diff --git a/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep
index 7e0a6bd7ca..c89ae71d7d 100644
--- a/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep
+++ b/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep
@@ -155,6 +155,8 @@ module testDeployment '../../deploy.bicep' = {
 }
 }
 ]
+ enableAutomaticUpdates: true
+ patchMode: 'AutomaticByPlatform'
 diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
 diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
diff --git a/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep
index 9ed0f6f0a7..46d86fb3fe 100644
--- a/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep
+++ b/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep
@@ -159,6 +159,8 @@ module testDeployment '../../deploy.bicep' = {
 }
 }
 ]
+ enableAutomaticUpdates: true
+ patchMode: 'AutomaticByPlatform'
 diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
 diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
index 444797bcd8..6dd2081619 100644
--- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep
+++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
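Review bot: `enableAutomaticUpdates: true` in the Linux test case is a no-op as far as this patch shows: the module describes the parameter as applying to "the Windows virtual machine" and the visible Linux OS profile in deploy.bicep never forwards it, so the line asserts nothing and reads as if Linux honoured the flag. Either drop it from the Linux test or mark the intent, e.g. `// enableAutomaticUpdates is Windows-only; kept here only to mirror the Windows test`. Both test cases also leave `patchAssessmentMode` at its default, so the new assessment-mode path is never exercised; adding `patchAssessmentMode: 'AutomaticByPlatform'` to one of them would cover it. The `testDeployment` module body starts and ends outside the hunk.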
@@ -272,9 +272,26 @@ param disablePasswordAuthentication bool = false
 
 @description('Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later.')
 param provisionVMAgent bool = true
 
-@description('Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.')
+@description('Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.')
 param enableAutomaticUpdates bool = true
 
+@description('Optional. VM guest patching orchestration mode. \'AutomaticByOS\' & \'Manual\' are for Windows only, \'ImageDefault\' for Linux only. Refer to \'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching\'')
+@allowed([
+ 'AutomaticByPlatform'
+ 'AutomaticByOS'
+ 'Manual'
+ 'ImageDefault'
+ ''
+])
+param patchMode string = ''
+
+@description('Optional. VM guest patching assessment mode. Set it to \'AutomaticByPlatform\' to enable automatically check for updates every 24 hours.')
+@allowed([
+ 'AutomaticByPlatform'
+ 'ImageDefault'
+])
+param patchAssessmentMode string = 'ImageDefault'
+
 @description('Optional. Specifies the time zone of the virtual machine. e.g. \'Pacific Standard Time\'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`.')
 param timeZone string = ''
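Review bot: The `patchAssessmentMode` description does not say that the value is only forwarded together with `patchMode`, so a caller who sets `patchAssessmentMode: 'AutomaticByPlatform'` and leaves `patchMode` at its default `''` silently gets no assessment (the gating is in the OS-profile change later in this diff). The description should state it, e.g. `Only applied when patchMode is set to a value supported by the selected OS; otherwise ignored.`, and the sentence "to enable automatically check for updates" should read "to have the platform check for updates every 24 hours". The Manual/`enableAutomaticUpdates` constraint is documented only on `enableAutomaticUpdates` and nothing in the module validates it, so `patchMode: 'Manual'` with the default `enableAutomaticUpdates: true` is accepted by the template and presumably only rejected by the platform at deployment time; repeat the constraint on `patchMode` as `'Manual' requires enableAutomaticUpdates to be false.`. From a compliance standpoint the default `'ImageDefault'` assessment means no platform-driven patch assessment is reported, which the readme should call out so callers opt in deliberately.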
@@ -305,11 +322,19 @@ var linuxConfiguration = {
 publicKeys: publicKeysFormatted
 }
 provisionVMAgent: provisionVMAgent
+ patchSettings: (provisionVMAgent && (patchMode =~ 'AutomaticByPlatform' || patchMode =~ 'ImageDefault')) ? {
+ patchMode: patchMode
+ assessmentMode: patchAssessmentMode
+ } : null
 }
 
 var windowsConfiguration = {
 provisionVMAgent: provisionVMAgent
 enableAutomaticUpdates: enableAutomaticUpdates
+ patchSettings: (provisionVMAgent && (patchMode =~ 'AutomaticByPlatform' || patchMode =~ 'AutomaticByOS' || patchMode =~ 'Manual')) ? {
+ patchMode: patchMode
+ assessmentMode: patchAssessmentMode
+ } : null
 timeZone: empty(timeZone) ? null : timeZone
 additionalUnattendContent: empty(additionalUnattendContent) ? null : additionalUnattendContent
 winRM: !empty(winRM) ? {
diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md
index 60fe90117c..121aca230a 100644
--- a/modules/Microsoft.Compute/virtualMachines/readme.md
+++ b/modules/Microsoft.Compute/virtualMachines/readme.md
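Review bot: Both new `patchSettings` expressions degrade silently: when `provisionVMAgent` is false, or when `patchMode` carries the other OS's value (`'ImageDefault'` on Windows, `'AutomaticByOS'`/`'Manual'` on Linux), the whole object collapses to `null`, so a template that explicitly asks for `AutomaticByPlatform` can deploy a VM with no patch orchestration and no error. A caller choosing platform patching for compliance would rather the deployment fail than be weakened, so at minimum put the behaviour next to each expression, `// patchSettings is dropped entirely if the VM agent is not provisioned or patchMode is not valid for this OS`, and consider rejecting the mismatch instead of masking it. `assessmentMode` is tied to the same guard, so `patchAssessmentMode: 'AutomaticByPlatform'` with the default `patchMode` of `''` is also discarded; if the API accepts `assessmentMode` without `patchMode` (not verifiable from this diff), a separate condition for the assessment setting would avoid that. `linuxConfiguration` starts outside the hunk.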
@@ -64,7 +64,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally
 | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
 | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
 | `disablePasswordAuthentication` | bool | `False` | | Specifies whether password authentication should be disabled. |
-| `enableAutomaticUpdates` | bool | `True` | | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. |
+| `enableAutomaticUpdates` | bool | `True` | | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
 | `enableEvictionPolicy` | bool | `False` | | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. |
 | `encryptionAtHost` | bool | `True` | | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. |
@@ -86,6 +86,8 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally
 | `name` | string | `[take(toLower(uniqueString(resourceGroup().name)), 10)]` | | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. |
 | `nicdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
 | `nicDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the NIC diagnostic setting, if deployed. |
+| `patchAssessmentMode` | string | `'ImageDefault'` | `[AutomaticByPlatform, ImageDefault]` | VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours. |
+| `patchMode` | string | `''` | `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` | VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching' |
 | `pipdiagnosticLogCategoriesToEnable` | array | `[allLogs]` | `[allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. |
 | `pipdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
 | `pipDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the PIP diagnostic setting, if deployed. |
@@ -1137,6 +1139,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 diagnosticStorageAccountId: ''
 diagnosticWorkspaceId: ''
 disablePasswordAuthentication: true
+ enableAutomaticUpdates: true
 enableDefaultTelemetry: ''
 encryptionAtHost: false
 extensionAzureDiskEncryptionConfig: {
@@ -1180,6 +1183,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 lock: 'CanNotDelete'
 monitoringWorkspaceId: ''
 name: '<>cvmlincom'
+ patchMode: 'AutomaticByPlatform'
 publicKeys: [
 {
 keyData: ''
@@ -1342,6 +1346,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 "disablePasswordAuthentication": {
 "value": true
 },
+ "enableAutomaticUpdates": {
+ "value": true
+ },
 "enableDefaultTelemetry": {
 "value": ""
 },
@@ -1411,6 +1418,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 "name": {
 "value": "<>cvmlincom"
 },
+ "patchMode": {
+ "value": "AutomaticByPlatform"
+ },
 "publicKeys": {
 "value": [
 {
@@ -1826,6 +1836,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 diagnosticLogsRetentionInDays: 7
 diagnosticStorageAccountId: ''
 diagnosticWorkspaceId: ''
+ enableAutomaticUpdates: true
 enableDefaultTelemetry: ''
 encryptionAtHost: false
 extensionAntiMalwareConfig: {
@@ -1887,6 +1898,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 lock: 'CanNotDelete'
 monitoringWorkspaceId: ''
 name: '<>cvmwincom'
+ patchMode: 'AutomaticByPlatform'
 proximityPlacementGroupResourceId: ''
 roleAssignments: [
 {
@@ -2044,6 +2056,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 "diagnosticWorkspaceId": {
 "value": ""
 },
+ "enableAutomaticUpdates": {
+ "value": true
+ },
 "enableDefaultTelemetry": {
 "value": ""
 },
@@ -2133,6 +2148,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 "name": {
 "value": "<>cvmwincom"
 },
+ "patchMode": {
+ "value": "AutomaticByPlatform"
+ },
 "proximityPlacementGroupResourceId": {
 "value": ""
 },