Preview: Control updates with Maintenance Control and Azure PowerShell

Use maintenance control to manage platform updates that don't require a reboot. Azure frequently updates its infrastructure to improve reliability, performance, and security, or to launch new features. Most updates are transparent to users. Some sensitive workloads, like gaming, media streaming, and financial transactions, can’t tolerate even a few seconds of a VM freezing or disconnecting for maintenance. Maintenance control gives you the option to wait on platform updates and apply them within a 35-day rolling window.

Maintenance control lets you decide when to apply updates to your isolated VMs.

With maintenance control, you can:

  • Batch updates into one update package.
  • Wait up to 35 days to apply updates.
  • Automate platform updates for your maintenance window using Azure Functions.
  • Use maintenance configurations across subscriptions and resource groups.

Important

Maintenance Control is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Limitations

  • VMs must be on a dedicated host, or be created using an isolated VM size.
  • After 35 days, an update will automatically be applied.
  • User must have Resource Contributor access.

Enable the PowerShell module

Make sure PowerShellGet is up to date.

Install-Module -Name PowerShellGet -Repository PSGallery -Force

The Az.Maintenance PowerShell cmdlets are in preview, so you need to install the module with the AllowPrerelease parameter in Cloud Shell or your local PowerShell installation.

Install-Module -Name Az.Maintenance -AllowPrerelease

If you are installing locally, make sure you open your PowerShell prompt as an administrator.

You may also be asked to confirm that you want to install from an untrusted repository. Type Y or select Yes to All to install the module.

Create a maintenance configuration

Create a resource group as a container for your configuration. In this example, a resource group named myMaintenanceRG is created in eastus. If you already have a resource group that you want to use, you can skip this part and replace the resource group name with your own in the rest of the examples.

New-AzResourceGroup `
   -Location eastus `
   -Name myMaintenanceRG

Use New-AzMaintenanceConfiguration to create a maintenance configuration. This example creates a maintenance configuration named myConfig scoped to the host.

$config = New-AzMaintenanceConfiguration `
   -ResourceGroupName myMaintenanceRG `
   -Name myConfig `
   -MaintenanceScope host `
   -Location eastus

Using -MaintenanceScope host ensures that the maintenance configuration is used for controlling updates to the host.

If you try to create a configuration with the same name, but in a different location, you will get an error. Configuration names must be unique to your subscription.

You can query for available maintenance configurations using Get-AzMaintenanceConfiguration.

Get-AzMaintenanceConfiguration | Format-Table -Property Name,Id

Assign the configuration

Use New-AzConfigurationAssignment to assign the configuration to your isolated VM or Azure Dedicated Host.

Isolated VM

Apply the configuration to a VM using the ID of the configuration. Specify -ResourceType VirtualMachines and supply the name of the VM for -ResourceName, and the resource group of the VM for -ResourceGroupName.

New-AzConfigurationAssignment `
   -ResourceGroupName myResourceGroup `
   -Location eastus `
   -ResourceName myVM `
   -ResourceType VirtualMachines `
   -ProviderName Microsoft.Compute `
   -ConfigurationAssignmentName $config.Name `
   -MaintenanceConfigurationId $config.Id

Dedicated host

To apply a configuration to a dedicated host, you also need to include -ResourceType hosts, -ResourceParentName with the name of the host group, and -ResourceParentType hostGroups.

New-AzConfigurationAssignment `
   -ResourceGroupName myResourceGroup `
   -Location eastus `
   -ResourceName myHost `
   -ResourceType hosts `
   -ResourceParentName myHostGroup `
   -ResourceParentType hostGroups `
   -ProviderName Microsoft.Compute `
   -ConfigurationAssignmentName $config.Name `
   -MaintenanceConfigurationId $config.Id

Check for pending updates

Use Get-AzMaintenanceUpdate to see if there are pending updates. Use -subscription to specify the Azure subscription of the VM if it is different from the one that you are logged into.

If there are no updates to show, this command will return nothing. Otherwise, it will return a PSApplyUpdate object:

{
   "maintenanceScope": "Host",
   "impactType": "Freeze",
   "status": "Pending",
   "impactDurationInSec": 9,
   "notBefore": "2020-02-21T16:47:44.8728029Z",
   "properties": {
      "resourceId": "/subscriptions/39c6cced-4d6c-4dd5-af86-57499cd3f846/resourcegroups/Ignite2019/providers/Microsoft.Compute/virtualMachines/MCDemo3"
   }
}

Isolated VM

Check for pending updates for an isolated VM. In this example, the output is formatted as a table for readability.

Get-AzMaintenanceUpdate `
  -ResourceGroupName myResourceGroup `
  -ResourceName myVM `
  -ResourceType VirtualMachines `
  -ProviderName Microsoft.Compute | Format-Table

Dedicated host

Check for pending updates for a dedicated host. In this example, the output is formatted as a table for readability. Replace the values for the resources with your own.

Get-AzMaintenanceUpdate `
   -ResourceGroupName myResourceGroup `
   -ResourceName myHost `
   -ResourceType hosts `
   -ResourceParentName myHostGroup `
   -ResourceParentType hostGroups `
   -ProviderName Microsoft.Compute | Format-Table

Apply updates

Use New-AzApplyUpdate to apply pending updates.

Isolated VM

Create a request to apply updates to an isolated VM.

New-AzApplyUpdate `
   -ResourceGroupName myResourceGroup `
   -ResourceName myVM `
   -ResourceType VirtualMachines `
   -ProviderName Microsoft.Compute

On success, this command will return a PSApplyUpdate object. You can use the Name attribute in the Get-AzApplyUpdate command to check the update status. See Check update status.

Dedicated host

Apply updates to a dedicated host.

New-AzApplyUpdate `
   -ResourceGroupName myResourceGroup `
   -ResourceName myHost `
   -ResourceType hosts `
   -ResourceParentName myHostGroup `
   -ResourceParentType hostGroups `
   -ProviderName Microsoft.Compute

Check update status

Use Get-AzApplyUpdate to check on the status of an update. The commands below use default for the -ApplyUpdateName parameter to show the status of the latest update. You can substitute the name of the update (returned by the New-AzApplyUpdate command) to get the status of a specific update. The command returns output similar to the following:

Status         : Completed
ResourceId     : /subscriptions/12ae7457-4a34-465c-94c1-17c058c2bd25/resourcegroups/TestShantS/providers/Microsoft.Comp
ute/virtualMachines/DXT-test-04-iso
LastUpdateTime : 1/1/2020 12:00:00 AM
Id             : /subscriptions/12ae7457-4a34-465c-94c1-17c058c2bd25/resourcegroups/TestShantS/providers/Microsoft.Comp
ute/virtualMachines/DXT-test-04-iso/providers/Microsoft.Maintenance/applyUpdates/default
Name           : default
Type           : Microsoft.Maintenance/applyUpdates

LastUpdateTime is the time when the update completed, whether it was initiated by you or by the platform because the self-maintenance window was not used. If no update has ever been applied through maintenance control, it shows the default value.

Isolated VM

Check for updates to a specific virtual machine.

Get-AzApplyUpdate `
   -ResourceGroupName myResourceGroup `
   -ResourceName myVM `
   -ResourceType VirtualMachines `
   -ProviderName Microsoft.Compute `
   -ApplyUpdateName default

Dedicated host

Check for updates to a dedicated host.

Get-AzApplyUpdate `
   -ResourceGroupName myResourceGroup `
   -ResourceName myHost `
   -ResourceType hosts `
   -ResourceParentName myHostGroup `
   -ResourceParentType hostGroups `
   -ProviderName Microsoft.Compute `
   -ApplyUpdateName myUpdateName
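
The check, apply, and status steps above can be chained into one script for an isolated VM. This is an added example, not part of the original article or the Az.Maintenance module; it uses only the cmdlets and placeholder resource names shown on this page. The 30-minute timeout and 30-second polling interval are assumptions, and any status other than Completed is treated as not yet finished because the page does not list the other values.

```powershell
# Added example: check, apply, and confirm platform updates for one isolated VM.
# Resource names are the placeholders used on this page; replace with your own.
$ErrorActionPreference = 'Stop'   # stop on the first failed cmdlet call

$target = @{
    ResourceGroupName = 'myResourceGroup'
    ResourceName      = 'myVM'
    ResourceType      = 'VirtualMachines'
    ProviderName      = 'Microsoft.Compute'
}

# Step 1: list pending updates. The cmdlet returns nothing when there are none.
$pending = @(Get-AzMaintenanceUpdate @target |
    Where-Object { $_.Status -eq 'Pending' })

if ($pending.Count -eq 0) {
    Write-Output 'No pending platform updates for this resource.'
    return
}

# Record what is about to be applied, for the change log.
$pending |
    Select-Object MaintenanceScope, ImpactType, ImpactDurationInSec, NotBefore |
    Format-Table | Out-String | Write-Output

# Step 2: request the update. The returned object carries the Name used to track it.
$request = New-AzApplyUpdate @target

# Step 3: poll until the update reports Completed or the timeout expires.
$deadline = (Get-Date).AddMinutes(30)   # assumed timeout; size it to your window
do {
    Start-Sleep -Seconds 30             # assumed polling interval
    $state = Get-AzApplyUpdate @target -ApplyUpdateName $request.Name
    Write-Output ('{0:u}  {1}  status={2}' -f (Get-Date), $state.Name, $state.Status)
} while ($state.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

if ($state.Status -ne 'Completed') {
    throw "Update '$($request.Name)' not completed before timeout; last status: $($state.Status)"
}

Write-Output "Update completed at $($state.LastUpdateTime)."
```

For a dedicated host, add the ResourceParentName and ResourceParentType entries to $target and set ResourceType to hosts, as in the commands above.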

Remove a maintenance configuration

Use Remove-AzMaintenanceConfiguration to delete a maintenance configuration.

Remove-AzMaintenanceConfiguration `
   -ResourceGroupName myMaintenanceRG `
   -Name $config.Name

Next steps

To learn more, see Maintenance and updates.