Monitoring Windows Updates Using Update Compliance

Today’s post is about a Microsoft tool which is completely free and a great way of tracking Windows updates across the estate. Did I mention it’s free?

If you want to read up more about it, here is the official Microsoft page. For this post, I will cover its deployment and configuration.

Before I start, it’s worth noting that if you already have Desktop Analytics deployed, you need to use the same Resource Group and Log Analytics Workspace.

First up, keep things neat and create a resource group in Azure.

Now, create a Log Analytics Workspace inside the resource group. Don’t worry about any mention of data charges; they are free for this purpose.

Once that is built, go to the Marketplace and find Update Compliance.

There aren’t any configuration items at this point, so go ahead and create it.

Point it at your new Log Analytics Workspace (or Desktop Analytics if you use that already).

When completed, click Go to resource group.

In the new resource, click on the Solution (WaaSUpdateInsights).

Now click on Update Compliance and copy the Commercial Id Key.

Now we need to configure a Profile in Endpoint Manager to point the devices to the Log Analytics Workspace via a Custom OMA-URI policy.

For the rows, the details can all be found here (I’ll include them below as well to save having to cross-navigate).

Set the Commercial ID:

OMA-URI

./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID

Set the diagnostic level (minimum of 1, but feel free to increase):

./Vendor/MSFT/Policy/Config/System/AllowTelemetry

Disable opt-in to stop users changing the setting:

./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx

We need to allow device names or nothing will show:

./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData

And the final row is newly added, but essential to allow Update Compliance processing:

./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing
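
A pre-deployment check for the five rows above, as an added example rather than code from the original post or from Microsoft: it reads a profile definition and reports any row that is missing or carries an unusable value, since a missing row fails silently (no data shows up). The function name, the input shape (Microsoft Graph's windows10CustomConfiguration JSON with plain-text values) and the sample GUID are assumptions; only the AllowTelemetry minimum of 1 comes from the post, and the other expected values are assumptions based on Microsoft's documentation that should be confirmed there.

```powershell
function Test-UpdateComplianceProfile {
    param([Parameter(Mandatory)] [string] $ProfileJson)

    $sys = './Vendor/MSFT/Policy/Config/System'
    # One validator per required row. Only the AllowTelemetry minimum of 1 is
    # from the post; the other expected values are assumptions (see lead-in).
    $required = [ordered]@{
        './Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID' = {
            param($v) $g = [guid]::Empty; [guid]::TryParse([string]$v, [ref]$g) }
        "$sys/AllowTelemetry"                    = { param($v) [int]$v -ge 1 }
        "$sys/ConfigureTelemetryOptInSettingsUx" = { param($v) [int]$v -eq 1 }
        "$sys/AllowDeviceNameInDiagnosticData"   = { param($v) [int]$v -eq 1 }
        "$sys/AllowUpdateComplianceProcessing"   = { param($v) [int]$v -eq 16 }
    }

    $rows = @((ConvertFrom-Json $ProfileJson).omaSettings)
    foreach ($uri in $required.Keys) {
        # -eq on strings is case-insensitive, so URI casing differences still match
        $row = $rows | Where-Object { $_.omaUri -eq $uri } | Select-Object -First 1
        if (-not $row) { "MISSING   $uri"; continue }
        $check = $required[$uri]
        # A value that cannot be converted (e.g. text where a number is expected) counts as bad
        $ok = try { & $check $row.value } catch { $false }
        if (-not $ok) { "BAD VALUE $uri = $($row.value)" }
    }
}

# Constructed sample (not a real tenant export): AllowTelemetry is 0 and the
# AllowUpdateComplianceProcessing row is absent. The GUID is a placeholder.
$sample = @'
{
  "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
  "displayName": "Update Compliance (constructed sample)",
  "omaSettings": [
    { "omaUri": "./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID", "value": "00000000-1111-2222-3333-444444444444" },
    { "omaUri": "./Vendor/MSFT/Policy/Config/System/AllowTelemetry", "value": 0 },
    { "omaUri": "./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx", "value": 1 },
    { "omaUri": "./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData", "value": 1 }
  ]
}
'@

Test-UpdateComplianceProfile -ProfileJson $sample
```

An empty result means all five rows are present with acceptable values.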

Once the data starts coming through, navigate to the Log Analytics Workspace and click on Workspace Summary.

Once the data has been processed, you will see data about the devices, which of them have issues, and what those issues may be.

The Overview blade.

Plus pretty graphs to share with management:

The Security Update Status report.

I always try to deploy this for anyone using Intune: it isn’t complicated to deploy, costs nothing, and can save a lot of time reporting on updates.
