Azure Update Manager compliance workbook starter
Starter template for an Azure Workbook plus Resource Graph evidence pack that shows patch compliance, pending updates, unsupported coverage, and patch-group drift across Azure and Arc-enabled machines.
Good For
- Monthly patch compliance reporting
- CAB or maintenance-window evidence
- Azure Arc and Azure VM fleet visibility
- Patch-group drift review by tag, subscription, or resource group
- Operator notes for exceptions and remediation follow-up
How to Use It
- Define workbook scope and audience: Set workbook parameters for Subscription, Resource Group, OS type, PatchGroup tag, and time range. Decide whether the workbook is operator-facing only or suitable for management consumption. Record expected fleet scope: Azure VMs only, Arc-enabled servers only, or both.
- Build the summary section: Create top tiles for Total machines in scope, Assessed recently, Machines with pending updates, Machines with no recent assessment, and Machines missing PatchGroup tag. Add a grid grouped by subscription and resource group showing total machines, compliant count, pending count, and stale assessment count. Include a note block that defines compliance logic used in the workbook.
- Add detailed evidence views: Create a machine detail grid with machine name, resource type, subscription, PatchGroup, assessment status, pending patch count, reboot indicator if available, and last assessment time. Add a breakdown by OS type and by patch classification where assessment data exists. Add a stale-data view listing machines without a recent assessment inside the agreed reporting window.
- Add drift and hygiene views: Create a tag hygiene section to list machines missing PatchGroup, Environment, or Owner tags. Add a drift view to show machines in the same app or resource group that have different PatchGroup values. Highlight Arc machines or subscriptions with no assessment records so onboarding gaps are visible.
- Attach operator notes and export outputs: Reserve a final text section for exceptions, approved deferrals, and actions assigned to platform or application owners. Export workbook screenshots or workbook JSON for change records if required. Save the Resource Graph query outputs as CSV evidence for ticket attachments.
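The compliance logic those steps describe (recent-assessment window, pending-update and stale-assessment tiles, missing-tag count, tag hygiene, and PatchGroup drift within a resource group) applied to the CSV exports from the Command Starter, as an added Python example that is not part of this template. The two CSV inputs are constructed samples shaped like the `az graph query --output csv` projections (fleet columns name, type, subscriptionId, resourceGroup, location, patchGroup, env, owner; assessment columns machineName, status, osType, patchServiceUsed, lastModified, pendingPatchCount); the seven-day reporting window and the fixed report date are assumptions, not values from the template.

```python
"""Compute workbook summary tiles, tag hygiene and PatchGroup drift from the
Resource Graph CSV exports. Added example; column names follow the Command
Starter projections, sample rows are constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of patch-tag-review.csv (fleet + tags).
FLEET_CSV = """name,type,subscriptionId,resourceGroup,location,patchGroup,env,owner
web01,microsoft.compute/virtualmachines,sub-a,rg-app1,eastus,Wave1,Prod,team-web
web02,microsoft.compute/virtualmachines,sub-a,rg-app1,eastus,Wave2,Prod,team-web
db01,microsoft.hybridcompute/machines,sub-a,rg-app1,eastus,Wave1,Prod,
legacy01,microsoft.hybridcompute/machines,sub-b,rg-legacy,westus,,,
"""

# Constructed sample in the shape of the PatchAssessmentResources projection.
ASSESS_CSV = """machineName,status,osType,patchServiceUsed,lastModified,pendingPatchCount
web01,Succeeded,Windows,WU,2024-06-01T02:00:00Z,0
web02,Succeeded,Windows,WU,2024-06-01T02:05:00Z,7
db01,Succeeded,Linux,YUM,2024-04-20T02:00:00Z,3
"""

REQUIRED_TAGS = ("patchGroup", "env", "owner")  # assumed tag schema
WINDOW_DAYS = 7                                  # assumed reporting window
REPORT_DATE = datetime(2024, 6, 3, tzinfo=timezone.utc)  # fixed for reproducibility


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    # Resource Graph emits ISO-8601 UTC timestamps with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(fleet_rows, assess_rows, now, window_days=WINDOW_DAYS):
    """Summary tiles. A machine counts as assessed only when its newest record
    falls inside the window; anything older or absent is a stale/missing
    assessment and is never reported as compliant."""
    cutoff = now - timedelta(days=window_days)
    latest = {}  # machineName -> newest assessment record
    for row in assess_rows:
        ts = parse_ts(row["lastModified"])
        name = row["machineName"]
        if name not in latest or ts > latest[name]["ts"]:
            latest[name] = {"ts": ts, "pending": int(row["pendingPatchCount"] or 0)}
    tiles = {"total": len(fleet_rows), "assessed_recently": 0, "pending_updates": 0,
             "no_recent_assessment": 0, "missing_patchgroup": 0}
    for m in fleet_rows:
        rec = latest.get(m["name"])
        if rec and rec["ts"] >= cutoff:
            tiles["assessed_recently"] += 1
            if rec["pending"] > 0:
                tiles["pending_updates"] += 1
        else:
            tiles["no_recent_assessment"] += 1
        if not m["patchGroup"]:
            tiles["missing_patchgroup"] += 1
    return tiles


def tag_hygiene(fleet_rows):
    """Machines missing any required tag, mapped to the missing tag names."""
    return {m["name"]: [t for t in REQUIRED_TAGS if not m[t]]
            for m in fleet_rows if any(not m[t] for t in REQUIRED_TAGS)}


def patchgroup_drift(fleet_rows):
    """Resource groups whose tagged machines carry more than one PatchGroup value."""
    groups = defaultdict(set)
    for m in fleet_rows:
        if m["patchGroup"]:
            groups[(m["subscriptionId"], m["resourceGroup"])].add(m["patchGroup"])
    return {f"{sub}/{rg}": sorted(v) for (sub, rg), v in groups.items() if len(v) > 1}


def build_report(fleet_csv=FLEET_CSV, assess_csv=ASSESS_CSV, now=REPORT_DATE):
    """Everything a workbook section would show, from the two exports."""
    fleet, assess = parse_csv(fleet_csv), parse_csv(assess_csv)
    return {"tiles": summarize(fleet, assess, now),
            "tag_hygiene": tag_hygiene(fleet),
            "drift": patchgroup_drift(fleet)}


if __name__ == "__main__":
    for section, value in build_report().items():
        print(section, value)
```

Point `build_report` at the real exports (read the CSV files produced by the Command Starter instead of the embedded samples) and the tile values can be checked against the workbook totals for the same scope and window, which is the reconciliation the Validation section asks for.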
Execution Modes
- local
Inputs and Outputs
Inputs
- Scope
- Reporting window
- Tag schema
- Compliance definition
Outputs
- verbose-console
- csv
- operator-notes
Command Starter
Safe to run: read-only
# Confirm Azure CLI scope before running Resource Graph queries.
az account show --output table

# Fleet scope: Azure VMs plus Arc-enabled machines.
az graph query -q "Resources | where type =~ 'microsoft.compute/virtualmachines' or type =~ 'microsoft.hybridcompute/machines' | project id, name, type, subscriptionId, resourceGroup, location, tags" --first 1000 --output table

# Patch assessment evidence. Confirm tenant schema before production use.
az graph query -q "PatchAssessmentResources | project machineName=tostring(properties.machineName), status=tostring(properties.status), osType=tostring(properties.osType), patchServiceUsed=tostring(properties.patchServiceUsed), lastModified=todatetime(properties.lastModifiedDateTime), pendingPatchCount=toint(properties.availablePatchCountByClassification.total)" --first 1000 --output table

# Tag review export for workbook hygiene and drift checks.
az graph query -q "Resources | where type =~ 'microsoft.compute/virtualmachines' or type =~ 'microsoft.hybridcompute/machines' | extend patchGroup=tostring(tags['PatchGroup']), env=tostring(tags['Environment']), owner=tostring(tags['Owner']) | project name, type, subscriptionId, resourceGroup, location, patchGroup, env, owner" --first 1000 --output csv > patch-tag-review.csv
Validation
- Workbook totals reconcile with the Resource Graph export for the same scope, time window, and machine population.
- Machines missing recent assessments are called out separately from compliant machines so evidence gaps are visible.
- PatchGroup, Environment, and Owner tag exceptions are visible in the workbook and match the exported drift or hygiene views.
- A reviewer can trace every summary tile or chart back to a saved query, CSV export, or documented workbook section without guessing at the data source.
Reporting
- Fleet summary: total machines in scope, assessed recently, machines with pending updates, machines with missing or stale assessment data, and machines missing required patching tags.
- Compliance summary: counts by patch group, environment, operating system, subscription, and resource group.
- Evidence summary: saved Resource Graph outputs, workbook JSON/version notes, CSV exports, and exception notes attached to the change or monthly review record.
- Management summary: compliance percentage, evidence gaps, top drift categories, and owner follow-up items.
Safety Notes
- This is a reporting template; keep all queries read-only and avoid embedding remediation actions in the workbook.
- Resource Graph and Azure Update Manager schemas can vary by tenant and feature rollout; test queries in a non-production workbook before broad use.
- Do not treat missing assessment data as proof of compliance; report it separately as an evidence gap.
- Retention of assessment and installation history is limited. Design workbook time windows and export processes around Microsoft's current retention behavior, not around an assumption of unlimited lookback.
- If tags drive maintenance scheduling, validate tag sources with platform owners before using drift output for escalation.