Custom azure policy to enable automatic VM guest patching

Yasmin, Fitri 266 Reputation points
2024-01-31T10:18:40.4+00:00

I would like to enable Automatic VM guest patching using Azure Policy with DeployIfNotExist mode. I drafted a definition but it does not seem to work properly (it shows a non-compliant VM as compliant).

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines",
        "existenceCondition": {
          "anyOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode",
              "equals": "AutomaticByPlatform"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.patchMode",
              "equals": "AutomaticByPlatform"
            }
          ]
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "vmName": {
                  "type": "string"
                },
                "location": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "type": "Microsoft.Compute/virtualMachines",
                  "apiVersion": "2019-03-01",
                  "name": "[parameters('vmName')]",
                  "location": "[parameters('location')]",
                  "properties": {
                    "osProfile": {
                      "windowsConfiguration": {
                        "patchSettings": {
                          "patchMode": "AutomaticByPlatform"
                        }
                      }
                    }
                  }
                }
              ]
            },
            "parameters": {
              "vmName": {
                "value": "[field('name')]"
              },
              "location": {
                "value": "[field('location')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {}
}
Tags: Azure Virtual Machines, Azure Policy, Azure Update Manager

3 answers

  1. SwathiDhanwada-MSFT 18,466 Reputation points
    2024-02-07T09:25:12.2333333+00:00

    @Yasmin, Fitri Thanks for reaching out. I would suggest that you create separate custom policy definitions based on operating systems, as the process of enabling automatic VM guest patching differs in the properties provided.

    Windows snippet to enable automatic VM guest patching.

    {
      "location": "<location>",
      "properties": {
        "osProfile": {
          "windowsConfiguration": {
            "provisionVMAgent": true,
            "enableAutomaticUpdates": true,
            "patchSettings": {
              "patchMode": "AutomaticByPlatform"
            }
          }
        }
      }
    }
    
    

    Linux snippet to enable automatic VM guest patching.

    {
      "location": "<location>",
      "properties": {
        "osProfile": {
          "linuxConfiguration": {
            "provisionVMAgent": true,
            "patchSettings": {
              "patchMode": "AutomaticByPlatform"
            }
          }
        }
      }
    }
    

  2. Yasmin, Fitri 266 Reputation points
    2024-02-23T12:31:29.1166667+00:00

    [UPDATE] Adding the following before existenceCondition solved the problem:

    "name": "[field('name')]",
    "evaluationDelay": "AfterProvisioningSuccess",
    

  3. Cristian SPIRIDON 4,471 Reputation points
    2024-03-10T12:56:55.3166667+00:00

    Hi, please note that enabling automatic patching is one thing and verifying the patch level is a different thing. You may need to leave the VMs running outside business hours so that they can be patched. Hope this helps!
