Get started with Update Compliance

Applies to

  • Windows 10
  • Windows 11

Important

A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing". If you're already using Update Compliance and configured your devices prior to May 10, 2021, you must configure devices with this additional policy. If you configure your devices through Group Policy, you can do this by rerunning the Update Compliance Configuration Script. Alternatively, see Manually configuring devices for Update Compliance for details on manually configuring the new policy for both Group Policy and MDM.

Devices must have this policy configured by January 31, 2022, to remain enrolled in Update Compliance. Devices without this policy configured, including Windows 10 releases prior to version 1809, which do not support this policy, will stop appearing in Update Compliance reports after this date.

This topic introduces the high-level steps required to enroll in the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.

  1. Ensure you can meet the requirements to use Update Compliance.
  2. Add Update Compliance to your Azure subscription.
  3. Configure devices to send data to Update Compliance.

After adding the solution to Azure and configuring devices, it can take some time before all devices appear. For more information, see the enrollment section. Before or as devices appear, you can learn how to Use Update Compliance to monitor Windows Updates and Delivery Optimization.

Update Compliance prerequisites

Important

Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet US Government community compliance (GCC) requirements. For a list of GCC offerings for Microsoft products and services, see the Microsoft Trust Center. Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers.

Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:

  • Compatible operating systems and editions: Update Compliance works only with Windows 10 or Windows 11 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 or Windows 11 Enterprise edition, as well as Windows 10 Enterprise multi-session. Update Compliance only provides data for the standard Desktop Windows client version and is not currently compatible with Windows Server, Surface Hub, IoT, or other versions.
  • Compatible Windows client servicing channels: Update Compliance supports Windows client devices on the General Availability Channel and the Long-term Servicing Channel (LTSC). Update Compliance counts Windows Insider Preview devices, but does not currently provide detailed deployment insights for them.
  • Diagnostic data requirements: Update Compliance requires devices to send diagnostic data at Required level (previously Basic). Some queries in Update Compliance require devices to send diagnostic data at Optional level (previously Full) for Windows 11 devices or Enhanced level for Windows 10 devices. To learn more about what's included in different diagnostic levels, see Diagnostics, feedback, and privacy in Windows.
  • Data transmission requirements: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at Configuring Devices for Update Compliance manually.
  • Showing device names in Update Compliance: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt in devices by using policy. The steps to accomplish this are outlined in Configuring Devices for Update Compliance.
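
The following is an added example, not part of the original documentation: it triages a device inventory against the edition, release, policy, and diagnostic data requirements described above. The CSV column names and the sample rows are constructed for illustration. Build 17763 corresponds to Windows 10, version 1809; comparing build numbers avoids string comparisons between version labels.

```python
import csv
import io

BUILD_1809 = 17763  # Windows 10, version 1809: earlier releases do not support the policy
SUPPORTED_EDITIONS = {"professional", "education", "enterprise", "enterprise multi-session"}
# Both current and previous names of the diagnostic data levels that meet the minimum.
SUFFICIENT_DIAG = {"required", "basic", "enhanced", "optional", "full"}

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """\
device,platform,edition,build,policy_set,diag_level
PC-001,Windows 10,Enterprise,19044,yes,Required
PC-002,Windows 10,Professional,17134,no,Required
PC-003,Windows 10,Home,19044,yes,Required
SRV-01,Windows Server,Datacenter,17763,yes,Required
PC-004,Windows 11,Education,22000,no,Optional
PC-005,Windows 10,Enterprise,18363,yes,Off
"""


def assess(row):
    """Return the blocking findings for one device; an empty list means eligible."""
    findings = []
    if row["platform"].strip().lower() not in ("windows 10", "windows 11"):
        findings.append("unsupported platform")
    elif row["edition"].strip().lower() not in SUPPORTED_EDITIONS:
        findings.append("unsupported edition")
    if int(row["build"]) < BUILD_1809:
        findings.append("release predates 1809: cannot apply AllowUpdateComplianceProcessing")
    elif row["policy_set"].strip().lower() != "yes":
        findings.append("AllowUpdateComplianceProcessing not configured")
    if row["diag_level"].strip().lower() not in SUFFICIENT_DIAG:
        findings.append("diagnostic data below Required")
    return findings


def triage(csv_text):
    """Map each device name to its list of findings."""
    return {r["device"]: assess(r) for r in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for device, findings in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {'eligible' if not findings else '; '.join(findings)}")
```

Devices flagged as predating 1809 need an OS upgrade before the policy can be applied; devices flagged only for the missing policy can be fixed through Group Policy or MDM.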

Add Update Compliance to your Azure subscription

Update Compliance is offered as an Azure Marketplace application which is linked to a new or existing Azure Log Analytics workspace within your Azure subscription. To configure this, follow these steps:

  1. Go to the Update Compliance page in the Azure Marketplace. You might need to log in to your Azure subscription to access this.
  2. Select Get it now.
  3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a Compatible Log Analytics region from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data.
  4. After your workspace is configured and selected, select Create. You'll receive a notification when the solution has been successfully created.

Compatible Log Analytics regions

  • Australia Central
  • Australia East
  • Australia Southeast
  • Brazil South
  • Canada Central
  • Central India
  • Central US
  • East Asia
  • East US
  • East US 2
  • Eastus2euap(canary)
  • France Central
  • Japan East
  • Korea Central
  • North Central US
  • North Europe
  • South Africa North
  • South Central US
  • Southeast Asia
  • Switzerland North
  • Switzerland West
  • UK West
  • UK South
  • West Central US
  • West Europe
  • West US
  • West US 2

Note

Programmatic enrollment in Update Compliance, via the Azure CLI or otherwise, is not currently supported. You must manually add Update Compliance to your Azure subscription.

Get your CommercialID

A CommercialID is a globally unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment.

To find your CommercialID within Azure:

  1. Navigate to the Solutions tab for your workspace, and then select the WaaSUpdateInsights solution.
  2. From there, select the Update Compliance Settings page on the navbar.
  3. Your CommercialID is available in the settings page.

Important

Regenerate your CommercialID only if your original ID can no longer be used or if you want to completely reset your workspace. Regenerating your CommercialID cannot be undone and will result in you losing data for all devices that have the current CommercialID until the new CommercialID is deployed to devices.

Enroll devices in Update Compliance

Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices in Update Compliance:

  1. Check the policies, services, and other device enrollment requirements in Manually configuring devices for Update Compliance.
  2. If you use Microsoft Endpoint Manager, you can follow the enrollment process documented at Configuring devices for Update Compliance in Microsoft Endpoint Manager.
  3. Finally, you should run the Update Compliance Configuration Script on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues.

After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling in Update Compliance doesn't influence the rate at which required data is uploaded from devices. How long it takes before a device appears in Update Compliance depends heavily on the device's internet connectivity and on how active the device generally is. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.

Update Compliance and Desktop Analytics

If you use or plan to use Desktop Analytics, you must use the same Log Analytics workspace for both solutions.