Use OMS to create alerts for missing security or other updates

Summary: Learn how to use the Microsoft Operations Management Suite (OMS) alerting feature to generate alerts when security or other updates are missing from your systems, in this article by Ed Wilson.

This post is the third post in a multi-part series of blog posts about OMS alerting. To fully understand this post, you should read the entire series in order.

Here are the posts in the series:

  1. OMS alerting is now generally available
  2. Learn how to get started using OMS alert management
  3. Use OMS to create alerts for missing security and other updates
  4. Set up an Operations Management Suite alert that detects suspicious executables
  5. Use the OMS log search feature to report on custom OMS alerts

Good morning everyone, Ed Wilson here, and today I want to talk about how to use Microsoft Operations Management Suite (OMS) to trigger alerts based on missing security updates or other updates.

First off, get a good query

The easiest way to get a good query that reports the security updates and other updates missing from my systems is to use the System Update Assessment solution.

NOTE: If the System Update Assessment solution is missing from your OMS installation, you can add it in via Overview > Settings > Solutions gallery.

On the System Update Assessment overview page, I can immediately see the number of missing critical or security updates, the computers whose critical or security updates have been missing for more than 30 days, and a total count of all missing updates. The Updates overview page is shown here:

Screenshot of the OMS Updates overview page.

Select the security and update alert that I want to configure

All I need to do is decide what type of alert to configure, because that determines which query I run. I want to be alerted on every computer that reports missing critical updates or missing security updates, regardless of how long they have been missing or how many are missing. So I choose the Critical or Security Updates report. The search page is shown here:

Screenshot of the query for the Critical or Security Updates report on the search page.

The query behind this search is shown here:

Type:Update (Classification:"Security Updates" OR Classification:"Critical Updates") AND UpdateState=Needed AND Optional=false AND Approved!=false | measure count() by Computer

Each clause narrows the result: only the Security Updates or Critical Updates classifications, only updates still in the Needed state, no optional updates, and no updates that were explicitly declined (Approved!=false also keeps records that carry no approval value at all). The measure count() by Computer clause returns one row per computer with its count of missing updates, so the number of results the alert sees is the number of affected computers, not the number of updates.

From this page, I select the Alert icon on the toolbar under the Search heading. The following page appears:

Screenshot of options to set an alert rule.

The cool thing is that the search query fills in automatically, so I avoid copy, paste, and edit errors.

I now need to assign an alert name, set the time window, set the threshold, and specify the email actions. I keep the 15-minute time window but change the threshold to greater than zero, so the alert fires whenever the query returns at least one computer. I then set alert throttling to 120 minutes, so I am not emailed every 15 minutes while the same updates remain missing, and I fill in my email address and subject. This appears in the following figure:

Screenshot of an alert that has options selected.

Once I'm happy with the settings, I click Save to create the new alert for missing security and critical updates.
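To make the query and the alert rule settings concrete, here is an added Python example that is not code from this post or from OMS. It emulates, over constructed sample records, the filter clauses of the query above, the measure count() by Computer grouping, the 15-minute window with a results threshold of greater than zero, and the 120-minute throttle. The record shape (rec, SAMPLE_UPDATES), the assumption that the threshold counts result rows returned over the trailing window (evaluate_alert), and the throttle behaviour (Throttle) are my assumptions about how the legacy OMS rule behaves, not something the post states.

```python
from collections import Counter
from datetime import datetime, timedelta

# Fixed "now" so the constructed sample below is reproducible (assumption, not real data).
NOW = datetime(2016, 3, 1, 9, 0)


def rec(computer, classification, state, optional, approved, age_minutes):
    """Build one constructed Type:Update row (illustrative shape, not real OMS data).
    approved=None leaves the Approved field out of the record entirely."""
    row = {"Type": "Update", "Computer": computer, "Classification": classification,
           "UpdateState": state, "Optional": optional,
           "TimeGenerated": NOW - timedelta(minutes=age_minutes)}
    if approved is not None:
        row["Approved"] = approved
    return row


# Constructed sample data: three computers plus one stale record outside the window.
SAMPLE_UPDATES = [
    rec("web01", "Security Updates", "Needed", False, True, 5),     # counts
    rec("web01", "Critical Updates", "Needed", False, None, 3),     # counts: no Approved value, so Approved!=false holds
    rec("sql01", "Security Updates", "Needed", False, True, 10),    # counts: second computer
    rec("sql01", "Security Updates", "Installed", False, True, 2),  # excluded: not Needed
    rec("app01", "Security Updates", "Needed", True, True, 2),      # excluded: optional update
    rec("app01", "Critical Updates", "Needed", False, False, 2),    # excluded: declined (Approved=false)
    rec("app01", "Feature Packs", "Needed", False, True, 2),        # excluded: wrong classification
    rec("old01", "Security Updates", "Needed", False, True, 40),    # matches, but outside a 15-minute window
]


def matches_query(row):
    """Row filter for the post's query, without the measure clause:
    Type:Update (Classification:"Security Updates" OR Classification:"Critical Updates")
    AND UpdateState=Needed AND Optional=false AND Approved!=false"""
    return (row.get("Type") == "Update"
            and row.get("Classification") in ("Security Updates", "Critical Updates")
            and row.get("UpdateState") == "Needed"
            and row.get("Optional") is False
            and row.get("Approved") is not False)  # != false also admits a missing field


def measure_count_by_computer(rows):
    """`| measure count() by Computer`: one result row per computer with its count."""
    return dict(Counter(r["Computer"] for r in rows if matches_query(r)))


def evaluate_alert(rows, now, window_minutes=15, threshold=0):
    """Assumed rule semantics: run the query over the trailing window and fire when the
    number of result rows is greater than the threshold. Because the query groups by
    Computer, 'greater than 0' means at least one computer is missing an update."""
    start = now - timedelta(minutes=window_minutes)
    in_window = [r for r in rows if start <= r["TimeGenerated"] <= now]
    results = measure_count_by_computer(in_window)
    return len(results) > threshold, results


class Throttle:
    """Assumed throttle behaviour: after a notification is sent, suppress further
    notifications for `minutes` (the post uses 120)."""

    def __init__(self, minutes):
        self.interval = timedelta(minutes=minutes)
        self.last_sent = None

    def should_send(self, now):
        if self.last_sent is None or now - self.last_sent >= self.interval:
            self.last_sent = now
            return True
        return False


if __name__ == "__main__":
    fired, results = evaluate_alert(SAMPLE_UPDATES, NOW)
    print("alert fires:", fired)
    for computer, count in sorted(results.items()):
        print(f"  {computer}: {count} missing critical/security update(s)")
```

Running it shows why the threshold is set on computers rather than updates: web01 has two missing updates and sql01 one, but the rule sees two result rows. The old01 record still matches the filter yet falls outside the 15-minute window, so a computer that stopped reporting would silently drop out of the alert, which is worth a separate heartbeat check.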

Later on, I will hook up a runbook and automatically remediate the missing updates.

That is all I have for you today. If you would like a free Microsoft Operations Management Suite (#MSOMS) subscription so that you can test out the new alerting features, you can sign up for one. You can also get a free Microsoft Azure subscription.

Join me tomorrow when I’ll talk some more about alerting.

I invite you to follow me on Twitter and the Microsoft OMS Facebook site. If you want to learn more about Windows PowerShell, visit the Hey, Scripting Guy Blog. If you have any questions, send email to me at scripter@microsoft.com. I wish you a wonderful day, and I’ll see you tomorrow.

Ed Wilson
Microsoft Operations Management Team