In this post I will show you how to configure Update Compliance reports for Intune patch management. Once Update Compliance is configured on the Azure side, we are able to monitor the detailed patching results in granular form.

What is Update Compliance

Update Compliance is a Windows service hosted in Azure. When clients are configured to send diagnostic data, it provides detailed information about patches in the form of tables, reports and graphs. Update Compliance is available through the Azure Marketplace and can also be installed through Azure > Solutions. A valid Azure subscription is required. Through Update Compliance you can:

  • Monitor quality updates, security updates and feature updates for Windows 10 / Windows 11
  • View a report of device and update issues related to compliance.
  • View Delivery Optimization reports to see how much bandwidth you are using, and how much of it is downloaded from the cloud (i.e. over HTTP) versus from peers.

Prerequisites for Update Compliance

  • Compatible operating system: Windows 10 or Windows 11; the Professional, Education and Enterprise editions are supported.
  • Compatible servicing channel: General Availability Channel and Long-Term Servicing Channel (LTSC) are the supported channels.
  • Diagnostic data requirements: diagnostic data must be enabled on the clients for Update Compliance to receive data. Diagnostic data should be set to the Required level; for more advanced details, you may need to configure the Optional or Enhanced level.
  • Other configuration requirements: there are a few other requirements, such as data transmission requirements and showing device names in Update Compliance.

The settings required for diagnostic data and the other configuration requirements are discussed later in this post.


Add and Configure Update Compliance

Let’s proceed with adding Update Compliance. This can be done in two ways:

  1. Add Update Compliance through the Azure Marketplace. Click on Get It Now, which will create this solution in Azure.
Azure Marketplace Update Compliance

This takes you to the Azure Portal’s Create Update Compliance Solution page. Provide the Subscription, Resource Group and Azure Log Analytics Workspace (if you haven’t created a Log Analytics Workspace yet, create it before proceeding with the Update Compliance configuration).

Create Update Compliance Solution
  2. Another way is to log in to the Azure Portal, search for the Solutions app and click on it.
Azure Solutions

Click on Create, which opens the Marketplace blade.

Update Compliance

The rest of the process is the same as in the previous point.

Note down Commercial ID details

Once the solution is created, it will be named WaaSUpdateInsights.

Update Compliance Commercial id

Go to Azure Portal > Solutions > WaaSUpdateInsights and click on Update Compliance Settings; you will see the Commercial Id Key. Make a note of it, as it is required as part of the device configuration.

Configure devices to send data for Update Compliance

We need to enroll the devices in Update Compliance. For this we configure the devices to send diagnostic data and apply a few other settings. This can be done either through Intune configuration profiles or through Group Policy; follow whichever method best suits you.

  1. Configure devices using Intune

We will configure the policies using Mobile Device Management (MDM) configuration.

The following settings are required:

  • Provider/ProviderID/CommercialID
  • System/AllowTelemetry
  • System/ConfigureTelemetryOptInSettingsUx
  • System/AllowDeviceNameInDiagnosticData
  • System/AllowUpdateComplianceProcessing

Log in to the MEM Portal and navigate to Home > Devices > Windows > Configuration profiles > Create profile.

Configuration profiles

On the Create a profile page:

Platform: Windows 10 and later
Profile type: Templates
Template name: Custom

Intune Custom Templates

Under OMA-URI Settings, click on Add and enter the following five settings:

OMA-URI Settings

Name: Commercial ID
OMA-URI: ./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
Data type: String
Value: (Specify Commercial ID as discussed previously under Note down Commercial ID details)

Name: Allow Telemetry
OMA-URI: ./Vendor/MSFT/Policy/Config/System/AllowTelemetry
Data type: Integer
Value: 1

Name: Disable Telemetry opt-in interface
OMA-URI: ./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx
Data type: Integer
Value: 1

Name: Allow device name in Diagnostic Data
OMA-URI: ./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData
Data type: Integer
Value: 1

Name: Allow Update Compliance Processing
OMA-URI: ./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing
Data type: Integer
Value: 16

Configuration settings

Once the configuration profile is created, assign it to the device group you want to enroll.

  2. Configure devices using Group Policy

We can configure the same settings through Group Policy as well. Log in to the server, launch the Group Policy Management Editor (gpmc.msc), create or modify a policy, and navigate to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds. Configure the following:

  • Configure the Commercial ID: Enabled. Specify the Commercial ID.
  • Allow Telemetry: 1 - Basic, or Allow Diagnostic Data (on Windows 11 or Windows Server 2022)
  • Configure telemetry opt-in setting user interface, or Configure diagnostic data opt-in settings user interface (on Windows 11 or Windows Server 2022): 1 - Disable diagnostic data opt-in Settings
  • Allow device name to be sent in Windows diagnostic data: Enabled
  • Allow Update Compliance processing: 16 - Enabled
Data Collection and Preview Builds
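Whether the five settings arrive through the Intune custom profile or through Group Policy, the practical question on a client that never shows up in the reports is whether the policy actually landed. The following read-only check is an added example, not code from the original post or from Microsoft. It assumes that the settings are written to the DataCollection policy key (or its CurrentVersion\Policies mirror) under the value names listed in $Expected, and that the DiagTrack service is the transport for diagnostic data; verify both against your own environment. Run it in an elevated PowerShell session on the Windows 10/11 client.

```powershell
# Added example: verify that a client carries the Update Compliance settings
# described above. Read-only; nothing is changed on the device.
#
# Assumption: both Group Policy and the Intune policy CSP end up under one of
# these two keys with the value names used in $Expected.
$CandidateKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
)

# Expected registry value per setting; mirrors the five settings in the post.
$Expected = [ordered]@{
    CommercialId                    = $null   # checked for GUID shape, not a fixed value
    AllowTelemetry                  = 1       # Required / Basic diagnostic data
    DisableTelemetryOptInSettingsUx = 1       # hide the opt-in UI so users cannot lower the level
    AllowDeviceNameInTelemetry      = 1       # show device names instead of IDs in reports
    AllowUpdateComplianceProcessing = 16      # enable Update Compliance processing
}

# Return the first key under which the named value exists, with its data.
function Get-FirstRegistryValue {
    param([string[]]$Keys, [string]$Name)
    foreach ($Key in $Keys) {
        $Item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $Item) {
            return [pscustomobject]@{ Key = $Key; Value = $Item.$Name }
        }
    }
    return $null
}

function Test-UpdateComplianceConfig {
    $Results = @()
    foreach ($Name in $Expected.Keys) {
        $Found = Get-FirstRegistryValue -Keys $CandidateKeys -Name $Name
        $Ok = $false
        if ($null -ne $Found) {
            if ($Name -eq 'CommercialId') {
                # A Commercial ID is a GUID; anything else is a mistyped value.
                $Ok = $Found.Value -match '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
            } else {
                $Ok = ([int]$Found.Value) -eq $Expected[$Name]
            }
        }
        $Results += [pscustomobject]@{
            Setting   = $Name
            Expected  = if ($Name -eq 'CommercialId') { 'GUID' } else { $Expected[$Name] }
            Actual    = if ($Found) { $Found.Value } else { '<missing>' }
            Source    = if ($Found) { $Found.Key } else { '' }
            Compliant = $Ok
        }
    }

    # DiagTrack (Connected User Experiences and Telemetry) sends the diagnostic
    # data; with it stopped, correct policy values still produce no reports.
    $Svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
    $Results += [pscustomobject]@{
        Setting   = 'DiagTrack service'
        Expected  = 'Running'
        Actual    = if ($Svc) { $Svc.Status.ToString() } else { '<missing>' }
        Source    = 'services'
        Compliant = [bool]($Svc -and $Svc.Status -eq 'Running')
    }
    return $Results
}

$Report = Test-UpdateComplianceConfig
$Report | Format-Table -AutoSize
if ($Report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more Update Compliance settings are missing or wrong; this device will not report.'
}
```

The Source column tells you which key delivered each value, which is useful when a device is in scope of both an Intune profile and a GPO and you need to know which one is winning.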

Once the configuration is done and applied on the devices, you might not see results immediately. It may take around 72 hours. It took a while for me; before 3 days had passed, I wasn’t able to see any data.

When you go to Azure portal > Solutions > WaaSUpdateInsights > Summary, you will see:

Performing Assessment No devices have been detected. Note that it can take up to 24 hours for configured devices to appear and may take longer if they are not currently connected to internet.

Update Compliance Performing Assessment

After waiting for approx. 72 hours, I saw the data.

Another way to reach this location is to navigate to WaaSUpdateInsights > Log Analytics Workspace > Logs > Update Compliance.

Under Update Compliance, we can see the following tables:

UCClient
UCClientReadinessStatus
UCClientUpdateStatus
UCDeviceAlert
UCServiceUpdateStatus
UCUpdateAlert
WaaSDeploymentStatus
WaaSUpdateStatus
WUDOAggregatedStatus
WUDOStatus

Logs Update Compliance

Going to WaaSUpdateInsights and clicking on Summary, we can see lots of details:

WaaSUpdateInsights

Security Update Status

Click on any table to explore it and the query running in the background:

WaaSDeploymentStatus | where UpdateClassification == "Security"  and OSVersion == "20H2"
WaaSDeploymentStatus

These are KQL queries; if you explore them, you can build custom reports based on your requirements.
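The same KQL can be run outside the portal, which is how you would schedule a weekly patch-status export or feed it into a ticketing workflow. The script below is an added example, not code from the original post; it uses the Az.OperationalInsights module (install the Az module and run Connect-AzAccount first) and extends the post’s query with a per-status device count. Assumptions: $WorkspaceId is a placeholder for your Log Analytics workspace ID, and the Computer, DeploymentStatus and ReleaseName columns of WaaSDeploymentStatus are taken from the table schema rather than from the post, which only shows UpdateClassification and OSVersion.

```powershell
# Added example: query Update Compliance data from PowerShell.
# Requires the Az.OperationalInsights module and an authenticated session
# (Connect-AzAccount) with read access to the workspace.

$WorkspaceId = '<LOG-ANALYTICS-WORKSPACE-ID>'   # placeholder: your workspace ID

# Same filter as the post's Security Update Status query, plus a summarize
# that counts distinct devices per release and deployment status.
# Assumed columns: Computer, ReleaseName, DeploymentStatus.
$Query = @'
WaaSDeploymentStatus
| where UpdateClassification == "Security" and OSVersion == "20H2"
| summarize Devices = dcount(Computer) by ReleaseName, DeploymentStatus
| order by ReleaseName desc, Devices desc
'@

function Get-SecurityUpdateStatus {
    param(
        [Parameter(Mandatory)] [string]$WorkspaceId,
        [Parameter(Mandatory)] [string]$Query,
        [int]$Days = 7   # Update Compliance snapshots are re-sent, so a short window is enough
    )
    $Response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId `
        -Query $Query -Timespan (New-TimeSpan -Days $Days)
    return $Response.Results
}

$Rows = Get-SecurityUpdateStatus -WorkspaceId $WorkspaceId -Query $Query
$Rows | Format-Table -AutoSize

# Export for sharing with the patching team; the CSV has one row per
# release/status pair with the device count.
$Rows | Export-Csv -Path '.\security-update-status.csv' -NoTypeInformation
```

Changing the where clause is all it takes to reuse this for the Feature Update Status tile (filter on the feature update classification instead of "Security"), and the summarize can be widened to any other column the table exposes.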

Feature Update Status

Feature Update Status WaaSUpdateInsights

Delivery Optimization Status reports are also available if Delivery Optimization is deployed.

Delivery Optimization Status

Conclusion

Update Compliance reports provide a rich interface and in-depth reporting on patches, feature updates and Delivery Optimization. If you know KQL, you can write queries of your own, which is very helpful for exploring the data.

Important Links:

Monitor Windows Updates and Microsoft Defender AV with Update Compliance – Windows Deployment | Microsoft Docs

Get started with Update Compliance – Windows Deployment | Microsoft Docs

https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-configuration-manual

Using Update Compliance – Windows Deployment | Microsoft Docs