You can read more about it in the docs at Windows update settings for Intune.
Update Ring Reporting
In the MEM admin center portal, you can quickly get the deployment status for all update rings for all devices and users from the Devices | Overview page. Scroll all the way over to the right on the top menu bar and you’ll see Software update status. Click that and you’ll be presented by an overview of all things software update rings. Here, you’ll get the bird’s eye view of how your update rings are progressing. How many devices have succeeded, errored, failed, or are pending. It’s an overview for all your devices on any update ring. If you want to get a little deeper, you can check on individual device status for a particular update ring. You can do that under Devices -> Monitor-> Per update ring deployment status-> <update ring>:
Update Compliance
Update Compliance is a free Azure service that allows you to monitor Windows 10 update rollouts based on what WUfB is hearing from the Windows telemetry being sent by your devices. It’s another cross-service integration that runs in parallel to everything you’re doing with Intune. Intune doesn’t manage Update Compliance, but you do need to tell your devices to talk to it and that’s where Intune comes in.Before going further, make sure that the devices you want to monitor meet the Update Compliance prerequisites!
Get Update Compliance
To get started using Update Compliance, you’re going to need to add it to your Azure subscription. It’s available in the Azure Marketplace and easy to set up. Just click GET IT NOW, log in with your Azure subscription (if prompted), and then just go with the flow as the service is added to your subscription.
You are not charged for update data stored or accessed from Update Compliance workspaces.While you’re in the Azure portal, go to the Log Analytics Workspace you just selected or created (Azure -> Log Analytics workspaces-> <your workspace>). Under General on the left-side, select Solutions and then click on WaaSUpdateInsights (<your workspace name>). Once there, select Update Compliance Settings under Settings. Now, grab that Commercial Id Key, you’re going to need that:
Configure and Enroll Devices
With CommercialID in hand, you’re ready to go to the MEM admin center portal and start putting your keyboard to work making a custom OMA-URI device configuration profile to enable Update Compliance settings. You’re going to need a total of four custom policy settings to configure devices to play nice with Update Compliance:- Provider/MS DM Server/CommercialID. This identifies the device as one of yours when it talks to WUfB. See the option to Regenerate the ID Key in that screen shot above? If you do that, you’ll basically wipe all update compliance data for your organization, and you’ll have to redeploy the CommercialID setting to all your devices to start over from scratch.
- System/AllowTelemetry. What level of diagnostics data do you want to send to Microsoft?
- System/ConfigureTelemetryOptInSettingsUx. This policy setting prevents users from changing the telemetry level you just set with the above policy (Update Compliance requires a minimum level of Basic).
- System/AllowDeviceNameInDiagnosticData. This setting tells devices it’s OK to send their computer name along with their telemetry. You’re after device-level data, so it makes sense you’d need to know the device name. At least it does to me.
Yes, there is an Update Compliance Configuration Script available if you want to use GPOs to configure these settings. There’s no requirement to use Intune to do this “manually”, but it’s how I do it and considering you’ve stuck with me so far, I’m going to guess that’s what you want to do too.Head over to the MEM admin center and create the device configuration profile: MEM admin center > Devices > Configuration profiles > + Create Profile. Select Windows 10 and later as the platform and Custom as the profile type. Give the profile a nice name and description and then click Next to get to the good stuff on the Configuration settings tab. Click Add to start adding rows of custom policy settings. You’ll need to add four rows with each containing information for: name, description, a case-sensitive OMA-URI path (watch out for trailing spaces!), a data type, and of course, the value you want to set. Add those rows like so (I’ll leave the names and descriptions up to you): Commercial ID
| OMA-URI path | ./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID |
| Data type | String |
| Value | <Your commercial ID> |
| OMA-URI path | ./Vendor/MSFT/Policy/Config/System/AllowTelemetry |
| Data type | Integer |
| Value | 1 |
| OMA-URI path | ./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx |
| Data type | Integer |
| Value | 1 |
| OMA-URI path | ./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData |
| Data type | Integer |
| Value | 1 |
If you’re curious about what’s going on here, go read my earlier blog post about how to create custom OMA-URI policies.Deploy the device configuration profile to your Windows 10 devices and then keep an eye on the configuration profile overview screen to be sure the policy gets applied successfully. You should also now see something like this as you peruse individual device status’.
Update Compliance in Action
Now that you’ve set up Update Compliance and used Intune to configure your Windows 10 devices to send compliance data to the log analytics workspace, the exciting part begins. Go to the Update Compliance workspace summary at Azure portal > Log Analytics workspaces > <Your workspace> and then click Workspace summary under General.
By selecting a row of data, you can drill-down into the update compliance data for more information. For example, let’s click on Failed under Update issues above so we can see what’s going on. A Log Analytics query opens and there’s the data you’re looking for. Looks like we had four Windows 10, 2004 devices fail to install KB4566782 (the cumulative monthly roll-up for August 2020) due to lack of disk space:In addition to the data displayed in this section, you can also download the Setup Diagnostic Tool. That tool is handy if you need to troubleshoot why a Windows 10 upgrade was unsuccessful. Kind of out of scope for this blog post, but figured I’d let you know.
Sometimes there’s a lot more going on behind the scenes than the default reports show you. That DeploymentError column isn’t there by default. To see it, just click on Columns and select it. I also moved the ReleaseName column over a few spaces so it’d be in the screen shot.Finally, all the way to the right is a great list of example queries to run against the Update Compliance data stored in your Log Analytics workspace. I talked a little bit about how this works in Using Log Analytics with Intune, but if you’re even slightly familiar with Kusto Query Language (KQL), you’ll be able to deep dive into your data within a few minutes.
The Best of Both Worlds
There’s a lot of data in Update Compliance, but maybe you personally only care about a few specific reporting points. Something simple like my earlier example of a report that shows which devices are missing this month’s update roll-up. You can easily create workbooks like that in the Log Analytics workspace, and you can also create them from within the MEM admin center portal. Go to MEM admin center > Reports > Workbooks and create a new workbook. Change the source Log Analytics workspace to the one you’re using for Update Compliance and query away.
Save the report and it’ll always be there for you right in the MEM admin center.
You’ve seen my blog; want to follow me on Twitter too? @JeffGilb
