Azure Update Management - log analytics report

Nigel Vella 1 Reputation point

I have a setup where, every week the Virtual Machines are updated using a deployment schedule.
The Deployment Schedule also includes a Post and Pre-scripts to start any VMs that are found shut-down and once updated, it puts them back to shut-down.

Everything works fine and the updates where also installed OK.

My problem is that post updates, I'm utilizing a script to export data which shows the critical and security updates for audit reports, however, VMs that are continuously running are reporting fine, whereas VMs that are shutdown after the post script, report data of when the VM is started.

This is the script I'm using:

| join kind=fullouter (UpdateSummary) on ResourceId  
| where TimeGenerated1 >= ago(48h)  
| summarize arg_max(TimeGenerated1, CriticalUpdatesMissing, SecurityUpdatesMissing) by Computer, ResourceGroup  

Below is what I'm encountering.
The update didn't last long, is there any time required for the VM's to be running, in order to fetch latest update data on the log analytics?

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,941 questions
Azure Automation
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
1,166 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. AnuragSingh-MSFT 21,076 Reputation points

    Hi @Nigel Vella ,

    Welcome to Microsoft Q&A! Thanks for posting the question.

    I understand that you are trying to view the updated information LogAnalytics after the updates were installed on selected machines. Based on the reported behavior that - the updates are reported fine for continuously running machine AND the fact that for stopped VMs the updates are displayed based on the time when they were started, the following information and reference should help:

    1. On a Windows machine, the compliance scan is run every 12 hours by default. For a Linux machine, the compliance scan is performed every hour by default.

    2. If the Log Analytics agent is restarted, a compliance scan is started within 15 minutes. (A reboot/start of VM would initiate start of all the services on the VM, therefore you seem to be getting the information from after the start of VM)

    refer: About Update Management

    Based on this information, I would suggest adding one more logic to the Postscript to restart "Log Analytics Agent" service after the update installation and schedule shutdown after about 15 minutes. That should help get updated data sooner.

    Please let me know if you have any questions.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.