Azure Update Manager compliance workbook starter
Starter template for an Azure Workbook plus Resource Graph evidence pack that shows patch compliance, pending updates, unsupported coverage, and patch-group drift across Azure and Arc-enabled machines.
Good For
- Monthly patch compliance reporting
- CAB or maintenance-window evidence
- Azure Arc and Azure VM fleet visibility
- Patch-group drift review by tag, subscription, or resource group
- Operator notes for exceptions and remediation follow-up
How to Use It
- Define workbook scope and audience: Set workbook parameters for Subscription, Resource Group, OS type, PatchGroup tag, and time range. Decide whether the workbook is operator-facing only or suitable for management consumption. Record expected fleet scope: Azure VMs only, Arc-enabled servers only, or both.
- Build the summary section: Create top tiles for Total machines in scope, Assessed recently, Machines with pending updates, Machines with no recent assessment, and Machines missing PatchGroup tag. Add a grid grouped by subscription and resource group showing total machines, compliant count, pending count, and stale assessment count. Include a note block that defines compliance logic used in the workbook.
- Add detailed evidence views: Create a machine detail grid with machine name, resource type, subscription, PatchGroup, assessment status, pending patch count, reboot indicator if available, and last assessment time. Add a breakdown by OS type and by patch classification where assessment data exists. Add a stale-data view listing machines without a recent assessment inside the agreed reporting window.
- Add drift and hygiene views: Create a tag hygiene section to list machines missing PatchGroup, Environment, or Owner tags. Add a drift view to show machines in the same app or resource group that have different PatchGroup values. Highlight Arc machines or subscriptions with no assessment records so onboarding gaps are visible.
- Attach operator notes and export outputs: Reserve a final text section for exceptions, approved deferrals, and actions assigned to platform or application owners. Export workbook screenshots or workbook JSON for change records if required. Save the Resource Graph query outputs as CSV evidence for ticket attachments.
Execution Modes
- local
Inputs and Outputs
Inputs
- Scope
- Reporting window
- Tag schema
- Compliance definition
Outputs
- verbose-console
- operator-notes
Command Starter
Safe to run: read-only
az account show --output table
az graph query -q "Resources | where type =~ 'microsoft.compute/virtualmachines' or type =~ 'microsoft.hybridcompute/machines' | project id, name, type, subscriptionId, resourceGroup, location, tags" --first 1000 --output table
az graph query -q "PatchAssessmentResources | project machineName=tostring(properties.machineName), status=tostring(properties.status), osType=tostring(properties.osType), patchServiceUsed=tostring(properties.patchServiceUsed), lastModified=todatetime(properties.lastModifiedDateTime), pendingPatchCount=toint(properties.availablePatchCountByClassification.total)" --first 1000 --output table
az graph query -q "Resources | where type =~ 'microsoft.compute/virtualmachines' or type =~ 'microsoft.hybridcompute/machines' | extend patchGroup=tostring(tags['PatchGroup']), env=tostring(tags['Environment']), owner=tostring(tags['Owner']) | project name, type, subscriptionId, resourceGroup, location, patchGroup, env, owner" --first 1000 --output csv > patch-tag-review.csv
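As an added example (not part of this template), the following Python script reproduces the tag hygiene and PatchGroup drift views offline from the patch-tag-review.csv export produced by the last query above. It assumes the CSV headers match the column names projected by that query (matched case-insensitively) and uses constructed sample rows, not real tenant data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the column layout projected by the template's
# third Resource Graph query (patch-tag-review.csv). Not real tenant data.
SAMPLE_CSV = """name,type,subscriptionId,resourceGroup,location,patchGroup,env,owner
web01,microsoft.compute/virtualmachines,sub-a,rg-app1,eastus,Wave1,prod,app-team
web02,microsoft.compute/virtualmachines,sub-a,rg-app1,eastus,Wave2,prod,app-team
db01,microsoft.hybridcompute/machines,sub-a,rg-app1,eastus,Wave1,prod,
arc01,microsoft.hybridcompute/machines,sub-b,rg-arc,westus,,,
arc02,microsoft.hybridcompute/machines,sub-b,rg-arc,westus,Wave3,dev,ops
"""

# Tag columns the template treats as mandatory in the hygiene view.
REQUIRED_TAG_COLUMNS = ("patchGroup", "env", "owner")


def load_rows(csv_text):
    """Parse the CSV export; header names are matched case-insensitively."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{(k or "").strip().lower(): (v or "").strip() for k, v in row.items()}
            for row in reader]


def tag_hygiene(rows):
    """Return {machine name: [missing tag columns]} for machines lacking a required tag."""
    missing = {}
    for row in rows:
        gaps = [col for col in REQUIRED_TAG_COLUMNS if not row.get(col.lower())]
        if gaps:
            missing[row["name"]] = gaps
    return missing


def patch_group_drift(rows):
    """Return {(subscriptionId, resourceGroup): sorted PatchGroup values} for
    resource groups whose tagged machines carry more than one PatchGroup value."""
    groups = defaultdict(set)
    for row in rows:
        patch_group = row.get("patchgroup")
        if patch_group:  # untagged machines are a hygiene gap, not drift
            groups[(row["subscriptionid"], row["resourcegroup"])].add(patch_group)
    return {key: sorted(vals) for key, vals in groups.items() if len(vals) > 1}


if __name__ == "__main__":
    data = load_rows(SAMPLE_CSV)
    print("Tag hygiene gaps:", tag_hygiene(data))
    print("PatchGroup drift:", patch_group_drift(data))
```

Replace SAMPLE_CSV with the contents of the real export and attach both dictionaries to the ticket alongside the CSV so each drift or hygiene finding traces back to a row in the saved query output.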
Validation
- Workbook totals reconcile with the Resource Graph export for the same scope, time window, and machine population.
- Machines missing recent assessments are called out separately from compliant machines so evidence gaps are visible.
- PatchGroup, Environment, and Owner tag exceptions are visible in the workbook and match the exported drift or hygiene views.
- A reviewer can trace every summary tile or chart back to a saved query, CSV export, or documented workbook section without guessing at the data source.
Reporting
- Decision summary: total candidates reviewed, excluded, approved to disable, on hold, and unresolved.
- Evidence summary: baseline CSV, candidate CSV, high-risk group membership exports, and corroborating source references attached to the ticket.
- Approval summary: approver, approval date, planned disable date, rollback window, and escalation owner per account or batch.
Safety Notes
- This is a reporting template; keep all queries read-only and avoid embedding remediation actions in the workbook.
- Resource Graph and Update Manager schemas can vary by tenant and feature rollout; test queries in a non-production workbook before broad use.
- Do not treat missing assessment data as proof of compliance; report it separately as an evidence gap.
- If tags drive maintenance scheduling, validate tag sources with platform owners before using drift output for escalation.