Get started with Update Compliance

This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.

  1. Ensure you can meet the requirements to use Update Compliance.
  2. Add Update Compliance to your Azure subscription.
  3. Configure devices to send data to Update Compliance.

After adding the solution to Azure and configuring devices, there will be a waiting period of up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to Use Update Compliance to monitor Windows Updates and Delivery Optimization.

Update Compliance prerequisites

Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:

  1. Compatible Operating Systems and Editions: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as Windows 10 Enterprise multi-session. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
  2. Compatible Windows 10 Servicing Channels: Update Compliance supports Windows 10 devices on the Semi-Annual Channel (SAC) and the Long-term Servicing Channel (LTSC). Update Compliance counts Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them.
  3. Diagnostic data requirements: Update Compliance requires devices be configured to send diagnostic data at Required level (previously Basic). To learn more about what's included in different diagnostic levels, see Diagnostics, feedback, and privacy in Windows 10.
  4. Data transmission requirements: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at Configuring Devices for Update Compliance manually.
  5. Showing Device Names in Update Compliance: For Windows 10 1803+, device names will not appear in Update Compliance unless you individually opt-in devices via policy. The steps to accomplish this is outlined in Configuring Devices for Update Compliance.

Add Update Compliance to your Azure subscription

Update Compliance is offered as an Azure Marketplace application which is linked to a new or existing Azure Log Analytics workspace within your Azure subscription. To configure this, follow these steps:

  1. Go to the Update Compliance page in the Azure Marketplace. You may need to login to your Azure subscription to access this.
  2. Select Get it now.
  3. Choose an existing or configure a new Log Analytics Workspace. While an Azure subscription is required, you will not be charged for ingestion of Update Compliance data.
  4. After your workspace is configured and selected, select Create. You will receive a notification when the solution has been successfully created.

Note

It is not currently supported to programmatically enroll to Update Compliance via the Azure CLI or otherwise. You must manually add Update Compliance to your Azure subscription.

Get your CommercialID

A CommercialID is a globally-unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment.

To find your CommercialID within Azure:

  1. Navigate to the Solutions tab for your workspace, and then select the WaaSUpdateInsights solution.
  2. From there, select the Update Compliance Settings page on the navbar.
  3. Your CommercialID is available in the settings page.

Important

Regenerate your CommercialID only if your original ID can no longer be used or if you want to completely reset your workspace. Regenerating your CommercialID cannot be undone and will result in you losing data for all devices that have the current CommercialID until the new CommercialID is deployed to devices.

Enroll devices in Update Compliance

Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance.

Note

After configuring devices via one of the two methods below, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices.

Configure devices using the Update Compliance Configuration Script

The recommended way to configure devices to send data to Update Compliance is using the Update Compliance Configuration Script. The script configures required policies via Group Policy. The script comes with two versions:

  • Pilot is more verbose and is intended to be use on an initial set of devices and for troubleshooting.
  • Deployment is intended to be deployed across the entire device population you want to monitor with Update Compliance.

To download the script and learn what you need to configure and how to troubleshoot errors, see Configuring Devices using the Update Compliance Configuration Script.

Configure devices manually

It is possible to manually configure devices to send data to Update Compliance, but the recommended method of configuration is to use the Update Compliance Configuration Script. To learn more about configuring devices manually, see Manually Configuring Devices for Update Compliance.