Apply Latest OS Patches

Risk Level: Medium (should be achieved)

Ensure that the latest OS patches (critical security and system updates) are being applied to all Microsoft Azure virtual machines (Windows and Linux) in order to improve the operating system (OS) general stability, address a specific bug or flaw, or fix a security vulnerability.

Security

Microsoft Defender for Cloud retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on the service configured on your virtual machines (VMs). The Defender for Cloud service also checks for the latest updates within Linux systems. If one of your virtual machines is missing a system update, Microsoft Defender for Cloud will recommend updating the VM's operating system. Trend Cloud One™ – Conformity strongly recommends applying the latest system updates/OS patches as soon as these become available, in order to improve your VM's security, functionality, and performance.

To apply the latest OS patches using Microsoft Defender for Cloud, Defender for Servers Plan 2 must be enabled.


Audit

To ensure that your Azure virtual machines (VMs) are up-to-date with the latest OS patches, perform the following operations:

Checking the latest system updates on Azure virtual machines (VMs) via Azure Command Line Interface (CLI) is not currently supported.

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the Microsoft Defender for Cloud blade available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under General, choose Recommendations to access the Microsoft Defender for Cloud recommendations made for the cloud resources available within the current Azure subscription. A recommendation represents an action for you to take in order to secure your Azure cloud resources. Each Defender for Cloud recommendation consists of 1) a short description of what is being recommended, 2) the steps required to implement the recommendation, 3) the affected resource(s) that require the recommended actions and 4) the secure score impact if the recommendation is implemented.

04 On the Recommendations page, search for the following recommendation: System updates should be installed on your machines. If there is no such recommendation, Microsoft Defender for Cloud did not find any virtual machines that require the latest OS patches to be installed. If System updates should be installed on your machines (powered by Azure Update Manager) is available as a recommendation, one or more Azure virtual machines (Windows and/or Linux) provisioned within the current Azure subscription are missing the latest system updates (i.e., OS patches).

05 Repeat steps no. 2 – 4 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To apply the latest OS patches (critical security and system updates) to your Azure virtual machines (VMs) following Microsoft Defender for Cloud recommendations, perform the following operations:

Applying the latest OS patches to your Azure virtual machines using the Azure Command Line Interface (CLI) is not currently supported.

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the Microsoft Defender for Cloud blade available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under General, choose Recommendations to access the Microsoft Defender for Cloud recommendations made for the cloud resources available in the current Azure subscription.

04 On the Recommendations page, perform the following actions:

  1. Click on the Machines should be configured to periodically check for missing system updates recommendation, choose View recommendation for all resources from the top menu, select all the affected resources (i.e., virtual machines) listed under Unhealthy resources, and choose Fix.
  2. Click on the System updates should be installed on your machines recommendation, choose View recommendation for all resources from the top menu, select all the affected resources listed under Unhealthy resources, and choose Fix to install the latest OS patches recommended by Microsoft Defender for Cloud.

05 Repeat steps no. 3 and 4 for each subscription created in your Microsoft Azure cloud account.

Publication date May 7, 2025