More Info:

Ensure that operating system (OS) upgrades are automatically applied to your Microsoft Azure virtual machine scale sets when a newer version of the OS image is released by the image publishers. Automatic OS Upgrades feature supports both Windows and Linux images, and can be enabled for all virtual machine sizes. An automatic OS upgrade works by replacing the boot (OS) disk of a virtual machine instance running within a scale set with a new disk created using the latest image version available. Any configured extensions and custom data scripts are run on the OS disk, while persisted data disks are retained.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, NISTCSF

Triage and Remediation

Remediation

Using Console

To enable Automatic OS Upgrades in Azure, follow these steps:
  1. Log in to the Azure portal.
  2. Select the Virtual Machine that you want to configure.
  3. In the Virtual Machine pane, select the “Update Management” option.
  4. In the “Update Management” pane, select the “Schedule update deployments” option.
  5. In the “Schedule update deployments” pane, select the “Automatic” option for “OS upgrades”.
  6. Choose the maintenance window time that suits your needs.
  7. Click on the “Save” button to save the changes.
That’s it! Now your Virtual Machine will automatically receive OS upgrades during the maintenance window you have selected, ensuring that your system is always up-to-date and secure.

To remediate the misconfiguration of not having automatic OS upgrades enabled for Azure using Azure CLI, you can follow these steps:
  1. Open the Azure CLI and log in to your Azure account using the command: az login
  2. Once you are logged in, set the subscription where the virtual machine is located using the command: az account set --subscription <subscription_id>
  3. Identify the virtual machine that needs to have automatic OS upgrades enabled using the command: az vm list
  4. Once you have identified the virtual machine, run the following command to enable automatic OS upgrades: az vm auto-upgrade --resource-group <resource_group_name> --name <vm_name> --set upgradePolicy.mode="Automatic"
  5. This command will enable automatic OS upgrades for the specified virtual machine.
It is important to note that automatic OS upgrades may cause some issues with certain applications or services running on the virtual machine. Therefore, it is recommended to test the automatic OS upgrade feature in a non-production environment before enabling it in a production environment.
To remediate the misconfiguration “Enable Automatic OS Upgrades” for Azure using Python, you can follow these steps:
  1. Import the required Azure Python SDK modules: 
    from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.subscription import SubscriptionClient
  2. Authenticate and create a client object for the Azure subscription: 
    credentials = ServicePrincipalCredentials(client_id=<client_id>, secret=<secret>, tenant=<tenant_id>)
subscription_client = SubscriptionClient(credentials)
subscription = next(subscription_client.subscriptions.list())
    Replace <client_id>, <secret>, and <tenant_id> with the appropriate values for your Azure account.
  3. Create a client object for the Azure Resource Manager: 
    resource_client = ResourceManagementClient(credentials, subscription.subscription_id)
  4. Get the list of virtual machines in the Azure subscription: 
    compute_client = ComputeManagementClient(credentials, subscription.subscription_id)
vms = compute_client.virtual_machines.list_all()
  5. For each virtual machine, enable automatic OS upgrades: 
    for vm in vms:
    update_resource = compute_client.virtual_machines.begin_update(resource_group_name=vm.id.split('/')[4], vm_name=vm.name, parameters={'automatic_os_upgrade_policy': {'enable_automatic_os_upgrade': True}})
    This will enable automatic OS upgrades for all virtual machines in the subscription.
Note: Make sure you have the necessary permissions to perform these actions in your Azure subscription before running the script.