Merge pull request #218344 from deeikele/deeikele/audit-ci

prmerger-automator[bot] · web-flow · commit 2227b2a7c4b4 · 2022-11-15T21:50:44.000Z
Audit and observe compute instance os version preview
diff --git a/articles/machine-learning/concept-vulnerability-management.md b/articles/machine-learning/concept-vulnerability-management.md
@@ -72,7 +72,7 @@ It's a shared responsibility between you and Microsoft to ensure that your envir
 
 ### Compute instance
 
-Compute instances get the latest VM images at the time of provisioning. Microsoft releases new VM images on a monthly basis. Once a compute instance is deployed, it does not get actively updated. To keep current with the latest software updates and security patches, you could:
+Compute instances get the latest VM images at the time of provisioning. Microsoft releases new VM images on a monthly basis. Once a compute instance is deployed, it does not get actively updated. You could [query an instance's operating system version](how-to-create-manage-compute-instance.md#audit-and-observe-compute-instance-version-preview). To keep current with the latest software updates and security patches, you could:
 
 1. Recreate a compute instance to get the latest OS image (recommended)
 
@@ -147,4 +147,4 @@ For code-based training experiences, you control which Azure Machine Learning en
 * [Azure Machine Learning Base Images Repository](https://github.com/Azure/AzureML-Containers)
 * [Data Science Virtual Machine release notes](./data-science-virtual-machine/release-notes.md)
 * [AzureML Python SDK Release Notes](./azure-machine-learning-release-notes.md)
-* [Machine learning enterprise security](/azure/cloud-adoption-framework/ready/azure-best-practices/ai-machine-learning-enterprise-security)
+* [Machine learning enterprise security](/azure/cloud-adoption-framework/ready/azure-best-practices/ai-machine-learning-enterprise-security)
diff --git a/articles/machine-learning/how-to-create-manage-compute-instance.md b/articles/machine-learning/how-to-create-manage-compute-instance.md
@@ -726,6 +726,72 @@ To create a compute instance, you'll need permissions for the following actions:
 * *Microsoft.MachineLearningServices/workspaces/computes/write*
 * *Microsoft.MachineLearningServices/workspaces/checkComputeNameAvailability/action*
 
+### Audit and observe compute instance version (preview)
+
+Once a compute instance is deployed, it does not get automatically updated. Microsoft [releases](azure-machine-learning-ci-image-release-notes.md) new VM images on a monthly basis. To understand options for keeping recent with the latest version, see [vulnerability management](concept-vulnerability-management.md#compute-instance). 
+
+To keep track of whether a compute instance's operating system version is current, you could query an instance's version using the Studio UI, CLI and SDK.
+
+# [Python SDK](#tab/python)
+
+[!INCLUDE [sdk v2](../../includes/machine-learning-sdk-v2.md)]
+
+```python
+from azure.ai.ml.entities import ComputeInstance, AmlCompute
+
+# Display operating system version
+instance = ml_client.compute.get("myci")
+print instance.os_image_metadata
+```
+
+For more information on the classes, methods, and parameters used in this example, see the following reference documents:
+
+* [`AmlCompute` class](/python/api/azure-ai-ml/azure.ai.ml.entities.amlcompute)
+* [`ComputeInstance` class](/python/api/azure-ai-ml/azure.ai.ml.entities.computeinstance)
+
+# [Azure CLI](#tab/azure-cli)
+
+[!INCLUDE [cli v2](../../includes/machine-learning-cli-v2.md)]
+
+```azurecli
+az ml compute show --name "myci"
+```
+
+# [Studio](#tab/azure-studio)
+
+In your workspace in Azure Machine Learning studio, select Compute, then select compute instance on the top. Select a compute instance's compute name to see its properties including the current operating system. When a more recent instance OS version is, use the creation wizard to create a new instance. Enable 'audit and observe compute instance os version' under the previews management panel to see these preview properties.
+
+---
+
+Administrators can use [Azure Policy](./../governance/policy/overview.md) definitions to audit instances that are running on outdated operating system versions across workspaces and subscriptions. The following is a sample policy:
+
+```json
+{
+    "mode": "All",
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.MachineLearningServices/workspaces/computes"
+          },
+          {
+            "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType",
+            "equals": "ComputeInstance"
+          },
+          {
+            "field": "Microsoft.MachineLearningServices/workspaces/computes/osImageMetadata.isLatestOsImageVersion",
+            "equals": "false"
+          }
+        ]
+      },
+      "then": {
+        "effect": "Audit"
+      }
+    }
+}    
+```
+
 ## Next steps
 
 * [Access the compute instance terminal](how-to-access-terminal.md)
