edition-hotpatch-smalldisk |
MicrosoftWindowsServer | WindowsServer | 2025-datacenter-azure-edition |
MicrosoftWindowsServer | WindowsServer | 2025-datacenter-azure-edition-smalldisk |
MicrosoftWindowsServer | WindowsServer | 2025-datacenter-azure-edition-core |
MicrosoftWindowsServer | WindowsServer | 2025-datacenter-azure-edition-core-smalldisk |
Supported Windows Images (non-Hotpatchable)
Publisher | OS Offer | Sku |
---|---|---|
MicrosoftWindowsServer | WindowsServer | 2008-R2-SP1 |
MicrosoftWindowsServer | WindowsServer | 2012-R2-Datacenter |
MicrosoftWindowsServer | WindowsServer | 2012-R2-Datacenter-gensecond |
MicrosoftWindowsServer | WindowsServer | 2012-R2-Datacenter-smalldisk |
MicrosoftWindowsServer | WindowsServer | 2012-R2-Datacenter-smalldisk-g2 |
MicrosoftWindowsServer | WindowsServer | 2016-Datacenter |
MicrosoftWindowsServer | WindowsServer | 2016-datacenter-gensecond |
MicrosoftWindowsServer | WindowsServer | 2016-Datacenter-Server-Core |
MicrosoftWindowsServer | WindowsServer | 2016-datacenter-smalldisk |
MicrosoftWindowsServer | WindowsServer | 2016-datacenter-with-containers |
MicrosoftWindowsServer | WindowsServer | 2019-Datacenter |
MicrosoftWindowsServer | WindowsServer | 2019-Datacenter-Core |
MicrosoftWindowsServer | WindowsServer | 2019-datacenter-gensecond |
MicrosoftWindowsServer | WindowsServer | 2019-datacenter-smalldisk |
MicrosoftWindowsServer | WindowsServer | 2019-datacenter-smalldisk-g2 |
MicrosoftWindowsServer | WindowsServer | 2019-datacenter-with-containers |
MicrosoftWindowsServer | WindowsServer | 2022-datacenter |
MicrosoftWindowsServer | WindowsServer | 2022-datacenter-smalldisk |
MicrosoftWindowsServer | WindowsServer | 2022-datacenter-smalldisk-g2 |
MicrosoftWindowsServer | WindowsServer | 2022-datacenter-g2 |
MicrosoftWindowsServer | WindowsServer | 2022-datacenter-core |
MicrosoftWindowsServer | WindowsServer | 2022-datacenter-core-g2 |
MicrosoftWindowsServer | WindowsServer | 2022-datacenter-azure-edition |
Supported Linux Images
Publisher | OS Offer | Sku |
---|---|---|
Canonical | UbuntuServer | 16.04-LTS |
Canonical | UbuntuServer | 16.04.0-LTS |
Canonical | UbuntuServer | 18.04-LTS |
Canonical | UbuntuServer | 18.04-LTS-gen2 |
Canonical | 0001-com-ubuntu-pro-bionic | pro-18_04-lts |
Canonical | 0001-com-ubuntu-server-focal | 20_04-lts |
Canonical | 0001-com-ubuntu-server-focal | 20_04-lts-gen2 |
Canonical | 0001-com-ubuntu-pro-focal | pro-20_04-lts |
Canonical | 0001-com-ubuntu-pro-focal | pro-20_04-lts-gen2 |
Canonical | 0001-com-ubuntu-server-jammy | 22_04-lts |
Canonical | 0001-com-ubuntu-server-jammy | 22_04-lts-gen2 |
microsoftcblmariner | cbl-mariner | cbl-mariner-1 |
microsoftcblmariner | cbl-mariner | 1-gen2 |
microsoftcblmariner | cbl-mariner | cbl-mariner-2 |
microsoftcblmariner | cbl-mariner | cbl-mariner-2-gen2 |
Redhat | RHEL | 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7_9, 7-RAW, 7-LVM |
Redhat | RHEL | 8, 8.1, 81gen2, 8.2, 82gen2, 8_3, 83-gen2, 8_4, 84-gen2, 8_5, 85-gen2, 8_6, 86-gen2, 8_7, 8_8, 8-lvm, 8-lvm-gen2 |
Redhat | RHEL | 9_0, 9_1, 9-lvm, 9-lvm-gen2 |
Redhat | RHEL-RAW | 8-raw, 8-raw-gen2 |
SUSE | sles-12-sp5 | gen1, gen2 |
SUSE | sles-15-sp2 | gen1, gen2 |
Patch orchestration modes
VMs on Azure now support the following patch orchestration modes:
AutomaticByPlatform (Azure-orchestrated patching):
- This mode is supported for both Linux and Windows VMs.
- This mode enables automatic VM guest patching for the virtual machine and subsequent patch installation is orchestrated by Azure.
- During the installation process, this mode assesses the VM for available patches and saves the details in Azure Resource Graph.
- This mode is required for availability-first patching.
- This mode is only supported for VMs that are created using the supported OS platform images above.
- For Windows VMs, setting this mode also disables the native Automatic Updates on the Windows virtual machine to avoid duplication.
- To use this mode on Linux VMs, set the property `osProfile.linuxConfiguration.patchSettings.patchMode=AutomaticByPlatform` in the VM template.
- To use this mode on Windows VMs, set the property `osProfile.windowsConfiguration.patchSettings.patchMode=AutomaticByPlatform` in the VM template.
- Enabling this mode sets the Registry Key `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate` to 1.
AutomaticByOS:
- This mode is supported only for Windows VMs.
- This mode enables Automatic Updates on the Windows virtual machine, and patches are installed on the VM through Automatic Updates.
- This mode doesn't support availability-first patching.
- This mode is set by default if no other patch mode is specified for a Windows VM.
- To use this mode on Windows VMs, set the property `osProfile.windowsConfiguration.enableAutomaticUpdates=true`, and set the property `osProfile.windowsConfiguration.patchSettings.patchMode=AutomaticByOS` in the VM template.
- Enabling this mode sets the Registry Key `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate` to 0.
Manual:
- This mode is supported only for Windows VMs.
- This mode disables Automatic Updates on the Windows virtual machine. When deploying a VM using CLI or PowerShell, setting `--enable-auto-updates` to `false` also sets `patchMode` to `manual` and disables Automatic Updates.
- This mode doesn't support availability-first patching.
- This mode should be set when using custom patching solutions.
- To use this mode on Windows VMs, set the property `osProfile.windowsConfiguration.enableAutomaticUpdates=false`, and set the property `osProfile.windowsConfiguration.patchSettings.patchMode=Manual` in the VM template.
- Enabling this mode sets the Registry Key `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate` to 1.
ImageDefault:
- This mode is supported only for Linux VMs.
- This mode doesn't support availability-first patching.
- This mode honors the default patching configuration in the image used to create the VM.
- This mode is set by default if no other patch mode is specified for a Linux VM.
- To use this mode on Linux VMs, set the property `osProfile.linuxConfiguration.patchSettings.patchMode=ImageDefault` in the VM template.
Note
For Windows VMs, the property `osProfile.windowsConfiguration.enableAutomaticUpdates` can only be set when the VM is first created. This impacts certain patch mode transitions. Switching between AutomaticByPlatform and Manual modes is supported on VMs that have `osProfile.windowsConfiguration.enableAutomaticUpdates=false`. Similarly, switching between AutomaticByPlatform and AutomaticByOS modes is supported on VMs that have `osProfile.windowsConfiguration.enableAutomaticUpdates=true`. Switching between AutomaticByOS and Manual modes isn't supported.
Azure recommends that Assessment Mode be enabled on a VM even if Azure orchestration isn't enabled for patching. This allows the platform to assess the VM every 24 hours for any pending updates and save the details in Azure Resource Graph. The platform performs an assessment to report consolidated results when the machine's desired patch configuration state is applied or confirmed. This is reported as a 'Platform'-initiated assessment.
Requirements for enabling automatic VM guest patching
- The virtual machine must have the Azure VM Agent for Windows or Linux installed.
- For Linux VMs, the Azure Linux agent must be version 2.2.53.1 or higher. Update the Linux agent if the current version is lower than the required version.
- For Windows VMs, the Windows Update service must be running on the virtual machine.
- The virtual machine must be able to access the configured update endpoints. If your virtual machine is configured to use private repositories for Linux or Windows Server Update Services (WSUS) for Windows VMs, the relevant update endpoints must be accessible.
- Use Compute API version 2021-03-01 or higher to access all functionality including on-demand assessment and on-demand patching.
- Custom images aren't currently supported.
- VMSS Flexible Orchestration requires the installation of Application Health extension. This is optional for IaaS VMs.
Enable automatic VM guest patching
Automatic VM guest patching can be enabled on any Windows or Linux VM that is created from a supported platform image.
REST API for Linux VMs
The following example describes how to enable automatic VM guest patching:
PUT on `/subscriptions/subscription_id/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVirtualMachine?api-version=2020-12-01`
{
"location": "<location>",
"properties": {
"osProfile": {
"linuxConfiguration": {
"provisionVMAgent": true,
"patchSettings": {
"patchMode": "AutomaticByPlatform"
}
}
}
}
}
REST API for Windows VMs
The following example describes how to enable automatic VM guest patching:
PUT on `/subscriptions/subscription_id/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVirtualMachine?api-version=2020-12-01`
{
"location": "<location>",
"properties": {
"osProfile": {
"windowsConfiguration": {
"provisionVMAgent": true,
"enableAutomaticUpdates": true,
"patchSettings": {
"patchMode": "AutomaticByPlatform"
}
}
}
}
}
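An added example that serves both the patch orchestration modes section (including the Note on which mode transitions are possible on an existing Windows VM) and the two REST bodies just shown. It is not Azure SDK code or code from the page: it builds the `osProfile` fragment for a Windows or Linux VM, refuses combinations the page rules out (for instance `Manual` with `enableAutomaticUpdates=true`), decides whether a mode change is legal given that `enableAutomaticUpdates` is fixed at creation, records the `NoAutoUpdate` registry value the platform writes for each mode, and assembles the PUT. The subscription ID, resource group, VM name and location are placeholders, and the default API version is the minimum the requirements section names; the page's own samples use 2020-12-01.

```python
"""Build and validate Azure VM patch settings before sending a PUT (constructed example)."""
from __future__ import annotations

import json

WINDOWS_MODES = {"AutomaticByPlatform", "AutomaticByOS", "Manual"}
LINUX_MODES = {"AutomaticByPlatform", "ImageDefault"}

# Value the platform writes to
# SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate for each Windows mode.
NO_AUTO_UPDATE_BY_MODE = {"AutomaticByPlatform": 1, "AutomaticByOS": 0, "Manual": 1}

# enableAutomaticUpdates value a Windows mode demands; None means either value works.
AUTO_UPDATES_REQUIRED = {"AutomaticByOS": True, "Manual": False, "AutomaticByPlatform": None}


def windows_patch_settings(patch_mode: str, enable_automatic_updates: bool) -> dict:
    """osProfile fragment for a Windows VM, rejecting inconsistent combinations."""
    if patch_mode not in WINDOWS_MODES:
        raise ValueError(f"unknown Windows patch mode {patch_mode!r}")
    need = AUTO_UPDATES_REQUIRED[patch_mode]
    if need is not None and need != enable_automatic_updates:
        raise ValueError(f"{patch_mode} requires enableAutomaticUpdates={json.dumps(need)}")
    return {
        "properties": {
            "osProfile": {
                "windowsConfiguration": {
                    "provisionVMAgent": True,
                    "enableAutomaticUpdates": enable_automatic_updates,
                    "patchSettings": {"patchMode": patch_mode},
                }
            }
        }
    }


def linux_patch_settings(patch_mode: str) -> dict:
    """osProfile fragment for a Linux VM."""
    if patch_mode not in LINUX_MODES:
        raise ValueError(f"unknown Linux patch mode {patch_mode!r}")
    return {
        "properties": {
            "osProfile": {
                "linuxConfiguration": {
                    "provisionVMAgent": True,
                    "patchSettings": {"patchMode": patch_mode},
                }
            }
        }
    }


def transition_allowed(current_mode: str, enable_automatic_updates: bool,
                       new_mode: str) -> tuple[bool, str]:
    """Can an existing Windows VM move from current_mode to new_mode?

    enableAutomaticUpdates is fixed at creation, so the target mode must accept
    the value the VM already carries; that is what rules out AutomaticByOS <-> Manual.
    """
    if new_mode not in WINDOWS_MODES:
        return False, f"unknown Windows patch mode {new_mode!r}"
    if new_mode == current_mode:
        return True, "no change"
    need = AUTO_UPDATES_REQUIRED[new_mode]
    if need is not None and need != enable_automatic_updates:
        return False, (f"{new_mode} needs enableAutomaticUpdates={json.dumps(need)}, "
                       f"but the VM was created with {json.dumps(enable_automatic_updates)}")
    return True, f"{current_mode} -> {new_mode} is allowed"


def vm_put_request(subscription_id: str, resource_group: str, vm_name: str,
                   location: str, body: dict, api_version: str = "2021-03-01") -> dict:
    """Assemble the PUT from the page; the default api-version is the page's stated minimum."""
    path = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Compute/virtualMachines/{vm_name}?api-version={api_version}")
    return {"method": "PUT", "path": path, "body": {"location": location, **body}}


if __name__ == "__main__":
    # Placeholder identifiers; nothing here talks to Azure.
    req = vm_put_request("00000000-0000-0000-0000-000000000000", "myResourceGroup",
                         "myVirtualMachine", "<location>",
                         windows_patch_settings("AutomaticByPlatform", True))
    print(json.dumps(req, indent=2))
    for cur, auto, new in [("AutomaticByOS", True, "Manual"),
                           ("Manual", False, "AutomaticByPlatform")]:
        print(cur, "->", new, transition_allowed(cur, auto, new))
```

Run `transition_allowed` against the VM's current `osProfile.windowsConfiguration` before issuing the PUT; a rejected transition otherwise surfaces only as an API error, and the `NO_AUTO_UPDATE_BY_MODE` table gives you the registry value to verify on the guest after the change lands.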
Azure PowerShell when creating a Windows VM
Use the Set-AzVMOperatingSystem cmdlet to enable automatic VM guest patching when creating a VM.
Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $ComputerName -Credential $Credential -ProvisionVMAgent -EnableAutoUpdate -PatchMode "AutomaticByPlatform"
Azure PowerShell when updating a Windows VM
Use the Set-AzVMOperatingSystem and