Hi Bryan,
Thanks for sharing the details. This is a known pain point, and the error message gives us a pretty clear starting point.
What you're seeing:
Type 'UpdateSecuredCore' of Role 'AzureStackOSConfig' raised an exception: [UpdateSecuredCore] UpdateSecuredCore failed with exception: The parameter is incorrect — Command Arguments
This failure happens during the "Update AzureStack SecuredCore per host" task, which is part of the OSConfig-based Secured-Core enforcement that runs during the 2603 solution update. The root cause is typically one of the following:
1. A conflicting security configuration source
If the SecuredCore settings on the host are also being managed by a second tool (Group Policy, MDM, Microsoft Configuration Manager, or another OSConfig scenario), OSConfig detects a parameter conflict during drift control and throws this error. Microsoft explicitly calls this out: "If you're currently configuring the same settings with two different methods, one being OSConfig, conflicts are expected... you must remove one of the sources if the parameters are different."
2. Windows Defender ASR rule blocking the update
The attack surface reduction rule "Block Process Creations originating from PSExec & WMI commands" set to Block mode can cause AzureStackOSConfig roles to fail mid-update. Microsoft has a dedicated TSG for this:
3. Secure Boot / UEFI update side-effect (specific to 2603)
2603 introduced a new Secure Boot UEFI 2023 Update that runs as part of the solution update. Failures in non-standard hardware or firmware states can surface as SecuredCore parameter errors. Microsoft's TSG for this:
Suggested steps to try:
- Check for conflicting policy sources
On each affected host, run:
Get-OSConfigDesiredConfiguration -Scenario SecuredCore
Look for any settings that show a conflict between the desired and current state. If you have GPO or MDM policies touching the same settings, temporarily disable them and re-run.
- Check for the Defender ASR rule
On the affected host, open Event Viewer and look for Microsoft-Windows-Windows Defender event ID 1121 with rule ID D1E49AAC-8F56-4280-B9BA-993A6D77406C. If found, set the rule to Audit mode:
Set-OSConfigDesiredConfiguration -Scenario Defender/Antivirus -Setting ASRBlockProcessCreationFromPSExecAndWMICommands -Value "2"
- Check the OSConfig logs for the specific parameter
On each node, navigate to:
D:\CloudContent\MASLogs\ASSecurityOSConfigLogs\ (or C:\CloudContent... depending on your environment)
Open the latest ASOSConfig_SetASOSConfigDocInternal_*.log to see exactly which parameter is being rejected.
- Resume the update via PowerShell
Once you've addressed the root cause, connect to the cluster and resume:
Start-SolutionUpdate -Id <update-id>
Full guidance: https://learn.microsoft.com/en-us/azure/azure-local/update/update-troubleshooting-23h2
- If the issue doesn't match any of the above
Microsoft's own note on the Secure Boot TSG applies here too: "We have seen non-successful cases that do not belong to the known cases mentioned above. Microsoft is actively monitoring... If your case does not match, please contact Microsoft Support."
Useful references:
• Azure Local 2603 Known Issues: https://learn.microsoft.com/en-us/azure/azure-local/known-issues?view=azloc-2603
• Troubleshoot Solution Updates (23H2): https://learn.microsoft.com/en-us/azure/azure-local/update/update-troubleshooting-23h2?view=azloc-2603
• OSConfig Security Baselines: https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-how-to-configure-security-baselines?tabs=online%2Cconfigure
• Azure Local Supportability GitHub (all TSGs): https://github.com/Azure/AzureLocal-Supportability
Thanks,
Manish.
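The host-side checks from the answer above (ASR rule mode, event ID 1121 for that rule, and the newest OSConfig log), collected into one read-only PowerShell function. This is an added example, not part of the original answer and not Microsoft's tooling; the function name, its parameters, the 7-day lookback and the log search terms are assumptions, and the Defender log is assumed to be the standard operational channel.

```powershell
# Added example: read-only triage for the checks described in the answer above.
# Function and parameter names are hypothetical; nothing here changes configuration.
function Get-SecuredCoreUpdateTriage {
    param(
        # Log folder as given in the answer; pass your own path if the logs are on another drive.
        [string]$LogRoot = 'D:\CloudContent\MASLogs\ASSecurityOSConfigLogs',
        # ASR rule "Block Process Creations originating from PSExec & WMI commands"
        [string]$AsrRuleId = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C',
        [int]$LookbackDays = 7   # assumption: how far back to search the event log
    )

    # 1. Configured mode of the ASR rule (0 = disabled, 1 = block, 2 = audit, 6 = warn).
    $mp = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    $asrAction = $null   # stays $null when the rule is not configured on this host
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrRuleId) { $asrAction = $actions[$i] }
    }

    # 2. Block events (ID 1121) that name this rule in the Defender operational log.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    $blocks = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ToXml() -match [regex]::Escape($AsrRuleId) })

    # 3. Newest OSConfig log and the lines that mention the error or an exception.
    $log = Get-ChildItem -Path $LogRoot -Filter 'ASOSConfig_SetASOSConfigDocInternal_*.log' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $hits = @()
    if ($log) {
        # Search terms are an assumption; widen them after reading the log by hand.
        $hits = @(Select-String -Path $log.FullName -Pattern 'parameter is incorrect', 'exception' |
            Select-Object -First 20 | ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line.Trim() })
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        AsrRuleAction  = $asrAction
        AsrBlockEvents = $blocks.Count
        LastBlockTime  = ($blocks | Select-Object -First 1).TimeCreated
        OSConfigLog    = $log.FullName
        LogErrorLines  = $hits
    }
}

Get-SecuredCoreUpdateTriage | Format-List
```

Run it in an elevated session on each affected node; an `AsrRuleAction` of 1 together with a non-zero `AsrBlockEvents` points at the ASR cause, while `LogErrorLines` shows where in the OSConfig log to start reading.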