initial import of Charles' versions

2025-06-15 18:33:43 +00:00 · 2019-10-07 11:19:34 -07:00
parent 96794b7b0a
commit 0e61a44881
7 changed files with 285 additions and 237 deletions
--- a/windows/deployment/update/images/UC_commercialID.png
+++ b/windows/deployment/update/images/UC_commercialID.png
--- a/windows/deployment/update/images/UC_commercialID_GP.png
+++ b/windows/deployment/update/images/UC_commercialID_GP.png
--- a/windows/deployment/update/images/UC_telemetrylevel.png
+++ b/windows/deployment/update/images/UC_telemetrylevel.png
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@ -17,14 +17,8 @@ ms.topic: article
 ---

 # Delivery Optimization in Update Compliance
-The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
-
 ![DO status](images/UC_workspace_DO_status.png)
-
-> [!IMPORTANT]
-> There is a known issue with the way device configuration is displayed for Delivery Optimization. Some devices running Windows 10, versions 1809 or 1903 report the Delivery Optimization DownloadMode configuration value as the sequential value in the list of possible configurations rather than the actual configured value. For example, a device that is configured as HTTP + Group (2), will be shown as HTTP + Internet (3) in Update Compliance.
->
->**This issue is now fixed by installing the 2019-07 cumulative update appropriate for the device.**
+The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.

 ## Delivery Optimization Status
 
@ -35,10 +29,8 @@ The Delivery Optimization Status section includes three blades:
 - The **Content Distribution (GB)** blade shows the total amount of data seen from each content type broken down by the download source (peers vs non-peers).

 
-
- 
 ## Device Configuration blade
-Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md) for recommendations for different scenarios or [Delivery Optimization reference](waas-delivery-optimization-reference.md#download-mode) for complete details of this setting.
+Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md#download-mode).
 
 ## Content Distribution (%) blade
 The first of two blades showing information on content breakdown, this blade shows a ring chart summarizing **Bandwidth Savings %**, which is the percentage of data received from peer sources out of the total data downloaded (for any device that used peer-to-peer distribution).
@ -52,4 +44,3 @@ The download sources that could be included are:
 - LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network
 - Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used)
 - HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. 
-
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@ -8,30 +8,30 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
 ---

 # Get started with Update Compliance
-# Get started with Update Compliance
+This topic explains the steps necessary to configure your environment for Update Compliance.

 Steps are provided in sections that follow the recommended setup process:

 1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites).
 2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription).
-2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription).
-3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics).
+3. [Enroll devices in Update Compliance](#enroll-devices-in-update-compliance).
+4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and get Delivery Optimization insights.

 ## Update Compliance prerequisites
 Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:
 1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. 
 2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them.
 3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device. 
-3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device. 
-4. To show device names for versions of Windows 10 starting with 1803 in Windows Analytics you must opt in. For details about this, see the "AllowDeviceNameinTelemetry (in Windows 10)" entry in the table in the [Distributing policies at scale](windows-analytics-get-started.md#deploying-windows-analytics-at-scale) section of [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
+4. For Windows 10 1803+, device names will not appear in Update Compliance unless you opt in. The steps to accomplish this is outlined in the [Enroll devices in Update Compliance](#enroll-devices-in-update-compliance) section.

 ## Add Update Compliance to your Azure subscription
 Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
@ -50,7 +50,7 @@ Update Compliance is offered as a solution which is linked to a new or existing
 ![Update Compliance solution creation](images/UC_01_marketplace_create.png)

 4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. 
-4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. 
+   - [Desktop Analytics](TODO: Add Desktop Analytics reference: https://docs.microsoft.com/en-us/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance. 
   - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started:
       - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
       - For the resource group setting select **Create new** and use the same name you chose for your new workspace.
@ -67,9 +67,63 @@ Update Compliance is offered as a solution which is linked to a new or existing

 ![Update Compliance deployment successful](images/UC_04_resourcegrp_deployment_successful.png)

-
-## Enroll devices in Windows Analytics
-Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are two key steps for enrollment:
-1. Deploy your Commercial ID (from the Update Compliance Settings page) to your Windows 10 devices (typically by using Group Policy, [Mobile Device Management](https://docs.microsoft.com/windows/client-management/windows-10-mobile-and-mdm), [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) or similar).
+## Enroll devices in Update Compliance
+Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are three key steps to ensure successful enrollment:

-
+### Deploy your Commercial ID to devices
+A Commercial ID is a globally-unique identifier assigned to a specific Log Analytics workspace. This is used to identify devices as part of your environment.
+
+To find your Commercial ID within Azure: 
+1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution. 
+2. From there, select the Update Compliance Settings page on the navbar. 
+3. Your Commercial ID is available in the settings page.
+
+![Update Compliance Settings page](images/UC_commercialID.png)
+
+>**Important**
+>
+>Regenerate your Commercial ID only if your Original ID key can no longer be used or if you want to completely reset your workspace. Regenerating your Commercial ID cannot be undone and will result in you losing data for all devices that have the current Commercial ID until the new Commercial ID is deployed to devices.
+
+#### Deploying Commercial ID using Group Policy
+Commercial ID can be deployed using Group Policy. The Group Policy for Commercial ID is under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure the Commercial ID**. 
+
+![Commercial ID Group Policy location](images/UC_commercialID_GP.png)
+
+#### Deploying Commercial ID using MDM
+Commercial ID can be deployed through a [Mobile Device Management](https://docs.microsoft.com/en-us/windows/client-management/mdm/) (MDM) policy beginning with Windows 10, version 1607. Commercial ID is under the [DMClient configuration service provider](https://docs.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp). 
+
+### Ensure endpoints are whitelisted
+To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to whitelist the following endpoints. You may need security group approval to do this. 
+
+| **Endpoint**  | **Function**  |
+|---------------------------------------------------------|-----------|
+| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. |
+| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
+| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. |
+| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
+| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. |
+| `https://oca.telemetry.microsoft.com`  | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. |
+| `https://login.live.com` | This endpoint is optional but allows for the Update Compliance service to more reliably identify and process devices. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. |
+
+### Set diagnostic data levels
+Update Compliance requries that devices are configured to send Microsoft at least the Basic level of diagnostic data in order to function. For more information on Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
+
+#### Configuring Telemetry level using Group Policy
+You can set Allow Telemetry through Group Policy, this setting is in the same place as the Commercial ID policy, under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry**. Update Compliance requires at least Basic (level 1) to function.
+
+![Allow Telemetry in Group Policy](images/UC_telemetrylevel.png)
+
+#### Configuring Telemetry level using MDM
+Telemetry level can additionally be configured through a [Mobile Device Management](https://docs.microsoft.com/en-us/windows/client-management/mdm/) (MDM) policy. Allow Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
+
+### Enabling Device Name in telemetry
+Beginning with Windows 10, version 1803, Device Name is no longer collected as part of normal Windows Diagnostic Data and must explicitly be allowed to be sent to Microsoft. If devices do not have this policy enabled, their device name will appear as '#' instead. 
+
+#### Allow Device Name in Telemetry with Group Policy
+Allow Device Name in Telemetry is under the same node as Commercial ID and Allow Telemetry policies in Group Policy, listed as **Allow device name to be sent in Windows diagnostic data**. 
+
+#### Allow Device Name in Telemetry with MDM
+Allow Device Name in Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). 
+
+>[!NOTE]
+>After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices. 
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@ -8,8 +8,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
@ -17,16 +18,18 @@ ms.topic: article

 # Monitor Windows Updates with Update Compliance

+>[!IMPORTANT]
+>Update Compliance is moving out of Windows Analytics. Windows Analytics is being retired, but Update Compliance will continue to be supported. For more information, see the [Update Compliance FAQ](windows-analytics-get-started.md).
+
 ## Introduction

 Update Compliance is a [Windows Analytics solution](windows-analytics-overview.md) that enables organizations to:

-
+* Monitor security, quality, and feature updates for Windows 10 Professional, Education, and Enterprise editions.
 * View a report of device and update issues related to compliance that need attention.
-* View a report of device and update issues related to compliance that need attention.
 * Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md).

-
+Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites).

 Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal).

@ -37,16 +40,16 @@ See the following topics in this guide for detailed information about configurin

 ## Update Compliance architecture

-
+The Update Compliance architecture and data flow follows this process:

-
-1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.<BR>
-2. Diagnostic data is analyzed by the Update Compliance Data Service.<BR>
-3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.<BR>
+1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
+2. Diagnostic data is analyzed by the Update Compliance Data Service.
+3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
+4. Diagnostic data is available in the Update Compliance solution.


 >[!NOTE]
->[!NOTE]
+>This process assumes that Windows diagnostic data is enabled and data sharing is enabled as outlined in the enrollment section of [Get started with Update Compliance](update-compliance-get-started.md).



--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@ -8,8 +8,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
-audience: itpro
-author: greg-lindsay
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
@ -32,7 +33,7 @@ After Update Compliance has successfully been [added to your Azure subscription]

 ![Update Compliance tile no data](images/UC_tile_assessing.png)

-
+When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:

 ![Update Compliance tile with data](images/UC_tile_filled.png)

@ -59,16 +60,15 @@ The following is a breakdown of the different sections available in Update Compl
 * [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows 10 updates.
 * [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. 
 * [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment.
-* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment.
 * [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types.


 ## Update Compliance data latency
 Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The  process that follows is as follows:

-
+Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate at which each type of data is sent from the device and how long it takes to be ready for Update Compliance varies, roughly outlined below.

-
+| Data Type | Data upload rate from device | Data Latency |
 |--|--|--|
 |WaaSUpdateStatus | Once per day |4 hours |
 |WaaSInsiderStatus| Once per day |4 hours |
@ -78,7 +78,7 @@ Update Compliance is refreshed every 12 hours. This means that every 12 hours al
 |WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours |
 |WUDOStatus|Once per day|12 hours |

-
+This means you should generally expect to see new data device data every 24 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh). 

 ## Using Log Analytics