Common corporate cybersecurity practices involve timely application of software updates that eliminate vulnerabilities that enable the implementation of specific cyberattacks on business systems. To facilitate the application of patches to virtual machines located in Azure, Microsoft recently announced the availability of a new feature called "Automatic VM guest patching". This article describes the characteristics and peculiarities of this solution that helps simplify the management of updates and achieve compliance in the security field.
The main features of Automatic VM guest patching are the following:
- Are automatically downloaded and applied to virtual machines in Azure patches classified as Critical or of security.
- Patches are applied during non-peak hours considering the time zone set on the virtual machine.
- Patch orchestration is managed by the Azure platform and patches are applied taking into account the native Azure availability principles.
- The health of the virtual machine, determined through Azure platform health signals, is monitored to detect any errors in the application of patches.
- Works for all Windows virtual machines, regardless of the configured size.
How to Install Updates on Windows Virtual Machines
Azure Windows Virtual Machines, thanks to the introduction of this new feature, support three different ways to install updates:
- Automatic managed by the operating system (Automatic Updates). This is the default method set for Windows virtual machines.
- Automatic managed by the Azure platform. This is the mode recently introduced and described in this article. This mode provides for the disabling of automatic updates on board the virtual machine. Enabling this mode on the virtual machine will install the extension CPlat.Core.WindowsPatchExtension, fully managed by the Azure platform.
- Manual. This mode, configured when different system patching solutions are adopted, disabling Automatic Updates.
Figure 1 – Choices for installing patches when creating a new VM
Requirements
Enabling the feature Automatic VM guest patching requires that the following requirements be met on the virtual machine:
- The Azure VM Agent must be installed.
- The Windows Update service must be running.
- Windows Update or Windows Server Update Services server endpoints must be reachable (WSUS).
- Compute APIs must be version 2020-06-01 or higher.
How the auto-update mechanism works?
Enabling the feature Automatic VM guest patching only critical and security-classified patches are automatically downloaded and applied to the system. This periodic update process starts automatically every month when new patches are released through Windows Update. The scanning mechanism ensures that all missing patches on the system are discovered as soon as possible, updates can be installed at any day during off-peak hours, and it happens within 30 days after Microsoft's monthly release of updates. This means that you do not have complete control over when you install updates. The upgrade process also involves restarting the virtual machine if it is required by patching.
The patch installation process is orchestrated globally by Azure for all virtual machines on which is enabled the feature Automatic VM guest patching and the principles of availability provided by Azure are covered.
For a group of virtual machines involved in the upgrade process, Azure platform will orchestrate updates taking into account the following principles.
Cross-distribution of updates on regions:
- To avoid errors globally in the distribution of updates, they will be released gradually on the different regions.
- An update phase can affect one or more regions and it can move on to the next phases only if the updates are completed successfully.
- The geo-paired regions are never updated at the same stage to avoid the simultaneous installation of updates.
Deploying updates within a region:
- VMs residing in different Availability Zones are not updated at the same time.
- VMs that are not part of an Availability Zones are grouped together to prevent updates from being distributed simultaneously on all VMs belonging to a specific subscription.
Deploying updates within an Availability Zone:
- VMs belonging to the same Availability Zones are not updated at the same time and updates will be installed in accordance with the Update Domain principle.
Conclusions
This new method provided by the Azure platform allows you to keep Windows systems updated in a simple way, direct and with very little administrative effort. However, often there is a need to have much greater control regarding the distribution of updates on systems and in the Azure environment it is possible to adopt the alternative and more complete solution called Update Management. This solution, compared to the feature Automatic VM guest patching, allows you to have total visibility on the compliance of updates for both Windows and Linux systems and allows you to schedule deployments for the installation of updates by defining specific maintenance windows.
