Custom azure policy to enable automatic VM guest patching

Question

I would like to enable Automatic VM guest patching using Azure Policy with DeployIfNotExist mode. I drafted a definition but it does not seems to work properly (it shows non compliant VM as compliant).

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines",
        "existenceCondition": {
          "anyOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode",
              "equals": "AutomaticByPlatform"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.patchMode",
              "equals": "AutomaticByPlatform"
            }
          ]
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "resources": [
                {
                  "type": "Microsoft.Compute/virtualMachines",
                  "apiVersion": "2019-03-01",
                  "name": "[field('name')]",
                  "location": "[field('location')]",
                  "properties": {
                    "osProfile": {
                      "windowsConfiguration": {
                        "patchSettings": {
                          "patchMode": "AutomaticByPlatform"
                        }
                      }
                    }
                  }
                }
              ]
            },
            "parameters": {
              "vmName": {
                "value": "[field('name')]"
              },
              "location": {
                "value": "[field('location')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {}
}

Answer 1

@Yasmin, Fitri Thanks for reaching out. I would suggest you to create separate custom policy definitions based on operating systems as the process of enabling automatic VM guest patching differs in the properties provided.

Windows Snippet to enable automatic VM guest patching.

{
  "location": "<location>",
  "properties": {
    "osProfile": {
      "windowsConfiguration": {
        "provisionVMAgent": true,
        "enableAutomaticUpdates": true,
        "patchSettings": {
          "patchMode": "AutomaticByPlatform"
        }
      }
    }
  }
}

Linux Snippet to enable automatic VM guest patching.

{
  "location": "<location>",
  "properties": {
    "osProfile": {
      "linuxConfiguration": {
        "provisionVMAgent": true,
        "patchSettings": {
          "patchMode": "AutomaticByPlatform"
        }
      }
    }
  }
}

Answer 2

[UPDATE] add the following before existenceCondition solved the problem

"name": "[field('name')]",
"evaluationDelay": "AfterProvisioningSuccess",

Answer 3

Hi, please note that enabling automatic patching is one thing and verifying the patch level is a different thing. You may need to let the VMs running outside business hours to be able the be patched. Hope this helps!