Azure Update Manager query

Ashish Javiya 1 Reputation point
2021-03-11T10:19:36.083+00:00

Recently we had an issue: we had set up a few scheduled tasks to patch the servers for critical and important updates using Update Manager. It failed and we did not get any information, which caused us many issues. Hence we have decided to build a dashboard to help us see the overall status. I have 2 questions: 1) Query needs: server name, subscription, owner, last time it was patched (maybe using Jobs/Scheduler), critical updates pending, longest critical update pending. 2) Does a Kusto query give results limited to that subscription? How can we build the Log Analytics report over all resources?

Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.

1 answer

  1. SwathiDhanwada-MSFT 18,211 Reputation points
    2021-03-11T12:01:16.363+00:00

    @Ashish Javiya Welcome to Microsoft Q&A Community Forum. Here is a query which lists out information like ComputerId, Computer Name, missingCriticalUpdatesCount, missingSecurityUpdatesCount, missingOtherUpdatesCount, lastAssessedTime. In case you want to limit the records to a specific subscription, you can just add 'where subscriptionId= "<<provide subscription id>>"' to the query.

    Heartbeat  
    | where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)  
    | summarize arg_max(TimeGenerated, Solutions, Computer, ResourceId, ComputerEnvironment, VMUUID) by SourceComputerId   
    | where Solutions has "updates"  
    | extend vmuuId=VMUUID, azureResourceId=ResourceId, osType=1, environment=iff(ComputerEnvironment=~"Azure", 1, 2), scopedToUpdatesSolution=true, lastUpdateAgentSeenTime=""  
    | join kind=leftouter  
    (  
        Update  
        | where TimeGenerated>ago(5h) and OSType=="Linux" and SourceComputerId in ((Heartbeat  
        | where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)  
        | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId  
        | where Solutions has "updates"  
        | distinct SourceComputerId))  
        | summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Product, Computer, ComputerEnvironment) by SourceComputerId, Product, ProductArch  
        | summarize Computer=any(Computer), ComputerEnvironment=any(ComputerEnvironment), missingCriticalUpdatesCount=countif(Classification has "Critical" and UpdateState=~"Needed"), missingSecurityUpdatesCount=countif(Classification has "Security" and UpdateState=~"Needed"), missingOtherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security" and UpdateState=~"Needed"), lastAssessedTime=max(TimeGenerated), lastUpdateAgentSeenTime="" by SourceComputerId  
        | extend compliance=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0, 2, 1)  
        | extend ComplianceOrder=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0 or missingOtherUpdatesCount > 0, 1, 3)  
    )  
    on SourceComputerId  
    | project id=SourceComputerId, displayName=Computer, sourceComputerId=SourceComputerId, scopedToUpdatesSolution=true, missingCriticalUpdatesCount=coalesce(missingCriticalUpdatesCount, -1), missingSecurityUpdatesCount=coalesce(missingSecurityUpdatesCount, -1), missingOtherUpdatesCount=coalesce(missingOtherUpdatesCount, -1), compliance=coalesce(compliance, 4), lastAssessedTime, lastUpdateAgentSeenTime, osType=1, environment=iff(ComputerEnvironment=~"Azure", 1, 2), ComplianceOrder=coalesce(ComplianceOrder, 2)  
    | union(Heartbeat  
    | where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)  
    | summarize arg_max(TimeGenerated, Solutions, Computer, ResourceId, ComputerEnvironment, VMUUID) by SourceComputerId  
    | where Solutions has "updates"  
    | extend vmuuId=VMUUID, azureResourceId=ResourceId, osType=2, environment=iff(ComputerEnvironment=~"Azure", 1, 2), scopedToUpdatesSolution=true, lastUpdateAgentSeenTime=""  
    | join kind=leftouter  
    (  
        Update  
        | where TimeGenerated>ago(14h) and OSType!="Linux" and SourceComputerId in ((Heartbeat  
        | where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)  
        | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId  
        | where Solutions has "updates"  
        | distinct SourceComputerId))  
        | summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Title, Optional, Approved, Computer, ComputerEnvironment) by Computer, SourceComputerId, UpdateID  
        | summarize Computer=any(Computer), ComputerEnvironment=any(ComputerEnvironment), missingCriticalUpdatesCount=countif(Classification has "Critical" and UpdateState=~"Needed" and Approved!=false), missingSecurityUpdatesCount=countif(Classification has "Security" and UpdateState=~"Needed" and Approved!=false), missingOtherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security" and UpdateState=~"Needed" and Optional==false and Approved!=false), lastAssessedTime=max(TimeGenerated), lastUpdateAgentSeenTime="" by SourceComputerId  
        | extend compliance=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0, 2, 1)  
        | extend ComplianceOrder=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0 or missingOtherUpdatesCount > 0, 1, 3)  
    )  
    on SourceComputerId  
    | project id=SourceComputerId, displayName=Computer, sourceComputerId=SourceComputerId, scopedToUpdatesSolution=true, missingCriticalUpdatesCount=coalesce(missingCriticalUpdatesCount, -1), missingSecurityUpdatesCount=coalesce(missingSecurityUpdatesCount, -1), missingOtherUpdatesCount=coalesce(missingOtherUpdatesCount, -1), compliance=coalesce(compliance, 4), lastAssessedTime, lastUpdateAgentSeenTime, osType=2, environment=iff(ComputerEnvironment=~"Azure", 1, 2), ComplianceOrder=coalesce(ComplianceOrder, 2) )  
    | order by ComplianceOrder asc, missingCriticalUpdatesCount desc, missingSecurityUpdatesCount desc, missingOtherUpdatesCount desc, displayName asc   
    | project-away ComplianceOrder
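
How a dashboard can consume the rows this query returns, as an added example that is not part of the original answer. In the query, `coalesce(..., -1)` and `compliance=coalesce(compliance, 4)` mark machines that sent a heartbeat but had no Update records in the window, so they are reported separately here instead of being counted as zero missing updates. The state labels and the sample rows are constructed assumptions.

```python
from collections import Counter

# Labels are assumptions read off the query's iff()/coalesce() logic:
# 1 = nothing critical/security missing, 2 = critical or security missing,
# 4 = left join found no Update rows for the machine.
COMPLIANCE = {1: "compliant", 2: "non-compliant", 4: "not-assessed"}

COUNT_COLUMNS = (
    "missingCriticalUpdatesCount",
    "missingSecurityUpdatesCount",
    "missingOtherUpdatesCount",
)

def row(name, os_type, compliance, crit, sec, other, assessed):
    """Build one result row using the column names the query projects."""
    return {"displayName": name, "osType": os_type, "compliance": compliance,
            "missingCriticalUpdatesCount": crit,
            "missingSecurityUpdatesCount": sec,
            "missingOtherUpdatesCount": other,
            "lastAssessedTime": assessed}

# Constructed sample rows (not real query output).
SAMPLE_ROWS = [
    row("web01", 1, 2, 3, 5, 12, "2021-03-11T09:40:00Z"),
    row("sql02", 2, 1, 0, 0, 4, "2021-03-11T08:15:00Z"),
    row("app03", 2, 4, -1, -1, -1, None),  # heartbeat only, no assessment
]

def summarize(rows):
    """Aggregate query rows without letting the -1 sentinel skew the totals."""
    by_state = Counter()
    totals = dict.fromkeys(COUNT_COLUMNS, 0)
    not_assessed = []
    for r in rows:
        state = COMPLIANCE.get(r["compliance"], "unknown")
        by_state[state] += 1
        # -1 means "no data", not "one fewer update": keep it out of the sums.
        if state == "not-assessed" or any(r[c] < 0 for c in COUNT_COLUMNS):
            not_assessed.append(r["displayName"])
            continue
        for c in COUNT_COLUMNS:
            totals[c] += r[c]
    return {"machines_by_state": dict(by_state),
            "missing_totals": totals,
            "not_assessed": sorted(not_assessed)}

if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
```

Machines listed under `not_assessed` are the ones to alert on first, since a failed or missing assessment is invisible in the missing-update counts.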