In Azure update when doing deployment can't find machines via tags

Shicara Smith 1 Reputation point
2022-09-20T14:13:32.997+00:00

I'm trying to put my groups and schedules together. I have tagged my machines. Now these machines are primarily on-prem which updating has been working fine WHEN I select every computer separately. Now I want to schedule and do this by tag. It will not list any computers with tags.

Now these computers aren't in any resource group but rather servers in ARC....

Azure Update Manager

2 answers

  1. Ryan Hill 28,106 Reputation points Microsoft Employee
    2022-09-21T22:22:08.7+00:00

    The reason this is happening is because, by design, the tag checks are done against the Microsoft.Compute resource provider, where servers in Arc are under the Microsoft.HybridCompute/machines resource provider. A workaround is to create a data collector to pull ARC VM information based off their tags and ingest them into a linked Log Analytics workspace, then create a dynamic computer group from that table and target that group.

    Steps:

    • The script requires a Managed Identity with permission on the VMs so it can get the tag values.
    • The below script code should be used as a PowerShell Script runbook.
    • You need to change the highlighted values below with information from your workspace.
    • After running the script, you will have a table in the workspace; in the example below I named it “VMResourceTags”.
    • From this table what we need to do is query for the tag value, join the result with the heartbeat table, then create a dynamic group of that query:
    • The query would be something like the below:
      //your tags will be a column in the table and the system will automatically replace any spaces with “_” and add “Tags_” at the start and “s” at the end.  
      //in the VM the tag is “Update 1530” in the workspace it becomes “Tags_Update_1530_s”  
      VMResourceTags_CL  
      | where TimeGenerated > ago(12h)  
      | where Tags_Update_1530_s == "True"  
      | join Heartbeat on _ResourceId  
      | distinct Computer  
      
    • After running the query just save it as a function and select the computer group checkbox:
    • The last step would be to target this group in your schedule.
      #NOTE - Disclaimer  
      #Following programming examples is for illustration only, without warranty either expressed or implied,  
      #Including, but not limited to, the implied warranties of merchantability and/or fitness for a particular purpose.  
      #This sample code assumes that you are familiar with the programming language being demonstrated and the tools  
      #Used to create and debug procedures. This sample code is provided for the purpose of illustration only and is  
      #Not intended to be used in a production environment.  
      #Start of the script----------------------------------------------  
      Connect-AzAccount -Identity  
         
      $VMs = Get-AzResource -ResourceType "Microsoft.HybridCompute/machines"  
         
      # Create the vm tag records to be ingested  
      $json = ConvertTo-Json $VMs  
         
      # Replace with your Workspace ID  
      $CustomerId = ""    
         
      # Replace with your Primary Key  
      $SharedKey = ""  
         
      # Specify the name of the record type that you'll be creating  
      $LogType = "VMResourceTags"  
         
      # Optional name of a field that includes the timestamp for the data. If the time field is not specified, Azure Monitor assumes the time is the message ingestion time  
      $TimeStampField = ""  
         
      # Create the function to create the authorization signature  
      Function Build-Signature ($customerId, $sharedKey, $date, $contentLength, $method, $contentType, $resource)  
      {  
          $xHeaders = "x-ms-date:" + $date  
          $stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource  
         
          $bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash)  
          $keyBytes = [Convert]::FromBase64String($sharedKey)  
         
          $sha256 = New-Object System.Security.Cryptography.HMACSHA256  
          $sha256.Key = $keyBytes  
          $calculatedHash = $sha256.ComputeHash($bytesToHash)  
          $encodedHash = [Convert]::ToBase64String($calculatedHash)  
          $authorization = 'SharedKey {0}:{1}' -f $customerId,$encodedHash  
          return $authorization  
      }  
         
      # Create the function to create and post the request  
      Function Post-LogAnalyticsData($customerId, $sharedKey, $body, $logType)  
      {  
          $method = "POST"  
          $contentType = "application/json"  
          $resource = "/api/logs"  
          $rfc1123date = [DateTime]::UtcNow.ToString("r")  
          $contentLength = $body.Length  
          $signature = Build-Signature `  
              -customerId $customerId `  
              -sharedKey $sharedKey `  
              -date $rfc1123date `  
              -contentLength $contentLength `  
              -method $method `  
              -contentType $contentType `  
              -resource $resource  
          $uri = "https://" + $customerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"  
         
          $headers = @{  
              "Authorization" = $signature;  
              "Log-Type" = $logType;  
              "x-ms-date" = $rfc1123date;  
              "time-generated-field" = $TimeStampField;  
          }  
         
          $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing #-debug  
          return $response.StatusCode  
         
      }  
         
      # Submit the data to the API endpoint  
      Post-LogAnalyticsData -customerId $customerId -sharedKey $sharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($json)) -logType $logType  
         
      #End of the script------------------------------------------------  
      
    0 comments No comments
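
An offline pre-flight for the runbook in the answer above, added here as an example and not part of the answer or of Microsoft's sample: it trims each Arc machine to name, resource ID and tags before ingestion, and flags tag names that would map to the same workspace column under the naming rule the answer describes. The machine objects, subscription ID, resource group and function names are constructed for illustration.

```powershell
# Constructed sample standing in for the output of:
#   Get-AzResource -ResourceType "Microsoft.HybridCompute/machines"
$rg  = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc'
$arc = "$rg/providers/Microsoft.HybridCompute/machines"
$sampleMachines = @(
    [pscustomobject]@{ Name = 'srv-app01'; ResourceId = "$arc/srv-app01"
                       Tags = @{ 'Update 1530' = 'True'; 'Owner' = 'ops' } }
    [pscustomobject]@{ Name = 'srv-db01'; ResourceId = "$arc/srv-db01"
                       Tags = @{ 'Update 1530' = 'False'; 'Update_1530' = 'True' } }
    [pscustomobject]@{ Name = 'srv-web01'; ResourceId = "$arc/srv-web01"; Tags = $null }
)

function Get-TagColumnName([string]$TagName) {
    # Naming rule as described in the answer: spaces become "_", "Tags_" is
    # prefixed, and string values get the "_s" type suffix.
    'Tags_{0}_s' -f ($TagName -replace ' ', '_')
}

function ConvertTo-TagRecord($Machine) {
    # Send only what the dynamic-group query needs, not the whole resource object.
    $tags = @{}
    if ($Machine.Tags) {
        foreach ($k in $Machine.Tags.Keys) { $tags[$k] = [string]$Machine.Tags[$k] }
    }
    [pscustomobject]@{ Name = $Machine.Name; ResourceId = $Machine.ResourceId; Tags = $tags }
}

function Find-TagColumnCollision($Machines) {
    # Tag names that land in the same column are indistinguishable in the
    # workspace, so a filter on that column cannot tell which tag matched.
    $Machines | Where-Object Tags | ForEach-Object { $_.Tags.Keys } | Sort-Object -Unique |
        Group-Object { Get-TagColumnName $_ } | Where-Object Count -gt 1 |
        ForEach-Object { [pscustomobject]@{ Column = $_.Name; TagNames = $_.Group -join ', ' } }
}

$records = $sampleMachines | ForEach-Object { ConvertTo-TagRecord $_ }
$json = ConvertTo-Json @($records) -Depth 3   # the body the runbook would post

# Report colliding tag names and machines that no tag filter can ever select.
Find-TagColumnCollision $sampleMachines | Format-Table -AutoSize
$records | Where-Object { $_.Tags.Count -eq 0 } |
    ForEach-Object { "No tags, will never match a tag filter: $($_.Name)" }
```

In the runbook, `ConvertTo-TagRecord` would be applied to `$VMs` before `ConvertTo-Json`, and the workspace key can be read with `Get-AutomationVariable` from an encrypted Automation variable rather than pasted into `$SharedKey`.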

  2. Matt9300 31 Reputation points
    2022-10-18T09:42:04.253+00:00

    This is now fixed - I raised it as a technical issue with Microsoft
