cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Patch status wrong

PatrikHansson
Brass Contributor

‎Jul 16 2020 02:12 AM

‎Jul 16 2020 02:12 AM

Patch status wrong

Azure security center shows vm needing a patch, but Azure Update Management and local VM show it as installed.
What is the update frequency on the data in security center ? It's been installed for ~24h and still it shows as needed in recommendations.

 

the query in security center for showing which computer is affected is:

Update
| where UpdateState =~ "Needed" and iff(isnotnull(toint(Optional)), Optional == false, Optional == "false") == true and iff(isnotnull(toint(Approved)), Approved != false, Approved != "false") == true and UpdateID == "0641752f-29fb-48d7-a3cf-f93dde26b82b"
//| Removed subscription ID
| summarize AggregatedValue = dcount(SourceComputerId) by SourceComputerId, Computer
| limit 1000000000

the one in Update manager showing its installed is

Update
| where UpdateID == "0641752f-29fb-48d7-a3cf-f93dde26b82b" //added updateid for this update
| where TimeGenerated>ago(14h) and OSType!="Linux" and (Optional==false or Classification has "Critical" or Classification has "Security") and SourceComputerId in ((Heartbeat
| where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
| where Solutions has "updates"
| distinct SourceComputerId))
| summarize hint.strategy=partitioned arg_max(TimeGenerated, *) by Computer, SourceComputerId, UpdateID
| where Approved!=false and Computer=="server.domain.com" // removed affected servername 
| render table

 

638 Views
0 Likes
0 Replies
Reply
0 Replies