Azure-VirtualMachines-Automatic-OS-Upgrades-Enabled

Severity : High

Description: This control ensures that automatic OS image patching is enabled for Virtual Machine. Enabling automatic OS updates, the latest OS image published by image publishers is automatically applied to the scale set without user intervention. Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for all instances in the scale set. The OS security patches get updated automatically, which reduces vulnerability of the VM. The OS Disk of a VM is replaced with the new OS Disk created with latest image version. Configured extensions and custom data scripts are run on the new VM.

Remediation Steps:

Perform following to enable automatic OS upgrade for VMs :

1. Login to Azure Portal using https://portal.azure.com.

2. Navigate to Virtual Machine Scale set.

3. Select Virtual Machine Scale set to be remediated.

4. Under Settings, click the Guest + host updates .

5. This functionality is supported by specific OS images.

6. Select Enable automatic OS upgrades. The windows automatic upgrade parameter should be disabled.

7. Select Save.

Important:

• Though it works for all VM sizes, and for both Windows and Linux images, only certain OS platform images are currently supported. Windows updates should be disabled as it updates OS without replacing the OS disk

Reference:

• Azure virtual machine scale set automatic OS image upgrades