With Windows Update (for Business) and WSUS, Microsoft provides the necessary infrastructure to keep Windows computers up-to-date. However, if you want to find out whether all critical updates have been successfully installed or whether individual computers still have known vulnerabilities, the onboard tools are of little help.
WSUS with simple reporting
WSUS reporting allows you to see which updates are pending for which computers and whether the installation of patches has failed. However, this rudimentary tool does not provide a real overview of the risk situation.
As an alternative, Microsoft provides the cloud-based Update Compliance. It is a function of Log Analytics, which can evaluate various events on Windows and Linux clients. The license for the Windows 10 Professional, Education, and Enterprise editions includes the use of Update Compliance, so there are no additional costs.
One advantage of Update Compliance is that, in contrast to full log analytics, it does not require an agent on the target devices. Rather, the telemetry data that Windows 10 collects and transmits to Microsoft is sufficient.
Configuring the cloud service
The first step is to set up the service in the cloud. To do this, search for Update Compliance in the Azure Marketplace and click the corresponding tile.
You will then see a description of the service and its functions. On this page, you can add it to your subscription by clicking the Create button.
You will then be asked to select a workspace for Log Analytics.
If you have not yet created one, which is usually the case, then you have the opportunity to do so on the spot. Enter its name in the form and select a subscription and a resource group. If necessary, you can also create a resource group right away.
Finally, select the location. The deployment may fail afterward if the location in question does not offer the Update Compliance service. This applies to Switzerland North, for example. Unfortunately, Microsoft offers you these locations in the drop-down menu anyway.
Configuring the clients
Once the service is successfully set up, configure the clients to transfer the required information to Log Analytics. As previously mentioned, the telemetry data is sufficient for this.
However, you still have to ensure that the corresponding setting is configured correctly, because it is possible to completely disable the transfer in the Enterprise Edition, for example. You also have to prevent users from changing this setting.
In addition, Update Compliance needs the names of the computers to perform meaningful analysis. Finally, you have to assign your own devices to the cloud service using a unique ID. This can be found under the Update Compliance Settings menu item.
Script or GPO
To configure the settings mentioned above, Microsoft expects you either to run a PowerShell script or to set up a Group Policy. The vendor's preferred option is the script, because it is continually updated to reflect any changes in requirements and because it also checks some prerequisites.
However, if you have a large number of computers, the script is the more complex option, because it actually consists of several files with mutual dependencies. A batch file starts the PowerShell script with the help of PsExec, since the script must run in the context of the system account.
Settings for the group policies
If you have not deactivated any of the Windows services that run by default after the system has been installed, you should be able to manage without the checks in the script. In this case, you can therefore opt for a GPO.
The required settings can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Data Collection and Preview Builds:
|Setting|Value|
|---|---|
|Allow telemetry|1 - Required|
|Allow transmission of device name in Windows diagnostic data|Enabled|
|Configure the user interface of the telemetry opt-in setting|Disable the telemetry opt-in settings|
|Configure organization ID|Commercial ID key from the Azure portal|
If there are computers with an OS other than Windows 10 in the OUs or domains to which you have linked the GPO, you should exclude them using this WMI filter:
select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
Triggering transmission of the required telemetry data
After the GPO has been applied on the target computers, it can still take some time for complete data to appear in Update Compliance. To save bandwidth, devicecensus.exe transmits the complete telemetry data only once a week.
Because of that, the script changes the value for Fullsync in the registry under
to 1, starts devicecensus.exe, and then sets it back to the value 0.
If you configure the clients via Group Policy, it is advisable to temporarily set this value to 1 via Group Policy Preferences or a script in order to reduce the waiting time.
It usually takes at least two or three days before the first reports appear in the Update Compliance dashboard. Therefore, you should check immediately to see whether there is a problem with the data transfer to avoid losing time unnecessarily. The Diagnostic Data Viewer provides detailed information about the telemetry data sent.
It not only shows when which data was transmitted, but also whether the Commercial ID Key is included. This can be recognized in the JSON structure by the label enrolledTenantId.
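The following PowerShell script is an added example, not from the article and not Microsoft's configuration script. It audits on a client whether the policy values behind the four GPO settings listed above are in place, applies the same Windows 10 workstation condition as the WMI filter, and can optionally force the full census run that the Microsoft script triggers. The registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection with its value names, and the Census\FullSync key, are assumptions about the registry backing of those settings.

```powershell
# Added example (not the article's or Microsoft's script). Assumed registry locations:
# the DataCollection policy values are what the four GPO settings write, and
# Census\FullSync is the value the Microsoft script toggles before running devicecensus.exe.
param(
    [Parameter(Mandatory)][string]$CommercialId,  # Commercial ID key from the Azure portal
    [switch]$TriggerFullSync                      # writes HKLM, so run elevated
)
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$expected = @{
    AllowTelemetry                  = 1             # 1 = Required diagnostic data
    AllowDeviceNameInTelemetry      = 1             # device name included in the data
    DisableTelemetryOptInSettingsUx = 1             # users cannot change the setting
    CommercialId                    = $CommercialId # ties the device to the workspace
}
# Same condition as the WMI filter: Windows 10 (Version 10.*) workstation (ProductType 1)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if (-not ($os.Version -like '10.*' -and $os.ProductType -eq 1)) {
    Write-Warning "Not a Windows 10 workstation ($($os.Caption)); nothing to check."
    return
}
$problems = @()
foreach ($name in $expected.Keys) {
    # Missing value or missing key both yield $null here
    $actual = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $actual) {
        $problems += "$name is not set (GPO not applied or not linked?)"
    } elseif ("$actual" -ne "$($expected[$name])") {
        $problems += "$name is '$actual', expected '$($expected[$name])'"
    }
}
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Policy values for Update Compliance are in place.'
}
if ($TriggerFullSync -and -not $problems) {
    # Force the full census now instead of waiting for the weekly run, then reset the flag
    $census = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Census'
    if (-not (Test-Path $census)) { New-Item -Path $census -Force | Out-Null }
    Set-ItemProperty -Path $census -Name FullSync -Value 1 -Type DWord
    try {
        Start-Process -FilePath "$env:SystemRoot\System32\devicecensus.exe" -Wait -WindowStyle Hidden
    } finally {
        Set-ItemProperty -Path $census -Name FullSync -Value 0 -Type DWord
    }
}
```

After running it with -TriggerFullSync, the Diagnostic Data Viewer should show a new census event carrying the enrolledTenantId label within a short time; if it does not, the policy values or the GPO link are the first thing to recheck.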
Evaluating the update status
After the initial waiting period, the data for the configured computers appears in the Update Compliance dashboard. The diagrams are largely self-explanatory. The overview is divided into PCs that require immediate attention and separate areas for the status of security and feature updates as well as delivery optimization.
Additional detailed insights can be obtained via queries that can be executed in Log Analytics. Update Analytics contains a whole list of predefined queries that you can start immediately.
You can use them to explore a recently introduced data set to identify obstacles to feature updates ("safeguard holds") before you actually update the PCs.
Update Compliance provides administrators with essential information about the status of Windows 10 PCs. It helps to identify outdated OS installations and to close any resulting security gaps.
The cloud service is included in the license for the business editions of Windows 10, and installation is relatively simple, so that the barriers for its use are relatively low.
One of the disadvantages of Update Compliance is that it offers far from real-time analysis. Even the initial feeding of the tool with telemetry data takes a good three days, and after that, the status information shown is hours behind.
If you do not use endpoint management software or SIEM tools that provide insight into the update status of the computers, then you should consider using Update Compliance. This is especially true if the patches are obtained via Windows Update, which does not include any reporting.