
Azure Update Manager - Set Patch Orchestration Mode to AutomaticByPlatform

One of the prerequisites for patching VMs with Azure Update Manager is that the VM's patch orchestration mode is set to "AutomaticByPlatform". If it is not, deploying a new update schedule to that VM fails with the following error in the deployment:

```
Error "code": "UnsupportedResourceOperation", "message": "Patch orchestration mode is not set to AutomaticByPlatform", The prerequisites to patch your machine were not met. Please set the patchMode to AutomaticByPlatform and bypassPlatformChecksOnUserSchedule as true.
```

Resolution

To fix this, set the patch orchestration mode to "AutomaticByPlatform" on every VM in the schedule's scope. Both the portal and the PowerShell methods below also set BypassPlatformSafetyChecksOnUserSchedule to true, which the error message names as the second prerequisite.

Portal Method - Enable for existing VMs

You can update the patch orchestration option for existing VMs that either already have schedules associated or will be newly associated with a schedule.

Be aware of the combination that leads to unscheduled patching: if Patch orchestration is set to Azure-orchestrated or Azure Managed - Safe Deployment (AutomaticByPlatform), BypassPlatformSafetyChecksOnUserSchedule is false, and no schedule is associated with the VM, the platform will patch the VM automatically on its own cadence.

To update the patch mode:

  1. Sign in to the Azure portal.
  2. Go to Azure Update Manager and select Update Settings.
  3. In Change update settings, select Add machine.
  4. In Select resources, select your VMs and then select Add.
  5. On the Change update settings pane, under Patch orchestration, select Customer Managed Schedules and then select Save.

Attach a schedule after you finish the preceding steps.

To check whether BypassPlatformSafetyChecksOnUserSchedule is enabled on a VM, open the virtual machine's home page in the portal and select Overview > JSON View, then look at the patchSettings under osProfile.

PowerShell Method

Enable on Windows VMs

```powershell
# Load the VM object and switch its patch mode to AutomaticByPlatform
$VirtualMachine = Get-AzVM -ResourceGroupName "<resourceGroup>" -Name "<vmName>"
Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -PatchMode "AutomaticByPlatform"
$AutomaticByPlatformSettings = $VirtualMachine.OSProfile.WindowsConfiguration.PatchSettings.AutomaticByPlatformSettings

# The settings object does not exist until it has been set once, so create it if needed
if ($null -eq $AutomaticByPlatformSettings) {
   $VirtualMachine.OSProfile.WindowsConfiguration.PatchSettings.AutomaticByPlatformSettings = New-Object -TypeName Microsoft.Azure.Management.Compute.Models.WindowsVMGuestPatchAutomaticByPlatformSettings -Property @{BypassPlatformSafetyChecksOnUserSchedule = $true}
} else {
   $AutomaticByPlatformSettings.BypassPlatformSafetyChecksOnUserSchedule = $true
}

# Write the modified VM model back to Azure
Update-AzVM -VM $VirtualMachine -ResourceGroupName "<resourceGroup>"
```

Enable on Linux VMs

```powershell
# Load the VM object and switch its patch mode to AutomaticByPlatform
$VirtualMachine = Get-AzVM -ResourceGroupName "<resourceGroup>" -Name "<vmName>"
Set-AzVMOperatingSystem -VM $VirtualMachine -Linux -PatchMode "AutomaticByPlatform"
$AutomaticByPlatformSettings = $VirtualMachine.OSProfile.LinuxConfiguration.PatchSettings.AutomaticByPlatformSettings

# The settings object does not exist until it has been set once, so create it if needed
if ($null -eq $AutomaticByPlatformSettings) {
   $VirtualMachine.OSProfile.LinuxConfiguration.PatchSettings.AutomaticByPlatformSettings = New-Object -TypeName Microsoft.Azure.Management.Compute.Models.LinuxVMGuestPatchAutomaticByPlatformSettings -Property @{BypassPlatformSafetyChecksOnUserSchedule = $true}
} else {
   $AutomaticByPlatformSettings.BypassPlatformSafetyChecksOnUserSchedule = $true
}

# Write the modified VM model back to Azure
Update-AzVM -VM $VirtualMachine -ResourceGroupName "<resourceGroup>"
```
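Before running the two scripts above against a whole scope, it helps to know which VMs actually need them. The following read-only audit is an added example (not from the original post or from Microsoft) that reads the same PatchSettings properties the JSON View check and the scripts use, for every VM in one resource group (the assumed scope; `$ResourceGroupName` and `Get-VmPatchPrereqStatus` are names chosen here), and reports which prerequisite each VM fails.

```powershell
# Added example: audit Azure Update Manager prerequisites for all VMs in a resource group.
# Read-only: it changes nothing; use the page's Set-AzVMOperatingSystem/Update-AzVM steps to fix.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName   # assumed scope: one resource group
)

function Get-VmPatchPrereqStatus {
    param($Vm)   # a VM object as returned by Get-AzVM

    # The OS type decides which OSProfile branch carries PatchSettings.
    $osType = [string] $Vm.StorageProfile.OsDisk.OsType
    $settings = if ($osType -eq 'Windows') {
        $Vm.OSProfile.WindowsConfiguration.PatchSettings
    } else {
        $Vm.OSProfile.LinuxConfiguration.PatchSettings
    }

    # Both values are $null when the VM has never had patch settings applied.
    $patchMode = $settings.PatchMode
    $bypass    = $settings.AutomaticByPlatformSettings.BypassPlatformSafetyChecksOnUserSchedule

    # Classify against the two prerequisites named in the UnsupportedResourceOperation error.
    $status = if ($patchMode -ne 'AutomaticByPlatform') {
        'NonCompliant: patchMode is not AutomaticByPlatform (schedule deployment will fail)'
    } elseif ($bypass -ne $true) {
        'NonCompliant: BypassPlatformSafetyChecksOnUserSchedule not true (deployment fails; with no schedule attached the platform auto-patches this VM)'
    } else {
        'Compliant'
    }

    [pscustomobject]@{
        VmName    = $Vm.Name
        OsType    = $osType
        PatchMode = $patchMode
        Bypass    = $bypass
        Status    = $status
    }
}

# Get-AzVM with only -ResourceGroupName returns every VM in that group.
Get-AzVM -ResourceGroupName $ResourceGroupName |
    ForEach-Object { Get-VmPatchPrereqStatus -Vm $_ } |
    Format-Table -AutoSize
```

Run it once before and once after the remediation scripts; a VM reported Compliant still needs a schedule attached before it is covered by Azure Update Manager.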

Reference: Enable schedule patching on Azure VMs

This post is licensed under CC BY 4.0 by the author.