
Azure update management schedules using PowerShell

Using Azure update management (AUM) you can schedule updates for your Azure VMs and report on compliance. AUM is a feature of an Azure automation account. You can create each schedule manually, but that is time consuming and, well, manual. This is where PowerShell comes in.

Azure update management with an Azure automation account

If you don’t have the PowerShell Az module installed, follow this Microsoft document: Install Azure PowerShell

The first job is to connect (log in) to your Azure account. If you have access to multiple subscriptions, you also need to set which subscription to work with. Use the commands below to log in and set your subscription scope for the session:

Connect-AzAccount
Get-AzSubscription
Set-AzContext -Subscription "subscriptionId"

Once connected, get the automation account object that manages update management into a variable:

$autoacc = Get-AzAutomationAccount -ResourceGroupName "rgName" -Name "autoAccName"

This step is optional: run the commands below if you want to remove the existing Azure update management schedules. They remove every software update configuration in the automation account.

$cfgs = $autoacc | Get-AzAutomationSoftwareUpdateConfiguration

Foreach ($cfg in $cfgs) { $cfg | Remove-AzAutomationSoftwareUpdateConfiguration }

One way, and I believe the best way, to make sure the VMs you want to update are patched is to generate an Azure query. The query is dynamic, so when the schedule runs it resolves the list of VMs to patch at that moment in time. The query below covers all VMs in every subscription of the current tenant.

$tenantid = (Get-AzContext).Tenant.Id
$subs = Get-AzSubscription | where {$_.TenantId -eq $tenantid}
$scope = @()
Foreach ($sub in $subs) { $scope += "/subscriptions/" + $sub.Id }
$query =  $autoacc | New-AzAutomationUpdateManagementAzureQuery -Scope $scope

Once you have your Azure query you can proceed with creating the schedule(s). The commands below create a Windows and a Linux update management schedule for each month from the current month up to December of the current year. The schedules run 3 days after Patch Tuesday each month at 19:00 with a patching window of 5 hours. Obviously feel free to change those values as per your requirements.

$year = (Get-Date).Year
$month = (Get-Date).Month
$duration = New-TimeSpan -Hours 5
$time = "19:00"
$days = 3

while($month -le 12) {
  # First day of the month at the chosen time
  $day1 = [datetime]($month.ToString().PadLeft(2,'0') + "/01/" + $year.ToString() + " " + $time)
  # Patch Tuesday is the second Tuesday of the month
  $patchtues = (0..30 | % {$day1.adddays($_) } | ? {$_.dayofweek -like "Tue*"})[1]
  $winschname = $year.ToString() + "_" + $month.ToString().PadLeft(2,'0') + "_windows"
  $linschname = $year.ToString() + "_" + $month.ToString().PadLeft(2,'0') + "_linux"
  $schstart = $patchtues.AddDays($days)
  #Adjust for BST because Azure portal doesn't handle it
  if ((Get-Date -Date $schstart).IsDaylightSavingTime()) { $schstart = $schstart.AddHours(1) }
  # Skip the month if its start time has passed; a schedule must start at least 5 minutes in the future
  if ($schstart -lt (Get-Date).AddMinutes(5)) { $month++; continue }
  # One-time schedule plus update configuration for Windows, then the same for Linux
  $winsch = $autoacc | New-AzAutomationSchedule -Name $winschname -StartTime $schstart -TimeZone "GMT Standard Time" -OneTime -ForUpdateConfiguration
  $wincfg = $autoacc | New-AzAutomationSoftwareUpdateConfiguration -Windows -Schedule $winsch -AzureQuery $query -IncludedUpdateClassification Critical, Security -Duration $duration -RebootSetting IfRequired
  $linsch = $autoacc | New-AzAutomationSchedule -Name $linschname -StartTime $schstart -TimeZone "GMT Standard Time" -OneTime -ForUpdateConfiguration
  $lincfg = $autoacc | New-AzAutomationSoftwareUpdateConfiguration -Linux -Schedule $linsch -AzureQuery $query -IncludedPackageClassification Critical, Security -Duration $duration -RebootSetting IfRequired
  $month++
}

Combine all those commands into a script to quickly and easily create Azure update management schedules. Feel free to duplicate the commands to create more schedules in a month, for example to cater for patching phases. Add filters such as -Tag to the New-AzAutomationUpdateManagementAzureQuery command to limit the VMs in a particular schedule.
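
The patching-phase idea above, as an added example that is not part of the original post: it creates two Windows schedules per month, each bound to its own tag-filtered Azure query, so a test ring is patched a week before production. The tag name PatchPhase, its values test and prod, the 3- and 10-day offsets and the helper Get-PatchTuesday are assumptions; Linux schedules follow the same pattern with -Linux and -IncludedPackageClassification.

```powershell
# Added example (not from the original post): two patching phases selected by VM tag.
# Assumed: tag name "PatchPhase", values "test"/"prod", offsets of 3 and 10 days.
$autoacc  = Get-AzAutomationAccount -ResourceGroupName "rgName" -Name "autoAccName"
$tenantid = (Get-AzContext).Tenant.Id
$scope    = @(Get-AzSubscription | Where-Object { $_.TenantId -eq $tenantid } |
    ForEach-Object { "/subscriptions/" + $_.Id })

$phases = @(
    @{ Name = "test"; Days = 3 },    # early ring
    @{ Name = "prod"; Days = 10 }    # one week after the test ring
)
$duration = New-TimeSpan -Hours 5
$year     = (Get-Date).Year

# Hypothetical helper: second Tuesday of the month at 19:00, built culture-independently
function Get-PatchTuesday([int]$Year, [int]$Month) {
    $first = [datetime]::new($Year, $Month, 1, 19, 0, 0)
    (0..13 | ForEach-Object { $first.AddDays($_) } |
        Where-Object { $_.DayOfWeek -eq [DayOfWeek]::Tuesday })[1]
}

foreach ($month in (Get-Date).Month..12) {
    foreach ($phase in $phases) {
        $start = (Get-PatchTuesday $year $month).AddDays($phase.Days)
        # Same BST adjustment as in the post
        if ($start.IsDaylightSavingTime()) { $start = $start.AddHours(1) }
        # A schedule must start at least 5 minutes in the future
        if ($start -lt (Get-Date).AddMinutes(5)) { continue }

        # Dynamic query: only VMs tagged PatchPhase=<phase> are resolved at run time
        $query = $autoacc | New-AzAutomationUpdateManagementAzureQuery -Scope $scope `
            -Tag @{ "PatchPhase" = @($phase.Name) }

        $name = "{0}_{1:d2}_windows_{2}" -f $year, $month, $phase.Name
        $sch  = $autoacc | New-AzAutomationSchedule -Name $name -StartTime $start `
            -TimeZone "GMT Standard Time" -OneTime -ForUpdateConfiguration
        $autoacc | New-AzAutomationSoftwareUpdateConfiguration -Windows -Schedule $sch `
            -AzureQuery $query -IncludedUpdateClassification Critical, Security `
            -Duration $duration -RebootSetting IfRequired | Out-Null
    }
}
```

VMs that carry neither tag value are matched by no query here, so check tag coverage before relying on these schedules for compliance.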
