Configure Update Compliance Patch Management Reports using Intune and Log Analytics

Let’s configure Update Compliance patch management reports using Intune and Log Analytics. Update Compliance is not part of the MEM Intune solution. It is an additional service provided by the Windows team. This reporting solution helps you get patch compliance reports for Intune managed devices.

Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. The service gives users a holistic view of Windows 10 or Windows 11 update compliance, update deployment, and failure troubleshooting.

Update Compliance helps to monitor security, quality, and feature updates for Intune managed Windows 10 or Windows 11 PCs. It also helps to get troubleshooting data from Windows PCs. The Delivery Optimization data helps organizations learn more about bandwidth savings, etc.

Five (5) Update Compliance data types are available. They are collected as part of the Windows as a Service (WaaS) and Windows Update (WU) services. You can also get the details of Windows Update Delivery Optimization from Windows 10 and Windows 11 PCs. Sometimes you will see one additional data type, WDAVStatus (Desktop Analytics).

WaaS Update Status
WaaS Insider Status
WaaS Deployment Status
WU DO Aggregated Status
WU DO Status

Update Compliance Prerequisites

Let’s have a quick look at the prerequisites for the Update Compliance setup. You will need to have appropriate access to Azure Subscription to create a Log Analytics workspace and connect the Update compliance service with the log analytics workspace. Also, you should have appropriate access permissions for Intune policy creation and deployment.

  • Windows 10 or Windows 11 Professional, Education, and Enterprise editions. It also supports Windows 10 or Windows 11 Multi-Session edition.
  • Supports General Availability and LTSC channels. Windows Insider channels are not fully supported.
  • Diagnostic data should be set to the Required level.
  • Firewall and Proxy Communication should be opened to contact specific endpoints for Update Compliance.
    • https://v10c.events.data.microsoft.com
    • https://v10.vortex-win.data.microsoft.com
    • https://settings-win.data.microsoft.com
    • http://adl.windows.com
    • https://watson.telemetry.microsoft.com
    • https://oca.telemetry.microsoft.com
    • https://login.live.com

Connect – Set Up and Configure Update Compliance with Azure Subscription and Log Analytics

It’s now time to set up and configure Update Compliance. You will need to follow the steps mentioned below to complete the Update Compliance reporting servicing for Windows as a Service solution. Log in to the Azure portal with appropriate permissions.

  • Launch https://azuremarketplace.microsoft.com/en-US/marketplace/apps/microsoft.waasupdateinsights?tab=overview
  • Click Get it Now, then click the Continue button on the new page.

If you already have a Log Analytics workspace, you can select the following options to create the Update Compliance solution. Click on Review + Create now to complete the creation process of Update Compliance Solution.

NOTE! – To create a new log analytics workspace, go to Marketplace > Log Analytics Workspace > Create. See documentation at: https://aka.ms/AAbkhwa

Get the Commercial ID for WaaSUpdate Insights

You can get a commercial ID key from the WaaSUpdate Insights -> Update Compliance Settings page. This ID is used when creating Intune policy to collect the data from Intune managed Windows 10 or Windows 11 PCs.

  • Navigate to the Resource Group where you have created Log Analytics Workspace.
  • Search with WaaSUpdateInsights and click on WaasUpdateInsight resource.
  • Click on Update Compliance Settings to collect the Commercial ID.
  • Copy the Commercial ID somewhere safe because you will need it at a later stage.

Intune Update Compliance Data Collection Policy

You will need to create a settings catalog Intune policy to deploy Update Compliance related policies to Windows 10 or Windows 11 devices. There are five policies that you will need to deploy. However, only three policies are available in Intune Settings catalog.

You will need to create a custom policy to cover the remaining two policies. You can learn more about creating settings catalog policies from the below post.

AllowDeviceNameInDiagnosticData
AllowTelemetry
CommercialID

The following are the two custom policies that are created to collect the telemetry data from Windows 10 or Windows 11 PCs. You can refer to the Customize Windows 11 Start Menu Layout Settings post to learn more about the custom policy creation process.

Name: Configure Telemetry OptIn Settings Ux
Description: Disables the ability of end-users to adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
OMA-URI: ./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx
Data type: Integer
Value: 1 (Disable)

Add a setting to Allow Update Compliance processing; this policy is required for Update Compliance:

Name: Allow Update Compliance Processing
Description: Opts device data into Update Compliance processing. Required to see data.
OMA-URI: ./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing
Data type: Integer
Value: 16

Deploy these policies to all Windows devices from which you want to collect Update Compliance data.

Update Compliance Reports Data Latency

You will have some time to relax now because the Update Compliance service takes around 48-72 hours to populate the data once it is collected from Windows 10 or Windows 11 devices. This 48-72 hour window is how long it takes for data to appear for the first time after you add Update Compliance and configure it appropriately on your devices.

Data Type            | Data upload rate from the device              | Data Latency
WaaSUpdateStatus     | Once per day                                  | 4 hours
WaaSInsiderStatus    | Once per day                                  | 4 hours
WDAVStatus           | ?                                             | ?
WaaSDeploymentStatus | Every update event (Download, install, etc.)  | 24-36 hours
WUDOAggregatedStatus | On update event, aggregated over time         | 24-36 hours
WUDOStatus           | Once per day                                  | 12 hours

Update Compliance Reports

You can open up the Log analytics workspace created in the above section and navigate to the Logs page to check the reports coming from Update Compliance. You can create different kinds of dashboards with the Update Compliance data.

From the Tables list, you will be able to find the Update Compliance tables. It takes time for the Update Compliance tables to be created, so you will need to wait until the Update Compliance data has been processed. Until then, you might not see these tables under the Logs page.

There are 6 tables available for Update Compliance data. You can check the table details below.

WaaSDeploymentStatus
WaaSInsiderStatus
WaaSUpdateStatus
WDAVStatus
WUDOAggregatedStatus
WUDOStatus
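
An added example (not from the original post): a Log Analytics query that shows, for each of the tables listed above, when the last record arrived, so you can compare it with the latency figures in the previous section. It relies only on the standard TimeGenerated column, and isfuzzy=true lets it run while some of the tables have not been created yet.

```kusto
// Added example, not from the original post.
// Freshness of each Update Compliance table in the workspace.
// isfuzzy=true: tables that do not exist yet are skipped instead of
// failing the whole query (at least one of them must exist).
union withsource=TableName isfuzzy=true
    WaaSUpdateStatus,
    WaaSInsiderStatus,
    WaaSDeploymentStatus,
    WUDOAggregatedStatus,
    WUDOStatus,
    WDAVStatus
// Explicit time window so the portal's default range does not hide data.
| where TimeGenerated > ago(14d)
| summarize LastRecord = max(TimeGenerated), Records = count() by TableName
// Hours since the newest record; compare with the expected latency per table.
| extend AgeHours = datetime_diff('hour', now(), LastRecord)
| order by AgeHours desc
```

A table that is missing from the result has received no data in the last 14 days or has not been created yet.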

Once data is populated, you can query any of the tables to get more details about the update compliance or patching of Intune managed Windows devices.
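
An added example of such a query (not from the original post): it takes the most recent WaaSUpdateStatus record for each device and lists the devices that are not on the latest security update. The column names and the "Latest" value come from Microsoft's published WaaSUpdateStatus schema rather than from this post, so confirm them against your own workspace.

```kusto
// Added example, not from the original post.
// Column names (ComputerID, OSSecurityUpdateStatus, ...) are assumed from
// Microsoft's published WaaSUpdateStatus schema; verify in your workspace.
WaaSUpdateStatus
| where TimeGenerated > ago(7d)
// Devices upload once per day, so keep only the newest record per device.
| summarize arg_max(TimeGenerated, *) by ComputerID
// Anything other than "Latest" means at least one security update is missing.
| where OSSecurityUpdateStatus != "Latest"
| project Computer,
          OSVersion,
          OSBuild,
          OSSecurityUpdateStatus,
          OSQualityUpdateStatus,
          NeedAttentionStatus,
          LastScan
// Devices that have not scanned for the longest time come first.
| order by LastScan asc
```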

Author

About Author -> Anoop is Microsoft’s Most Valuable Professional Award winner from 2015 on the technologies! He is a Solution Architect on enterprise device management solutions with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like Configuration Manager, Windows 365 Cloud PC, Intune, Azure Virtual Desktop, Windows 10, and Windows 11.
