Using Microsoft Intune and Update Compliance for monitoring and reporting
Published Mar 02 2021 08:00 AM
Microsoft

During AMAs and Office Hours, we often receive questions about reporting. Today's post outlines cloud-based Windows 10 update monitoring and reporting solutions available to you through Microsoft Intune and Update Compliance.

Over the past year, organizations worldwide have seen a drastic shift to remote and hybrid workforces. This shift drives new and increasingly important requirements around monitoring and reporting for Windows 10 devices, regardless of whether they are at home or in the office. The need to ensure devices remain secure, up to date, and running smoothly has not changed with shifts in device location.

Utilizing a combination of built-in reporting capabilities and custom solutions can help ensure that you can meet the reporting needs of your business, regardless of the current geographical structure of your workforce. We'll also help you use Azure Monitor Workbooks with Update Compliance data to build custom experiences to get more from your data.

Using Intune to control and monitor Windows 10 updates

Microsoft Intune is Microsoft’s cloud-based mobile device management (MDM) offering. Microsoft Intune integrates with the Windows Update for Business deployment service to offer a new type of policy: the feature update policy. This policy allows device managers to specify a Windows 10 release version that should be offered to devices under management. This new functionality provides prescriptive control to device managers and complements the existing Windows update rings, which allow for specification of an update cadence rather than approving specific content. Complementing this feature update policy is a new set of reporting capabilities designed to give insight into how feature updates are deploying across the organization.

Feature update and feature update failure reporting

The feature update and feature update failures reports provide organizational and operational level insight into the update status of devices being managed using feature update policies. After you configure an Intune data collection policy, these reports show, on a per-device basis, the status of deploying the given feature update. For example, they show when a device is downloading a specific update, needs to restart to apply the update, or has update issues that need attention (update issues contain descriptions of the issue and recommended actions to remediate them).

Depending on which approach your organization has taken for managing Windows 10 updates, you have different reporting capabilities available. The following chart outlines each approach and associated reporting capabilities with Windows 10 update rings versus Windows 10 feature update policies. These policies are complementary to one another, meaning they can be used together for complete Windows Update control on the client, as well as in the cloud.

rpt01_reporting-mgmt.png

The Windows 10 feature update policy and accompanying feature update reports are just the beginning of a suite of new cloud update management and reporting capabilities for Intune: we will be expanding to cumulative updates (Windows 10 quality/security updates) and more content types in the future. We look forward to you trying out these new capabilities and providing feedback!

Now, we want to shift gears and mention a service complementary to Intune: Update Compliance.

Windows 10 monitoring and reporting with Update Compliance

Update Compliance is a service available in Azure that uses the Windows diagnostic data your devices send to Microsoft to create reports that give information about a device’s Windows 10 update compliance. All data powering the reports is available in Azure Monitor Logs, enabling additional querying, alerting, and the ability to make custom reports in Power BI, Excel, or Azure Monitor Workbooks. The key benefit of this service is that it’s standalone and can be used in conjunction with any service you use to manage or monitor Windows 10 devices and updates. For example, it works with devices enrolled to Configuration Manager and Intune, as well as third-party update management solutions. Another key benefit is that it does not require an agent running on machines; it only requires that devices send diagnostic data to Microsoft and the deployment of a Commercial ID – an identifier Microsoft uses to establish device “ownership” to an organization to maintain data appropriately.

The key features of Update Compliance are the following:

  • A Needs attention! section for summarizing update and device issues in your organization, like when devices are on End of Service or have failed to install an update at some point in the process. It also gives information about devices under Safeguard holds. Errors include information like error code, a description of the error, and recommended actions.
  • A Security Update Status section showing which devices are on the latest security updates, and a detailed deployment status (Success, In progress, Failed) for the latest two security updates across all devices.
  • A Feature Update Status section showing which devices are on the latest feature update, with a similar detailed deployment status as the Security Updates section.
  • A Delivery Optimization in Update Compliance section for devices using Delivery Optimization, a peer-to-peer Windows Update download solution to reduce bandwidth usage for Windows Updates. It includes a summary of the device’s Delivery Optimization configuration, as well as how much bandwidth has been saved across different Windows Update content types (feature update, quality update, drivers, apps, etc.) over the past 28 days.

Finally, Update Compliance provides significant value considering the fact its data resides in Azure Monitor Logs. Beyond the ability to make custom alerts based on query results, export data to Power BI or CSV (or query via API), and write custom queries in the Kusto Query Language to dive deep into your data, you can also create entirely new and customizable, sharable experiences with Azure Monitor Workbooks.

Update Compliance with Azure Monitor Workbooks

Workbooks provide a flexible canvas for data analysis and rich visual reports within the Azure portal. They allow you to tap into multiple Azure data sources and combine them into unified interactive experiences.

We recently released a new Workbook Template that uses Update Compliance data to show safeguard holds in your Update Compliance device population. Workbook Templates serve as curated reports that are designed for flexible reuse by multiple users and teams. Templates can be saved as an individual resource in Azure or shared. They can be customized or used out-of-the-box.

Thanks to Azure Workbooks, the safeguard holds template is powerful, useful, and easy to create! Best of all, you, too, can make powerful Workbooks with Update Compliance data. If you’d like to learn how to make Workbooks yourself, visit https://aka.ms/WindowsAtIgnite and look up our session on Windows 10 update monitoring and reporting. It includes a comprehensive demo that starts from zero and shows you how to create a Security Update Velocity (adoption-over-time) view in Workbooks.

Now, let’s jump into how to access and use the safeguard holds template.

Navigating to the safeguard holds template

  1. Navigate to the Update Compliance solution by going to your Log Analytics workspaces and selecting the Log Analytics workspace where your Update Compliance data resides. Ensure the appropriate Subscription is selected.

    rpt02_update-compliance.png
  2. Once in the Workspace, navigate to Solutions and click WaaSUpdateInsights (the solution for Update Compliance).
  3. You will now be in the Solution’s context. From here, click Workbooks on the side navigation panel.

    rpt03_update-compliance.png

    safeguard_workbook_template.png
  4. You are now in the Update Compliance Workbooks gallery. You can see recently modified workbooks, create a new one under Quick start, and view Public Templates. The WaaSUpdateInsights template houses the Safeguard Holds template.

Note: The WaaSUpdateInsights (Update Compliance) Workbooks Gallery will only show Workbooks that were modified or created within the context of the Update Compliance solution, whereas the broader Workbooks Gallery will show Workbooks in any context (which you have permissions to access). Workbooks created here also assume the solution’s Log Analytics subscription and workspace. In contrast, if you create a Workbook from the broader Workbooks Gallery, you must add parameters within each step that define the subscription and Log Analytics workspace to use.

 

The feature to have Solution-specific Workbooks is going away in June, so we recommend using the Workbooks Gallery to create Workbooks.

Using the safeguard holds template

rpt05_safeguard-holds.png

Safeguard holds temporarily prevent a device with a known issue in a new update from being offered that update. When the issue is verified as fixed, the update is made available to the device through Windows Update. The goal of safeguard holds is to ensure a smooth and safe update experience for every device. However, when deploying large-scale updates with a specific goal in mind for adoption, safeguard holds can hinder update velocity.

The safeguard holds template is intended to help you quickly identify safeguard holds across your organization with the Safeguard Hold distribution tab. The template includes instructions for identifying what safeguard hold identifiers resolve to (as in, a specific compatibility issue with an app, driver, etc.). This information can be used to determine whether to opt devices out of safeguard holds, which will enable devices to take an update they are currently being held back from.

If you decide to opt devices out of a certain safeguard hold, you can find the list of devices with the given safeguard hold identifier in the safeguard hold device view tab, pictured below.

rpt06_safeguard-holds.png

In this tab, you can input a safeguard hold ID and retrieve a list of devices under that safeguard hold ID. Note that devices may be under more than one safeguard hold, and the safeguard hold opt-out is device-wide, meaning they are opted-out of all safeguard holds when performing the opt-out.

You can export this list to Power BI or CSV by using the icons to the right of the device list, where you can take further action.
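Because the opt-out is device-wide, it helps to check an exported list for devices that sit under more than one hold before acting on it. The following is an added example, not part of the original post or of the Microsoft template. It assumes a CSV with one row per device and hold pair (for instance, several per-hold exports concatenated); the column names `Computer` and `SafeguardHoldId` and all sample values are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names and hold IDs are assumptions
# for this example, not the template's actual export schema.
SAMPLE_EXPORT = """\
Computer,SafeguardHoldId
PC-001,11111111
PC-001,22222222
PC-002,11111111
PC-003,22222222
PC-004,11111111
PC-004,33333333
"""


def holds_by_device(csv_text):
    """Map each device name to the set of safeguard hold IDs it is under."""
    holds = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        device = (row.get("Computer") or "").strip()
        hold_id = (row.get("SafeguardHoldId") or "").strip()
        if device and hold_id:  # skip blank or malformed rows
            holds[device].add(hold_id)
    return dict(holds)


def opt_out_impact(csv_text, target_hold_id):
    """Split devices under target_hold_id into those held only by it and
    those that a device-wide opt-out would also release from other holds."""
    only_target, also_released = [], {}
    for device, ids in sorted(holds_by_device(csv_text).items()):
        if target_hold_id not in ids:
            continue
        others = ids - {target_hold_id}
        if others:
            also_released[device] = sorted(others)
        else:
            only_target.append(device)
    return only_target, also_released


if __name__ == "__main__":
    safe, review = opt_out_impact(SAMPLE_EXPORT, "11111111")
    print("Held only by 11111111:", safe)
    for device, others in review.items():
        print(f"{device}: opt-out also lifts holds {', '.join(others)}")
```

Devices in the second group are the ones to review first, since opting them out releases them from holds you have not yet evaluated.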

The safeguard holds template is the beginning of a new future for Update Compliance. Update Compliance will begin leveraging Workbooks more and more in the future with Microsoft-offered Workbook templates, and we hope that with this presentation, you start experimenting with Workbooks to build your own custom experiences.

Conclusion

We reviewed a set of new Windows 10 feature update management and reporting features in Intune, with cloud-based Windows Update control and granular end-to-end update deployment reporting. These features are a set of new ways to control and monitor devices that will expand to other content types beyond feature updates over time. We also reviewed Update Compliance and how the data powering Update Compliance can be used to create Workbooks, showing the new safeguard holds template as an example for what you can create.

We encourage you to try out both the new features in Intune as well as Workbooks with Update Compliance, and hope you look forward to us expanding in these areas in the future. If you would like to learn a little more about each of these areas and see a demo about building a Workbook out of Update Compliance data, view this video:

 

 

Last update: Mar 17 2021 02:51 PM