MSEndpointMgr

Update Compliance – Checking client prerequisites

Background

Before you can begin to process Update Compliance data from your devices, you must first ensure that they meet the requirements to participate in the Update Compliance process. Update Compliance uses Windows client diagnostic data for all of its reporting. It collects data for update deployment progress, Windows Update for Business configuration data, and Delivery Optimization usage data. Collected data is sent to a customer-owned Azure Log Analytics workspace.

Sometimes we observe discrepancies with actual vs expected Log Analytics Data. This can often be because the client is failing to meet the prerequisites to collect or send its diagnostic data. The aim of this post is to help you identify the reason(s) why your devices may not be sending telemetry in the expected way.

TL;DR The Check-UpdateComplianceSettings.ps1 script in this post will check that the device meets the prerequisites to send diagnostic data to Update Compliance. The script is designed to be run as a Proactive Remediation from Intune and is based on a similar script Microsoft provides for Update Compliance health and remediation

The solution outlined in this post is aimed at Intune managed devices. Microsoft do provide a script and some other binaries to check and remediate Update Compliance issues on devices. The Microsoft solution works well but I don’t like to deviate from Configuration Profiles if I can help it. IMO, there are already many configuration options in Intune and adding a script with binaries to configure Update Compliance draws me too far away from a position I am comfortable with.

Client Prerequisites

Windows 10/11

Update Compliance works only with Windows 10 or Windows 11 – that should be pointed out straight away. If we were to expand on that point, only the Pro, Education and Enterprise SKUs are supported. A compatibility matrix can be found below

Windows 10Windows 11Windows ServerSurface HubIoTOther
Home
Professional✔️ ✔️
Education✔️ ✔️
Enterprise✔️ ✔️
Enterprise Multi-session✔️ ✔️
Supported OS for Update Compliance

Required Endpoints

The device must be able to contact certain endpoints for both authentication and sending of diagnostic data. It is important to make consideration for the following endpoints on your proxy or firewall

  • https://v10c.events.data.microsoft.com
  • https://v10.vortex-win.data.microsoft.com
  • https://settings-win.data.microsoft.com
  • http://adl.windows.com
  • https://watson.telemetry.microsoft.com
  • https://oca.telemetry.microsoft.com
  • https://login.live.com

Required Services

It is difficult to single out individual Windows services and dependencies but specific to Update Compliance, the following services are required to be present and healthy

  • wlidsvc (Microsoft Account Sign-in Assistant)
  • diagtrack (Connected User Experiences and Telemetry)

Required Policies

We can now use the Settings Catalog to configure all Update Compliance settings instead of Custom Configuration Profiles

Settings Catalog

Required Windows Configuration

Other information that is required to be present and healthy for the device to process and send diagnostics for Update Compliance

  • SQMID The Windows SQM (Software Quality Metrics) device identifier
  • UTC CSP The Win32CompatibilityAppraiser configuration service provider

Solution

Check-UpdateComplianceSettings.ps1 is a script designed to be deployed as a pre-remediation detection script using a Proactive Remediations in Endpoint Analytics.

The script must be run in the SYSTEM context

When creating the Proactive Remediation, ensure you select to run as 64-bit PowerShell

Run script in 64-bit PowerShell

The script will check the following conditions on the device

  • CheckSqmID
  • CheckCommercialId
  • CheckTelemetryOptIn
  • CheckConnectivityURL(s)
  • CheckUtcCsp
  • CheckDiagtrackDLLVersion
  • CheckDiagtrackService
  • CheckMSAService
  • CheckAllowDeviceNameInTelemetry
  • CheckAllowUpdateComplianceProcessing
  • CheckAllowWUfBCloudProcessing
  • CheckConfigureTelemetryOptInChangeNotification
  • CheckConfigureTelemetryOptInSettingsUx

If some conditions do not PASS the tests successfully a hard fail is recorded and the pre-remediation detection script will exit with a code of 1 (Fail) and the failure(s) will be listed in the pre-remediation detection output column

Failed test results are displayed

If all tests PASS successfully, OK will be listed in the pre-remediation detection output column

If all tests pass OK is displayed

Interactive Option

You can view more detailed information if you run the script interactively on a client. You may wish to do this while troubleshooting an issue.

The script needs to be run in 64 bit PowerShell and in the SYSTEM context. You can achieve this by using PSEXEC (64bit) included in PSTools from Sysinternals

psexec64 -s -i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Running 64bit PowerShell as SYSTEM

The script accepts 2 parameters

  • Detailed – This option outputs the results in a table
  • ExportJSON – This option outputs the results as a JSON.
No parameter passed
Detailed parameter passed
Export-JSON parameter passed

Next Steps

We intend to ingest the device Update Compliance health into Log Analytics so we can compare any Update Compliance reporting anomalies with the last successful OK health status of the device from the proactive remediation.

Proactive Remediations are very versatile. This solution doesn’t contain a remediation script but we can see how powerful it can be just to collect information for inventory and troubleshooting.

Reach out if you need help, Ben.

Ben Whitmore

Microsoft MVP - Enterprise Mobility, Microsoft Certified Trainer and Microsoft 365 Certified: Enterprise Administrator Expert. Community driven and passionate Customer Engineer Lead at Patch My PC with over 2 decades of experience in driving adoption and technology change within the Enterprise.

2 comments

  • Hi Ben, awesome idea. Eager to try it out.

    Tried to implement, but when I want to add the detection script, I get the following error:
    Selected file ‘Check-UpdateComplianceSetting.ps1’ must be between 1 and 200000 bytes.

    The file I’ve downloaded is 417kb (417000bytes)

    Have you seen this before?

    Thks

    • Hey, thanks for the feedback 🙂

      The script is only 30kb, it sounds like you are saving file as from GitHub which is saving it as a html? Wild guess though.

      Try viewing the code as raw and copying to a new file or clone the repository using Github desktop and grabbing the file that way?

      Good luck 🙂

Sponsors

Categories

MSEndpointMgr.com use cookies to ensure that we give you the best experience on our website.