From f48851598d5f59163a488fe85eff261705159534 Mon Sep 17 00:00:00 2001
From: Fernando Antivero
Date: Wed, 13 May 2026 13:31:00 -0300
Subject: [PATCH] update VM SKU and OS to modern Gen2 configuration
- Replace Standard_A4_v2 (Gen1-only) with Standard_D2s_v3 (Gen2-capable)
- VMSS (web tier): 2025-datacenter-core-smalldisk-g2 (Server Core for IIS)
- Mock on-prem VM: 2025-datacenter-smalldisk-g2 (full desktop for Bastion RDP)
- Smaller disk, faster boot, reduced attack surface on web tier
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../nestedtemplates/azure-network-azuredeploy.bicep | 4 ++--
 .../nestedtemplates/azure-network-azuredeploy.json | 4 ++--
 .../nestedtemplates/mock-onprem-azuredeploy.bicep | 9 ++-------
 .../nestedtemplates/mock-onprem-azuredeploy.json | 4 ++--
 4 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
index 78f68601..2fc0efe9 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
@@ -5,7 +5,7 @@ param adminPassword string
 @description('The count of Windows virtual machines to create.')
 param webServerInstanceCount int = 2
-param vmSize string = 'Standard_A4_v2'
+param vmSize string = 'Standard_D2s_v3'
 param configureSitetosite bool = true
 param hubNetwork object = {
 name: 'vnet-hub'
@@ -55,7 +55,7 @@ param location string = resourceGroup().location
 var logAnalyticsWorkspaceName = 'la-${uniqueString(subscription().subscriptionId, resourceGroup().id)}'
 var vmssName = 'vmss-web-server'
-var windowsOSVersion = '2016-Datacenter'
+var windowsOSVersion = '2025-datacenter-core-smalldisk-g2'
 resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2025-02-01' = {
 name: logAnalyticsWorkspaceName
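Review bot: `vmSize` in azure-network-azuredeploy.bicep is still an undocumented free-form string, while this patch makes the image a Gen2-only SKU (`-g2`), so a caller who overrides the size with a Gen1-only value such as the old `Standard_A4_v2` should expect the deployment to fail. Document the constraint on the parameter, for example `@description('VM size for the web tier; must support Generation 2 images.')`. The same applies to `vmSize` in the first hunk of mock-onprem-azuredeploy.bicep.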
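Review bot: The reason the web tier uses a Server Core image is recorded only in the commit description, not next to `windowsOSVersion` in azure-network-azuredeploy.bicep; a comment such as `// Server Core, Gen2: the web tier only hosts IIS and needs no desktop` would keep a later edit from silently switching it back. The scale-set resource that consumes this variable is outside the hunk, so two things cannot be confirmed from here and are worth checking. One is that whatever installs and configures IIS does not depend on desktop-only features. The other is that the Gen2 move is paired with Trusted Launch (`securityType: 'TrustedLaunch'` with secure boot and vTPM) in the resource's `securityProfile`.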
diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
index 6da11b3f..552fb296 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
@@ -18,7 +18,7 @@
 },
 "vmSize": {
 "type": "string",
- "defaultValue": "Standard_DS1_v2"
+ "defaultValue": "Standard_D2s_v3"
 },
 "configureSitetosite": {
 "type": "bool",
@@ -101,7 +101,7 @@
 "vmssName": "vmss-web-server",
 "peering-name-hub-to-spoke": "hub-to-spoke",
 "peering-name-spoke-to-hub": "spoke-to-hub",
- "windowsOSVersion": "2022-datacenter-g2"
+ "windowsOSVersion": "2025-datacenter-core-smalldisk-g2"
 },
 "resources": [
 {
diff --git a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep
index 7088762e..46939058 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep
+++ b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep
@@ -21,13 +21,13 @@ param bastionHost object = {
 publicIPAddressName: 'pip-bastion'
 nsgName: 'nsg-hub-bastion'
 }
-param vmSize string = 'Standard_A4_v2'
+param vmSize string = 'Standard_D2s_v3'
 param configureSitetosite bool = true
 param location string = resourceGroup().location
 var nicNameWindowsName = 'nic-windows'
 var vmNameWindowsName = 'vm-windows'
-var windowsOSVersion = '2016-Datacenter'
+var windowsOSVersion = '2025-datacenter-smalldisk-g2'
 resource mocOnpremNetworkResource 'Microsoft.Network/virtualNetworks@2024-05-01' = {
 name: mocOnpremNetwork.name
@@ -283,11 +283,6 @@ resource windowsVM 'Microsoft.Compute/virtualMachines@2024-11-01' = {
 adminPassword: adminPassword
 windowsConfiguration: {
 enableAutomaticUpdates: true
- patchSettings: {
- //Machines should be configured to periodically check for missing system updates
- assessmentMode: 'AutomaticByPlatform'
- patchMode: 'AutomaticByPlatform'
- }
 }
 }
 storageProfile: {
diff --git a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json
index 6099673d..2c017308 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json
+++ b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json
@@ -38,7 +38,7 @@
 },
 "vmSize": {
 "type": "string",
- "defaultValue": "Standard_DS1_v2"
+ "defaultValue": "Standard_D2s_v3"
 },
 "configureSitetosite": {
 "type": "bool",
@@ -51,7 +51,7 @@
 "variables": {
 "nicNameWindows": "nic-windows",
 "vmNameWindows": "vm-windows",
- "windowsOSVersion": "2016-Datacenter"
+ "windowsOSVersion": "2025-datacenter-smalldisk-g2"
 },
 "resources": [
 {
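Review bot: The `windowsVM` hunk in mock-onprem-azuredeploy.bicep deletes `patchSettings` from `windowsConfiguration`, which the commit description never mentions and which removes the setting the deleted comment tied to periodic checks for missing updates. With only `enableAutomaticUpdates: true` left, assessment and patch orchestration fall back to the platform defaults for that property (to my knowledge `ImageDefault` and `AutomaticByOS`), so the VM would likely stop reporting missing updates through platform assessment. If the block was dropped because the new image rejected `patchMode: 'AutomaticByPlatform'`, keep at least `patchSettings: { assessmentMode: 'AutomaticByPlatform' }` and state the reason in a comment; otherwise restore it. The mock-onprem-azuredeploy.json hunks in this patch change only `vmSize` and `windowsOSVersion`, so it is worth confirming that the compiled template and the Bicep file still agree on patch settings. The resource body starts and ends outside the hunk.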