Question about VM update and Policy

Handinata Tanudjaja 120 Reputation points
2025-01-20T21:09:16.9266667+00:00

Hi everyone,

I have been tasked to create a policy that will do a weekly VM update at a certain time, but I have been reading more about this and, if my understanding is correct, policy is not meant to be used this way.

My understanding is I will need to do this scheduled weekly VM update via Update Manager's Maintenance Configuration.
Is this correct?

Also, part of the requirement is that I will need to be able to handle update failures by disabling the scheduled auto-update on a VM that has a failed update.
Could this be done via a policy?

Thank you

Azure Policy: An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
Azure Update Manager: An Azure service to centrally manage updates and compliance at scale.

Accepted answer
Marcin Policht 33,365 Reputation points MVP
2025-01-20T21:20:38.2+00:00

Your understanding is correct: Azure Policy is not designed for managing scheduled VM updates. Instead, Azure Update Manager is the appropriate tool for this scenario.

You might want to consider the following approach:

1. Scheduling Weekly VM Updates

You should use Update Manager's Maintenance Configuration to schedule weekly updates. Maintenance configurations allow you to specify:
• The frequency of updates (e.g., weekly).
• The time window for updates.
• The specific VMs or VM groups to include in the maintenance scope.

Steps:

1. Navigate to Azure Update Manager in the Azure portal.
2. Create a Maintenance Configuration with a weekly schedule and specify the time.
3. Assign this configuration to the target VMs or VM groups.

2. Handling Update Failures

Disabling auto-update for a VM after an update failure can be handled indirectly by scripting and automation. Azure Policy itself cannot dynamically disable scheduled updates based on the success or failure of previous updates. However, you can achieve this with Azure Automation, Runbooks, and Logic Apps. Here's how:

1. Monitor Update Status: Use Azure Update Manager's built-in reporting to track update failures. Alternatively, enable Azure Monitor or Log Analytics to capture update statuses.
2. Automate Response to Failures: Create an Azure Automation Runbook or Logic App to:
  • Check for VMs with update failures using logs.
  • Modify or remove the maintenance configuration for the affected VMs to disable auto-updates.
3. Integrate with Alerts: Set up an alert in Azure Monitor to trigger the automation process when an update failure is detected.

For example:

1. Log Update Failures:
  • Use Update Manager logs in Log Analytics to monitor the OperationName and ResultType fields for update failures.
2. Trigger Automation:
  • Use an alert in Azure Monitor to invoke a Runbook or Logic App.
3. Runbook Example:

     # Requires the Az.OperationalInsights and Az.Maintenance modules and a signed-in Az session.
     # Replace <LogAnalyticsWorkspaceId> with the workspace GUID; ResourceGroup is needed to address the VM later.
     $query = "AzureDiagnostics | where OperationName == 'UpdateDeployment' and ResultType == 'Failed' | distinct Resource, ResourceGroup"

     # Invoke-AzOperationalInsightsQuery runs the KQL query; the matching rows are returned in .Results
     $failedVMs = (Invoke-AzOperationalInsightsQuery -WorkspaceId "<LogAnalyticsWorkspaceId>" -Query $query).Results

     foreach ($vm in $failedVMs) {
         # Find every maintenance configuration assigned to this VM and detach it,
         # which removes the VM from the scheduled update window.
         $assignments = Get-AzConfigurationAssignment -ResourceGroupName $vm.ResourceGroup `
             -ProviderName "Microsoft.Compute" -ResourceType "virtualMachines" -ResourceName $vm.Resource
         foreach ($assignment in $assignments) {
             Remove-AzConfigurationAssignment -ResourceGroupName $vm.ResourceGroup `
                 -ProviderName "Microsoft.Compute" -ResourceType "virtualMachines" `
                 -ResourceName $vm.Resource -ConfigurationAssignmentName $assignment.Name
         }
         Write-Output "Disabled auto-update for VM: $($vm.Resource)"
     }

4. Re-enable Updates Manually:
  • Investigate the failure, resolve the issue, and reassign the VM to the maintenance configuration.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
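As an added example, not part of the answer above: the failure-triage step of the runbook reproduced offline in Python over constructed rows shaped like the AzureDiagnostics columns the answer queries (TimeGenerated, Resource, ResourceGroup, OperationName, ResultType). It goes one step beyond the answer's `distinct Resource` query by keeping only the most recent UpdateDeployment result per VM, so a VM that failed one week and succeeded the next is not unassigned; the output mirrors the parameters Remove-AzConfigurationAssignment takes.

```python
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed sample rows (not real exported logs) shaped like the
# AzureDiagnostics columns the runbook query uses.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"TimeGenerated": "2025-01-06T02:00:00Z", "Resource": "web01", "ResourceGroup": "rg-prod",
     "OperationName": "UpdateDeployment", "ResultType": "Failed"},
    {"TimeGenerated": "2025-01-13T02:00:00Z", "Resource": "web01", "ResourceGroup": "rg-prod",
     "OperationName": "UpdateDeployment", "ResultType": "Succeeded"},
    {"TimeGenerated": "2025-01-13T02:00:00Z", "Resource": "db01", "ResourceGroup": "rg-prod",
     "OperationName": "UpdateDeployment", "ResultType": "Failed"},
    {"TimeGenerated": "2025-01-13T02:05:00Z", "Resource": "db01", "ResourceGroup": "rg-prod",
     "OperationName": "UpdateAssessment", "ResultType": "Succeeded"},  # assessment, not a deployment
    {"TimeGenerated": "2025-01-13T02:00:00Z", "Resource": "app02", "ResourceGroup": "rg-test",
     "OperationName": "UpdateDeployment", "ResultType": "Succeeded"},
]

def _parse_ts(value: str) -> datetime:
    # Log Analytics emits ISO-8601 UTC timestamps with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def latest_deployment_result(records: Iterable[Dict[str, str]]) -> Dict[Tuple[str, str], str]:
    """Most recent UpdateDeployment ResultType per (ResourceGroup, Resource)."""
    latest: Dict[Tuple[str, str], Tuple[datetime, str]] = {}
    for row in records:
        if row["OperationName"] != "UpdateDeployment":
            continue  # ignore assessments and other operations
        key = (row["ResourceGroup"], row["Resource"])
        ts = _parse_ts(row["TimeGenerated"])
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, row["ResultType"])
    return {key: result for key, (_, result) in latest.items()}

def vms_to_disable(records: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """VMs whose latest deployment failed: only these leave the schedule."""
    return sorted(key for key, result in latest_deployment_result(records).items() if result == "Failed")

def unassignment_plan(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """One action per VM, keyed like the Remove-AzConfigurationAssignment parameters."""
    return [{"ResourceGroupName": rg, "ProviderName": "Microsoft.Compute",
             "ResourceType": "virtualMachines", "ResourceName": vm}
            for rg, vm in vms_to_disable(records)]

if __name__ == "__main__":
    for action in unassignment_plan(SAMPLE_LOGS):
        print(action)  # only db01 is listed; web01 recovered on its later run
```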

