Tutorial: Monitor and update a Windows virtual machine in Azure

Azure monitoring uses agents to collect boot and performance data from Azure VMs, store this data in Azure storage, and make it accessible through portal, the Azure PowerShell module, and the Azure CLI. Update management allows you to manage updates and patches for your Azure Windows VMs.

In this tutorial, you learn how to:

  • Enable boot diagnostics on a VM
  • View boot diagnostics
  • View VM host metrics
  • Install the diagnostics extension
  • View VM metrics
  • Create an alert
  • Manage Windows updates
  • Monitor changes and inventory
  • Set up advanced monitoring

This tutorial requires the Azure PowerShell module version 5.7.0 or later. Run Get-Module -ListAvailable AzureRM to find the version. If you need to upgrade, see Install Azure PowerShell module.

Create virtual machine

To configure Azure monitoring and update management in this tutorial, you need a Windows VM in Azure. First, set an administrator username and password for the VM with Get-Credential:

$cred = Get-Credential

Now create the VM with New-AzureRmVM. The following example creates a VM named myVM in the EastUS location. If they do not already exist, the resource group myResourceGroupMonitorMonitor and supporting network resources are created:

New-AzureRmVm `
    -ResourceGroupName "myResourceGroupMonitor" `
    -Name "myVM" `
    -Location "East US" `
    -Credential $cred

It takes a few minutes for the resources and VM to be created.

View boot diagnostics

As Windows virtual machines boot up, the boot diagnostic agent captures screen output that can be used for troubleshooting purpose. This capability is enabled by default. The captured screen shots are stored in an Azure storage account, which is also created by default.

You can get the boot diagnostic data with the Get-​Azure​Rm​VM​Boot​Diagnostics​Data command. In the following example, boot diagnostics are downloaded to the root of the *c:* drive.

Get-AzureRmVMBootDiagnosticsData -ResourceGroupName "myResourceGroupMonitor" -Name "myVM" -Windows -LocalPath "c:\"

View host metrics

A Windows VM has a dedicated Host VM in Azure that it interacts with. Metrics are automatically collected for the Host and can be viewed in the Azure portal.

  1. In the Azure portal, click Resource Groups, select myResourceGroupMonitor, and then select myVM in the resource list.
  2. Click Metrics on the VM blade, and then select any of the Host metrics under Available metrics to see how the Host VM is performing.

    View host metrics

Install diagnostics extension

The basic host metrics are available, but to see more granular and VM-specific metrics, you to need to install the Azure diagnostics extension on the VM. The Azure diagnostics extension allows additional monitoring and diagnostics data to be retrieved from the VM. You can view these performance metrics and create alerts based on how the VM performs. The diagnostic extension is installed through the Azure portal as follows:

  1. In the Azure portal, click Resource Groups, select myResourceGroupMonitor, and then select myVM in the resource list.
  2. Click Diagnosis settings. The list shows that Boot diagnostics are already enabled from the previous section. Click the check box for Basic metrics.
  3. Click the Enable guest-level monitoring button.

    View diagnostic metrics

View VM metrics

You can view the VM metrics in the same way that you viewed the host VM metrics:

  1. In the Azure portal, click Resource Groups, select myResourceGroupMonitor, and then select myVM in the resource list.
  2. To see how the VM is performing, click Metrics on the VM blade, and then select any of the diagnostics metrics under Available metrics.

    View VM metrics

Create alerts

You can create alerts based on specific performance metrics. Alerts can be used to notify you when average CPU usage exceeds a certain threshold or available free disk space drops below a certain amount, for example. Alerts are displayed in the Azure portal or can be sent via email. You can also trigger Azure Automation runbooks or Azure Logic Apps in response to alerts being generated.

The following example creates an alert for average CPU usage.

  1. In the Azure portal, click Resource Groups, select myResourceGroupMonitor, and then select myVM in the resource list.
  2. Click Alert rules on the VM blade, then click Add metric alert across the top of the alerts blade.
  3. Provide a Name for your alert, such as myAlertRule
  4. To trigger an alert when CPU percentage exceeds 1.0 for five minutes, leave all the other defaults selected.
  5. Optionally, check the box for Email owners, contributors, and readers to send email notification. The default action is to present a notification in the portal.
  6. Click the OK button.

Manage Windows updates

Update management allows you to manage updates and patches for your Azure Windows VMs. Directly from your VM, you can quickly assess the status of available updates, schedule installation of required updates, and review deployment results to verify updates were applied successfully to the VM.

For pricing information, see Automation pricing for Update management

Enable Update management

Enable Update management for your VM:

  1. On the left-hand side of the screen, select Virtual machines.
  2. From the list, select a VM.
  3. On the VM screen, in the Operations section, click Update management. The Enable Update Management screen opens.

Validation is performed to determine if Update management is enabled for this VM. The validation includes checks for a Log Analytics workspace and linked Automation account, and if the solution is in the workspace.

A Log Analytics workspace is used to collect data that is generated by features and services such as Update management. The workspace provides a single location to review and analyze data from multiple sources. To perform additional actions on VMs that require updates, Azure Automation allows you to run runbooks against VMs, such as download and apply updates.

The validation process also checks to see if the VM is provisioned with the Microsoft Monitoring Agent (MMA) and Automation hybrid runbook worker. This agent is used to communicate with the VM and obtain information about the update status.

Choose the Log analytics workspace and automation account and click Enable to enable the solution. The solution takes up to 15 minutes to enable.

If any of the following prerequisites were found to be missing during onboarding, they're automatically added:

The Update Management screen opens. Configure the location, Log analytics workspace and Automation account to use and click Enable. If the fields are grayed out, that means another automation solution is enabled for the VM and the same workspace and Automation account must be used.

Enable Update management solution

Enabling the solution can take up to 15 minutes. During this time, you shouldn't close the browser window. After the solution is enabled, information about missing updates on the VM flows to Log Analytics. It can take between 30 minutes and 6 hours for the data to be available for analysis.

View update assessment

After Update management is enabled, the Update management screen appears. After the evaluation of updates is complete, you see a list of missing updates on the Missing updates tab.

View update status

Schedule an update deployment

To install updates, schedule a deployment that follows your release schedule and service window. You can choose which update types to include in the deployment. For example, you can include critical or security updates and exclude update rollups.

Schedule a new Update Deployment for the VM by clicking Schedule update deployment at the top of the Update management screen. In the New update deployment screen, specify the following information:

  • Name - Provide a unique name to identify the update deployment.
  • Update classification - Select the types of software the update deployment included in the deployment. The classification types are:

    • Critical updates
    • Security updates
    • Update rollups
    • Feature packs
    • Service packs
    • Definition updates
    • Tools
    • Updates
  • Schedule settings - You can either accept the default date and time, which is 30 minutes after current time, or specify a different time. You can also specify whether the deployment occurs once or set up a recurring schedule. Click the Recurring option under Recurrence to set up a recurring schedule.

    Update Schedule Settings screen

  • Maintenance window (minutes) - Specify the period of time you want the update deployment to occur within. This helps ensure changes are performed within your defined service windows.

After you have completed configuring the schedule, click Create button and you return to the status dashboard. Notice that the Scheduled table shows the deployment schedule you created.

Warning

For updates that require a reboot, the VM is restarted automatically.

View results of an update deployment

After the scheduled deployment starts, you can see the status for that deployment on the Update deployments tab on the Update management screen. If it is currently running, it's status shows as In progress. After it completes, if successful, it changes to Succeeded. If there is a failure with one or more updates in the deployment, the status is Partially failed. Click the completed update deployment to see the dashboard for that update deployment.

Update Deployment status dashboard for specific deployment

In Update results tile is a summary of the total number of updates and deployment results on the VM. In the table to the right is a detailed breakdown of each update and the installation results, which could be one of the following values:

  • Not attempted - the update was not installed because there was insufficient time available based on the maintenance window duration defined.
  • Succeeded - the update succeeded
  • Failed - the update failed

Click All logs to see all log entries that the deployment created.

Click the Output tile to see job stream of the runbook responsible for managing the update deployment on the target VM.

Click Errors to see detailed information about any errors from the deployment.

Monitor changes and inventory

You can collect and view inventory for software, files, Linux daemons, Windows Services, and Windows Registry keys on your computers. Tracking the configurations of your machines can help you pinpoint operational issues across your environment and better understand the state of your machines.

Enable Change and Inventory management

Enable Change and Inventory management for your VM:

  1. On the left-hand side of the screen, select Virtual machines.
  2. From the list, select a VM.
  3. On the VM screen, in the Operations section, click Inventory or Change tracking. The Enable Change Tracking and Inventory screen opens.

Configure the location, Log analytics workspace and Automation account to use and click Enable. If the fields are grayed out, that means another automation solution is enabled for the VM and the same workspace and Automation account must be used. Eventhough the solutions are separate on the menu, they are the same solution. Enabling one enables both for your VM.

Enable Change and Inventory tracking

After the solution has been enabled it may take some time while inventory is being collected on the VM before data appears.

Track changes

On your VM select Change Tracking under OPERATIONS. Click Edit Settings, the Change Tracking page is displayed. Select the type of setting you want to track and then click + Add to configure the settings. The available options for Windows are:

  • Windows Registry
  • Windows Files

For detailed information on Change Tracking see, Troubleshoot changes on a VM

View inventory

On your VM select Inventory under OPERATIONS. On the Software tab, there is a table list the software that had been found. The high-level details for each software record are viewable in the table. These details include the software name, version, publisher, last refreshed time.

View inventory

Monitor Activity logs and changes

From the Change tracking page on your VM, select Manage Activity Log Connection. This task opens the Azure Activity log page. Select Connect to connect Change tracking to the Azure activity log for your VM.

With this setting enabled, navigate to the Overview page for your VM and select Stop to stop your VM. When prompted, select Yes to stop the VM. When it is deallocated, select Start to restart your VM.

Stopping and starting a VM logs an event in its activity log. Navigate back to the Change tracking page. Select the Events tab at the bottom of the page. After a while, the events shown in the chart and the table. Each event can be selected to view detailed information on the event.

View changes in the activity log

The chart shows changes that have occurred over time. After you have added an Activity Log connection, the line graph at the top displays Azure Activity Log events. Each row of bar graphs represents a different trackable Change type. These types are Linux daemons, files, Windows Registry keys, software, and Windows services. The change tab shows the details for the changes shown in the visualization in descending order of time that the change occurred (most recent first).

Advanced monitoring

You can do more advanced monitoring of your VM by using the solutions like Update Management and Change and Inventory provided by Azure Automation.

When you have access to the Log Analytics workspace, you can find the workspace key and workspace identifier on by selecting Advanced settings under SETTINGS. Use the Set-AzureRmVMExtension command to add the Microsoft Monitoring agent extension to the VM. Update the variable values in the below sample to reflect you Log Analytics workspace key and workspace Id.

$workspaceId = "<Replace with your workspace Id>"
$key = "<Replace with your primary key>"

Set-AzureRmVMExtension -ResourceGroupName "myResourceGroupMonitor" `
  -ExtensionName "Microsoft.EnterpriseCloud.Monitoring" `
  -VMName "myVM" `
  -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
  -ExtensionType "MicrosoftMonitoringAgent" `
  -TypeHandlerVersion 1.0 `
  -Settings @{"workspaceId" = $workspaceId} `
  -ProtectedSettings @{"workspaceKey" = $key} `
  -Location "East US"

After a few minutes, you should see the new VM in the Log Analytics workspace.

Log Analytics blade

Next steps

In this tutorial, you configured and reviewed VMs with Azure Security Center. You learned how to:

  • Create a virtual network
  • Create a resource group and VM
  • Enable boot diagnostics on the VM
  • View boot diagnostics
  • View host metrics
  • Install the diagnostics extension
  • View VM metrics
  • Create an alert
  • Manage Windows updates
  • Monitor changes and inventory
  • Set up advanced monitoring

Advance to the next tutorial to learn about Azure security center.