37 changes: 37 additions & 0 deletions TSG/Update/AZLUpate2601.md
@@ -0,0 +1,37 @@
Azure Local Update Failed when updating from earlier preview versions (Local Identity Deployment, or ADLess Deployment) to 2601 with Error: "Access is denied"

Copilot AI Mar 9, 2026

The file is named AZLUpate2601.md — "Upate" is a typo for "Update". Other TSGs in this directory use a descriptive hyphenated naming convention (e.g., Update-fails-with-ARB-offline.md, Resumed-update-fails-immediately.md). Per the project guidelines, most new MD files should follow <Type>-<Topic>-<Specifics>.md. Consider renaming to something like Update-2601-Access-Denied-LocalIdentity.md.

Copilot AI Mar 9, 2026

The TSG/Update/README.md table of contents has not been updated to include a link to this new TSG. Per the project guidelines, "The table of contents in the component's README.md files should be updated when adding new content." Please add an entry such as * [Azure Local Update to 2601 fails with "Access is denied" for Local Identity Deployments](./AZLUpate2601.md) to TSG/Update/README.md.

Copilot generated this review using guidance from repository custom instructions.

#Symptoms
Comment on lines +1 to +3

Copilot AI Mar 9, 2026

The markdown headings on lines 3, 14, and 17 are missing a space after the # symbol. Standard markdown requires a space (e.g., # Symptoms instead of #Symptoms). Without the space, many markdown renderers will not interpret these as headings. Also, the title on line 1 should be formatted as a markdown heading with # prefix, consistent with all other TSGs in this directory (see, e.g., TSG/Update/ECEAgent-Slowness-During-Update.md line 1, TSG/Update/CauPostVersionCheck-2510-23H2.md line 1, TSG/Update/Resumed-update-fails-immediately.md line 1).

Copilot generated this review using guidance from repository custom instructions.
An Update action plan fails with an AgentLifecycleManager error message "Access is denied" during update action plan.
```
Connecting to remote server v-Host1 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
at New-AgentUpdateTriggerOnNode, C:\NugetStore\Microsoft.AzureStack.Infrastructure.Orchestration.AgentLifecycleManagerRole.1.25.0.2114\content\Powershell\Roles\AgentLifecycleManager\AgentLifecycleManagerUtils.psm1: line 345
at Update, C:\NugetStore\Microsoft.AzureStack.Infrastructure.Orchestration.AgentLifecycleManagerRole.1.25.0.2114\content\Powershell\Classes\AgentLifecycleManager\AgentLifecycleManager.psm1: line 505
at UpdateRuntimeAgents, C:\NugetStore\Microsoft.AzureStack.Infrastructure.Orchestration.AgentLifecycleManagerRole.1.25.0.2114\content\Powershell\Classes\AgentLifecycleManager\AgentLifecycleManager.psm1: line 158
at , C:\Agents\Microsoft.AzureStack.Solution.ECEWinService.10.2510.0.1134\content\ECEWinService\InvokeInterfaceInternal.psm1: line 165
at Invoke-EceInterfaceInternal, C:\Agents\Microsoft.AzureStack.Solution.ECEWinService.10.2510.0.1134\content\ECEWinService\InvokeInterfaceInternal.psm1: line 160
at , : line 50
```
#Cause
User provided local admin credentials are removed in ECE Store to avoid the situation needing to keep stored credential in-sync, given this is a customer owned local admin account. The update process has a step still trying to access this credential from the ECE Store instead of the input parameters from the update process with local admin credentials for day-N operations.

#Mitigation
This issue is addressed in 2602, if customers can wait and update from earlier version to 2602+. This issue will be resolved.

If customer already started the update to 2601 and would like to complete the update, follow the following steps to add the local admin credential into the ECE Service Secret store after the update failed. After the credential update, the update can be resumed. This credential should be an active local user credential in "Administrators" Group for every node in the cluster.

First check where the Orchestrator Service is and move it to the node you currently login. If you are already on the same node running the service, skip this step.
```
Get-ClusterGroup -Name "Azure Stack HCI Orchestrator Service Cluster Group"
Get-ClusterGroup -Name "Azure Stack HCI Orchestrator Service Cluster Group" | Move-ClusterGroup -Name <Hostname of your current node>

Copilot AI Mar 9, 2026

The Move-ClusterGroup -Name parameter specifies the cluster group name, not the destination node. Since the cluster group is already piped in via Get-ClusterGroup, the correct parameter to specify the destination node is -Node. As seen in other TSGs (e.g., TSG/Update/Update-Hangs-after-Secret-Rotation.md line 215: Move-ClusterGroup -Name $Name -Node $targetNode), -Node is the parameter for the target node. This should be -Node <Hostname of your current node> instead of -Name <Hostname of your current node>.

Running this command as written would fail or produce unexpected behavior in a production environment.

Suggested change
Get-ClusterGroup -Name "Azure Stack HCI Orchestrator Service Cluster Group" | Move-ClusterGroup -Name <Hostname of your current node>
Get-ClusterGroup -Name "Azure Stack HCI Orchestrator Service Cluster Group" | Move-ClusterGroup -Node <Hostname of your current node>

```
Comment on lines +23 to +26

Copilot AI Mar 9, 2026

The code blocks should include a language identifier (e.g., ```powershell) for proper syntax highlighting and consistency with other TSGs in this directory (see TSG/Update/Get-SolutionUpdate-GatewayTimeout.md, TSG/Update/Update-preparation-fails-Could-not-find-part-of-the-file-path.md). The Troubleshoot-Template.md also specifies: "Any code block should be wrapped in triple backticks with language identifier." This applies to lines 5, 23, 29, and 35.

Copilot generated this review using guidance from repository custom instructions.

This is the command to update the credential and then move the cluster again to refresh the store:
```
Set-ECEServiceSecret -ContainerName DomainAdmin -Credential (get-Credential)
Get-ClusterGroup -Name "Azure Stack HCI Orchestrator Service Cluster Group" | Move-ClusterGroup
```

Once the credential update completed, the update can be resumed from Azure portal (or manually on the node with the following command).
```
Get-SolutionUpdate | where State -eq InstallationFailed | Start-SolutionUpdate
```
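
Review bot: The Mitigation step `Set-ECEServiceSecret -ContainerName DomainAdmin -Credential (get-Credential)` puts the customer-owned local admin credential back into the ECE Store, which the Cause section says was removed on purpose so that a stored copy would not have to be kept in sync, and the document never says what should happen to that secret once the update completes. Please add a closing step or statement covering whether the stored credential is to be removed or left in place after the update to 2601 succeeds, and what the operator should expect if the local admin password is changed later. Two smaller points in the same section: the second `Move-ClusterGroup` has no destination node, unlike the first, so state where the group is expected to land and why that refreshes the store; and the first Mitigation paragraph ends in a fragment ("... update from earlier version to 2602+. This issue will be resolved."), which reads better merged into one sentence.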