Monitor update status of Windows 10 PCs with Microsoft's free Update Compliance

The prompt installation of updates is one of the most important measures to ensure the security of PCs. Windows does not contain tools that give the admin a detailed overview of the patch status of all computers in the network. However, the Azure-based Update Compliance can accomplish this task.

With Windows Update (for Business) and WSUS, Microsoft provides the necessary infrastructure to keep Windows computers up-to-date. However, if you want to find out whether all critical updates have been successfully installed or whether individual computers still have known vulnerabilities, the onboard tools are of little help.

WSUS with simple reporting ^

WSUS reporting allows you to see which updates are pending for which computers and whether the installation of patches has failed. However, this rudimentary tool does not provide a real overview of the risk situation.

As an alternative, Microsoft provides the cloud-based Update Compliance. It is a function of Log Analytics, which can evaluate various events on Windows and Linux clients. The license for the Windows 10 Professional, Education, and Enterprise editions includes the use of Update Compliance, so there are no additional costs.

One advantage of Update Compliance is that, in contrast to full log analytics, it does not require an agent on the target devices. Rather, the telemetry data that Windows 10 collects and transmits to Microsoft is sufficient.

Configuring cloud service ^

The first step is to set up the service in the cloud. To do this, search for Update Compliance in the Azure Marketplace and click the corresponding tile.

Update Compliance can be found by searching the Marketplace

Update Compliance can be found by searching the Marketplace

You will then receive a description of the service and its functions. On this page, you can book it by clicking the Create button.

Information about Update Compliance on the Azure Portal. You can also set up the service there

Information about Update Compliance on the Azure Portal. You can also set up the service there

You will then be asked to select a workspace for Log Analytics.

Selecting a Log Analytics workspace for Update Compliance

Selecting a Log Analytics workspace for Update Compliance

If you have not yet created one, which is usually the case, then you have the opportunity to do so on the spot. Enter its name in the form and select a subscription and a resource group. If necessary, you can also create a resource group right away.

Creating a new workspace for log analytic

Creating a new workspace for log analytic

Finally, select the location. The deployment may fail afterward if the location in question does not offer the Update Compliance service. This applies to Switzerland North, for example. Unfortunately, Microsoft offers you these locations in the drop-down menu anyway.

Configuring the clients ^

Once the service is successfully set up, configure the clients to transfer the required information to Log Analytics. As previously mentioned, the telemetry data is sufficient for this.

However, you still have to ensure that the corresponding setting is configured correctly, because it is possible to completely disable the transfer in the Enterprise Edition, for example. You also have to prevent users from changing this setting.

In addition, Update Compliance needs the names of the computers to perform meaningful analysis. Finally, you have to assign your own devices to the cloud service using a unique ID. This can be found under the Update Compliance Settings menu item.

The Commercial ID key is needed for the script as well as for the group policies

The Commercial ID key is needed for the script as well as for the group policies

Script or GPO ^

To configure the abovementioned settings, Microsoft wants you to either execute a PowerShell script or to set up a Group Policy. The vendor's preferred option is the script because it is continually updated to reflect any changes in requirements and because it also checks for some prerequisites.

However, if you have a large number of computers, the script is more complex because it actually involves several files with mutual dependencies. A batch starts the PowerShell script with the help of psexec, which must run in the context of the system account.

Settings for the group policies ^

If you have not deactivated any Windows services that run by default after the system has been installed, you should be able to do so without the checks in the script. Therefore, in this case, you can opt for a GPO.

Required GPO settings for Update Compliance

Required GPO settings for Update Compliance

The required settings can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Data Collection and Preview Builds:

SettingValue
Allow telemetry 1- required
Allow transmission of device name in Windows diagnostic data Enabled
Configure the user interface of the telemetry opt-in settingDisable the telemetry opt-in settings
Configure organization IDCommercial ID key from the Azure portal

If there are computers with an OS other than Windows 10 in the OUs or domains to which you have linked the GPO, you should exclude them using this WMI filter:

Triggering transmission of required telemetry data ^

After the GPO has been executed on the target computers, it could still take some time for complete data to appear in Update Compliance. In order to save bandwidth, devicecensus.exe transmits the complete telemetry data only once a week.

Because of that, the script changes the value for Fullsync in the registry under

to 1, starts devicecensus.exe, and then sets it back to the value 0.

If you configure the clients via Group Policy, it is recommended to temporarily assign the value 1 to this key via Group Policy Preferences or a script to reduce the waiting time.

It usually takes at least two or three days before the first reports appear in the Update Compliance dashboard. Therefore, you should check immediately to see whether there is a problem with the data transfer to avoid losing time unnecessarily. The Diagnostic Data Viewer provides detailed information about the telemetry data sent.

The Diagnostic Data Viewer shows when data was transferred to Update Compliance and whether the key is included

The Diagnostic Data Viewer shows when data was transferred to Update Compliance and whether the key is included

It not only shows when which data was transmitted, but also whether the Commercial ID Key is included. This can be recognized in the JSON structure by the label enrolledTenantId.

Evaluating the update status ^

After the initial waiting period, the data for the configured computers appears in the Update Compliance dashboard. The diagrams are largely self-explanatory. The overview is divided into PCs that require immediate attention and separate areas for the status of security and feature updates as well as delivery optimization.

Overview of the update status of PCs with Windows 10 in Update Compliance

Overview of the update status of PCs with Windows 10 in Update Compliance

Additional detailed insights can be obtained via queries that can be executed in Log Analytics. Update Analytics contains a whole list of predefined queries that you can start immediately.

Predefined queries in Update Compliance

Predefined queries in Update Compliance

You can use them to explore a recently introduced data set to identify obstacles to feature updates ("safeguard holds") before you actually update the PCs.

Conclusion ^

Update Compliance provides administrators with essential information about the status of Windows 10 PCs. It helps to identify outdated OS installations and to close any resulting security gaps.

The cloud service is included in the license for the business editions of Windows 10, and installation is relatively simple, so that the barriers for its use are relatively low.

One of the disadvantages of Update Compliance is that it offers far from real-time analysis. Even the initial feeding of the tool with telemetry data takes a good three days, and after that, the status information shown is hours behind.

If you do not use endpoint management software or SIEM tools that provide insight into the update status of the computers, then you should consider using Update Compliance. This is especially true if the patches are obtained via Windows Update, which does not include any reporting.

2+
avatar

Poll: Does your organization plan to introduce Artifical Intelligence?

Read 4sysops without ads and for free by becoming a member!

1 Comment
  1. Ingmar Koecher 2 weeks ago

    If you are (already) monitoring your workstations with our monitoring solution EventSentry, then you can also use the validation scripts feature to identify all hosts that do not have the latest Windows patches installed (and as such, require updates to be installed).

    New EventSentry installation have this check enabled by default, but setting it up manually only takes a few minutes.

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account