Control updates with Maintenance Configurations and Azure PowerShell
Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets
Creating a Maintenance Configurations lets you decide when to apply platform updates to various Azure resources. This topic covers the Azure PowerShell options for Dedicated Hosts and Isolated VMs. For more about benefits of using Maintenance Configurations, its limitations, and other management options, see Managing platform updates with Maintenance Configurations.
If you are looking for information about Maintenance Configurations for scale sets, see Maintenance Control for virtual machine scale sets.
Important
There are different scopes which support certain machine types and schedules, so please ensure you are selecting the right scope for your virtual machine.
Enable the PowerShell module
Make sure PowerShellGet is up to date.
Install-Module -Name PowerShellGet -Repository PSGallery -Force
Install the Az.Maintenance PowerShell module.
Install-Module -Name Az.Maintenance
If you are installing locally, make sure you open your PowerShell prompt as an administrator.
You may also be asked to confirm that you want to install from an untrusted repository. Type Y or select Yes to All to install the module.
Create a maintenance configuration
Create a resource group as a container for your configuration. In this example, a resource group named myMaintenanceRG is created in eastus. If you already have a resource group that you want to use, you can skip this part and replace the resource group name with your own in the rest of the examples.
New-AzResourceGroup `
-Location eastus `
-Name myMaintenanceRG
Use New-AzMaintenanceConfiguration to create a maintenance configuration. This example creates a maintenance configuration named myConfig scoped to the host.
$config = New-AzMaintenanceConfiguration `
-ResourceGroup myMaintenanceRG `
-Name myConfig `
-MaintenanceScope host `
-Location eastus
Using -MaintenanceScope host ensures that the maintenance configuration is used for controlling updates to the host.
If you try to create a configuration with the same name, but in a different location, you will get an error. Configuration names must be unique to your resource group.
You can query for available maintenance configurations using Get-AzMaintenanceConfiguration.
Get-AzMaintenanceConfiguration | Format-Table -Property Name,Id
Create a maintenance configuration with scheduled window
You can also declare a scheduled window when Azure will apply the updates on your resources. This example creates a maintenance configuration named myConfig with a scheduled window of 5 hours on the fourth Monday of every month. Once you create a scheduled window you no longer have to apply the updates manually.
$config = New-AzMaintenanceConfiguration `
-ResourceGroup $RGName `
-Name $MaintenanceConfig `
-MaintenanceScope Host `
-Location $location `
-StartDateTime "2020-10-01 00:00" `
-TimeZone "Pacific Standard Time" `
-Duration "05:00" `
-RecurEvery "Month Fourth Monday"
Important
Maintenance duration must be 2 hours or longer.
Maintenance recurrence can be expressed as daily, weekly or monthly. Some examples are:
- daily- RecurEvery "Day" or "3Days"
- weekly- RecurEvery "3Weeks" or "Week Saturday,Sunday"
- monthly- RecurEvery "Month day23,day24" or "Month Last Sunday" or "Month Fourth Monday"
Assign the configuration
Use New-AzConfigurationAssignment to assign the configuration to your isolated VM or Azure Dedicated Host.
Isolated VM
Apply the configuration to a VM using the ID of the configuration. Specify -ResourceType VirtualMachines and supply the name of the VM for -ResourceName, and the resource group of the VM for -ResourceGroupName.
New-AzConfigurationAssignment `
-ResourceGroupName myResourceGroup `
-Location eastus `
-ResourceName myVM `
-ResourceType VirtualMachines `
-ProviderName Microsoft.Compute `
-ConfigurationAssignmentName $config.Name `
-MaintenanceConfigurationId $config.Id
Dedicated host
To apply a configuration to a dedicated host, you also need to include -ResourceType hosts, -ResourceParentName with the name of the host group, and -ResourceParentType hostGroups.
New-AzConfigurationAssignment `
-ResourceGroupName myResourceGroup `
-Location eastus `
-ResourceName myHost `
-ResourceType hosts `
-ResourceParentName myHostGroup `
-ResourceParentType hostGroups `
-ProviderName Microsoft.Compute `
-ConfigurationAssignmentName $config.Name `
-MaintenanceConfigurationId $config.Id
Check for pending updates
Use Get-AzMaintenanceUpdate to see if there are pending updates. Use -subscription to specify the Azure subscription of the VM if it is different from the one that you are logged into.
If there are no updates to show, this command will return nothing. Otherwise, it will return a PSApplyUpdate object:
{
"maintenanceScope": "Host",
"impactType": "Freeze",
"status": "Pending",
"impactDurationInSec": 9,
"notBefore": "2020-02-21T16:47:44.8728029Z",
"properties": {
"resourceId": "/subscriptions/39c6cced-4d6c-4dd5-af86-57499cd3f846/resourcegroups/Ignite2019/providers/Microsoft.Compute/virtualMachines/MCDemo3"
}
Isolated VM
Check for pending updates for an isolated VM. In this example, the output is formatted as a table for readability.
Get-AzMaintenanceUpdate `
-ResourceGroupName myResourceGroup `
-ResourceName myVM `
-ResourceType VirtualMachines `
-ProviderName Microsoft.Compute | Format-Table
Dedicated host
To check for pending updates for a dedicated host. In this example, the output is formatted as a table for readability. Replace the values for the resources with your own.
Get-AzMaintenanceUpdate `
-ResourceGroupName myResourceGroup `
-ResourceName myHost `
-ResourceType hosts `
-ResourceParentName myHostGroup `
-ResourceParentType hostGroups `
-ProviderName Microsoft.Compute | Format-Table
Apply updates
Use New-AzApplyUpdate to apply pending updates. Apply update calls can take upto 2 hours to complete.
Isolated VM
Create a request to apply updates to an isolated VM.
New-AzApplyUpdate `
-ResourceGroupName myResourceGroup `
-ResourceName myVM `
-ResourceType VirtualMachines `
-ProviderName Microsoft.Compute
On success, this command will return a PSApplyUpdate object. You can use the Name attribute in the Get-AzApplyUpdate command to check the update status. See Check update status.
Dedicated host
Apply updates to a dedicated host.
New-AzApplyUpdate `
-ResourceGroupName myResourceGroup `
-ResourceName myHost `
-ResourceType hosts `
-ResourceParentName myHostGroup `
-ResourceParentType hostGroups `
-ProviderName Microsoft.Compute
Check update status
Use Get-AzApplyUpdate to check on the status of an update. The commands shown below show the status of the latest update by using default for the -ApplyUpdateName parameter. You can substitute the name of the update (returned by the New-AzApplyUpdate command) to get the status of a specific update.
Status : Completed
ResourceId : /subscriptions/12ae7457-4a34-465c-94c1-17c058c2bd25/resourcegroups/TestShantS/providers/Microsoft.Comp
ute/virtualMachines/DXT-test-04-iso
LastUpdateTime : 1/1/2020 12:00:00 AM
Id : /subscriptions/12ae7457-4a34-465c-94c1-17c058c2bd25/resourcegroups/TestShantS/providers/Microsoft.Comp
ute/virtualMachines/DXT-test-04-iso/providers/Microsoft.Maintenance/applyUpdates/default
Name : default
Type : Microsoft.Maintenance/applyUpdates
LastUpdateTime will be the time when the update got complete, either initiated by you or by the platform in case self-maintenance window was not used. If there has never been an update applied through maintenance configurations it will show default value.
Isolated VM
Check for updates to a specific virtual machine.
Get-AzApplyUpdate `
-ResourceGroupName myResourceGroup `
-ResourceName myVM `
-ResourceType VirtualMachines `
-ProviderName Microsoft.Compute `
-ApplyUpdateName default
Dedicated host
Check for updates to a dedicated host.
Get-AzApplyUpdate `
-ResourceGroupName myResourceGroup `
-ResourceName myHost `
-ResourceType hosts `
-ResourceParentName myHostGroup `
-ResourceParentType hostGroups `
-ProviderName Microsoft.Compute `
-ApplyUpdateName myUpdateName
Remove a maintenance configuration
Use Remove-AzMaintenanceConfiguration to delete a maintenance configuration.
Remove-AzMaintenanceConfiguration `
-ResourceGroupName myResourceGroup `
-Name $config.Name
Next steps
To learn more, see Maintenance and updates.
Feedback
Submit and view feedback for