Using Azure Update Management (AUM) you can schedule updates for your Azure VMs and report on their patch compliance. AUM is a feature of an Azure Automation account. You can of course create each schedule by hand in the portal, but that is time consuming and, well, manual. This is where PowerShell comes in.
If you don't have the Az PowerShell module installed yet, follow this Microsoft document: Install Azure PowerShell
The first job is to connect to your Azure account. If you have access to multiple subscriptions you also need to set which subscription to work with, namely the one that holds the automation account. Use the commands below to log in and set the subscription context for the session:

```powershell
Connect-AzAccount
Get-AzSubscription                                # list the subscriptions you can see
Set-AzContext -Subscription "subscriptionId"      # the subscription that holds the automation account
```
Once connected, get the automation account object that manages Update Management into a variable:

```powershell
$autoacc = Get-AzAutomationAccount -ResourceGroupName "rgName" -Name "autoAccName"
```
This step is optional: run the commands below only if you want to remove every existing Update Management schedule in the account before recreating them. It deletes all software update configurations, not just the ones this script created, so check the output of the first line before running the loop.

```powershell
$cfgs = $autoacc | Get-AzAutomationSoftwareUpdateConfiguration   # review this list first
foreach ($cfg in $cfgs) {
    $cfg | Remove-AzAutomationSoftwareUpdateConfiguration
}
```
One way, and I believe the best way, to make sure the VMs you want to update are patched is to target them with an Azure query rather than a static VM list. The query is dynamic: when the schedule runs it resolves the list of VMs to patch at that moment, so newly built VMs are picked up without editing the schedule. The query below covers all subscriptions in the current tenant that the signed-in account can see. Note that only VMs onboarded to Update Management (reporting to the automation account's linked Log Analytics workspace) are actually patched, whatever the query's scope.

```powershell
$tenantid = (Get-AzContext).Tenant.Id
$subs = Get-AzSubscription | Where-Object { $_.TenantId -eq $tenantid }

# Build the scope as a list of subscription resource IDs
$scope = @()
foreach ($sub in $subs) {
    $scope += "/subscriptions/" + $sub.Id
}

$query = $autoacc | New-AzAutomationUpdateManagementAzureQuery -Scope $scope
```
Once you have your Azure query you can create the schedule(s). The commands below create a Windows and a Linux Update Management schedule for each remaining month of the current year, starting with the current month. Each schedule runs 3 days after Patch Tuesday (the second Tuesday of the month) at 19:00 with a patching window of 5 hours. Feel free to change those values to suit your requirements. Two things to be aware of: the BST adjustment is checked against the schedule's own time zone rather than the machine the script runs on, so the result is the same wherever you run it; and Azure will reject a schedule whose start time is already in the past, so if this month's run date has passed, start the loop from next month.

```powershell
$year     = (Get-Date).Year
$month    = (Get-Date).Month
$duration = New-TimeSpan -Hours 5       # patching window
$hour     = 19                          # 19:00 start
$days     = 3                           # days after Patch Tuesday
$tzName   = "GMT Standard Time"
$tz       = [TimeZoneInfo]::FindSystemTimeZoneById($tzName)

while ($month -le 12) {
    # First day of the month at the chosen start time, then Patch Tuesday (second Tuesday)
    $day1      = [datetime]::new($year, $month, 1, $hour, 0, 0)
    $patchtues = (0..13 | ForEach-Object { $day1.AddDays($_) } | Where-Object { $_.DayOfWeek -eq 'Tuesday' })[1]
    $schstart  = $patchtues.AddDays($days)

    # Adjust for BST because the Azure portal doesn't apply the DST offset itself.
    # Checked against the schedule's time zone, not the local machine's.
    if ($tz.IsDaylightSavingTime($schstart)) { $schstart = $schstart.AddHours(1) }

    $prefix     = "{0}_{1:D2}" -f $year, $month
    $winschname = "${prefix}_windows"
    $linschname = "${prefix}_linux"

    $winsch = $autoacc | New-AzAutomationSchedule -Name $winschname -StartTime $schstart -TimeZone $tzName -OneTime -ForUpdateConfiguration
    $wincfg = $autoacc | New-AzAutomationSoftwareUpdateConfiguration -Windows -Schedule $winsch -AzureQuery $query `
                  -IncludedUpdateClassification Critical, Security -Duration $duration -RebootSetting IfRequired

    $linsch = $autoacc | New-AzAutomationSchedule -Name $linschname -StartTime $schstart -TimeZone $tzName -OneTime -ForUpdateConfiguration
    $lincfg = $autoacc | New-AzAutomationSoftwareUpdateConfiguration -Linux -Schedule $linsch -AzureQuery $query `
                  -IncludedPackageClassification Critical, Security -Duration $duration -RebootSetting IfRequired

    $month++
}
```
Combine all those commands into a script to quickly and repeatably create Azure Update Management schedules. Duplicate the schedule commands to create more than one schedule per month, for example to cater for patching phases, and add filters such as -Tag to the New-AzAutomationUpdateManagementAzureQuery command to limit which VMs a particular schedule patches.
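As an added example (not code from the original post), the following wraps the steps above into a function that creates one patching phase for one month, limited to VMs that carry a tag, and then reads back what Azure actually scheduled. It assumes the session, $autoacc and $scope built earlier on this page. The tag name PatchGroup, the phase values pilot and prod, and the function names are assumptions; adapt them to your own tagging convention.

```powershell
# Added example, not code from the original post. Assumes $autoacc and $scope
# from the steps above. The tag name "PatchGroup", the phase values ("pilot",
# "prod") and the function names are hypothetical.

function Get-PatchTuesday {
    # Second Tuesday of the month, at midnight.
    param([int]$Year, [int]$Month)
    $first = [datetime]::new($Year, $Month, 1)
    # Days from the 1st to the first Tuesday, then one more week.
    $toFirstTuesday = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($toFirstTuesday + 7)
}

function New-PhasedPatchSchedule {
    # Creates a Windows and a Linux update configuration for one phase of one month,
    # targeting only VMs tagged <TagName>=<Phase>. Returns the two configurations.
    param(
        [Parameter(Mandatory)] $AutomationAccount,          # from Get-AzAutomationAccount
        [Parameter(Mandatory)] [string[]]$Scope,            # "/subscriptions/<id>" entries
        [Parameter(Mandatory)] [int]$Year,
        [Parameter(Mandatory)] [int]$Month,
        [Parameter(Mandatory)] [string]$Phase,
        [Parameter(Mandatory)] [int]$DaysAfterPatchTuesday,
        [string]$TagName = 'PatchGroup',                    # hypothetical tag convention
        [int]$Hour = 19,
        [int]$DurationHours = 5,
        [string]$TimeZone = 'GMT Standard Time'
    )

    # Dynamic query: resolved when the schedule runs, so VMs tagged later are picked up.
    $query = $AutomationAccount | New-AzAutomationUpdateManagementAzureQuery `
        -Scope $Scope -Tag @{ $TagName = @($Phase) } -FilterOperator All

    $start = (Get-PatchTuesday -Year $Year -Month $Month).AddDays($DaysAfterPatchTuesday).AddHours($Hour)

    # Azure rejects a schedule whose start time is not in the future; skip months already gone.
    if ($start -le (Get-Date).AddMinutes(10)) {
        Write-Warning ("Skipping {0}-{1:D2} {2}: {3} is in the past" -f $Year, $Month, $Phase, $start)
        return
    }

    # Same BST workaround as in the post, checked against the schedule's own time zone.
    $tz = [TimeZoneInfo]::FindSystemTimeZoneById($TimeZone)
    if ($tz.IsDaylightSavingTime($start)) { $start = $start.AddHours(1) }

    $prefix   = '{0}_{1:D2}_{2}' -f $Year, $Month, $Phase
    $duration = New-TimeSpan -Hours $DurationHours
    $common   = @{ AzureQuery = $query; Duration = $duration; RebootSetting = 'IfRequired' }

    $winsch = $AutomationAccount | New-AzAutomationSchedule -Name "${prefix}_windows" `
        -StartTime $start -TimeZone $TimeZone -OneTime -ForUpdateConfiguration
    $wincfg = $AutomationAccount | New-AzAutomationSoftwareUpdateConfiguration -Windows `
        -Schedule $winsch -IncludedUpdateClassification Critical, Security @common

    $linsch = $AutomationAccount | New-AzAutomationSchedule -Name "${prefix}_linux" `
        -StartTime $start -TimeZone $TimeZone -OneTime -ForUpdateConfiguration
    $lincfg = $AutomationAccount | New-AzAutomationSoftwareUpdateConfiguration -Linux `
        -Schedule $linsch -IncludedPackageClassification Critical, Security @common

    return @($wincfg, $lincfg)
}

# Usage: a pilot ring 3 days after Patch Tuesday, production one week after that.
$y = (Get-Date).Year
$m = (Get-Date).Month
$created = @()
$created += New-PhasedPatchSchedule -AutomationAccount $autoacc -Scope $scope -Year $y -Month $m -Phase 'pilot' -DaysAfterPatchTuesday 3
$created += New-PhasedPatchSchedule -AutomationAccount $autoacc -Scope $scope -Year $y -Month $m -Phase 'prod'  -DaysAfterPatchTuesday 10

# Read back what the service actually scheduled (NextRun is computed by Azure) instead of
# trusting the time you asked for; a wrong DST adjustment shows up here, not at creation.
$autoacc | Get-AzAutomationSchedule |
    Where-Object Name -like "${y}_*" |
    Select-Object Name, StartTime, NextRun, TimeZone |
    Format-Table -AutoSize
```

With tag-filtered phases, a VM that carries no PatchGroup tag falls into no schedule at all, so pair this with a periodic check for untagged VMs (for example Get-AzVM filtered on a missing tag) or the gaps in coverage will be silent.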