Enable Automatic OS Upgrades

More Info:

Ensure that operating system (OS) upgrades are automatically applied to your Microsoft Azure virtual machine scale sets when a newer version of the OS image is released by the image publishers. Automatic OS Upgrades feature supports both Windows and Linux images, and can be enabled for all virtual machine sizes. An automatic OS upgrade works by replacing the boot (OS) disk of a virtual machine instance running within a scale set with a new disk created using the latest image version available. Any configured extensions and custom data scripts are run on the OS disk, while persisted data disks are retained.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, NISTCSF

Triage and Remediation

Remediation

To enable Automatic OS Upgrades in Azure, follow these steps:

Log in to the Azure portal.
Select the Virtual Machine that you want to configure.
In the Virtual Machine pane, select the “Update Management” option.
In the “Update Management” pane, select the “Schedule update deployments” option.
In the “Schedule update deployments” pane, select the “Automatic” option for “OS upgrades”.
Choose the maintenance window time that suits your needs.
Click on the “Save” button to save the changes.

That’s it! Now your Virtual Machine will automatically receive OS upgrades during the maintenance window you have selected, ensuring that your system is always up-to-date and secure.

To remediate the misconfiguration “Enable Automatic OS Upgrades” for Azure using Python, you can follow these steps:

Import the required Azure Python SDK modules:

from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.subscription import SubscriptionClient

Authenticate and create a client object for the Azure subscription:

credentials = ServicePrincipalCredentials(client_id=<client_id>, secret=<secret>, tenant=<tenant_id>)
subscription_client = SubscriptionClient(credentials)
subscription = next(subscription_client.subscriptions.list())

Replace <client_id>, <secret>, and <tenant_id> with the appropriate values for your Azure account.

Create a client object for the Azure Resource Manager:

resource_client = ResourceManagementClient(credentials, subscription.subscription_id)

Get the list of virtual machines in the Azure subscription:

compute_client = ComputeManagementClient(credentials, subscription.subscription_id)
vms = compute_client.virtual_machines.list_all()

For each virtual machine, enable automatic OS upgrades:

for vm in vms:
    update_resource = compute_client.virtual_machines.begin_update(resource_group_name=vm.id.split('/')[4], vm_name=vm.name, parameters={'automatic_os_upgrade_policy': {'enable_automatic_os_upgrade': True}})

This will enable automatic OS upgrades for all virtual machines in the subscription.

Note: Make sure you have the necessary permissions to perform these actions in your Azure subscription before running the script.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Enable Automatic OS Upgrades

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation