last sync: 2024-Mar-01 17:50:27 UTC

Machines should be configured to periodically check for missing system updates

Azure BuiltIn Policy definition

Source Azure Portal
Display name Machines should be configured to periodically check for missing system updates
Id bd876905-5b84-4f73-ab2d-2e7a7c4568d9
Version 3.6.0
Details on versioning
Category Azure Update Manager
Microsoft Learn
Description To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (11)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Compute/imageId Microsoft.Compute
Microsoft.Compute
Microsoft.Compute
virtualMachines
virtualMachineScaleSets
disks
properties.storageProfile.imageReference.id
properties.virtualMachineProfile.storageProfile.imageReference.id
properties.creationData.imageReference.id
false
false
false
Microsoft.Compute/imageOffer Microsoft.Compute
Microsoft.Compute
Microsoft.Compute
virtualMachines
virtualMachineScaleSets
disks
properties.storageProfile.imageReference.offer
properties.virtualMachineProfile.storageProfile.imageReference.offer
properties.creationData.imageReference.id
false
false
false
Microsoft.Compute/imagePublisher Microsoft.Compute
Microsoft.Compute
Microsoft.Compute
virtualMachines
virtualMachineScaleSets
disks
properties.storageProfile.imageReference.publisher
properties.virtualMachineProfile.storageProfile.imageReference.publisher
properties.creationData.imageReference.id
false
false
false
Microsoft.Compute/imageSKU Microsoft.Compute
Microsoft.Compute
Microsoft.Compute
virtualMachines
virtualMachineScaleSets
disks
properties.storageProfile.imageReference.sku
properties.virtualMachineProfile.storageProfile.imageReference.sku
properties.creationData.imageReference.id
false
false
false
Microsoft.Compute/virtualMachines/osProfile.computerName Microsoft.Compute virtualMachines properties.osProfile.computerName true
Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.assessmentMode Microsoft.Compute virtualMachines properties.osProfile.linuxConfiguration.patchSettings.assessmentMode true
Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.assessmentMode Microsoft.Compute virtualMachines properties.osProfile.windowsConfiguration.patchSettings.assessmentMode true
Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType Microsoft.Compute virtualMachines properties.storageProfile.osDisk.osType true
Microsoft.HybridCompute/machines/osName Microsoft.HybridCompute machines properties.osName false
Microsoft.HybridCompute/machines/osProfile.linuxConfiguration.patchSettings.assessmentMode Microsoft.HybridCompute machines properties.osProfile.linuxConfiguration.patchSettings.assessmentMode true
Microsoft.HybridCompute/machines/osProfile.windowsConfiguration.patchSettings.assessmentMode Microsoft.HybridCompute machines properties.osProfile.windowsConfiguration.patchSettings.assessmentMode true
Rule resource types IF (4)
Microsoft.Compute/galleries
Microsoft.Compute/images
Microsoft.Compute/virtualMachines
Microsoft.HybridCompute/machines
Compliance
The following 2 compliance controls are associated with this Policy definition 'Machines should be configured to periodically check for missing system updates' (bd876905-5b84-4f73-ab2d-2e7a7c4568d9)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 PV-6 Azure_Security_Benchmark_v3.0_PV-6 Microsoft cloud security benchmark PV-6 Posture and Vulnerability Management Rapidly and automatically remediate vulnerabilities Shared **Security Principle:** Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of the vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority. **Azure Guidance:** Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager. Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment. You should also consider which applications present a high security risk and which ones require high uptime. **Implementation and additional context:** How to configure Update Management for virtual machines in Azure: https://docs.microsoft.com/azure/automation/update-management/overview Manage updates and patches for your Azure VMs: https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm n/a link 13
CIS_Azure_2.0.0 2.1.13 CIS_Azure_2.0.0_2.1.13 CIS Microsoft Azure Foundations Benchmark recommendation 2.1.13 2.1 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' Shared Running Microsoft Defender for Cloud incurs additional charges for each resource monitored. Please see attached reference for exact charges per hour. Ensure that the latest OS patches for all virtual machines are applied. Windows and Linux virtual machines should be kept updated to: - Address a specific bug or flaw - Improve an OS or application’s general stability - Fix a security vulnerability The Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied. link 1
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-02-20 22:44:08 change Minor (3.5.0 > 3.6.0)
2024-01-24 19:15:51 change Minor (3.4.1 > 3.5.0)
2023-09-18 18:02:04 change Patch, old suffix: preview (3.4.0-preview > 3.4.1)
2023-09-11 17:59:12 change Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview)
2023-08-03 17:56:09 change Minor, suffix remains equal (3.1.0-preview > 3.3.0-preview)
2023-07-24 17:56:14 change Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview)
2022-12-21 17:43:51 change Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
2022-10-21 16:42:13 change Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
2021-10-08 15:47:40 add bd876905-5b84-4f73-ab2d-2e7a7c4568d9
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC