Let’s configure Update Compliance patch management reports using Intune and Log Analytics. Update Compliance is not part of the MEM Intune solution. It is an additional service provided by the Windows team. This reporting solution helps to get patch compliance reports for Intune managed devices.
Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. The Update Compliance service provides users a holistic view of Windows 10 or Windows 11 update compliance, update deployment, and failure troubleshooting.
Update Compliance helps to monitor security, quality, and feature updates for Intune managed Windows 10 or Windows 11 PCs. It also helps to get troubleshooting data from Windows PCs. The Delivery Optimization related data helps organizations learn more about bandwidth savings, etc.
There are five (5) Update Compliance data types, collected as part of the Windows as a Service (WaaS) and Windows Update (WU) services. You can also get more details from the List of Intune Devices With Patch Deployment Status and Country Details Using KQL Queries. The five data types are:
- WaaS Update Status
- WaaS Insider Status
- WaaS Deployment Status
- WU DO Aggregated Status
- WU DO Status
Update Compliance Prerequisites
Let’s have a quick look at the prerequisites for the Update Compliance setup. You will need appropriate access to the Azure subscription to create a Log Analytics workspace and connect the Update Compliance service with the Log Analytics workspace. You should also have appropriate access permissions for Intune policy creation and deployment.
- Windows 10 or Windows 11 Professional, Education, and Enterprise editions. It also supports Windows 10 or Windows 11 Multi-Session edition.
- Supports General Availability and LTSC channels. Windows Insider channels are not fully supported.
- Diagnostic data should be set to the Required level.
- Firewall and Proxy Communication should be opened to contact specific endpoints for Update Compliance.
Connect – Set Up and Configure Update Compliance with Azure Subscription and Log Analytics
It’s now time to set up and configure Update Compliance. You will need to follow the steps mentioned below to complete the setup of the Update Compliance reporting service for the Windows as a Service solution. Log in to the Azure portal with appropriate permissions.
- Launch https://azuremarketplace.microsoft.com/en-US/marketplace/apps/microsoft.waasupdateinsights?tab=overview
- Click on Get it Now, then click on the Continue button on the new page.
If you already have a Log Analytics workspace, you can select the following options to create the Update Compliance solution. Click on Review + Create now to complete the creation process of Update Compliance Solution.
NOTE! – To create a new log analytics workspace, go to Marketplace > Log Analytics Workspace > Create. See documentation at: https://aka.ms/AAbkhwa
Get the Commercial ID for WaaSUpdate Insights
You can get the Commercial ID key from the WaaSUpdate Insights -> Update Compliance Settings page. This ID is used when creating the Intune policy to collect data from Intune managed Windows 10 or Windows 11 PCs.
- Navigate to the Resource Group where you have created Log Analytics Workspace.
- Search with WaaSUpdateInsights and click on WaasUpdateInsight resource.
- Click on Update Compliance Settings to collect the Commercial ID.
- Copy the Commercial ID somewhere safe because you will need it at a later stage.
Intune Update Compliance Data Collection Policy
You will need to create a settings catalog Intune policy to deploy Update Compliance related policies to Windows 10 or Windows 11 devices. There are five policies that you will need to deploy. However, only three policies are available in the Intune Settings catalog.
You will need to create a custom policy to cover the remaining two policies. You can learn more about creating settings catalog policies from the post below.
- How to Create Intune Settings Catalog Policy
- You can use the following 3 keywords to find the appropriate policies from the Settings catalog.
The following are the two custom policies that are created to collect the telemetry data from Windows 10 or Windows 11 PCs. You can refer to Customize Windows 11 Start Menu Layout Settings post to know more about the custom policy creation process.
Name: Configure Telemetry OptIn Settings Ux
Description: Disables the ability of end users to adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
Data type: Integer
Value: 1 (Disable)
Add a setting to Allow Update Compliance processing; this policy is required for Update Compliance:
Name: Allow Update Compliance Processing
Description: Opts device data into Update Compliance processing. Required to see data.
Data type: Integer
Deploy these policies to all Windows devices from which you want to collect Update Compliance data.
Update Compliance Reports Data Latency
You will have some time to relax now because the Update Compliance service will take around 48-72 hours to populate the data once collected from Windows 10 or Windows 11 devices. This 48-72 hour delay applies to the first time data appears after you have added Update Compliance and appropriately configured it on your devices. After that, each data type follows the upload rate and latency shown below.
| Data Type | Data upload rate from the device | Data Latency |
|---|---|---|
| WaaSUpdateStatus | Once per day | 4 hours |
| WaaSInsiderStatus | Once per day | 4 hours |
| WaaSDeploymentStatus | Every update event (Download, install, etc.) | 24-36 hours |
| WUDOAggregatedStatus | On update event, aggregated over time | 24-36 hours |
| WUDOStatus | Once per day | 12 hours |
Update Compliance Reports
You can open up the Log Analytics workspace created in the above section and navigate to the Logs page to check the reports coming from Update Compliance. You can create different kinds of dashboards with the Update Compliance data.
From the Tables list, you will be able to find the Update Compliance tables. It takes time for the Update Compliance tables to be created, so you will need to wait until the Update Compliance data has been processed. Until then, you might not see these tables under the Logs page.
There are 6 tables available for Update Compliance data. You can check the table details below.
Once data is populated, you can query any of the tables to get more details about the update compliance or patching of Intune managed Windows devices.
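As an added example (not from the original post), the query below can be run on the Logs page to list devices whose latest WaaSUpdateStatus record shows a missing security or quality update, or that have stopped reporting. It assumes the WaaSUpdateStatus column names from Microsoft's published schema and the status literal "Latest"; the 14-day window and 3-day staleness threshold are illustrative assumptions.

```kql
// Added example: patch-compliance triage over the WaaSUpdateStatus table.
// Assumptions: column names follow the published WaaSUpdateStatus schema;
// "Latest" is the compliant value for the quality/security status columns.
// Confirm the literals in your workspace first with:
//   WaaSUpdateStatus | distinct OSSecurityUpdateStatus, OSQualityUpdateStatus
let LookBack   = 14d;  // assumption: how far back to search for a device's records
let StaleAfter = 3d;   // assumption: daily upload + 4 hours latency, plus slack
WaaSUpdateStatus
| where TimeGenerated > ago(LookBack)
// Keep only the most recent record per device
| summarize arg_max(TimeGenerated, *) by ComputerID
| extend DataAge = now() - TimeGenerated
// Classify each device; stale data is checked first because an old
// "Latest" record says nothing about the device's current patch state
| extend Finding = case(
    DataAge > StaleAfter,               "Not reporting (stale data)",
    OSSecurityUpdateStatus != "Latest", "Security update missing",
    OSQualityUpdateStatus  != "Latest", "Quality update missing",
    "OK")
| where Finding != "OK"
| project Computer, ComputerID, OSVersion, OSBuild,
          OSSecurityUpdateStatus, OSQualityUpdateStatus,
          NeedAttentionStatus, LastScan, TimeGenerated, Finding
| order by Finding asc, TimeGenerated asc
```

Devices in the "Not reporting" group are worth checking for a missing or failed Update Compliance policy assignment or blocked diagnostic data endpoints before treating them as patched.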
- Intune Device Compliance Reports | Endpoint Manager
- Azure Active Directory sign-in activity reports – preview
- Antivirus Agent Status Intune Report | Endpoint Manager
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…