Turn on the VM with Updates pending using Powershell

Abrar Adil S 216

I have a PowerShell script that runs in an Automation Account to check for updates. To maintain compliance, I use the Azure Update Manager daily. However, when the Azure Update Manager runs during non-business hours, some VMs with pending updates are turned off.

I need a PowerShell script or command to get a list of VMs with pending updates, so I can turn on only those specific VMs from an Automation Account right before the Azure Update Manager schedule. This way, I can avoid turning on all servers, which would increase infrastructure costs.

1 answer

Stanislav Zhelyazkov 21,851 Reputation points MVP

2024-06-21T09:44:27.8466667+00:00

Hi,

In order to scan for missing updates the machine needs to be running. There is no way that machines are turned off and you can scan for updates.

Update 1:

You can find some sample queries of how to get available updates in the official documentation. Keep in mind that the data is available for the past 30 days. If the machine was not started for more than 30 days the data will not be available. Information how to run resource graph queries with PowerShell.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Abrar Adil S 216 Reputation points

2024-06-21T09:47:35.9733333+00:00

Agreed, we can't scan for updates when the Machine has been turned off,

Can we get the Machine details if a machine is turned off and a Update is Pending?

Stanislav Zhelyazkov 21,851 Reputation points MVP

2024-06-21T09:59:41.2033333+00:00

You can find some sample queries of how to get available updates in the official documentation. Keep in mind that the data is available for the past 30 days. If the machine was not started for more than 30 days the data will not be available. Information how to run resource graph queries with PowerShell.

Abrar Adil S 216 Reputation points

2024-06-21T10:05:29.4233333+00:00

The resource graph explorer has a inbuilt query which provides the list of Machines with Updates pending.
Correct me if I am wrong, but we can't use the output of one query as an input to another query to start those Machines, or is there any other way of turning on those Machines from the output we have received.

Stanislav Zhelyazkov 21,851 Reputation points MVP

2024-06-21T10:14:51.12+00:00

I am not sure exactly what you mean. When you run the query via PowerShell cmdlet you get some results. You can process those results however you want and feed it as input for other commands like Start-AzVm.

Abrar Adil S 216 Reputation points

2024-06-24T05:00:53.8833333+00:00

$tenantId = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

Connect-AzAccount -TenantId $tenantId

# Get all subscriptions

$subscriptions = Get-AzSubscription

$query = @"

// List available OS updates for all your machines grouped by update category

// Returns a list of pending OS for your machines

//

// The query uses 'project' to show the listed properties in the results. You can add or remove properties.

//

// Click the "Run query" command above to execute the query and see results.

patchassessmentresources

| where type !has 'softwarepatches'

| extend prop = parse_json(properties)

| extend lastTime = properties.lastModifiedDateTime

| extend updateRollupCount = prop.availablePatchCountByClassification.updateRollup, featurePackCount = prop.availablePatchCountByClassification.featurePack, servicePackCount = prop.availablePatchCountByClassification.servicePack, definitionCount = prop.availablePatchCountByClassification.definition, securityCount = prop.availablePatchCountByClassification.security, criticalCount = prop.availablePatchCountByClassification.critical, updatesCount = prop.availablePatchCountByClassification.updates, toolsCount = prop.availablePatchCountByClassification.tools, otherCount = prop.availablePatchCountByClassification.other, OS = prop.osType

| project lastTime, id, OS, updateRollupCount, featurePackCount, servicePackCount, definitionCount, securityCount, criticalCount, updatesCount, toolsCount, otherCount

"@

# Function to start VM

function Start-And-Wait-For-Shutdown {

param (

[string]$resourceGroupName,

[string]$vmName

)

# Start the VM

try {

Start-AzVM -ResourceGroupName $resourceGroupName -Name $vmName

Write-Host "Started VM: $vmName in Resource Group: $resourceGroupName"

# Wait for 3 hours (10800 seconds)

Start-Sleep -Seconds 10800

# Shut down the VM

Stop-AzVM -ResourceGroupName $resourceGroupName -Name $vmName -Force

Write-Host "Stopped VM: $vmName in Resource Group: $resourceGroupName after 3 hours"

}

catch {

Write-Host "Error starting VM: $vmName in Resource Group: $resourceGroupName. Error: $_"

}

}

# Search in All subscriptions

foreach ($subscription in $subscriptions) {

# Set the current subscription context

Set-AzContext -SubscriptionId $subscription.Id

$vmList = Search-AzGraph -Query $query

$vmIds = $vmList | Select-Object -ExpandProperty id

foreach ($vmId in $vmIds) {

# Extract the resource group and VM name from the VM ID

$vmIdParts = $vmId -split '/'

$resourceGroupName = $vmIdParts[4]

$vmName = $vmIdParts[8]

# Get the VM status

$vm = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName -Status

$vmStatus = $vm.Statuses | Where-Object { $_.Code -like 'PowerState/*' } | Select-Object -ExpandProperty Code

if ($vmStatus -eq 'PowerState/running') {

Write-Host "VM: $vmName in Resource Group: $resourceGroupName is already running, skipping..."

} else {

Start-And-Wait-For-Shutdown -resourceGroupName $resourceGroupName -vmName $vmName

}

}

}

I am using this script as suggested, but however the script is not turning on the VM with Updates Pending its shows as the VM in the resource group has started but its failing to start, @Stanislav Zhelyazkov can you please help me here.
Sign in to comment

Share via

Turn on the VM with Updates pending using Powershell

1 answer