
Enable Automatic OS Upgrades

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-022

Ensure that operating system (OS) upgrades are automatically applied to your Microsoft Azure virtual machine scale sets when a newer version of the OS image is released by the image publisher. The Automatic OS Upgrades feature supports both Windows and Linux images and can be enabled for all virtual machine sizes. An automatic OS upgrade works by replacing the boot (OS) disk of a virtual machine instance running within a scale set with a new disk created from the latest available image version. Any configured extensions and custom data scripts are run on the new OS disk, while persisted data disks are retained. To minimize application downtime, the upgrades take place in multiple batches, with a maximum of 20% of the scale set upgrading at any time.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.


Enabling automatic OS image upgrades for your VM scale sets can help ease update management by safely and securely upgrading the instance OS disks. With automatic OS upgrades enabled, you don't have to manually manage image updates on your scale set. The Azure OS upgrade orchestrator will automatically apply the latest available image version to your virtual machine scale set instances without any manual intervention.

Note: The OS platform images currently supported by the feature are listed at this URL.


Audit

To determine if the Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine scale set to list only the Azure virtual machine scale sets created in the selected subscription.

05 Click on the name of the virtual machine scale set that you want to examine.

06 In the navigation panel, under Settings, select Operating system to view the configuration details of the operating system (OS) image used by the VM instances within the selected scale set.

07 On the Operating system page, check the Automatic OS upgrades configuration attribute value. If the attribute value is set to Off, the Automatic OS Upgrades feature is not enabled for the selected Microsoft Azure virtual machine scale set.

08 Repeat steps no. 5 – 7 for each Azure virtual machine scale set available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
  "abcd1234-abcd-1234-abcd-abcd1234abcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run vmss list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each virtual machine scale set deployed in the selected Azure subscription:

az vmss list \
	--subscription abcd1234-abcd-1234-abcd-abcd1234abcd \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return the name and the resource group of each virtual machine scale set:

Name                    ResourceGroup
---------------------   ------------------------------
cc-web-prod-scale-set   cloud-shell-storage-westeurope
cc-web-test-scale-set   cloud-shell-storage-westeurope

05 Run vmss show command (Windows/macOS/Linux) using the name of the virtual machine scale set that you want to examine as the identifier parameter, to describe the status of the Automatic OS Upgrades feature for the selected VM scale set:

az vmss show \
	--name cc-web-prod-scale-set \
	--resource-group cloud-shell-storage-westeurope \
	--query '{"AutomaticOsUpgrades": upgradePolicy.automaticOsUpgradePolicy.enableAutomaticOsUpgrade}'

06 The command output should return the requested feature status:

{
  "AutomaticOsUpgrades": false
}

If the "AutomaticOsUpgrades" configuration attribute value is set to null or false, as shown in the output example above, the Automatic OS Upgrades feature is not currently enabled for the selected Microsoft Azure virtual machine scale set.

07 Repeat steps no. 5 and 6 for each Azure virtual machine scale set provisioned in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable automatic OS image upgrades for your Microsoft Azure virtual machine scale sets, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine scale set to list only the Azure virtual machine scale sets created in the selected subscription.

05 Click on the name of the virtual machine scale set that you want to remediate.

06 In the navigation panel, under Settings, select Operating system to view the configuration details of the operating system (OS) image used by the VM instances within the selected scale set.

07 On the Operating system page, set the Automatic OS upgrades configuration attribute to On. Click Save to apply the configuration change.

08 Repeat steps no. 5 – 7 for each Azure virtual machine scale set available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vmss update command (Windows/macOS/Linux) using the name of the virtual machine scale set that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right resource), to enable automatic OS image upgrades for the selected Azure virtual machine scale set. The following command request example enables automatic OS upgrades for a VM scale set named "cc-web-prod-scale-set" deployed in a resource group named "cloud-shell-storage-westeurope":

az vmss update \
	--name cc-web-prod-scale-set \
	--resource-group cloud-shell-storage-westeurope \
	--set UpgradePolicy.AutomaticOSUpgradePolicy.EnableAutomaticOSUpgrade=true \
	--query 'upgradePolicy'

02 The command output should return the enabled feature configuration metadata:

{
  "automaticOsUpgradePolicy": {
    "disableAutomaticRollback": false,
    "enableAutomaticOsUpgrade": true
  },
  "mode": "Manual",
  "rollingUpgradePolicy": {
    "maxBatchInstancePercent": 20,
    "maxUnhealthyInstancePercent": 20,
    "maxUnhealthyUpgradedInstancePercent": 20,
    "pauseTimeBetweenBatches": "PT0S"
  }
}

03 Repeat steps no. 1 and 2 to enable automatic OS upgrades for other Azure virtual machine scale sets available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
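The Audit and Remediation CLI procedures above are a loop over subscriptions and scale sets in which only a literal true for enableAutomaticOsUpgrade counts as compliant (null and false both mean the feature is off). The following Python script is an added example, not Conformity's or Azure's own code: it applies that classification to an inventory shaped like the JSON that az vmss show returns and builds the az vmss update command from the Remediation section for every non-compliant scale set. The inventory is constructed sample data (the scale set cc-api-prod-scale-set and resource group cc-api-rg are made up for the example); in real use you would fill it from the az account list and az vmss show calls shown above. The --subscription argument in the generated command is an addition so the command targets the right subscription when run from a loop.

```python
import json
from dataclasses import dataclass

# Constructed sample inventory, keyed by subscription ID and holding only the
# fields of `az vmss show` output that the check needs. The first scale set has
# the feature explicitly disabled, the second has no automaticOsUpgradePolicy at
# all (the CLI returns null), and the third (a made-up name) is compliant.
SAMPLE_INVENTORY = {
    "abcd1234-abcd-1234-abcd-abcd1234abcd": [
        json.loads("""{
            "name": "cc-web-prod-scale-set",
            "resourceGroup": "cloud-shell-storage-westeurope",
            "upgradePolicy": {
                "mode": "Manual",
                "automaticOsUpgradePolicy": {
                    "disableAutomaticRollback": false,
                    "enableAutomaticOsUpgrade": false
                }
            }
        }"""),
        json.loads("""{
            "name": "cc-web-test-scale-set",
            "resourceGroup": "cloud-shell-storage-westeurope",
            "upgradePolicy": {"mode": "Manual", "automaticOsUpgradePolicy": null}
        }"""),
        json.loads("""{
            "name": "cc-api-prod-scale-set",
            "resourceGroup": "cc-api-rg",
            "upgradePolicy": {
                "mode": "Manual",
                "automaticOsUpgradePolicy": {
                    "disableAutomaticRollback": false,
                    "enableAutomaticOsUpgrade": true
                }
            }
        }"""),
    ],
}


@dataclass(frozen=True)
class Finding:
    subscription_id: str
    name: str
    resource_group: str
    status: str  # "enabled", "disabled" or "not-configured"


def auto_os_upgrade_status(vmss: dict) -> str:
    """Classify enableAutomaticOsUpgrade the way the audit step does:
    only a literal true is "enabled"; false is "disabled"; a null or missing
    policy is "not-configured", which the rule also treats as non-compliant."""
    policy = (vmss.get("upgradePolicy") or {}).get("automaticOsUpgradePolicy") or {}
    value = policy.get("enableAutomaticOsUpgrade")
    if value is True:
        return "enabled"
    if value is False:
        return "disabled"
    return "not-configured"


def audit(inventory: dict) -> list:
    """Walk every subscription and every scale set in it (audit steps 3 to 8)
    and return one Finding per scale set."""
    findings = []
    for subscription_id, scale_sets in inventory.items():
        for vmss in scale_sets:
            findings.append(Finding(
                subscription_id=subscription_id,
                name=vmss["name"],
                resource_group=vmss["resourceGroup"],
                status=auto_os_upgrade_status(vmss),
            ))
    return findings


def non_compliant(findings: list) -> list:
    """Keep only scale sets that fail rule VirtualMachines-022."""
    return [f for f in findings if f.status != "enabled"]


def remediation_command(finding: Finding) -> str:
    """Build the `az vmss update` call from the Remediation section for one
    finding. --subscription is added here (not in the page's example) so the
    command is unambiguous when generated for several subscriptions."""
    return (
        "az vmss update"
        f" --subscription {finding.subscription_id}"
        f" --name {finding.name}"
        f" --resource-group {finding.resource_group}"
        " --set UpgradePolicy.AutomaticOSUpgradePolicy.EnableAutomaticOSUpgrade=true"
    )


if __name__ == "__main__":
    # Print one remediation command per non-compliant scale set; nothing is executed.
    for finding in non_compliant(audit(SAMPLE_INVENTORY)):
        print(f"{finding.name} ({finding.status}): {remediation_command(finding)}")
```

Running the script prints a remediation command for cc-web-prod-scale-set (disabled) and cc-web-test-scale-set (not-configured) and nothing for the compliant scale set; review the generated commands before running them, since enabling the feature also makes the scale set subject to the rolling upgrade batches described above.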


Publication date Oct 26, 2020