The prompt installation of updates is one of the most important measures to ensure the security of PCs. Windows does not contain tools that give the admin a detailed overview of the patch status of all computers in the network. However, the Azure-based Update Compliance can accomplish this task.

With Windows Update (for Business) and WSUS, Microsoft provides the necessary infrastructure to keep Windows computers up-to-date. However, if you want to find out whether all critical updates have been successfully installed or whether individual computers still have known vulnerabilities, the onboard tools are of little help.

WSUS with simple reporting

WSUS reporting allows you to see which updates are pending for which computers and whether the installation of patches has failed. However, this rudimentary tool does not provide a real overview of the risk situation.

As an alternative, Microsoft provides the cloud-based Update Compliance. It is a function of Log Analytics, which can evaluate various events on Windows and Linux clients. The license for the Windows 10 Professional, Education, and Enterprise editions includes the use of Update Compliance, so there are no additional costs.

One advantage of Update Compliance is that, in contrast to full log analytics, it does not require an agent on the target devices. Rather, the telemetry data that Windows 10 collects and transmits to Microsoft is sufficient.

Configuring cloud service

The first step is to set up the service in the cloud. To do this, search for Update Compliance in the Azure Marketplace and click the corresponding tile.

Update Compliance can be found by searching the Marketplace

You will then see a description of the service and its functions. On this page, you can provision it by clicking the Create button.

Information about Update Compliance on the Azure Portal. You can also set up the service there

You will then be asked to select a workspace for Log Analytics.

Selecting a Log Analytics workspace for Update Compliance

If you have not yet created one, which is usually the case, then you have the opportunity to do so on the spot. Enter its name in the form and select a subscription and a resource group. If necessary, you can also create a resource group right away.

Creating a new workspace for Log Analytics

Finally, select the location. The deployment may fail afterward if the location in question does not offer the Update Compliance service. This applies to Switzerland North, for example. Unfortunately, Microsoft offers you these locations in the drop-down menu anyway.

Configuring the clients

Once the service is successfully set up, configure the clients to transfer the required information to Log Analytics. As previously mentioned, the telemetry data is sufficient for this.

However, you still have to ensure that the corresponding setting is configured correctly, because it is possible to completely disable the transfer in the Enterprise Edition, for example. You also have to prevent users from changing this setting.

In addition, Update Compliance needs the names of the computers to perform meaningful analysis. Finally, you have to assign your own devices to the cloud service using a unique ID. This can be found under the Update Compliance Settings menu item.

The Commercial ID key is needed for the script as well as for the group policies

Script or GPO

To configure the abovementioned settings, Microsoft wants you to either execute a PowerShell script or to set up a Group Policy. The vendor's preferred option is the script because it is continually updated to reflect any changes in requirements and because it also checks for some prerequisites.

However, if you have a large number of computers, the script is more complex because it actually involves several files with mutual dependencies. A batch starts the PowerShell script with the help of psexec, which must run in the context of the system account.

Settings for the group policies

If you have not deactivated any of the Windows services that run by default after installation, you can do without the prerequisite checks in the script. In this case, you can opt for a GPO instead.

Required GPO settings for Update Compliance

The required settings can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Data Collection and Preview Builds:

Setting                                                        Value
Allow telemetry                                                1 - Required
Allow transmission of device name in Windows diagnostic data   Enabled
Configure the user interface of the telemetry opt-in setting   Disable the telemetry opt-in settings
Configure organization ID                                      Commercial ID key from the Azure portal

If there are computers with an OS other than Windows 10 in the OUs or domains to which you have linked the GPO, you should exclude them using this WMI filter:

select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
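To confirm on a client that the four settings from the table have actually arrived and that the machine falls within the WMI filter, the following added PowerShell check can be run (it is not part of the article or of Microsoft's script). The value names are the registry settings these policies write under the DataCollection policy key; the function name is my own.

```powershell
# Added example: verify the Update Compliance client configuration locally.
# Expected values follow the GPO table above; run in an elevated shell.
function Test-UpdateComplianceClient {
    [CmdletBinding()]
    param()

    # Registry location the Data Collection policies are written to
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $values    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Same filter as the article's GPO WMI filter, evaluated locally with CIM,
    # so you can see whether this host would receive the GPO at all.
    $wmiFilter = 'select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"'
    $matchesFilter = [bool](Get-CimInstance -Query $wmiFilter -ErrorAction SilentlyContinue)

    # The Commercial ID is a GUID; anything else (or nothing) means the policy is missing
    $commercialIdOk = $values.CommercialId -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'

    # [int]$null evaluates to 0, so missing values fail the comparisons below
    $ready = $matchesFilter -and
             [int]$values.AllowTelemetry -ge 1 -and              # Allow telemetry: 1 - Required (or higher)
             [int]$values.AllowDeviceNameInTelemetry -eq 1 -and  # device name in diagnostic data
             [int]$values.DisableTelemetryOptInSettingsUx -eq 1 -and # opt-in UI disabled for users
             $commercialIdOk

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        MatchesWmiFilter      = $matchesFilter
        AllowTelemetry        = $values.AllowTelemetry
        DeviceNameInTelemetry = $values.AllowDeviceNameInTelemetry
        OptInUxDisabled       = $values.DisableTelemetryOptInSettingsUx
        CommercialIdPresent   = $commercialIdOk
        Ready                 = $ready
    }
}

Test-UpdateComplianceClient | Format-List
```

To check several machines at once, wrap the function in Invoke-Command against a list of computer names; a Ready value of False points you to the setting that did not apply.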

Triggering transmission of required telemetry data

After the GPO has been applied on the target computers, it can still take some time for complete data to appear in Update Compliance. To save bandwidth, devicecensus.exe transmits the complete telemetry data only once a week.

Because of that, the script changes the value for Fullsync in the registry under

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Census

to 1, starts devicecensus.exe, and then sets it back to the value 0.

If you configure the clients via Group Policy, it is recommended to temporarily assign the value 1 to this key via Group Policy Preferences or a script to reduce the waiting time.
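The trigger described above can be scripted as follows; this is an added example, not the article's or Microsoft's script. It assumes DeviceCensus.exe lives in System32 and that the shell is elevated (Microsoft's script runs the same step as SYSTEM via psexec).

```powershell
# Added example: force one full census upload so Update Compliance receives
# data sooner. Mirrors the article's sequence: FullSync=1, run devicecensus.exe,
# FullSync back to 0. Requires an elevated shell.
function Invoke-CensusFullSync {
    [CmdletBinding()]
    param(
        # Registry key named in the article
        [string]$CensusKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Census',
        # Assumed location of the census binary
        [string]$CensusExe = (Join-Path $env:SystemRoot 'System32\DeviceCensus.exe')
    )

    if (-not (Test-Path $CensusExe)) {
        throw "DeviceCensus.exe not found at $CensusExe"
    }
    if (-not (Test-Path $CensusKey)) {
        New-Item -Path $CensusKey -Force | Out-Null
    }

    try {
        # Request a full upload instead of the weekly delta
        Set-ItemProperty -Path $CensusKey -Name FullSync -Value 1 -Type DWord
        $proc = Start-Process -FilePath $CensusExe -Wait -PassThru -WindowStyle Hidden

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            ExitCode     = $proc.ExitCode
            RanAt        = Get-Date
        }
    }
    finally {
        # Always return to normal weekly behaviour, even if the run failed
        Set-ItemProperty -Path $CensusKey -Name FullSync -Value 0 -Type DWord
    }
}

Invoke-CensusFullSync
```

Afterwards, the Diagnostic Data Viewer should show a census upload carrying the enrolledTenantId label.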

It usually takes at least two or three days before the first reports appear in the Update Compliance dashboard. Therefore, you should check immediately to see whether there is a problem with the data transfer to avoid losing time unnecessarily. The Diagnostic Data Viewer provides detailed information about the telemetry data sent.

The Diagnostic Data Viewer shows when data was transferred to Update Compliance and whether the key is included

It not only shows when which data was transmitted, but also whether the Commercial ID Key is included. This can be recognized in the JSON structure by the label enrolledTenantId.

Evaluating the update status

After the initial waiting period, the data for the configured computers appears in the Update Compliance dashboard. The diagrams are largely self-explanatory. The overview is divided into PCs that require immediate attention and separate areas for the status of security and feature updates as well as delivery optimization.

Overview of the update status of PCs with Windows 10 in Update Compliance

Additional detailed insights can be obtained via queries that can be executed in Log Analytics. Update Analytics contains a whole list of predefined queries that you can start immediately.

Predefined queries in Update Compliance

You can use them to explore a recently introduced data set to identify obstacles to feature updates ("safeguard holds") before you actually update the PCs.

Conclusion

Update Compliance provides administrators with essential information about the status of Windows 10 PCs. It helps to identify outdated OS installations and to close any resulting security gaps.

The cloud service is included in the license for the business editions of Windows 10, and installation is relatively simple, so the barrier to using it is low.

One of the disadvantages of Update Compliance is that it offers far from real-time analysis. Even the initial feeding of the tool with telemetry data takes a good three days, and after that, the status information shown is hours behind.

If you do not use endpoint management software or SIEM tools that provide insight into the update status of the computers, then you should consider using Update Compliance. This is especially true if the patches are obtained via Windows Update, which does not include any reporting.

2 Comments
  1. Ingmar Koecher 3 years ago

    If you are (already) monitoring your workstations with our monitoring solution EventSentry, then you can also use the validation scripts feature to identify all hosts that do not have the latest Windows patches installed (and as such, require updates to be installed).

    New EventSentry installations have this check enabled by default, but setting it up manually only takes a few minutes.

  2. Boris 2 years ago

    Brilliant guide, thanks very much. Just waiting for them to appear now…

© 4sysops 2006 - 2023