Get started with Update Compliance
- Windows 10
- Windows 11
This topic introduces the high-level steps required to enroll in the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.
- Ensure you can meet the requirements to use Update Compliance.
- Add Update Compliance to your Azure subscription.
- Configure devices to send data to Update Compliance.
After adding the solution to Azure and configuring devices, it can take some time before all devices appear. For more information, see the enrollment section. Before or as devices appear, you can learn how to Use Update Compliance to monitor Windows Updates and Delivery Optimization.
Update Compliance prerequisites
Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet US Government community compliance (GCC) requirements. For a list of GCC offerings for Microsoft products and services, see the Microsoft Trust Center. Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers.
Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:
- Compatible operating systems and editions: Update Compliance works only with Windows 10 or Windows 11 Professional, Education, and Enterprise editions. Update Compliance supports the typical Windows 10 or Windows 11 Enterprise edition as well as Windows 10 Enterprise multi-session. Update Compliance only provides data for the standard Desktop Windows client version and is not currently compatible with Windows Server, Surface Hub, IoT, or other versions.
- Compatible Windows client servicing channels: Update Compliance supports Windows client devices on the General Availability Channel and the Long-term Servicing Channel (LTSC). Update Compliance counts Windows Insider Preview devices, but does not currently provide detailed deployment insights for them.
- Diagnostic data requirements: Update Compliance requires devices to send diagnostic data at Required level (previously Basic). Some queries in Update Compliance require devices to send diagnostic data at Optional level (previously Full) for Windows 11 devices or Enhanced level for Windows 10 devices. To learn more about what's included in different diagnostic levels, see Diagnostics, feedback, and privacy in Windows.
- Data transmission requirements: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at Configuring Devices for Update Compliance manually.
- Showing device names in Update Compliance: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt in devices by using policy. The steps to accomplish this are outlined in Configuring Devices for Update Compliance.
- Azure AD device join: All devices enrolled in Update Compliance must meet all prerequisites for enabling Windows diagnostic data processor configuration, including the Azure AD join requirement. This prerequisite will be enforced for Update Compliance starting on October 15, 2022.
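As an added example (not part of the original documentation), the prerequisites above can be checked against an exported device inventory before enrollment. The record field names, the "Off" level label, and the sample devices are constructed for illustration.

```python
# Added example: audit a device inventory against the prerequisites listed above.
SUPPORTED_OS = {"Windows 10", "Windows 11"}
SUPPORTED_EDITIONS = {"Professional", "Education", "Enterprise"}
# Diagnostic data levels, lowest to highest (Required was Basic, Optional was Full).
LEVEL_RANK = {"Off": 0, "Required": 1, "Enhanced": 2, "Optional": 3}
# Level that some Update Compliance queries need, per OS.
FULL_QUERY_LEVEL = {"Windows 10": "Enhanced", "Windows 11": "Optional"}

def check_device(dev):
    """Return (blockers, warnings) for one inventory record (hypothetical fields)."""
    blockers, warnings = [], []
    os_name, edition = dev["os"], dev["edition"]
    # The page names Enterprise multi-session for Windows 10 only.
    multi_session = os_name == "Windows 10" and edition == "Enterprise multi-session"
    if os_name not in SUPPORTED_OS:
        blockers.append("unsupported OS")
    elif edition not in SUPPORTED_EDITIONS and not multi_session:
        blockers.append("unsupported edition")
    if dev["channel"] == "Windows Insider Preview":
        warnings.append("counted, but no detailed deployment insights")
    # An unknown level label is treated as below Required.
    rank = LEVEL_RANK.get(dev["diag_level"], 0)
    if rank < LEVEL_RANK["Required"]:
        blockers.append("diagnostic data below Required")
    elif os_name in FULL_QUERY_LEVEL and rank < LEVEL_RANK[FULL_QUERY_LEVEL[os_name]]:
        warnings.append("some queries need " + FULL_QUERY_LEVEL[os_name] + " level")
    if not dev["aad_joined"]:
        blockers.append("not Azure AD joined")
    return blockers, warnings

def audit(inventory):
    """Map device name -> (blockers, warnings) for every record."""
    return {dev["name"]: check_device(dev) for dev in inventory}

# Constructed sample inventory (not real devices).
SAMPLE = [
    {"name": "PC-01", "os": "Windows 11", "edition": "Enterprise",
     "channel": "General Availability Channel", "diag_level": "Optional", "aad_joined": True},
    {"name": "PC-02", "os": "Windows 10", "edition": "Professional",
     "channel": "LTSC", "diag_level": "Required", "aad_joined": False},
    {"name": "SRV-01", "os": "Windows Server", "edition": "Datacenter",
     "channel": "LTSC", "diag_level": "Off", "aad_joined": True},
]

if __name__ == "__main__":
    for name, (blockers, warnings) in audit(SAMPLE).items():
        print(name, "BLOCKED" if blockers else "OK", blockers, warnings)
```

Devices with an empty blockers list meet the listed prerequisites; warnings mark reduced coverage rather than a failed enrollment.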
Add Update Compliance to your Azure subscription
Update Compliance is offered as an Azure Marketplace application that is linked to a new or existing Azure Log Analytics workspace within your Azure subscription. To add the solution in the following steps, you must have at least the Owner or Contributor Azure role.
To configure this, follow these steps:
- Go to the Update Compliance page in the Azure Marketplace. You might need to log in to your Azure subscription to access this.
- Select Get it now.
- Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a Compatible Log Analytics region from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data.
- After your workspace is configured and selected, select Create. You'll receive a notification when the solution has been successfully created.
Once the solution is in place, you can leverage one of the following Azure roles with Update Compliance:
- To edit and write queries, we recommend the Log Analytics Contributor role.
- To read and only view data, we recommend the Log Analytics Reader role.
|Compatible Log Analytics regions|
|East US 2|
|North Central US|
|South Africa North|
|South Central US|
|West Central US|
|West US 2|
Programmatically enrolling in Update Compliance through the Azure CLI or otherwise is not currently supported. You must manually add Update Compliance to your Azure subscription.
Get your CommercialID
A CommercialID is a globally unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment.
To find your CommercialID within Azure:
- Navigate to the Solutions tab for your workspace, and then select the WaaSUpdateInsights solution.
- From there, select the Update Compliance Settings page on the navbar.
- Your CommercialID is available in the settings page.
Regenerate your CommercialID only if your original ID can no longer be used or if you want to completely reset your workspace. Regenerating your CommercialID cannot be undone and will result in you losing data for all devices that have the current CommercialID until the new CommercialID is deployed to devices.
Enroll devices in Update Compliance
Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance:
- Check the policies, services, and other device enrollment requirements in Manually configuring devices for Update Compliance.
- If you use Microsoft Endpoint Manager, you can follow the enrollment process documented at Configuring devices for Update Compliance in Microsoft Endpoint Manager.
- Finally, you should run the Update Compliance Configuration Script on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues.
After you configure devices, the diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling in Update Compliance doesn't influence the rate at which required data is uploaded from devices. A device's connectivity to the internet and how active it generally is strongly influence how long it takes before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
Update Compliance and Desktop Analytics
If you use or plan to use Desktop Analytics, you must use the same Log Analytics workspace for both solutions.