Info on "Windows Update" setting

[ChiragPavecha]

Would be great if we can add Banner/Warning/Link to clusters where Windows Update is still enabled and potentially causing VM’s to reboot unexpectedly. Link in banner pointing to recommended SF configuration for VMSS OS Updates or POA

[jeffj6123]

So I feel like there are a few scenarios we would need to be able to handle for this to work and expose as an API:

• What would we do for linux cluster
• How would this work for on prem clusters

I feel that this would actually be a prime place for SF Observer. @GitTorre would this be pretty straight forward to implement as an observer?

[sridmad]

Agree. Fabric Observer is a better tool to surface this information.

[GitTorre]

Thanks for the feature request. Yes, this is something that OSObserver could look for and, if detected, emit an informational health event that contains a link to related documentation much as it does today with links to kb articles about OS updates/patches that have been installed on the VM it's running on. This information would also reside in the structured telemetry data OSO emits.

[GitTorre]

How about this?

[sridmad]

May be create a different health event specifically for Windows Updates related information so they can be marked as warning and/or error as the case may be.

Auto Windows update enabled should always be a warning in SF scenarios - Use automatic Image update or POA (for bronze durability)

Warnings if OS updates are not installed after a grace period?

[GitTorre]

@sridmad Yes, if it should be a warning, then OSO will generate one if AU service is enabled.

In terms of OS update grace period expiration warnings, that should really be something POA does, as it is already configurable for that type of thing, for example. I'm not sure FO should join the WU game. For stuff like AU detection, that's easy. For monitoring updates, generally, this will add redundancy if POA is installed. FO doesn't orchestrate patching and as such warning users that an update must take place due to some configurable (?) grace period expiration makes more sense in a service that does.

AU enabled Warning, which will take place on each node:

[GitTorre]

Pushed change to develop. It's not ready for merge into master (code refinement/refactoring/review, more testing). You can pull latest from there and test it out. I will merge into master and produce signed builds early next week. Let me know what you think.

If you can think of more OS-level configurations/settings/services to monitor, please create a new Issue. Thanks again for filing this one.

[GitTorre]

Pull latest from develop. The first impl was too aggressive.

[GitTorre]

[markwragg]

I think this should be reopened. Currently the code does the following check for if Windows Updates are enabled (which is if the service is enabled then the setting must be "notify before download"):

   this.isWindowsUpdateAutoDownloadEnabled =
                    wuLibAutoUpdates.ServiceEnabled &&
                    wuLibAutoUpdates.Settings.NotificationLevel != AutomaticUpdatesNotificationLevel.aunlNotifyBeforeDownload;

In my environment, the service is enabled but Windows Update is set to "never check for updates". I think the above check should be amended to include that as an acceptable sign that Windows updates are disabled (the enum to check I believe would be AutomaticUpdatesNotificationLevel.aunlDisabled).

Note also that I set virtualMachineProfile.osProfile.windowsConfiguration.enableAutomaticUpdates to false in the ARM template as per the guide on VMSS automatic OS image upgrades and this still didn't end up putting Windows Update in a state where it was disabled for my environment (even for new nodes that were created after the change). Although its worth noting that we have a boot script that sets auto updates to "never check for updates" in the registry so maybe this has overridden the default setting that this ARM property sets. I was surprised it didn't disable the Windows Update service tbh.

[markwragg]

Created a new issue for this as I think it makes more sense/easier to relate to the next release.