Lately I have been helping many people with moving their update workloads from Configuration Manager and WSUS to Windows Update for Business. The one thing I get the most questions about with the move to Windows Update for Business is how to monitor update compliance. The computers are now pointing to the internet for updates, and as a result, no longer report update compliance information to Configuration Manager or WSUS. The answer to this is the Update Compliance solution in Azure Log Analytics.
Update Compliance is a free solution that can be added to a log analytics workspace. Once it is configured, computers can be configured to report update compliance information to the solution. For information about configuring Update Compliance see the Microsoft Docs.
Update Compliance is pretty good out of the box. It returns back useful information about the status of updates, delivery optimization, Windows Defender, and more. However, I have been getting many questions about how to view more detailed or specific information in Update Compliance. Many of the default views either show too little or too much information.
The way to dig into this data and get more specific information is to utilize the Logs node of the log analytics workspace. This node allows for the creation of custom queries that can surface specific data. More information about analyzing log data in Azure can be found Here.
In this post I have included examples of many queries I have found to be useful for analyzing Update Compliance data.
A few notes about the queries
-
- When the queries are run, no computer names are returned or the computer name is returned as a # sign
- This can be a sign that devices have not been allowed to include their device names as part of the data sent to the log analytics workspace. This setting can be configured either through group policy or Policy CSP (Intune).
- The group policy location for the setting is
- Computer Configuration > Policies > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow device name to be sent in Windows diagnostic data
- The Policy CSP location for the setting is
- The group policy location for the setting is
- When the queries are run, no computer names are returned or the computer name is returned as a # sign
-
- In these examples, the time range to search is being set to 30 days in the queries by TimeGenerated > ago(30d). This can be removed and the time range can be set in the GUI, or this value can be modified.
-
- Some of these examples search for a specific computer name or set values like DeploymentStatus and UpdateCategory. Note that the values in these queries are case sensitive. So if a result is not being displayed as expected, check the case.
-
- Some of these example queries contain filters for UpdateCategory and DeploymentStatus. These are the available values for these filters. Remember that these values are case sensitive.
- UpdateCategory
- Quality
- Feature
- DeploymentStatus
- Update completed
- In progress
- Progress stalled
- Failed
- Unknown
- UpdateCategory
- Some of these example queries contain filters for UpdateCategory and DeploymentStatus. These are the available values for these filters. Remember that these values are case sensitive.
Update Installation Status Queries
List Operating System Information – All Computers
WaaSUpdateStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(OSVersion, OSArchitecture, OSEdition) by Computer
List Operating System Information – Specific Computer
WaaSUpdateStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(OSVersion, OSArchitecture, OSEdition) by Computer
List Feature and Quality Update Status – All Computers
WaaSUpdateStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(OSFeatureUpdateStatus, OSQualityUpdateStatus) by Computer
List Feature and Quality Update Status – Specific Computer
WaaSUpdateStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(OSFeatureUpdateStatus, OSQualityUpdateStatus) by Computer
List Updates in a Specific State – All Computers
WaaSDeploymentStatus
| where UpdateCategory == "Quality" and DeploymentStatus == "Failed" and TimeGenerated > ago(30d)
| summarize arg_max(ReleaseName, DeploymentStatus, DetailedStatus, DetailedStatusLevel) by Computer
List Updates in a Specific State – Specific Computer
WaaSDeploymentStatus
| where Computer == "COMPUTERNAME" and UpdateCategory == "Quality" and DeploymentStatus == "Failed" and TimeGenerated > ago(30d)
| summarize arg_max(Computer, DeploymentStatus, DetailedStatus, DetailedStatusLevel) by ReleaseName
List Specific Update in a Specific State – All Computers
WaaSDeploymentStatus
| where ReleaseName startswith "KB4487017" and DeploymentStatus == "Update completed" and TimeGenerated > ago(30d)
| summarize arg_max(ReleaseName, DeploymentStatus) by Computer
List Specific Update Status – All Computers
WaaSDeploymentStatus
| where ReleaseName startswith "KB4487017" and TimeGenerated > ago(30d)
| summarize arg_max(ReleaseName, DeploymentStatus) by Computer
List Specific Update Status – Specific Computer
WaaSDeploymentStatus
| where Computer == "COMPUTERNAME" and ReleaseName startswith "KB4487017" and TimeGenerated > ago(30d)
| summarize arg_max(ReleaseName, DeploymentStatus) by Computer
Windows Update for Business Configuration Status Queries
List Feature and Quality Update Deferral Settings – All Computers
WaaSUpdateStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(QualityDeferralDays, FeatureDeferralDays) by Computer
List Feature and Quality Update Deferral Settings – Specific Computer
WaaSUpdateStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(QualityDeferralDays, FeatureDeferralDays) by Computer
List Feature and Quality Update Pause Status – All Computers
WaaSUpdateStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(QualityPauseState, QualityPauseDays, FeaturePauseState, FeaturePauseDays) by Computer
List Feature and Quality Update Pause Status – Specific Computer
WaaSUpdateStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(QualityPauseState, QualityPauseDays, FeaturePauseState, FeaturePauseDays) by Computer
Delivery Optimization Configuration Status Queries
List Download Mode – All Computers
WUDOStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(DownloadMode, ContentDownloadMode) by Computer
List Download Mode – Specific Computer
WUDOStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(DownloadMode, ContentDownloadMode) by Computer
List Download Sources – All Computers
WUDOStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(BytesFromCDN, BytesFromPeers, BytesFromGroupPeers, BytesFromIntPeers) by Computer
List Download Sources – Specific Computer
WUDOStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(BytesFromCDN, BytesFromPeers, BytesFromGroupPeers, BytesFromIntPeers) by Computer
List Computer Location – All Computers
WUDOStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(City, Country, ISP) by Computer
List Computer Location – Specific Computer
WUDOStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(City, Country, ISP) by Computer
Windows Defender Status Queries
General Defender Information – All Computers
WDAVStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(UpdateStatus, LastDefinitionUpdateTime, DefinitionVersion, ProtectionState, LastScan) by Computer
General Defender Information – Specific Computer
WDAVStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(UpdateStatus, LastDefinitionUpdateTime, DefinitionVersion, ProtectionState, LastScan) by Computer
These queries return data that I have found useful. However, this is just the tip of the iceberg when it comes to data that can be surfaced through queries in Azure Log Analytics.