Get The List of Installed Patches on Azure VMs

Updated—20/03/2025—Microsoft announced that the new Azure Update Manager is now generally available (GA). This service will replace the old Azure Update Management service discussed in this article as part of an Azure Automation Account. Please refer to the following guide on monitoring patch installation resources in Azure Update Manager.

Azure virtual machines (VMs) compute instances can run on demand. You can use them just like servers deployed on-premises, deploying operating systems and applications, or containerized workloads. Operating system updates for Azure VMs are one of the core elements of a zero-day vulnerability and the overall Azure security strategy.

In this article, we will show you how to get the list of installed patches on Azure VMs using Azure Update Management in KQL query and Log Analytics.

Introduction

As you probably know, when we start provisioning resources in any public cloud provider, we need to always think about the types of resources we have and the shared responsibility model.

For infrastructure as service (IaaS) virtual machines, we are responsible for things like the OS, their runtime, the middleware, application, and data. When we think about the OS, this includes securing and hardening the OS, but also obviously patching it. And that’s kind of a huge part of it.

You probably already have a patching solution on-premises like System Center Configuration Manager (SCCM), you could bring that to the cloud if that’s working for you today, you could just use your existing investments if you want. But there is also a cloud-native technology in Azure called “Update Management“, and that’s what we want to focus on in this article.

The Azure Update Management service is generally available (GA) and is included as part of an Azure Automation Account. Update management allows you to manage updates and patches for your machines (Windows and Linux). With Update management, you can quickly assess the status of available updates, schedule installation of required updates, and review deployment results to verify updates that apply successfully. This is possible whether your machines are Azure VMs, hosted by other cloud providers, or on-premises.

Once Azure Update Management is implemented, we wanted to improve an audit query we are running every month because doing things manually over and over again is not efficient.

This article describes the steps needed to automate and get the list of installed patches on Azure VMs using Azure Update Management, KQL query, and Azure Logic App.

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) Azure Resource Group (RG).

3) At least one supported operating system (x64) is deployed in the desired RG. Please check the following table lists for the supported operating systems for update assessments and patching.

• A quick start guide for creating a Windows virtual machine or Linux virtual machine.

4) Azure Update Management configured. Please check the following step-by-step guide to get started.

List of Installed OS Patches with KQL

As you probably know, in addition to the details that are provided during Update Management deployment, we can search the logs stored in the Log Analytics workspace. And for how long do you plan to keep the logs in the Log Analytics workspace, determines the data retention to go back in time, and audit the update for your servers. 31 days of retention is included with the pricing plan (free). If you want longer retention (up to 2 years), it will incur additional charges.

To search the logs from your Automation account, select Update management and open the Log Analytics workspace associated with your deployment as shown in the figure below.

As you can see, we have 5 tables under Update Management that we can query against that represents updates by a machine. Update Management collects records for Windows and Linux VMs and the data types that appear in log search results.

To query update management logs, please check the official documentation.

As part of our automated workflow procedure, we need to automatically determine last month’s installed patches for all Azure virtual machines that are getting patched using Azure Update Management. We have a monthly schedule that patches our Windows and Linux servers and we need to audit them on monthly basis.

For this to work, we first need to determine last month’s number by getting the current month and subtracting 1 from the number.

We create a variable called lastMonthNumber and subtract 1 from the current date.

let lastmonthNumber = getmonth(datetime(now)) - 1;

This will work for all of the months, except for January. Because on January, getmonth() will return 1 and we cannot switch it to 12 by subtracting 1.

In our example, we need to keep the logs for 2 years for compliance and audit reasons. If you are keeping the data for less than a year, then you disregard this issue.

Now to go beyond and use the year, we need the help of the iff() function. So if lastMonthNumber == 0 it means we are currently in January, we need to change it to 12 and point to December instead. Here is the iff() function to check against the lastMonthNumber and put the result in a new variable called lastmonth:

let lastmonth = iff(lastmonthNumber == 0, 12, lastmonthNumber);

Now for the year, we get the current year as of today and subtract 1 if lastmonth is 12, if not, then we don’t subtract and set it to 0.

let year = getyear(datetime(now)) - iff(lastmonth == 12, 1, 0);

Now we have all the information that we need to set the start date startDate and the end date endDate variables:

let startDate = make_datetime(year, lastmonth, 01);
let endDate = endofmonth(startDate);

Finally, we can start using them against TimeGenerated in our case to sort the patches based on the previous month, as follows:

UpdateRunProgress
| where TimeGenerated between(startDate .. endDate)

By having all the variables set dynamically, we can now build our entire KQL query and summarize the OS patches as follows:

// KQL List of Installed OS Patches on Azure VMs
// Automatic date calculation to get previous month
let lastmonthNumber = getmonth(datetime(now)) - 1;
let lastmonth = iff(lastmonthNumber == 0, 12, lastmonthNumber);
let year = getyear(datetime(now)) - iff(lastmonth == 12, 1, 0);
let startDate = make_datetime(year, lastmonth, 01);
let endDate = endofmonth(startDate);
UpdateRunProgress
| where TimeGenerated between(startDate .. endDate)
| project TimeGenerated, Server=Resource, UpdateGroup=UpdateRunName, ResourceGroup, InstalledUpdate=Title, InstallationStatus, KBNumber=KBID
| summarize InstalledUpdate=make_set(InstalledUpdate) by Server, bin(TimeGenerated, 1d), KBNumber

And here is the results when you run the query. We got the TimeGenerated, Server Name, the KBNumber ID, and the InstalledUpdate details.

Run KQL in Azure Logic App

The final part is to schedule the query to e-mail us the results on a monthly basis.

To automate this process, we will create a Logic App to run the KQL query on a monthly basis and send the results.

Take the following steps to create a Logic App workflow:

1) Sign in to the Azure portal with your Azure account.

2) In the Azure search box, enter logic apps, and select Logic apps.

3) On the Logic apps page, select Add.

4) On the Create Logic App pane, on the Basics tab, provide the following basic information about your logic app:

• Subscription
• Resource Group
• Logic App name

5) Before you continue making selections, under Plan type, make sure to select Consumption so that you view only the settings that apply to the Consumption plan-based logic app type. A consumption plan is best for entry-level and you pay only as much as your workflow runs.

6) Continue by setting the desired Azure region and set NO to Enable log analytics.

7) When you’re done, your settings look similar to the following image.

8) When you’re ready, select Review + Create.

9) On the validation page that appears, confirm all the information that you provided, and select Create.

10) After you successfully deploy your logic app, select Go to the resource. Or, find and select your logic app resource by typing the name in the Azure search box.

11) Scroll down past the video and the section named Start with a common trigger.

12) Under Templates, select Blank Logic App.

13) This example uses a Recurrence trigger, based on a schedule. Under the designer search box, select All. In the designer search box, enter recurrence. From the Triggers list, select the Recurrence trigger (schedule) as shown in the figure below.

14) On the Recurrence step, set the desired internal and frequency (once a day, once an hour, once a week, once a month, etc.). In this example, we need to audit on a monthly basis as shown in the figure below. Click + New Step.

15) Under the designer search box, select All. In the designer search box, enter Azure Monitor Logs. From the Actions list, select the Run query and list results as shown in the figure below. Then select Sign in to create a connection to Azure Monitor Logs.

16) Next, select the desired Subscription, Resource Group, Resource Type (Log Analytics Workspace), and Resource Name where the Azure Log Analytics workspace is deployed.

Next, enter the KQL query that we described in the previous step.

// KQL List of Installed OS Patches on Azure VMs
// Automatic date calculation to get previous month
let lastmonthNumber = getmonth(datetime(now)) - 1;
let lastmonth = iff(lastmonthNumber == 0, 12, lastmonthNumber);
let year = getyear(datetime(now)) - iff(lastmonth == 12, 1, 0);
let startDate = make_datetime(year, lastmonth, 01);
let endDate = endofmonth(startDate);
UpdateRunProgress
| where TimeGenerated between(startDate .. endDate)
| project TimeGenerated, Server=Resource, UpdateGroup=UpdateRunName, ResourceGroup, InstalledUpdate=Title, InstallationStatus, KBNumber=KBID
| summarize InstalledUpdate=make_set(InstalledUpdate) by Server, bin(TimeGenerated, 1d), KBNumber

Last but not least, set the Time Range (Set in query), and the Chart Type (Html Table) as shown in the figure below.

17) Click + New Step for the final step. Under the designer search box, select All. In the designer search box, enter Office 365. From the Actions list, select the Send an email (V2) as shown in the figure below. Then select Sign in to create a connection to Office 365 Outlook.

18) Then, set the Body to Attachment Content as shown in the figure below, and then enter the desired Subject and who should receive this report.

On the designer toolbar, select Save to save your logic app, which instantly goes live in the Azure portal.

19) Finally, you could test the logic app by selecting the Run Trigger as shown in the figure below to make sure it’s working as expected.

And here is the final report right in your inbox! we have blur-boxed the Server value for obvious reasons.

That’s there you have it. Happy Azure VM Patch Auditing!

Summary

In this article, we showed you how to automatically get the list of installed patches on all Azure and non-Azure VMs for the previous month using Update Management backed by Azure automation account and log analytics in KQL and Azure Logic App.

By having this workflow in place, you can make sure that your organization’s compliance policy and auditing needs are met.

With Update Management, you enable consistent control and compliance of your virtual machines. This service is included with Azure virtual machines and Azure Arc machines. You only pay for logs stored in Log Analytics. The Azure Update Management solution is completely free even for on-premises or other clouds, there is no cost for this apart from log analytics workspace data.

The Update Management service requires a Log Analytics workspace and an Automation account. You can use your existing workspace and account or let the solution configure the nearest workspace and account for you to use.

> For more information about Azure update management, check the official documentation.

We hope this guide is useful as you patch and update your Azure VMs to protect your organization’s valuable workloads.

> Learn more about hardening Azure VMs – 5 Critical Best Practices.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-