Jul 16 2020 02:12 AM
Azure security center shows vm needing a patch, but Azure Update Management and local VM show it as installed.
What is the update frequency on the data in security center ? It's been installed for ~24h and still it shows as needed in recommendations.
the query in security center for showing which computer is affected is:
Update
| where UpdateState =~ "Needed" and iff(isnotnull(toint(Optional)), Optional == false, Optional == "false") == true and iff(isnotnull(toint(Approved)), Approved != false, Approved != "false") == true and UpdateID == "0641752f-29fb-48d7-a3cf-f93dde26b82b"
//| Removed subscription ID
| summarize AggregatedValue = dcount(SourceComputerId) by SourceComputerId, Computer
| limit 1000000000
the one in Update manager showing its installed is
Update
| where UpdateID == "0641752f-29fb-48d7-a3cf-f93dde26b82b" //added updateid for this update
| where TimeGenerated>ago(14h) and OSType!="Linux" and (Optional==false or Classification has "Critical" or Classification has "Security") and SourceComputerId in ((Heartbeat
| where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
| where Solutions has "updates"
| distinct SourceComputerId))
| summarize hint.strategy=partitioned arg_max(TimeGenerated, *) by Computer, SourceComputerId, UpdateID
| where Approved!=false and Computer=="server.domain.com" // removed affected servername
| render table