deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

add client config

Browse Source
This commit is contained in:
Meghan Stewart 2022-04-29 08:59:13 -07:00
parent 8f6960e0c0
commit c742bea47b
6 changed files with 271 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
windows/deployment/TOC.yml
View File

@ -194,11 +194,11 @@
- name: Enable the Update Compliance solution - name: Enable the Update Compliance solution
href: update/update-compliance-v2-enable.md href: update/update-compliance-v2-enable.md
- name: Configure clients with a script - name: Configure clients with a script
href: update/update-compliance-configuration-script.md href: update/update-compliance-v2-configuration-script.md
- name: Configure clients manually - name: Configure clients manually
href: update/update-compliance-configuration-manual.md href: update/update-compliance-v2-configuration-manual.md
- name: Configure clients with Microsoft Endpoint Manager - name: Configure clients with Microsoft Endpoint Manager
href: update/update-compliance-configuration-mem.md href: update/update-compliance-v2-configuration-mem.md
- name: Use Update Compliance (preview) - name: Use Update Compliance (preview)
items: items:
- name: Use Update Compliance - name: Use Update Compliance

85
windows/deployment/update/update-compliance-v2-configuration-manual.md Normal file
View File

@ -0,0 +1,85 @@
---
title: Manually configuring devices for Update Compliance (preview)
ms.reviewer:
manager: dougeby
description: Manually configuring devices for Update Compliance
keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
audience: itpro
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
---
# Manually Configuring Devices for Update Compliance (preview)
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
> [!Important]
> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
> - As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.
There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows client. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
The requirements are separated into different categories:
1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured.
2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Update Compliance. For example, devices in both main and satellite offices, which might have different network configurations must be able to reach the endpoints.
3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
## Required policies
Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
- **Policy** corresponds to the location and name of the policy.
- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional).
- **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any.
### Mobile Device Management policies
Each MDM Policy links to its documentation in the CSP hierarchy, providing its exact location in the hierarchy and more details.
| Policy | Data type | Value | Function |
|--------------------------|-|-|------------------------------------------------------------|
|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
| **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
### Group policies
All Group policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.
| Policy | Value | Function |
|---------------------------|-|-----------------------------------------------------------|
|**Configure the Commercial ID** |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) | Identifies the device as belonging to your organization. |
|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. See the following policy for more information. |
|**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. |
|**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
|**Allow Update Compliance processing** | 16 - Enabled | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
## Required endpoints
To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints.
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive the majority of [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md) information for Update Compliance. |
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. |
| `http://adl.windows.com` | Required for Windows Update functionality. |
| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. |
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. |
| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
## Required services
Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.

80
windows/deployment/update/update-compliance-v2-configuration-mem.md Normal file
View File

@ -0,0 +1,80 @@
---
title: Configuring Microsoft Endpoint Manager devices for Update Compliance (preview)
ms.reviewer:
manager: dougeby
description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance
keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav, intune, mem
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
audience: itpro
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
---
# Configuring Microsoft Endpoint Manager devices for Update Compliance (preview)
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
> [!Important]
> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
> - As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.
This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps:
1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured.
2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured.
3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance).
## Create a configuration profile
Take the following steps to create a configuration profile that will set required policies for Update Compliance:
1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**.
2. On the **Configuration profiles** view, select **Create a profile**.
3. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
4. For **Template name**, select **Custom**, and then press **Create**.
5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid).
2. Add a setting for **Commercial ID** with the following values:
- **Name**: Commercial ID
- **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace.
- **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID`
- **Data type**: String
- **Value**: *Set this to your Commercial ID*
2. Add a setting configuring the **Windows Diagnostic Data level** for devices:
- **Name**: Allow Telemetry
- **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry`
- **Data type**: Integer
- **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*).
3. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance:
- **Name**: Disable Telemetry opt-in interface
- **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx`
- **Data type**: Integer
- **Value**: 1
4. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance:
- **Name**: Allow device name in Diagnostic Data
- **Description**: Allows device name in Diagnostic Data.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData`
- **Data type**: Integer
- **Value**: 1
5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance:
- **Name**: Allow Update Compliance Processing
- **Description**: Opts device data into Update Compliance processing. Required to see data.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing`
- **Data type**: Integer
- **Value**: 16
7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
8. Review and select **Create**.
## Deploy the configuration script
The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices.

98
windows/deployment/update/update-compliance-v2-configuration-script.md Normal file
View File

@ -0,0 +1,98 @@
---
title: Update Compliance (preview) Configuration Script
ms.reviewer:
manager: dougeby
description: Downloading and using the Update Compliance (preview) Configuration Script
keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
audience: itpro
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
---
# Configuring devices through the Update Compliance (preview) Configuration Script
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
> [!Important]
> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
> - A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured.
The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured.
> [!NOTE]
> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), device data might not appear in Update Compliance correctly.
You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
## How this script is organized
This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode.
- In **Pilot** mode (`runMode=Pilot`), the script will enter a verbose mode with enhanced diagnostics, and save the results in the path defined with `logpath` in `RunConfig.bat`. Pilot mode is best for a pilot run of the script or for troubleshooting configuration.
- In **Deployment** mode (`runMode=Deployment`), the script will run quietly.
## How to use this script
Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`):
1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`.
2. Set `commercialIDValue` to your Commercial ID.
3. Run the script.
4. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`.
5. If there are issues, gather the logs and provide them to Support.
## Script errors
|Error |Description |
|---------|---------|
| 27 | Not system account. |
| 37 | Unexpected exception when collecting logs|
| 1 | General unexpected error|
| 6 | Invalid CommercialID|
| 48 | CommercialID is not a GUID|
| 8 | Couldn't create registry key path to setup CommercialID|
| 9 | Couldn't write CommercialID at registry key path|
| 53 | There are conflicting CommercialID values.|
| 11 | Unexpected result when setting up CommercialID.|
| 62 | AllowTelemetry registry key is not of the correct type REG_DWORD|
| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.|
| 64 | AllowTelemetry is not of the correct type REG_DWORD.|
| 99 | Device is not Windows 10.|
| 40 | Unexpected exception when checking and setting telemetry.|
| 12 | CheckVortexConnectivity failed, check Log output for more information.|
| 12 | Unexpected failure when running CheckVortexConnectivity.|
| 66 | Failed to verify UTC connectivity and recent uploads.|
| 67 | Unexpected failure when verifying UTC CSP.|
| 41 | Unable to impersonate logged-on user.|
| 42 | Unexpected exception when attempting to impersonate logged-on user.|
| 43 | Unexpected exception when attempting to impersonate logged-on user.|
| 16 | Reboot is pending on device, restart device and restart script.|
| 17 | Unexpected exception in CheckRebootRequired.|
| 44 | Error when running CheckDiagTrack service.|
| 45 | DiagTrack.dll not found.|
| 50 | DiagTrack service not running.|
| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.|
| 55 | Failed to create new registry path for SetDeviceNameOptIn|
| 56 | Failed to create property for SetDeviceNameOptIn at registry path|
| 57 | Failed to update value for SetDeviceNameOptIn|
| 58 | Unexpected exception in SetrDeviceNameOptIn|
| 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.|
| 60 | Failed to delete registry key when attempting to clean up OneSettings.|
| 61 | Unexpected exception when attempting to clean up OneSettings.|
| 52 | Could not find Census.exe|
| 51 | Unexpected exception when attempting to run Census.exe|
| 34 | Unexpected exception when attempting to check Proxy settings.|
| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.|
| 35 | Unexpected exception when checking User Proxy.|
| 91 | Failed to create new registry path for EnableAllowUCProcessing|
| 92 | Failed to create property for EnableAllowUCProcessing at registry path|
| 93 | Failed to update value for EnableAllowUCProcessing|
| 94 | Unexpected exception in EnableAllowUCProcessing|

2
windows/deployment/update/update-compliance-v2-enable.md
View File

@ -15,6 +15,8 @@ date: 05/07/2022
--- ---
# Enable Update Compliance # Enable Update Compliance
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
> [!Important] > [!Important]
> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. > This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.

3
windows/deployment/update/update-compliance-v2-use.md
View File

@ -15,6 +15,8 @@ date: 05/07/2022
--- ---
# Use Update Compliance (preview) # Use Update Compliance (preview)
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
> [!Important] > [!Important]
> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. > This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
@ -33,6 +35,7 @@ In this article you'll learn how to use Update Compliance to monitor Windows upd
## Update Compliance data latency ## Update Compliance data latency
Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear.
The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all devices part of your organization that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data. The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all devices part of your organization that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data.