At my company, we have a dashboard showing all Virtual Machines on Azure, highlighting any missing Windows or Linux patches, then marking VMs with missing patches over 30 days old as non-compliant, to alert teams to patch the VM (auto patching is not always an option due to the downtime). We now want to add VM Scale Set VMs to this wallboard, but I cannot see how. The Microsoft Monitoring Agent doesn't seem to be installed on any of the Scale Set VMs, so I cannot see how to query them. Currently, with the standard VMs, I query using Log Analytics queries.

Is there any solution to this without having to ask the dev teams to install the monitoring agent on all the Scale Set VMs (if that's even possible)?

1 Answer

First of all, without the agent installed, you will not be able to collect any logs from within that machine. It's definitely possible to install the Log Analytics Agent (it will be replaced by the Azure Monitor Agent, which is currently in preview) on Scale Sets. You can get your dev team to do it, but we've encountered a lot of issues with that.

We build images via pipelines, and not all our images are rebuilt frequently. We noticed we started facing issues with the MMA certificate expiring for some reason. We barely had time to investigate as Policies were already being rolled out.

The best practice to deploy MMA to Scale Sets is to use an Azure Policy - it also ensures compliance. Any machine built automatically gets it and you can be confident it will be installed. It will DeployIfNotExists. The two links below will redirect you to the Azure Policy in your own Azure Portal.

  1. Windows VMSS Policy for Log Analytics Agent
  2. Linux VMSS Policy for Log Analytics Agent

One thing you should be aware of is that if the upgrade mode on your Scale Set is Manual instead of Rolling/Automatic, then you'll need to manually upgrade the instances for the agent installation to take effect.

Ked Mardemootoo
  • Thank you. That's a perfect answer for what I need. I'll discuss internally the policy suggestion. We already have a policy for normal VMs to install this and point at a set WS, so this is just adding more policies but to handle VMSS instead. – Andy in the UK Jun 03 '21 at 15:46
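
The upgrade-mode caveat in the answer can be checked before trusting the wallboard. The following is an added example, not part of the answer and not Microsoft's code: it triages scale sets into "agent missing from the model", "Manual mode with instances still on the old model", and "ok". It assumes the input follows the ARM REST shape for scale sets (`properties.upgradePolicy.mode`, the extension profile, and `properties.latestModelApplied` on each instance); the `instances` key and all resource names are constructed for the sample.

```python
# Log Analytics agent extension identity (publisher, and type per OS).
LA_PUBLISHER = "Microsoft.EnterpriseCloud.Monitoring"
LA_TYPES = {"MicrosoftMonitoringAgent", "OmsAgentForLinux"}

def has_agent(vmss):
    """True if the scale set model declares the Log Analytics extension."""
    profile = vmss["properties"].get("virtualMachineProfile", {})
    exts = profile.get("extensionProfile", {}).get("extensions", [])
    return any(e["properties"].get("publisher") == LA_PUBLISHER
               and e["properties"].get("type") in LA_TYPES for e in exts)

def triage(vmss):
    """Return (status, ids of instances not yet on the latest model)."""
    if not has_agent(vmss):
        return "agent-missing-from-model", []
    stale = [i["instanceId"] for i in vmss.get("instances", [])
             if not i["properties"].get("latestModelApplied", False)]
    if not stale:
        return "ok", []
    mode = vmss["properties"]["upgradePolicy"]["mode"]
    return ("manual-upgrade-needed" if mode == "Manual" else "rollout-pending"), stale

def _sample(name, mode, ext_type, applied):
    """Build one constructed scale set record (all names are made up)."""
    exts = [{"name": "la-agent", "properties": {
        "publisher": LA_PUBLISHER, "type": ext_type}}] if ext_type else []
    return {"name": name,
            "properties": {"upgradePolicy": {"mode": mode},
                           "virtualMachineProfile": {
                               "extensionProfile": {"extensions": exts}}},
            # Hypothetical key: instance list merged in by the caller.
            "instances": [{"instanceId": str(n),
                           "properties": {"latestModelApplied": ok}}
                          for n, ok in enumerate(applied)]}

SAMPLE = [
    _sample("vmss-web", "Manual", "MicrosoftMonitoringAgent", [False, True]),
    _sample("vmss-api", "Rolling", "OmsAgentForLinux", [True, True]),
    _sample("vmss-batch", "Automatic", None, [True]),
]

def report(scale_sets):
    """Map each scale set name to its (status, stale instance ids)."""
    return {s["name"]: triage(s) for s in scale_sets}

if __name__ == "__main__":
    for name, (status, stale) in report(SAMPLE).items():
        print(f"{name}: {status} {stale}")
```

Any scale set that is not `ok` is a blind spot for the patch dashboard, because instances without the agent send no update data to the workspace.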