Share via

This VM was restored from Azure Backup and is now stuck with patchMode set to "Manual" with no ability to change it

Ty Farquhar 25 Reputation points
2026-03-25T02:13:54.05+00:00

VM Restored from Backup — Stuck on Manual Patch Mode, Cannot Re-enable Hotpatching (Windows Server 2022 Azure Edition)

OS: Windows Server 2022 Datacenter: Azure Edition (originally from hotpatch marketplace image) VM Size: Standard_D2s_v3 Region: South Central US Security: Trusted Launch (Secure Boot + vTPM)

Problem

I have a VM that was restored from Azure Backup. After the restore, the patch orchestration is stuck on "Manual" and I cannot change it to AutomaticByPlatform or re-enable hotpatching. The portal throws an error saying enableAutomaticUpdates must be set to true, but there's no way to set it.

Querying the patch settings shows:

"assessmentMode": "AutomaticByPlatform",
"automaticByPlatformSettings": null,
"enableHotpatching": null,
"patchMode": "Manual"

Querying the full osProfile returns null — the restore wiped out the OS profile metadata entirely.

What I've Tried

Portal → Update Manager: Tried changing patch orchestration to anything other than Manual. Fails because enableAutomaticUpdates is not set to true, and there's no toggle for it.

REST API PATCH (VM running): Used az rest to PATCH the VM resource with enableAutomaticUpdates: true and patchMode: AutomaticByPlatform. Got HTTP 409: PropertyChangeNotAllowed — Changing property 'osProfile' is not allowed.

Deallocated VM + REST API PATCH: Same REST call with the VM deallocated. Same PropertyChangeNotAllowed error.

Deleted and recreated the VM using the existing OS disk: Deleted the VM resource (kept the OS disk and NIC), then ran az vm create with --attach-os-disk and flags for --enable-auto-update true, --patch-mode AutomaticByPlatform, --enable-hotpatching true. VM created successfully, but because the disk is specialized, Azure created it with a null osProfile again. The patch flags were ignored. REST API calls afterward still return PropertyChangeNotAllowed.

Question

Is there any way to re-establish a valid osProfile on a VM built from a specialized backup-restored disk? Or does this require a Microsoft support ticket to fix the backend metadata? This is a production server that needs to be under Azure-managed patching with hotpatching enabled.

This seems like a gap in the backup/restore workflow — the osProfile should be preserved or there should be a supported way to set it after the fact.

Any help appreciated.

Azure Update Manager
Azure Update Manager

An Azure service to centrally manages updates and compliance at scale.

0 comments
Answer accepted by question author
  1. Siva shunmugam Nadessin 8,415 Reputation points Microsoft External Staff Moderator
    2026-03-25T03:06:00.32+00:00

    Hello Ty Farquhar,

    Thank you for reaching out to the Microsoft Q&A forum.

    When investigated we see that there is currently no supported way to re‑establish or repair a missing osProfile on a VM that was restored from Azure Backup using a specialized OS disk.

    When osProfile is null:

    • enableAutomaticUpdates cannot be set
    • patchMode cannot be changed from Manual
    • enableHotpatching cannot be re-enabled
    • REST, CLI, ARM, PowerShell all correctly return PropertyChangeNotAllowed

    This requires a Microsoft support ticket to fix backend metadata and this is a known gap/bug in the Azure Backup restore workflow. There is no self-service workaround that preserves hotpatching on a restored specialized disk

    But, If downtime is acceptable for you Rebuild VM properly (no metadata repair),

    Create a new VM from the marketplace hotpatch image

    Ensure:

    • AutomaticByPlatform.
    • Hotpatching enabled.
    • Migrate data/applications from the restored VM.
    • Decommission the restored VM.

    This is the only self‑service, fully supported path today.

    Azure Update Manager does support specialized VMs but hotpatching does not survive Backup restore when osProfile is lost.

    Microsoft’s own documentation states:

    • Automatic guest patching requires supported image lineage
    • Metadata must exist at creation time

    Azure Backup currently breaks that contract.

    Reference:

    Automatic Guest Patching for Azure Virtual Machines | Azure Docs

    If it doesn’t work kindly share the below details in private message, we will create a support ticket to check with the backend team.

    • VM resource ID.
    • Proof it was originally deployed from Windows Server 2022 Azure Edition Hotpatch image.
    • Backup restore job ID.
    • Current VM JSON (showing osProfile: null).

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.