From 86918fe98d80d37b67f5637657747cc9ee783e1e Mon Sep 17 00:00:00 2001 From: Andy Kwong Date: Tue, 24 Feb 2026 13:25:30 -0800 Subject: [PATCH 1/2] add TSG for Azure Local 2601 --- TSG/Update/AZLUpate2601.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 TSG/Update/AZLUpate2601.md diff --git a/TSG/Update/AZLUpate2601.md b/TSG/Update/AZLUpate2601.md new file mode 100644 index 0000000..5b5759f --- /dev/null +++ b/TSG/Update/AZLUpate2601.md @@ -0,0 +1,37 @@ +Azure Local Update Failed when updating from earlier preview versions (Local Identity Deployment, or ADLess Deployment) to 2601 with Error: "Access is denied" + +#Symptoms +An Update action plan fails with an AgentLifecycleManager error message "Access is denied" during update action plan. +``` +Connecting to remote server v-Host1 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. +at New-AgentUpdateTriggerOnNode, C:\NugetStore\Microsoft.AzureStack.Infrastructure.Orchestration.AgentLifecycleManagerRole.1.25.0.2114\content\Powershell\Roles\AgentLifecycleManager\AgentLifecycleManagerUtils.psm1: line 345 +at Update, C:\NugetStore\Microsoft.AzureStack.Infrastructure.Orchestration.AgentLifecycleManagerRole.1.25.0.2114\content\Powershell\Classes\AgentLifecycleManager\AgentLifecycleManager.psm1: line 505 +at UpdateRuntimeAgents, C:\NugetStore\Microsoft.AzureStack.Infrastructure.Orchestration.AgentLifecycleManagerRole.1.25.0.2114\content\Powershell\Classes\AgentLifecycleManager\AgentLifecycleManager.psm1: line 158 +at , C:\Agents\Microsoft.AzureStack.Solution.ECEWinService.10.2510.0.1134\content\ECEWinService\InvokeInterfaceInternal.psm1: line 165 +at Invoke-EceInterfaceInternal, C:\Agents\Microsoft.AzureStack.Solution.ECEWinService.10.2510.0.1134\content\ECEWinService\InvokeInterfaceInternal.psm1: line 160 +at , : line 50 +``` +#Cause +User provided local admin credentials are removed in ECE Store to avoid the situation needing to keep stored credential in-sync, given this is a customer owned local admin account. The update process has a step still trying to access this credential from the ECE Store instead of the input parameters from the update process with local admin credentials for day-N operations. + +#Mitigation +This issue is addressed in 2602, if customers can wait and update from earlier version to 2602+. This issue will be resolved. + +If customer already started the update to 2601 and would like to complete the update, follow the following steps to add the local admin credential into the ECE Service Secret store after the update failed. After the credential update, the update can be resumed. This credential should be an active local user credential in "Administrators" Group for every node in the cluster. + +First check where the Orchestrator Service is and move it to the node you currently login. If you are already on the same node running the service, skip this step. +``` +Get-ClusterGroup -Name "Azure Stack HCI Orchestrator Service Cluster Group" +Get-ClusterGroup -Name "Azure Stack HCI Orchestrator Service Cluster Group" | Move-ClusterGroup -Name +``` + +This is the command to update the credential and then move the cluster again to refresh the store: +``` +Set-ECEServiceSecret -ContainerName DomainAdmin -Credential (get-Credential) +Get-ClusterGroup -Name "Azure Stack HCI Orchestrator Service Cluster Group" | Move-ClusterGroup +``` + +Once the credential update completed, the update can be resumed from Azure portal (or manually on the node with the following command). +``` +Get-SolutionUpdate | where State -eq InstallationFailed | Start-SolutionUpdate +``` From 755db1c1b2d29a369e858f0539096e8818d39420 Mon Sep 17 00:00:00 2001 From: Andy Kwong Date: Wed, 25 Mar 2026 11:55:12 -0700 Subject: [PATCH 2/2] Update from PR feedback --- .../{AZLUpate2601.md => AZLUpdate2601.md} | 28 +++++++++++-------- TSG/Update/README.md | 3 +- 2 files changed, 19 insertions(+), 12 deletions(-) rename TSG/Update/{AZLUpate2601.md => AZLUpdate2601.md} (76%) diff --git a/TSG/Update/AZLUpate2601.md b/TSG/Update/AZLUpdate2601.md similarity index 76% rename from TSG/Update/AZLUpate2601.md rename to TSG/Update/AZLUpdate2601.md index 5b5759f..495afd2 100644 --- a/TSG/Update/AZLUpate2601.md +++ b/TSG/Update/AZLUpdate2601.md @@ -1,8 +1,8 @@ Azure Local Update Failed when updating from earlier preview versions (Local Identity Deployment, or ADLess Deployment) to 2601 with Error: "Access is denied" -#Symptoms +# Symptoms An Update action plan fails with an AgentLifecycleManager error message "Access is denied" during update action plan. -``` +```text Connecting to remote server v-Host1 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. at New-AgentUpdateTriggerOnNode, C:\NugetStore\Microsoft.AzureStack.Infrastructure.Orchestration.AgentLifecycleManagerRole.1.25.0.2114\content\Powershell\Roles\AgentLifecycleManager\AgentLifecycleManagerUtils.psm1: line 345 at Update, C:\NugetStore\Microsoft.AzureStack.Infrastructure.Orchestration.AgentLifecycleManagerRole.1.25.0.2114\content\Powershell\Classes\AgentLifecycleManager\AgentLifecycleManager.psm1: line 505 @@ -11,27 +11,33 @@ at , C:\Agents\Microsoft.AzureStack.Solution.ECEWinService.10.2510.0.1134\conte at Invoke-EceInterfaceInternal, C:\Agents\Microsoft.AzureStack.Solution.ECEWinService.10.2510.0.1134\content\ECEWinService\InvokeInterfaceInternal.psm1: line 160 at , : line 50 ``` -#Cause +# Cause User provided local admin credentials are removed in ECE Store to avoid the situation needing to keep stored credential in-sync, given this is a customer owned local admin account. The update process has a step still trying to access this credential from the ECE Store instead of the input parameters from the update process with local admin credentials for day-N operations. -#Mitigation +# Mitigation This issue is addressed in 2602, if customers can wait and update from earlier version to 2602+. This issue will be resolved. If customer already started the update to 2601 and would like to complete the update, follow the following steps to add the local admin credential into the ECE Service Secret store after the update failed. After the credential update, the update can be resumed. This credential should be an active local user credential in "Administrators" Group for every node in the cluster. -First check where the Orchestrator Service is and move it to the node you currently login. If you are already on the same node running the service, skip this step. -``` +Prerequisite: First check where the Orchestrator Service is and move it to the node you currently login. If you are already on the same node running the service, skip this step. +```powershell +# Check if Orchestrator Group Exists and what node it is running at Get-ClusterGroup -Name "Azure Stack HCI Orchestrator Service Cluster Group" -Get-ClusterGroup -Name "Azure Stack HCI Orchestrator Service Cluster Group" | Move-ClusterGroup -Name -``` -This is the command to update the credential and then move the cluster again to refresh the store: +# Check where you are running +Hostname + +# Move the cluster group to +Move-ClusterGroup -Name "Azure Stack HCI Orchestrator Service Cluster Group" -Name (Hostname) ``` + +Update Credential: This is the command to update the credential and then move the cluster to refresh the credential from store: +```powershell Set-ECEServiceSecret -ContainerName DomainAdmin -Credential (get-Credential) Get-ClusterGroup -Name "Azure Stack HCI Orchestrator Service Cluster Group" | Move-ClusterGroup ``` -Once the credential update completed, the update can be resumed from Azure portal (or manually on the node with the following command). -``` +Resume Solution Update: Once the credential update completed, the update can be resumed from Azure portal (or manually on the node with the following command). +```powershell Get-SolutionUpdate | where State -eq InstallationFailed | Start-SolutionUpdate ``` diff --git a/TSG/Update/README.md b/TSG/Update/README.md index 406d90f..a05d567 100644 --- a/TSG/Update/README.md +++ b/TSG/Update/README.md @@ -30,4 +30,5 @@ * [Troubleshooting MSI Does Not Have Access to Subscription](../EnvironmentValidator/Troubleshooting-MSI-Does-Not-Have-Access-To-Subscription.md) * [2510 Update fails at CauPostVersionCheck](./CauPostVersionCheck-2510-23H2.md) * [Update preparation fails with 'Could not find part of the path' after 24H2 upgrade](./Update-preparation-fails-Could-not-find-part-of-the-file-path.md) -* [2509 | Update Service terminated repeatedly by ALM due to high memory usage](./Update-Service-terminated-repeatedly-by-ALM.md) \ No newline at end of file +* [2509 | Update Service terminated repeatedly by ALM due to high memory usage](./Update-Service-terminated-repeatedly-by-ALM.md) +* [2601 | Solution Update failed with error message "Access is denied" ] (./AZLUpdate2601.md) \ No newline at end of file