Update Compliance prerequisites

(Applies to: Windows 11 & Windows 10)

Important

  • This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
  • Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet US Government community compliance (GCC) requirements. For a list of GCC offerings for Microsoft products and services, see the Microsoft Trust Center. Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers.

Before you begin the process of adding Update Compliance to your Azure subscription, ensure you meet the prerequisites.

Azure and Azure Active Directory

  • An Azure subscription with Azure Active Directory
  • You need at least the Owner or Contributor Azure role to add the Update Compliance solution.
  • Devices must be Azure Active Directory-joined and meet the OS, diagnostic data, and endpoint access requirements below.
  • Devices that are only Workplace-joined (Azure AD registered) aren't supported with Update Compliance.

Operating systems and editions

Update Compliance only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.

Windows client servicing channels

Update Compliance supports Windows client devices on the following channels:

  • General Availability Channel
  • Update Compliance counts Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them.

Diagnostic data requirements

At minimum, Update Compliance requires devices to send diagnostic data at the Required level (previously Basic). Some queries in Update Compliance require devices to send diagnostic data at the following levels:

  • Optional level (previously Full) for Windows 11 devices

  • Enhanced level for Windows 10 devices

    Note

    Device names don't appear in Update Compliance unless you opt in devices individually by using policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names:

    • CSP: System/AllowDeviceNameInDiagnosticData
    • Group Policy: Allow device name to be sent in Windows diagnostic data under Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds

For more information about what's included in different diagnostic levels, see Diagnostics, feedback, and privacy in Windows.

Data transmission requirements

Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data:

Endpoint | Function
https://v10c.events.data.microsoft.com | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Update Compliance.
https://v10.vortex-win.data.microsoft.com | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier.
https://settings-win.data.microsoft.com | Required for Windows Update functionality.
https://adl.windows.com | Required for Windows Update functionality.
https://watson.telemetry.microsoft.com | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur.
https://oca.telemetry.microsoft.com | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes.
https://login.live.com | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc).
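
One way to verify the endpoint requirements above from a client device, as an added example that is not part of the original documentation: for each host in the table it checks DNS resolution, a TCP connection on port 443, and a TLS handshake with default certificate validation, then reports the state of the wlidsvc service. The function name Test-PrereqEndpoint and the 5-second timeout are assumptions made for the example.

```powershell
# Added example. Host names are copied from the endpoint table above.
$Endpoints = @(
    'v10c.events.data.microsoft.com',      # Windows 10, version 1803 and later
    'v10.vortex-win.data.microsoft.com',   # Windows 10, version 1709 or earlier
    'settings-win.data.microsoft.com',
    'adl.windows.com',
    'watson.telemetry.microsoft.com',
    'oca.telemetry.microsoft.com',
    'login.live.com'
)

function Test-PrereqEndpoint {             # hypothetical helper name
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $r = [ordered]@{ Endpoint = $HostName; Dns = $false; Tcp = $false; Tls = $false; Error = $null }
    $client = $null; $ssl = $null
    try {
        [void][System.Net.Dns]::GetHostAddresses($HostName)
        $r.Dns = $true
        $client = New-Object System.Net.Sockets.TcpClient
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw "TCP connect timed out after $TimeoutMs ms"
        }
        $r.Tcp = $true
        # Default validation: the certificate chain and host name must both check out.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $r.Tls = $true
    } catch {
        $r.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($client) { $client.Close() }
    }
    [pscustomobject]$r
}

$results = $Endpoints | ForEach-Object { Test-PrereqEndpoint -HostName $_ }
$results | Format-Table -AutoSize

# login.live.com also depends on the Microsoft Account Sign-in Assistant service.
$svc = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
if ($null -eq $svc) { Write-Warning 'wlidsvc service not found' }
elseif ($svc.Status -ne 'Running') {
    Write-Warning "wlidsvc is $($svc.Status) (StartType: $($svc.StartType))"
}

$failed = @($results | Where-Object { -not $_.Tls })
if ($failed) { Write-Warning "Failed checks: $($failed.Endpoint -join ', ')" }
```

The check opens a direct socket and does not use any configured proxy, so a failure on a proxied network should be confirmed against the proxy's allow list. A row where Tcp succeeds but Tls fails indicates that something on the path is presenting a certificate the device does not trust for that host name.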

Note

Enrolling into Update Compliance from the Azure CLI or enrolling programmatically another way currently isn't supported. You must manually add Update Compliance to your Azure subscription.

Microsoft 365 admin center permissions (currently optional)

When you use the Microsoft admin center software updates (preview) page with Update Compliance, the following permissions are also needed:

Log Analytics prerequisites

Log Analytics permissions

Log Analytics regions

Update Compliance can use a Log Analytics workspace in the following regions:

Compatible Log Analytics regions
Australia Central
Australia East
Australia Southeast
Brazil South
Canada Central
Central India
Central US
East Asia
East US
East US 2
Eastus2euap(canary)
France Central
Japan East
Korea Central
North Central US
North Europe
South Africa North
South Central US
Southeast Asia
Switzerland North
Switzerland West
UK West
UK South
West Central US
West Europe
West US
West US 2
