Update Compliance Log Analytics Queries

Lately I have been helping many people with moving their update workloads from Configuration Manager and WSUS to Windows Update for Business. The one thing I get the most questions about with the move to Windows Update for Business is how to monitor update compliance. The computers are now pointing to the internet for updates, and as a result, no longer report update compliance information to Configuration Manager or WSUS. The answer to this is the Update Compliance solution in Azure Log Analytics.

Update Compliance is a free solution that can be added to a log analytics workspace. Once it is configured, computers can be configured to report update compliance information to the solution. For information about configuring Update Compliance see the Microsoft Docs.

Update Compliance is pretty good out of the box. It returns back useful information about the status of updates, delivery optimization, Windows Defender, and more. However, I have been getting many questions about how to view more detailed or specific information in Update Compliance. Many of the default views either show too little or too much information.

The way to dig into this data and get more specific information is to utilize the Logs node of the log analytics workspace. This node allows for the creation of custom queries that can surface specific data. More information about analyzing log data in Azure can be found Here.

In this post I have included examples of many queries I have found to be useful for analyzing Update Compliance data.

A few notes about the queries

    • When the queries are run, no computer names are returned or the computer name is returned as a # sign
      • This can be a sign that devices have not been allowed to include their device names as part of the data sent to the log analytics workspace. This setting can be configured either through group policy or Policy CSP (Intune).
        • The group policy location for the setting is
          • Computer Configuration > Policies > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow device name to be sent in Windows diagnostic data
        • The Policy CSP location for the setting is
    • In these examples, the time range to search is being set to 30 days in the queries by TimeGenerated > ago(30d). This can be removed and the time range can be set in the GUI, or this value can be modified.
    • Some of these examples search for a specific computer name or set values like DeploymentStatus and UpdateCategory. Note that the values in these queries are case sensitive. So if a result is not being displayed as expected, check the case.
    • Some of these example queries contain filters for UpdateCategory and DeploymentStatus. These are the available values for these filters. Remember that these values are case sensitive.
      • UpdateCategory
        • Quality
        • Feature
      • DeploymentStatus
        • Update completed
        • In progress
        • Progress stalled
        • Failed
        • Unknown

Update Installation Status Queries

List Operating System Information – All Computers

WaaSUpdateStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(OSVersion, OSArchitecture, OSEdition) by Computer

List Operating System Information – Specific Computer

WaaSUpdateStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(OSVersion, OSArchitecture, OSEdition) by Computer

List Feature and Quality Update Status – All Computers

WaaSUpdateStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(OSFeatureUpdateStatus, OSQualityUpdateStatus) by Computer

List Feature and Quality Update Status – Specific Computer


WaaSUpdateStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(OSFeatureUpdateStatus, OSQualityUpdateStatus) by Computer

List Updates in a Specific State – All Computers

WaaSDeploymentStatus
| where UpdateCategory == "Quality" and DeploymentStatus == "Failed" and TimeGenerated > ago(30d)
| summarize arg_max(ReleaseName, DeploymentStatus, DetailedStatus, DetailedStatusLevel) by Computer

List Updates in a Specific State – Specific Computer

WaaSDeploymentStatus
| where Computer == "COMPUTERNAME" and UpdateCategory == "Quality" and DeploymentStatus == "Failed" and TimeGenerated > ago(30d)
| summarize arg_max(Computer, DeploymentStatus, DetailedStatus, DetailedStatusLevel) by ReleaseName

List Specific Update in a Specific State – All Computers

WaaSDeploymentStatus
| where ReleaseName startswith "KB4487017" and DeploymentStatus == "Update completed" and TimeGenerated > ago(30d)
| summarize arg_max(ReleaseName, DeploymentStatus) by Computer

List Specific Update Status – All Computers

WaaSDeploymentStatus
| where ReleaseName startswith "KB4487017" and TimeGenerated > ago(30d)
| summarize arg_max(ReleaseName, DeploymentStatus) by Computer

List Specific Update Status – Specific Computer

WaaSDeploymentStatus
| where Computer == "COMPUTERNAME" and ReleaseName startswith "KB4487017" and TimeGenerated > ago(30d)
| summarize arg_max(ReleaseName, DeploymentStatus) by Computer

 

Windows Update for Business Configuration Status Queries

List Feature and Quality Update Deferral Settings – All Computers

WaaSUpdateStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(QualityDeferralDays, FeatureDeferralDays) by Computer

List Feature and Quality Update Deferral Settings – Specific Computer

WaaSUpdateStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(QualityDeferralDays, FeatureDeferralDays) by Computer

List Feature and Quality Update Pause Status – All Computers

WaaSUpdateStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(QualityPauseState, QualityPauseDays, FeaturePauseState, FeaturePauseDays) by Computer

List Feature and Quality Update Pause Status – Specific Computer

WaaSUpdateStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(QualityPauseState, QualityPauseDays, FeaturePauseState, FeaturePauseDays) by Computer

 

Delivery Optimization Configuration Status Queries

List Download Mode – All Computers

WUDOStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(DownloadMode, ContentDownloadMode) by Computer

List Download Mode – Specific Computer

WUDOStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(DownloadMode, ContentDownloadMode) by Computer

List Download Sources – All Computers

WUDOStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(BytesFromCDN, BytesFromPeers, BytesFromGroupPeers, BytesFromIntPeers) by Computer

List Download Sources – Specific Computer

WUDOStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(BytesFromCDN, BytesFromPeers, BytesFromGroupPeers, BytesFromIntPeers) by Computer

List Computer Location – All Computers

WUDOStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(City, Country, ISP) by Computer

List Computer Location – Specific Computer

WUDOStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(City, Country, ISP) by Computer

 

Windows Defender Status Queries

General Defender Information – All Computers

WDAVStatus
| where TimeGenerated > ago(30d)
| summarize arg_max(UpdateStatus, LastDefinitionUpdateTime, DefinitionVersion, ProtectionState, LastScan) by Computer

General Defender Information – Specific Computer

WDAVStatus
| where Computer == "COMPUTERNAME" and TimeGenerated > ago(30d)
| summarize arg_max(UpdateStatus, LastDefinitionUpdateTime, DefinitionVersion, ProtectionState, LastScan) by Computer

 

These queries return data that I have found useful. However, this is just the tip of the iceberg when it comes to data that can be surfaced through queries in Azure Log Analytics.