Update Compliance Service To Require Azure Active Directory in October

Microsoft is changing how its Update Compliance service works with Windows 10 or Windows 11 PCs, and gave notice that it will be requiring the use of the Azure Active Directory service before year's end, per a Tuesday announcement.

Update Compliance is a service that shows details about the status of Windows feature and quality updates. Organizations wanting to continue to use the Update Compliance service will be required to use the cloud-based Azure AD service in some form (either directly or in "hybrid" form with local Active Directory) before Oct. 15, 2022, Microsoft warned.

Oct. 15 Deadline
The Update Compliance service has a dependency on the requirements of the "Windows diagnostic data processor configuration," which need to be met before Oct. 15.

Here's Microsoft's stipulation to that effect:

To use the Windows diagnostic data processor configuration, targeted devices must be Azure Active Directory (Azure AD) joined or hybrid Azure AD joined. As a result, beginning October 15, 2022, devices that are neither joined nor hybrid joined to Azure AD will no longer appear in Update Compliance. All Windows diagnostic data processor prerequisites must be met to continue using the service after that date.

Update Compliance gets its data collection permissions via the Windows diagnostic data processor configuration, which was commercially released last year and described in this Microsoft announcement. The Windows diagnostic data processor configuration apparently is there to support the European Union's General Data Protection Regulation legal stipulations on the collection of data by organizations.

Exactly why Azure AD use is going to be required to meet the requirements of the Windows diagnostic data processor configuration wasn't explained.

Microsoft Retiring CommercialID
An additional change is planned for Jan. 2023 with the replacement of the CommercialID with the Azure AD tenant ID.

Microsoft's announcement didn't explain why the CommercialID is getting replaced. Organizations actually have to ensure that their CommercialID is properly configured to use Update Compliance, even though the CommercialID is going to be replaced.

Here's Microsoft's statement on ensuring CommercialID is properly configured to use the Update Compliance service:

Joining Azure AD and ensuring that your CommercialID is properly configured are two independent steps that can be taken in any order. As of October 15th, both steps will need to be taken to use or continue using Update Compliance. These steps can be taken in any order prior to October 15th and further guidance will be released in the coming months.

The CommercialID is used by Microsoft's Log Analytics service to identify an organization's devices. Log Analytics is the service that displays details from the data collected by the Update Compliance service. Log Analytics shows reports on the devices that need attention, as well as the bandwidth that's used for updating devices.

Microsoft illustrated the Azure AD requirement for Update Compliance, plus its replacement plans for CommercialID, in the following diagram:

Figure 1. Microsoft's Update Compliance service will require the use of Azure AD before Oct. 15. Also shown is the planned replacement of CommercialID by the Azure AD tenant ID, coming in January (source: May 3 Microsoft Tech Community post).

Workplace Join Warning
Organizations that used Microsoft's venerable Workplace Join feature with devices won't meet these new requirements for Update Compliance on Oct. 15.

"Note: Workplace Join does not meet the requirements for Update Compliance after October 15, 2022," Microsoft's announcement stated.

The announcement didn't include any further advice for organizations that may have used Workplace Join.
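
One way to see which devices would fall out of Update Compliance under the join requirement described above is to classify each device's join state from the output of the Windows `dsregcmd /status` command. The following is an added example, not code from Microsoft's announcement; the function names, state labels and sample device output are constructed for illustration.

```powershell
# Added example. Reads the AzureAdJoined, DomainJoined and WorkplaceJoined
# fields that `dsregcmd /status` prints and reports whether the device is
# Azure AD joined or hybrid Azure AD joined, as the announcement requires.

function Get-JoinFlags {
    # No Mandatory attribute: real dsregcmd output contains blank lines,
    # which a mandatory [string[]] parameter would reject.
    param([string[]]$StatusText)
    $flags = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $flags
}

function Get-UpdateComplianceJoinState {
    param([string[]]$StatusText)
    $f = Get-JoinFlags -StatusText $StatusText
    # A missing field evaluates as $false, so incomplete output is treated as not joined.
    if ($f['AzureAdJoined'] -and $f['DomainJoined']) {
        $state = 'HybridAzureADJoined'
    } elseif ($f['AzureAdJoined']) {
        $state = 'AzureADJoined'
    } elseif ($f['WorkplaceJoined']) {
        $state = 'WorkplaceJoinOnly'   # does not meet the requirement
    } else {
        $state = 'NotJoined'
    }
    [pscustomobject]@{
        JoinState        = $state
        MeetsRequirement = $state -in 'AzureADJoined', 'HybridAzureADJoined'
    }
}

# Constructed sample output for three hypothetical devices.
$samples = [ordered]@{
    'PC-HYBRID' = @('', ' AzureAdJoined : YES', ' DomainJoined : YES', ' WorkplaceJoined : NO')
    'PC-CLOUD'  = @(' AzureAdJoined : YES', ' DomainJoined : NO', ' WorkplaceJoined : NO')
    'PC-WPJ'    = @(' AzureAdJoined : NO', ' DomainJoined : NO', ' WorkplaceJoined : YES')
}
foreach ($name in $samples.Keys) {
    $r = Get-UpdateComplianceJoinState -StatusText $samples[$name]
    '{0}: {1} (meets requirement: {2})' -f $name, $r.JoinState, $r.MeetsRequirement
}

# On a live device: Get-UpdateComplianceJoinState -StatusText (dsregcmd /status)
```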

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

