Merge pull request #231002 from SnehaSudhirG/16Mar-UMC-WhatsNew

Updated What'sNew on new Pre-req and the recommendation info

Author: Court72

articles/update-center/manage-multiple-machines.md

@@ -2,7 +2,7 @@
 title: Manage multiple machines in update management center (preview)
 description: The article details how to use Update management center (preview) in Azure to manage multiple supported machines and view their compliance state in the Azure portal.
 ms.service: update-management-center
-ms.date: 04/11/2023
+ms.date: 04/26/2023
 ms.topic: conceptual
 author: SnehaSudhirG
 ms.author: sudhirsneha
@@ -12,6 +12,10 @@ ms.author: sudhirsneha
 
 **Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.
 
+> [!IMPORTANT]
+> - For a seamless scheduled patching experience, we recommend that for all Azure VMs, you update the patch mode to *Azure orchestrated with user managed schedules (preview)* before **May 19, 2023**. If you fail to update the patch mode before **May 19, 2023**, you can experience a disruption in business continuity because the schedules will fail to patch the VMs.[Learn more](prerequsite-for-schedule-patching.md).
+> - To update the patch mode, go to **Update management center (Preview)** home page > **Update Settings**. In **Change update settings**, add the machines and under **Patch orchestration**, select *Azure-orchestrated-safe deployment*.
+
 This article describes the various features that update management center (Preview) offers to manage the system updates on your machines. Using the update management center (preview), you can:
 
 - Quickly assess the status of available operating system updates.
@@ -46,7 +50,7 @@ Instead of performing these actions from a selected Azure VM or Arc-enabled serv
       - **Reboot Required**—pending a reboot for the updates to take effect.
       - **No updates data**—no assessment data is available for these machines. 
 
-      There following could be the reasons for no assessment data:
+      The following could be the reasons for no assessment data:
       - No assessment has been done over the last seven days
       - The machine has an unsupported OS
       - The machine is in an unsupported region and you can't perform an assessment.
@@ -174,4 +178,4 @@ When the Resource Graph Explorer opens, it is automatically populated with the s
 ## Next steps
 
 * To set up and manage recurring deployment schedules, see [Schedule recurring updates](scheduled-patching.md)
-* To view update assessment and deployment logs generated by update management center (preview), see [query logs](query-logs.md).
+* To view update assessment and deployment logs generated by update management center (preview), see [query logs](query-logs.md).

articles/update-center/prerequsite-for-schedule-patching.md

@@ -0,0 +1,264 @@
+---
+title: Configure schedule patching on Azure VMs to ensure business continuity in update management center (preview).
+description: The article describes the new prerequisites to configure scheduled patching to ensure business continuity in Update management center (preview).
+ms.service: update-management-center
+ms.date: 04/26/2023
+ms.topic: conceptual
+author: snehasudhirG
+ms.author: sudhirsneha
+---
+
+# Configure schedule patching on Azure VMs to ensure business continuity
+
+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: Azure VMs.
+
+This article is an overview on how to configure Schedule patching and Automatic guest VM patching on Azure VMs using the new prerequisite to ensure business continuity. The steps to configure both the patching options on Arc VMs remain the same.
+
+Currently, you can enable [Automatic guest VM patching](../virtual-machines/automatic-vm-guest-patching.md) (Autopatch) by setting the patch mode to **Azure-orchestrated**/**AutomaticByPlatform** on Azure portal/REST API respectively, where patches are automatically applied during off-peak hours.
+
+For customizing control over your patch installation, you can use [schedule patching](updates-maintenance-schedules.md#scheduled-patching) to define your maintenance window. You can [enable schedule patching](scheduled-patching.md#schedule-recurring-updates-on-single-vm) by setting the patch mode to **Azure orchestrated**/**AutomaticByPlatform** and attaching a schedule to the Azure VM. So, the VM properties couldn't be differentiated between **schedule patching** or **Automatic guest VM patching** as both had the patch mode set to *Azure-Orchestrated*. 
+
+Additionally, in some instances, when you remove the schedule from a VM, there is a possibility that the VM may be auto patched and rebooted. To overcome the limitations, we have introduced a new prerequisite - **ByPassPlatformSafetyChecksOnUserSchedule**, which can now be set to *true* to identify a VM using schedule patching. It means that VMs with this property set to *true* will no longer be auto patched when the VMs don't have an associated maintenance configuration.
+
+> [!IMPORTANT]
+> For a continued scheduled patching experience, you must ensure that the new VM property, *BypassPlatformSafetyChecksOnUserSchedule*, is enabled on all your Azure VMs (existing or new) that have schedules attached to them **before May 19, 2023**. This setting will ensure machines are patched using your configured schedules and not autopatched. Failing to enable the pre-requisite will give an error that the prerequisites aren't met.
+
+## Find VMs with associated schedules
+
+To identify the list of VMs with the associated schedules for which you have to enable new VM property, follow these steps:
+
+1. Go to **Update management center (Preview)** home page and select **Machines** tab.
+1. In **Patch orchestration** filter, select **Azure-orchestrated safe deployment**.
+1. Use the **Select all** option to select the machines and then select **Export to CSV**.
+1. Open the CSV file and in the column **Associated schedules**,  select the rows that have an entry. 
+   
+    In the corresponding **Name** column, you can view the list the VMs to which you would need to enable the **ByPassPlatformSafetyChecksOnUserSchedule** flag.
+
+
+## Enable schedule patching on Azure VMs
+
+# [Azure portal](#tab/new-prereq-portal)
+
+**Prerequisite**
+
+Patch orchestration = Customer managed schedules.
+
+Select the patch orchestration option as **Customer managed schedules**.
+The new patch orchestration option enables the following VM properties on your behalf after receiving your consent:
+
+  - Patch mode = Azure-orchestrated
+  - BypassPlatformSafetyChecksOnUserSchedule = TRUE
+
+**Enable for new VMs**
+
+You can select the patch orchestration option for new VMs that would be associated with the schedules:
+
+To update the patch mode, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com)
+1. Go to **Virtual machine**, and select **+Create** to open *Create a virtual machine* page.
+1. In **Basics** tab, complete all the mandatory fields.
+1. In **Management** tab, under **Guest OS updates**, for **Patch orchestration options**, select *Azure-orchestrated*.
+1. After you complete the entries in **Monitoring**, **Advanced** and **Tags** tabs.
+1. Select **Review + Create** and select **Create** to create a new VM with the appropriate patch orchestration option.
+
+To schedule patch the newly created VMs, follow the procedure from step 2 in **Enable for existing VMs**.
+
+
+**Enable for existing VMs**
+
+You can update the patch orchestration option for existing VMs that either already have schedules associated or are to be newly associated with a schedule:  
+
+> [!NOTE]
+> If the **Patch orchestration** is set as *Azure-orchestrated or Azure-orchestrated safe deployment (AutomaticByPlatform)*, the **BypassPlatformSafetyChecksOnUserSchedule** is set to *False* and there is no schedule associated, the VM(s) will be autopatched.
+
+To update the patch mode, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com)
+1. Go to **Update management center (Preview)**, select **Update Settings**.    
+1. In **Change update settings**, select **+Add machine**.
+1. In **Select resources**, select your VMs and then select **Add**.
+1. In **Change update settings**, under **Patch orchestration**, select *Customer managed schedules* and then select **Save**.
+
+Attach a schedule after you complete the above steps.
+
+To check if the **BypassPlatformSafetyChecksOnUserSchedule** is enabled, go to **Virtual machine** home page > **Overview** tab > **JSON View**.
+
+# [REST API](#tab/new-prereq-rest-api)
+
+**Prerequisite**
+
+- Patch mode = AutomaticByPlatform
+- BypassPlatformSafetyChecksOnUserSchedule = TRUE 
+
+**Enable on Windows VMs**
+
+```
+PUT on `/subscriptions/subscription_id/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVirtualMachine?api-version=2023-03-01` 
+```
+
+```json
+{ 
+  "location":"<location>", 
+  "properties": { 
+    "osProfile": { 
+      "windowsConfiguration": { 
+        "provisionVMAgent": true, 
+        "enableAutomaticUpdates": true, 
+        "patchSettings": { 
+        "patchMode": "AutomaticByPlatform", 
+  "automaticByPlatformSettings":{ 
+"bypassPlatformSafetyChecksOnUserSchedule":true 
+  } 
+        } 
+      } 
+    } 
+  } 
+} 
+
+```
+**Enable on Linux VMs**
+
+```
+PUT on `/subscriptions/subscription_id/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVirtualMachine?api-version=2023-03-01` 
+```
+
+```json
+{ 
+
+  "location":"<location>", 
+  "properties": { 
+    "osProfile": { 
+      " linuxConfiguration": { 
+        "provisionVMAgent": true, 
+        "enableAutomaticUpdates": true, 
+        "patchSettings": { 
+          "patchMode": "AutomaticByPlatform", 
+  "automaticByPlatformSettings":{ 
+"bypassPlatformSafetyChecksOnUserSchedule":true 
+  } 
+        } 
+      } 
+    } 
+  } 
+} 
+```
+---
+
+> [!NOTE]
+> Currently, you can only enable the new prerequisite for schedule patching via Azure portal and REST API. It cannot be enabled via Azure CLI and PowerShell.
+
+
+## Enable automatic guest VM patching on Azure VMs
+
+To enable automatic guest VM patching on your Azure VMs now, follow these steps:
+
+# [Azure portal](#tab/auto-portal)
+
+**Prerequisite**
+
+Patch mode = Azure-orchestrated
+
+**Enable for new VMs**
+
+You can select the patch orchestration option for new VMs that would be associated with the schedules:
+
+To update the patch mode, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com)
+1. Go to **Virtual machine**, and select **+Create** to open *Create a virtual machine* page.
+1. In **Basics** tab, complete all the mandatory fields.
+1. In **Management** tab, under **Guest OS updates**, for **Patch orchestration options**, select *Azure-orchestrated*.
+1. After you complete the entries in **Monitoring**, **Advanced** and **Tags** tabs.
+1. Select **Review + Create** and select **Create** to create a new VM with the appropriate patch orchestration option.
+
+
+**Enable for existing VMs**
+
+To update the patch mode, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com)
+1. Go to **Update management center (Preview)**, select **Update Settings**. 
+1. In **Change update settings**, select **+Add machine**.
+1. In **Select resources**, select your VMs and then select **Add**.
+1. In **Change update settings**, under **Patch orchestration**, select *Azure-orchestrated-safe deployment* and then select **Save**.
+
+
+# [REST API](#tab/auto-rest-api)
+
+**Prerequisites**
+
+- Patch mode = AutomaticByPlatform
+- BypassPlatformSafetyChecksOnUserSchedule = FALSE
+
+**Enable on Windows VMs**
+
+```
+PUT on `/subscriptions/subscription_id/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVirtualMachine?api-version=2023-03-01` 
+```
+
+```json
+{ 
+
+  "location":"<location>", 
+  "properties": { 
+    "osProfile": { 
+      "windowsConfiguration": { 
+        "provisionVMAgent": true, 
+        "enableAutomaticUpdates": true, 
+        "patchSettings": { 
+          "patchMode": "AutomaticByPlatform", 
+  "automaticByPlatformSettings":{ 
+"bypassPlatformSafetyChecksOnUserSchedule":false 
+  } 
+        } 
+      } 
+    } 
+  } 
+} 
+```
+
+**Enable on Linux VMs**
+
+```
+PUT on `/subscriptions/subscription_id/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVirtualMachine?api-version=2023-03-01` 
+```
+
+```json
+{ 
+  "location":"<location>", 
+  "properties": { 
+    "osProfile": { 
+      " linuxConfiguration": { 
+        "provisionVMAgent": true, 
+        "enableAutomaticUpdates": true, 
+        "patchSettings": { 
+          "patchMode": "AutomaticByPlatform", 
+  "automaticByPlatformSettings":{ 
+"bypassPlatformSafetyChecksOnUserSchedule":false 
+  } 
+        } 
+      } 
+    } 
+  } 
+} 
+```
+---
+
+
+## User scenarios
+
+**Scenarios** | **Azure-orchestrated** | **BypassPlatformSafetyChecksOnUserSchedule** | **Schedule Associated** |**Expected behavior in Azure** |
+--- | --- | --- | --- | ---|
+Scenario 1 | Yes | True | Yes | The schedule patch runs as defined by user. |
+Scenario 2 | Yes | True | No | Neither autopatch nor the schedule patch will run.|
+Scenario 3 | Yes | False | Yes | Neither autopatch nor schedule patch will run. You'll get an error that the prerequisites for schedule patch aren't met.| 
+Scenario 4 | Yes |  False | No   | The VM is autopatched.|
+Scenario 5 | No | True | Yes | Neither autopatch nor schedule patch will run. You'll get an error that the prerequisites for schedule patch aren't met. |
+Scenario 6 | No | True | No | Neither the autopatch nor the schedule patch will run.|
+Scenario 7 | No | False | Yes | Neither autopatch nor schedule patch will run. You'll get an error that the prerequisites for schedule patch aren't met.| 
+Scenario 8 | No | False | No | Neither the autopatch nor the schedule patch will run.|
+
+## Next steps
+
+* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) update management center (preview).

articles/update-center/scheduled-patching.md

@@ -2,7 +2,7 @@
 title: Scheduling recurring updates in Update management center (preview)
 description: The article details how to use update management center (preview) in Azure to set update schedules that install recurring updates on your machines.
 ms.service: update-management-center
-ms.date: 04/11/2023
+ms.date: 04/26/2023
 ms.topic: conceptual
 author: SnehaSudhirG
 ms.author: sudhirsneha
@@ -12,6 +12,10 @@ ms.author: sudhirsneha
 
 **Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.
 
+> [!IMPORTANT]
+> - For a seamless scheduled patching experience, we recommend that for all Azure VMs, you update the patch mode to *Azure orchestrated with user managed schedules (preview)* before **May 19, 2023**. If you fail to update the patch mode before **May 19, 2023**, you can experience a disruption in business continuity because the schedules will fail to patch the VMs.[Learn more](prerequsite-for-schedule-patching.md).
+> - To update the patch mode, go to **Update management center (Preview)** home page > **Update Settings**. In **Change update settings**, add the machines and under **Patch orchestration**, select *Azure-orchestrated-safe deployment*.
+
 You can use update management center (preview) in Azure to create and save recurring deployment schedules. You can create a schedule on a daily, weekly or hourly cadence, specify the machines that must be updated as part of the schedule, and the updates to be installed. This schedule will then automatically install the updates as per the created schedule for single VM and at scale.
 
 Update management center (preview) uses maintenance control schedule instead of creating its own schedules. Maintenance control enables customers to manage platform updates. For more information, see [Maintenance control documentation](/azure/virtual-machines/maintenance-control).
@@ -22,7 +26,7 @@ Update management center (preview) uses maintenance control schedule instead of
 1. Patch orchestration of the Azure machines should be set to **Azure Orchestrated (Automatic By Platform)**. For Azure Arc-enabled machines, it isn't a requirement.
 
 	> [!Note]
-	> If you set the patch orchestration mode to Azure orchestrated (Automatic By Platform) but don't attach a maintenance configuration to an Azure machine, it is treated as [Automatic Guest patching](../virtual-machines/automatic-vm-guest-patching.md) enabled machine and Azure platform will automatically install updates as per its own schedule.
+	> If you set the patch orchestration mode to Azure orchestrated (AutomaticByPlatform) but don't attach a maintenance configuration to an Azure machine, it is treated as [Automatic Guest patching](../virtual-machines/automatic-vm-guest-patching.md) enabled machine and Azure platform will automatically install updates as per its own schedule.
 
 
 ## Schedule recurring updates on single VM

articles/update-center/toc.yml

@@ -16,6 +16,8 @@
   items:
   - name: Update and maintenance options
     href: updates-maintenance-schedules.md
+  - name: Schedule patching configuration on Azure VMs for business continuity
+    href: prerequsite-for-schedule-patching.md
   - name: Assessment options
     href: assessment-options.md
   - name: Query resources with Azure Resource Graph

articles/update-center/updates-maintenance-schedules.md

@@ -2,7 +2,7 @@
 title: Updates and maintenance in update management center (preview).
 description: The article describes the updates and maintenance options available in Update management center (preview).
 ms.service: update-management-center
-ms.date: 04/21/2022
+ms.date: 04/26/2023
 ms.topic: conceptual
 author: snehasudhirG
 ms.author: sudhirsneha
@@ -12,6 +12,11 @@ ms.author: sudhirsneha
 
 **Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.
 
+> [!IMPORTANT]
+> - For a seamless scheduled patching experience, we recommend that for all Azure VMs, you update the patch mode to *Azure orchestrated with user managed schedules (preview)* before **May 19, 2023**. If you fail to update the patch mode before **May 19, 2023**, you can experience a disruption in business continuity because the schedules will fail to patch the VMs.[Learn more](prerequsite-for-schedule-patching.md).
+> - To update the patch mode, go to **Update management center (Preview)** home page > **Update Settings**. In **Change update settings**, add the machines and under **Patch orchestration**, select *Azure-orchestrated-safe deployment*.
+
+
 This article provides an overview of the various update and maintenance options available by update management center (preview). 
 
 Update management center (preview) provides you the flexibility to take an immediate action or schedule an update within a defined maintenance window. It also supports new patching methods such as [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md), [Hotpatching](../automanage/automanage-hotpatch.md?context=%2fazure%2fvirtual-machines%2fcontext%2fcontext) and so on.

articles/update-center/whats-new.md

@@ -12,6 +12,16 @@ ms.date: 03/03/2023
 
 [Update management center (preview)](overview.md) helps you manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on the other cloud platforms from a single dashboard. This article summarizes new releases and features in Update management center (Preview).
 
+## April 2023
+
+### New prerequisite for scheduled patching
+
+A new patch mode - **Azure orchestrated with user managed schedules (Preview)** is introduced as a prerequisite to enable scheduled patching on Azure VMs. The new patch enables the *Azure-orchestrated using Automatic guest patching* and *BypassPlatformSafteyChecksOnUserSchedule* VM properties on your behalf after receiving the consent. [Learn more](prerequsite-for-schedule-patching.md).
+
+> [!IMPORTANT]
+> For a seamless scheduled patching experience, we recommend that for all Azure VMs, you update the patch mode to *Azure orchestrated with user managed schedules (preview)* before **May 19, 2023**. If you fail to update the patch mode before **May 19, 2023**, you can experience a disruption in business continuity because the schedules will fail to patch the VMs.
+
+
 ## November 2022
 
 ### New region support