Tutorial: Monitor and update a Windows virtual machine in Azure

Azure monitoring uses agents to collect boot and performance data from Azure VMs, store this data in Azure storage, and make it accessible through portal, the Azure PowerShell module, and the Azure CLI. Update management allows you to manage updates and patches for your Azure Windows VMs.

In this tutorial, you learn how to:

  • Enable boot diagnostics on a VM
  • View boot diagnostics
  • View VM host metrics
  • Install the diagnostics extension
  • View VM metrics
  • Create an alert
  • Manage Windows updates
  • Monitor changes and inventory
  • Set up advanced monitoring

Launch Azure Cloud Shell

The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to https://shell.azure.com/powershell. Select Copy to copy the blocks of code, paste it into the Cloud Shell, and press enter to run it.

Create virtual machine

To configure Azure monitoring and update management in this tutorial, you need a Windows VM in Azure. First, set an administrator username and password for the VM with Get-Credential:

$cred = Get-Credential

Now create the VM with New-AzVM. The following example creates a VM named myVM in the EastUS location. If they do not already exist, the resource group myResourceGroupMonitorMonitor and supporting network resources are created:

New-AzVm `
    -ResourceGroupName "myResourceGroupMonitor" `
    -Name "myVM" `
    -Location "East US" `
    -Credential $cred

It takes a few minutes for the resources and VM to be created.

View boot diagnostics

As Windows virtual machines boot up, the boot diagnostic agent captures screen output that can be used for troubleshooting purpose. This capability is enabled by default. The captured screenshots are stored in an Azure storage account, which is also created by default.

You can get the boot diagnostic data with the Get-​Azure​Rm​VM​Boot​Diagnostics​Data command. In the following example, boot diagnostics are downloaded to the root of the *c:* drive.

Get-AzVMBootDiagnosticsData -ResourceGroupName "myResourceGroupMonitor" -Name "myVM" -Windows -LocalPath "c:\"

View host metrics

A Windows VM has a dedicated Host VM in Azure that it interacts with. Metrics are automatically collected for the Host and can be viewed in the Azure portal.

  1. In the Azure portal, click Resource Groups, select myResourceGroupMonitor, and then select myVM in the resource list.

  2. Click Metrics on the VM blade, and then select any of the Host metrics under Available metrics to see how the Host VM is performing.

    View host metrics

Install diagnostics extension

The basic host metrics are available, but to see more granular and VM-specific metrics, you need to install the Azure diagnostics extension on the VM. The Azure diagnostics extension allows additional monitoring and diagnostics data to be retrieved from the VM. You can view these performance metrics and create alerts based on how the VM performs. The diagnostic extension is installed through the Azure portal as follows:

  1. In the Azure portal, click Resource Groups, select myResourceGroupMonitor, and then select myVM in the resource list.

  2. Click Diagnosis settings. The list shows that Boot diagnostics are already enabled from the previous section. Click the check box for Basic metrics.

  3. Click the Enable guest-level monitoring button.

    View diagnostic metrics

View VM metrics

You can view the VM metrics in the same way that you viewed the host VM metrics:

  1. In the Azure portal, click Resource Groups, select myResourceGroupMonitor, and then select myVM in the resource list.

  2. To see how the VM is performing, click Metrics on the VM blade, and then select any of the diagnostics metrics under Available metrics.

    View VM metrics

Create alerts

You can create alerts based on specific performance metrics. Alerts can be used to notify you when average CPU usage exceeds a certain threshold or available free disk space drops below a certain amount, for example. Alerts are displayed in the Azure portal or can be sent via email. You can also trigger Azure Automation runbooks or Azure Logic Apps in response to alerts being generated.

The following example creates an alert for average CPU usage.

  1. In the Azure portal, click Resource Groups, select myResourceGroupMonitor, and then select myVM in the resource list.
  2. Click Alert rules on the VM blade, then click Add metric alert across the top of the alerts blade.
  3. Provide a Name for your alert, such as myAlertRule
  4. To trigger an alert when CPU percentage exceeds 1.0 for five minutes, leave all the other defaults selected.
  5. Optionally, check the box for Email owners, contributors, and readers to send email notification. The default action is to present a notification in the portal.
  6. Click the OK button.

Manage Windows updates

Update management allows you to manage updates and patches for your Azure Windows VMs. Directly from your VM, you can quickly assess the status of available updates, schedule installation of required updates, and review deployment results to verify updates were applied successfully to the VM.

For pricing information, see Automation pricing for Update management

Enable Update management

Enable Update management for your VM:

  1. On the left-hand side of the screen, select Virtual machines.
  2. From the list, select a VM.
  3. On the VM screen, in the Operations section, click Update management. The Enable Update Management screen opens.

Validation is performed to determine if Update management is enabled for this VM. The validation includes checks for a Log Analytics workspace and linked Automation account, and if the solution is in the workspace.

A Log Analytics workspace is used to collect data that is generated by features and services such as Update management. The workspace provides a single location to review and analyze data from multiple sources. To perform additional actions on VMs that require updates, Azure Automation allows you to run runbooks against VMs, such as download and apply updates.

The validation process also checks to see if the VM is provisioned with the Microsoft Monitoring Agent (MMA) and Automation hybrid runbook worker. This agent is used to communicate with the VM and obtain information about the update status.

Choose the Log Analytics workspace and automation account and click Enable to enable the solution. The solution takes up to 15 minutes to enable.

If any of the following prerequisites were found to be missing during onboarding, they're automatically added:

The Update Management screen opens. Configure the location, Log Analytics workspace and Automation account to use and click Enable. If the fields are grayed out, that means another automation solution is enabled for the VM and the same workspace and Automation account must be used.

Enable Update management solution

Enabling the solution can take up to 15 minutes. During this time, you shouldn't close the browser window. After the solution is enabled, information about missing updates on the VM flows to Azure Monitor logs. It can take between 30 minutes and 6 hours for the data to be available for analysis.

View update assessment

After Update management is enabled, the Update management screen appears. After the evaluation of updates is complete, you see a list of missing updates on the Missing updates tab.

View update status

Schedule an update deployment

To install updates, schedule a deployment that follows your release schedule and service window. You can choose which update types to include in the deployment. For example, you can include critical or security updates and exclude update rollups.

Schedule a new Update Deployment for the VM by clicking Schedule update deployment at the top of the Update management screen. In the New update deployment screen, specify the following information:

To create a new update deployment, select Schedule update deployment. The New update deployment page opens. Enter values for the properties described in the following table and then click Create:

Property Description
Name Unique name to identify the update deployment.
Operating System Linux or Windows
Groups to update For Azure machines, define a query based on a combination of subscription, resource groups, locations, and tags to build a dynamic group of Azure VMs to include in your deployment.
For Non-Azure machines, select an existing saved search to select a group of Non-Azure machines to include in the deployment.

To learn more, see Dynamic Groups
Machines to update Select a Saved search, Imported group, or pick Machine from the drop-down and select individual machines. If you choose Machines, the readiness of the machine is shown in the UPDATE AGENT READINESS column.
To learn about the different methods of creating computer groups in Azure Monitor logs, see Computer groups in Azure Monitor logs
Update classifications Select all the update classifications that you need
Include/exclude updates This opens the Include/Exclude page. Updates to be included or excluded are on separate tabs. For more information on how inclusion is handled, see inclusion behavior
Schedule settings Select the time to start, and select either Once or recurring for the recurrence
Pre-scripts + Post-scripts Select the scripts to run before and after your deployment
Maintenance window Number of minutes set for updates. The value can't be less than 30 minutes and no more than 6 hours
Reboot control Determines how reboots should be handled. Available options are:
Reboot if required (Default)
Always reboot
Never reboot
Only reboot - will not install updates

Update Deployments can also be created programmatically. To learn how to create an Update Deployment with the REST API, see Software Update Configurations - Create. There is also a sample runbook that can be used to create a weekly Update Deployment. To learn more about this runbook, see Create a weekly update deployment for one or more VMs in a resource group.

After you have completed configuring the schedule, click Create button and you return to the status dashboard. Notice that the Scheduled table shows the deployment schedule you created.

View results of an update deployment

After the scheduled deployment starts, you can see the status for that deployment on the Update deployments tab on the Update management screen. If it is currently running, it's status shows as In progress. After it completes, if successful, it changes to Succeeded. If there is a failure with one or more updates in the deployment, the status is Partially failed. Click the completed update deployment to see the dashboard for that update deployment.

Update Deployment status dashboard for specific deployment

In Update results tile is a summary of the total number of updates and deployment results on the VM. In the table to the right is a detailed breakdown of each update and the installation results, which could be one of the following values:

  • Not attempted - the update was not installed because there was insufficient time available based on the maintenance window duration defined.
  • Succeeded - the update succeeded
  • Failed - the update failed

Click All logs to see all log entries that the deployment created.

Click the Output tile to see job stream of the runbook responsible for managing the update deployment on the target VM.

Click Errors to see detailed information about any errors from the deployment.

Monitor changes and inventory

You can collect and view inventory for software, files, Linux daemons, Windows Services, and Windows Registry keys on your computers. Tracking the configurations of your machines can help you pinpoint operational issues across your environment and better understand the state of your machines.

Enable Change and Inventory management

Enable Change and Inventory management for your VM:

  1. On the left-hand side of the screen, select Virtual machines.
  2. From the list, select a VM.
  3. On the VM screen, in the Operations section, click Inventory or Change tracking. The Enable Change Tracking and Inventory screen opens.

Configure the location, Log Analytics workspace and Automation account to use and click Enable. If the fields are grayed out, that means another automation solution is enabled for the VM and the same workspace and Automation account must be used. Even though the solutions are separate on the menu, they are the same solution. Enabling one enables both for your VM.

Enable Change and Inventory tracking

After the solution has been enabled it may take some time while inventory is being collected on the VM before data appears.

Track changes

On your VM select Change Tracking under OPERATIONS. Click Edit Settings, the Change Tracking page is displayed. Select the type of setting you want to track and then click + Add to configure the settings. The available options for Windows are:

  • Windows Registry
  • Windows Files

For detailed information on Change Tracking see, Troubleshoot changes on a VM

View inventory

On your VM select Inventory under OPERATIONS. On the Software tab, there is a table list the software that had been found. The high-level details for each software record are viewable in the table. These details include the software name, version, publisher, last refreshed time.

View inventory

Monitor Activity logs and changes

From the Change tracking page on your VM, select Manage Activity Log Connection. This task opens the Azure Activity log page. Select Connect to connect Change tracking to the Azure activity log for your VM.

With this setting enabled, navigate to the Overview page for your VM and select Stop to stop your VM. When prompted, select Yes to stop the VM. When it is deallocated, select Start to restart your VM.

Stopping and starting a VM logs an event in its activity log. Navigate back to the Change tracking page. Select the Events tab at the bottom of the page. After a while, the events shown in the chart and the table. Each event can be selected to view detailed information on the event.

View changes in the activity log

The chart shows changes that have occurred over time. After you have added an Activity Log connection, the line graph at the top displays Azure Activity Log events. Each row of bar graphs represents a different trackable Change type. These types are Linux daemons, files, Windows Registry keys, software, and Windows services. The change tab shows the details for the changes shown in the visualization in descending order of time that the change occurred (most recent first).

Advanced monitoring

You can do more advanced monitoring of your VM by using the solutions like Update Management and Change and Inventory provided by Azure Automation.

When you have access to the Log Analytics workspace, you can find the workspace key and workspace identifier on by selecting Advanced settings under SETTINGS. Use the Set-AzVMExtension command to add the Microsoft Monitoring agent extension to the VM. Update the variable values in the below sample to reflect you Log Analytics workspace key and workspace Id.

$workspaceId = "<Replace with your workspace Id>"
$key = "<Replace with your primary key>"

Set-AzVMExtension -ResourceGroupName "myResourceGroupMonitor" `
  -ExtensionName "Microsoft.EnterpriseCloud.Monitoring" `
  -VMName "myVM" `
  -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
  -ExtensionType "MicrosoftMonitoringAgent" `
  -TypeHandlerVersion 1.0 `
  -Settings @{"workspaceId" = $workspaceId} `
  -ProtectedSettings @{"workspaceKey" = $key} `
  -Location "East US"

After a few minutes, you should see the new VM in the Log Analytics workspace.

Log Analytics workspace blade

Next steps

In this tutorial, you configured and reviewed VMs with Azure Security Center. You learned how to:

  • Create a virtual network
  • Create a resource group and VM
  • Enable boot diagnostics on the VM
  • View boot diagnostics
  • View host metrics
  • Install the diagnostics extension
  • View VM metrics
  • Create an alert
  • Manage Windows updates
  • Monitor changes and inventory
  • Set up advanced monitoring

Advance to the next tutorial to learn about Azure security center.