Custom azure policy to enable automatic VM guest patching

Thanks for your feedback. I updated the definition to only evaluates Windows VM. However, it still produces inaccurate compliance result. Do you know what could be the problem?

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "Microsoft.Compute/imagePublisher",
          "equals": "MicrosoftWindowsServer"
        },
        {
          "field": "Microsoft.Compute/imageOffer",
          "equals": "WindowsServer"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines",
        "existenceCondition": {
          "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode",
          "equals": "AutomaticByPlatform"
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "resources": [
                {
                  "type": "Microsoft.Compute/virtualMachines",
                  "apiVersion": "2019-03-01",
                  "name": "[field('name')]",
                  "location": "[field('location')]",
                  "properties": {
                    "osProfile": {
                      "windowsConfiguration": {
                        "patchSettings": {
                          "provisionVMAgent": true,
                          "enableAutomaticUpdates": true,
                          "patchMode": "AutomaticByPlatform"
                        }
                      }
                    }
                  }
                }
              ]
            },
            "parameters": {
              "vmName": {
                "value": "[field('name')]"
              },
              "location": {
                "value": "[field('location')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {}
}

Did you figure this out? I have exactly the same problem. Everything validates to compliant....

Maybe add the below in front of the existence condition

"evaluationDelay": "AfterProvisioningSuccess",

The "enableAutomaticUpdates": true only works for the datacenter images. Not for all windows images. Furthmore ditch the anyoff in the existence condition and leave only the one you need for the windows os. Got it working from my side.

Unfortunately, even after adding the evaluationdelay, I still face the same issue. My VM uses datacenter image and configured to manual updates but it marked as compliant.

It worked last week once and now with the same all is constantly compliant again.

Something seems inconsistent here.

I have added patchmode to the if part of the policy rule to check if the field actually gets evaluated and it does:

value of existencecondition parameter here is:

'Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode'

                    {
                        "field": "[parameters('existenceCondition')]",
                        "notequals": "AutomaticByPlatform"
                    },

But having this field ion the existencecondition always evaluates to true.

                    "type": "Microsoft.Compute/virtualMachines",
                    "existenceCondition": {
                        "field": "[parameters('existenceCondition')]",
                        "equals": "AutomaticByPlatform"
                },

I see no good reason why the same in the existencecondition doesn't work. The images used are part of the rule logic as well.