This happens because, by design, the tag checks are done against the Microsoft.Compute resource provider, whereas servers in Arc are under the Microsoft.HybridCompute/machines resource provider. A workaround is to create a data collector that pulls Arc VM information based on their tags and ingests it into a linked Log Analytics workspace, then create a dynamic computer group from that table and target that group.
Steps:
- The script requires a Managed Identity with permission on the VMs so it can get the tag values.
- The script below should be used as a PowerShell script runbook.
- You need to change the highlighted values below with information from your workspace.
- After running the script, you will have a table in the workspace; in the example below I named it “VMResourceTags”.
- From this table what we need to do is query for the tag value, join the result with the heartbeat table, then create a dynamic group of that query:
- The query would be something like the below:
```kusto
// your tags will be a column in the table and the system will automatically replace any spaces with “_” and add “Tags_” at the start and “s” at the end.
// in the VM the tag is “Update 1530”; in the workspace it becomes “Tags_Update_1530_s”
VMResourceTags_CL
| where TimeGenerated > ago(12h)
| where Tags_Update_1530_s == "True"
| join Heartbeat on _ResourceId
| distinct Computer
```
- After running the query just save it as a function and select the computer group checkbox:
- The last step would be to target this group in your schedule.
```powershell
#NOTE - Disclaimer
#Following programming examples is for illustration only, without warranty either expressed or implied,
#Including, but not limited to, the implied warranties of merchantability and/or fitness for a particular purpose.
#This sample code assumes that you are familiar with the programming language being demonstrated and the tools
#Used to create and debug procedures. This sample code is provided for the purpose of illustration only and is
#Not intended to be used in a production environment.

#Start of the script----------------------------------------------
Connect-AzAccount -Identity
$VMs = Get-AzResource -ResourceType "Microsoft.HybridCompute/machines"

# Create the vm tag records to be ingested
$json = ConvertTo-Json $VMs

# Replace with your Workspace ID
$CustomerId = ""

# Replace with your Primary Key
$SharedKey = ""

# Specify the name of the record type that you'll be creating
$LogType = "VMResourceTags"

# Optional name of a field that includes the timestamp for the data.
# If the time field is not specified, Azure Monitor assumes the time is the message ingestion time
$TimeStampField = ""

# Create the function to create the authorization signature
Function Build-Signature ($customerId, $sharedKey, $date, $contentLength, $method, $contentType, $resource)
{
    $xHeaders = "x-ms-date:" + $date
    $stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource

    $bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash)
    $keyBytes = [Convert]::FromBase64String($sharedKey)

    # HMAC-SHA256 over the string to sign, keyed with the decoded workspace key
    $sha256 = New-Object System.Security.Cryptography.HMACSHA256
    $sha256.Key = $keyBytes
    $calculatedHash = $sha256.ComputeHash($bytesToHash)
    $encodedHash = [Convert]::ToBase64String($calculatedHash)
    $authorization = 'SharedKey {0}:{1}' -f $customerId,$encodedHash
    return $authorization
}

# Create the function to create and post the request
Function Post-LogAnalyticsData($customerId, $sharedKey, $body, $logType)
{
    $method = "POST"
    $contentType = "application/json"
    $resource = "/api/logs"
    $rfc1123date = [DateTime]::UtcNow.ToString("r")
    $contentLength = $body.Length
    $signature = Build-Signature `
        -customerId $customerId `
        -sharedKey $sharedKey `
        -date $rfc1123date `
        -contentLength $contentLength `
        -method $method `
        -contentType $contentType `
        -resource $resource
    # The scheme must be a quoted string
    $uri = "https://" + $customerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"

    $headers = @{
        "Authorization" = $signature;
        "Log-Type" = $logType;
        "x-ms-date" = $rfc1123date;
        "time-generated-field" = $TimeStampField;
    }

    $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing #-debug
    return $response.StatusCode
}

# Submit the data to the API endpoint
Post-LogAnalyticsData -customerId $customerId -sharedKey $sharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($json)) -logType $logType
#End of the script------------------------------------------------
```
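A variant of the runbook's top-level section, as an added example that is not part of the original post: it reads the workspace ID and primary key from Automation account variables instead of literals in the script text, sends only a few fields per tagged Arc machine, and fails the job if ingestion does not return 200. It assumes `Build-Signature`, `Post-LogAnalyticsData` and `$TimeStampField` from the script above are defined earlier in the same runbook; the variable names `LAWorkspaceId` and `LAWorkspaceKey` are hypothetical.

```powershell
# Added example, not the original author's code.
# Assumptions: Build-Signature, Post-LogAnalyticsData and $TimeStampField from the
# script above are defined earlier in this runbook. The Automation variable names
# 'LAWorkspaceId' and 'LAWorkspaceKey' are hypothetical; create them in the
# Automation account and mark the key variable as encrypted.

$ErrorActionPreference = 'Stop'   # any failed call fails the runbook job

# Read the workspace credentials from the Automation account, not from script text
$CustomerId = Get-AutomationVariable -Name 'LAWorkspaceId'
$SharedKey  = Get-AutomationVariable -Name 'LAWorkspaceKey'
if ([string]::IsNullOrWhiteSpace($CustomerId) -or [string]::IsNullOrWhiteSpace($SharedKey)) {
    throw 'Workspace ID or key variable is empty.'
}
$LogType = 'VMResourceTags'

Connect-AzAccount -Identity | Out-Null

# Keep only tagged Arc machines, and only resource ID, name, resource group and tags
$records = @(
    Get-AzResource -ResourceType 'Microsoft.HybridCompute/machines' |
        Where-Object { $_.Tags -and $_.Tags.Count -gt 0 } |
        Select-Object ResourceId, Name, ResourceGroupName, Tags
)

if ($records.Count -eq 0) {
    Write-Output 'No tagged Arc machines found; nothing to send.'
    return
}

# Passing the array via -InputObject yields a JSON array even for one machine;
# -Depth 3 covers array -> record -> Tags -> value
$json = ConvertTo-Json -InputObject $records -Depth 3
$body = [System.Text.Encoding]::UTF8.GetBytes($json)

$status = Post-LogAnalyticsData -customerId $CustomerId -sharedKey $SharedKey -body $body -logType $LogType
if ($status -ne 200) {
    throw "Log Analytics ingestion returned HTTP $status"
}
Write-Output "Sent $($records.Count) records to $($LogType)_CL"
```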