From 71e40ab9c12a1d15882e2a847f739859c2a0f5a9 Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Wed, 9 Sep 2020 10:29:39 -0500 Subject: [PATCH 1/5] Update manual config to include full census sync Incidents have been popping up wherein customers are experiencing issues with missing fields. This is partially due to Census not fully syncing those fields on every run, only once per week. The config script has always invoked a full Census sync. This is being added as it has been observed many customers simply manually configure devices for Update Compliance. --- .../update-compliance-configuration-manual.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index de0fe72583..97c7d7d78b 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -17,13 +17,14 @@ ms.topic: article # Manually Configuring Devices for Update Compliance -There are a number of requirements to consider when manually configuring Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. +There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. The requirements are separated into different categories: 1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured. 2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations. 3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality. +4. [**Run a full Census sync**](#run-a-full-census-sync) on new devices to ensure that all necessary data points are collected. ## Required policies @@ -75,3 +76,14 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic ## Required services Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically. + + +## Run a full Census sync + +Census is a service that runs on a regular cadence on Windows machines. A number of key device attributes, like what OS Edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like OS Edition) is sent around once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless a full Census sync is initiated. The Update Compliance Configuration Script does this. + +A full Census sync is accomplished by adding a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. It is recommended that this registry value is enabled, Census is manually invoked, and then the registry value is disabled to allow Census to operate normally. The steps to accomplish this are below: + +1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to 1. +2. Run devicecensus.exe with administrator priviledges on every device. devicecensus.exe is located in the System32 folder. No additional parameters are required. +3. After devicecensus.exe has run, the FullSync value can be removed or set back to 0. From 8eac590c24c363ab78f9a0607df2972cbef1116c Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Wed, 9 Sep 2020 10:36:11 -0500 Subject: [PATCH 2/5] Update update-compliance-configuration-manual.md Grammar --- .../update/update-compliance-configuration-manual.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index 97c7d7d78b..b332aeafee 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -85,5 +85,5 @@ Census is a service that runs on a regular cadence on Windows machines. A number A full Census sync is accomplished by adding a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. It is recommended that this registry value is enabled, Census is manually invoked, and then the registry value is disabled to allow Census to operate normally. The steps to accomplish this are below: 1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to 1. -2. Run devicecensus.exe with administrator priviledges on every device. devicecensus.exe is located in the System32 folder. No additional parameters are required. -3. After devicecensus.exe has run, the FullSync value can be removed or set back to 0. +2. Run devicecensus.exe with administrator privileges on every device. devicecensus.exe is located in the System32 folder. No additional run parameters are required. +3. After devicecensus.exe has run, the FullSync value can be removed or set to 0. From 76e516c71281951325988a9e9523d4162cc7b843 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Wed, 9 Sep 2020 08:42:35 -0700 Subject: [PATCH 3/5] Update update-compliance-configuration-manual.md Pencil edits. --- .../update/update-compliance-configuration-manual.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index b332aeafee..f66d415017 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -80,10 +80,10 @@ Many Windows and Microsoft services are required to ensure that not only the dev ## Run a full Census sync -Census is a service that runs on a regular cadence on Windows machines. A number of key device attributes, like what OS Edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like OS Edition) is sent around once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless a full Census sync is initiated. The Update Compliance Configuration Script does this. +Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what opearting system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script does this. -A full Census sync is accomplished by adding a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. It is recommended that this registry value is enabled, Census is manually invoked, and then the registry value is disabled to allow Census to operate normally. The steps to accomplish this are below: +A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps: -1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to 1. -2. Run devicecensus.exe with administrator privileges on every device. devicecensus.exe is located in the System32 folder. No additional run parameters are required. -3. After devicecensus.exe has run, the FullSync value can be removed or set to 0. +1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. +2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required. +3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**. From 6916af04a01700021a9a82874eebf6881d5eb001 Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Wed, 9 Sep 2020 10:50:50 -0500 Subject: [PATCH 4/5] Remove product removal blurbs It's been 6 months since they were removed. @jaimeo --- windows/deployment/update/update-compliance-monitor.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 92d589105d..58bd854855 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -17,11 +17,6 @@ ms.topic: article # Monitor Windows Updates with Update Compliance -> [!IMPORTANT] -> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. Two planned feature removals for Update Compliance – Microsoft Defender Antivirus reporting and Perspectives – are now scheduled to be removed beginning Monday, May 11, 2020. -> * The retirement of Microsoft Defender Antivirus reporting will begin Monday, May 11, 2020. You can continue to for threats with [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) and [Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). -> * The Perspectives feature of Update Compliance will be retired Monday, May 11, 2020. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. - ## Introduction Update Compliance enables organizations to: From 747500935e078b408769a3a8d16ab521a7754758 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Wed, 9 Sep 2020 09:05:07 -0700 Subject: [PATCH 5/5] pencil edit --- .../deployment/update/update-compliance-configuration-manual.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index f66d415017..8aaf66d309 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -80,7 +80,7 @@ Many Windows and Microsoft services are required to ensure that not only the dev ## Run a full Census sync -Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what opearting system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script does this. +Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script does this. A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps: