Skip to content

Instantly share code, notes, and snippets.

Created April 19, 2022 13:58
Show Gist options
  • Save 1RedOne/561d090e8028331020ef2cd5bb2699f5 to your computer and use it in GitHub Desktop.
Save 1RedOne/561d090e8028331020ef2cd5bb2699f5 to your computer and use it in GitHub Desktop.
A script to update sublib VMs
Import-Module Az.Accounts
Import-Module Az.Automation
Import-Module Az.Compute
A runbook to iterate through VMs in this Sublib and tell them to patch, if they don't have a 'DontPatch' tag
AUTHOR: Stephen Owen
LASTEDIT: April 14, 2022
write-output "This script will send a Run Command to all Running VMs in this Subscription"
write-output "To exclude a VM from patching, add the `DontPatch:true` tag to the VM"
get-command Invoke-AzVmInstallPatch
function Patch-VM($VM){
$imageType = $VM.StorageProfile.ImageReference.Offer
$LinuxVM = $false
if ($imageType -like "*Ubuntu*"){
Write-Output "$($VM.Name)\Patching\FirePatch:> VM is $imageType, an ubuntu varient, preping command"
$LinuxVM = $true
if ($imageType -like "*cent*"){
Write-Output "$($VM.Name)\Patching\FirePatch:> VM is $imageType, an cent varient, preping command"
if ($imageType -like "*RHEL*"){
Write-Output "$($VM.Name)\Patching\FirePatch:> VM is $imageType, a RedHat varient, preping command"
if ($imageType -like "*sles*"){
Write-Output "$($VM.Name)\Patching\FirePatch:> VM is $imageType, a SLES varient, preping command"
if ($imageType -like "*windows*"){
Write-Output "$($VM.Name)\Patching\FirePatch:> VM is $imageType, a Windows varient, preping command"
if ($LinuxVM){
$null = Invoke-AzVmInstallPatch -ResourceId $Vm.Id -RebootSetting "Always" -MaximumDuration PT2H -ClassificationToIncludeForLinux Critical,Security -AsJob -Linux
$null = Invoke-AzVmInstallPatch -ResourceId $Vm.Id -Windows -RebootSetting "Always" -MaximumDuration PT2H -ClassificationToIncludeForWindows Critical,Security -AsJob
$connectionName = "AzureRunAsConnection"
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection= Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Connect-AzAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
catch {
if (!$servicePrincipalConnection)
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
$context = get-azcontext
$subName = $context.Subscription.Name
Write-Output "running against context of $($subName)"
if ($subName -notlike "*SubLib*"){
Write-Error "not running against sublib, exiting"
#Get all Azure VMs from all resource groups
$RGs = Get-AzResourceGroup
foreach ($RG in $RGs)
$VMs = Get-AzVm -ResourceGroupName $RG.ResourceGroupName
foreach($VM in $VMs)
$VMDetail = Get-AzVm -ResourceGroupName $RG.ResourceGroupName -Name $VM.Name -Status
$RGN = $VMDetail.ResourceGroupName
foreach ($VMStatus in $VMDetail.Statuses)
$VMStatusDetail = $VMStatus.DisplayStatus
Write-Output "VM: $RGN\$($VM.Name) - [$VMStatusDetail]"
if ($VMStatusDetail -ne "VM running"){
Write-Output "$($VM.Name):> VM offline with $VMStatusDetail, skipping"
$canPatch = $true
if ($vm.Tags) {
if ($vm.Tags['DontPatch']) {
$canPatch = $false
write-output "$($VM.Name):> VM has DontPatch Tag, we should skip"
write-output "$($VM.Name):> VM has tags, but didn't have 'DontPatch' tag assigned"
write-output "$($VM.Name):> VM has no tags"
if ($canPatch){
write-output "$($VM.Name)\Patching:> VM is OK to patch, proceed with firing command"
Patch-VM -VM $VM
write-output "$($VM.Name)\Patching:> !!!!!VM has 'DontPatch' tag assigned, skipping"
write-output "============================================================================="
Write-Output "Waiting on results"
get-job | wait-job
get-job | receive-job
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment