Achieve better patch compliance with Update Connectivity data

AWS

Owner
FPCH Owner
Joined
Nov 19, 2003
Messages
11,233
Location
Florida U.S.A.
Windows 10
Chrome 90.0.4430.93
Microsoft has invested significant effort into understanding why Windows devices are not always fully up to date. One of the most impactful things we explored was how much time a device needs to be powered on and connected to Windows Update to be able to successfully install quality and feature updates. What we found is that devices that don’t meet a certain amount of connected time are very unlikely to successfully update. Specifically, data shows that devices need a minimum of two continuous connected hours, and six total connected hours after an update is released to reliably update. This allows for a successful download and background installations that are able to restart or resume once a device is active and connected.

We call this measurement Update Connectivity: the time (in hours) that a device is powered on and also connected to Microsoft services such as Windows Update. This data can enable you to:

  • Better understand which devices simply don’t have enough connected time to successfully update.
  • Examine how to treat those devices in reporting and success measurements.
  • Consider how to evaluate the security risk these rarely connected devices actually pose to your environment.

For an indication how impactful Update Connectivity is, let's look at the portion of Windows 10 devices that are not on a current update and do not meet the minimum connectivity requirements.

  • Approximately 50% of devices that are not on a serviced build of Windows 10 do not meet the minimum Update Connectivity measurement
  • Approximately 25% of Windows 10 devices that are on a serviced build, but have security updates are more than 60 days out of date have less than the minimum Update Connectivity.

Clearly, insufficient Update Connectivity is a significant cause of devices not being current. So how can you utilize this data to better help your organization?

How Update Connectivity impacts update management


You can work to ensure that more devices across your organization meet the minimum Update Connectivity measurement by communicating with device owners, encouraging them to leave their devices plugged in and connected—instead of powering them off overnight—so that updates can download and install properly. Impress upon them the importance of keeping their devices connected so their devices can stay protected and they can stay productive.

Another consideration is power management. Some power settings and related policies put a device into a deep sleep or hibernation too quickly, which can prevent updates from occurring outside active hours. The Optimizing Windows Update Adoption provides recommended power settings that are a good balance of power savings while also enabling devices to keep up to date with the latest security updates. If you are using Group Policy Objects to manage policies, you can use the settings in the Windows security baselines, available as part of the Security Compliance Toolkit, to configure power settings.

You might also want to consider filtering out devices that do not have the minimum Update Connectivity from your success metrics. The reasoning is that those devices are not currently "update healthy" and changing policies or targeting them with more updates will not get them to update until they meet the minimum Update Connectivity measurement required for update success.

When thinking about the security impact of devices with insufficient Update Connectivity, a question to consider is do these devices pose less security risk because they have a very low level of connectivity? Every organization will, of course, have different business requirements and levels of risk tolerance, but Update Connectivity can be a useful tool in determining just how much risk these devices introduce and what actions, if any, should be taken to improve update compliance.

When troubleshooting update issues, we have found it is best to select devices that have sufficient Update Connectivity. If a device has insufficient Update Connectivity, then investigating other update issues is complicated because the low Update Connectivity can create new issues that go away once there’s enough connectivity.

Where to find Update Connectivity data


You can currently see which devices have Insufficient Update Connectivity in Microsoft Intune. To find devices with an update policy not meeting the minimum Update Connectivity requirements navigate to Devices > Monitor and select either the Feature update failures or Windows Expedited update failures report.

large?v=v2&px=999.pngA failure report filtered to the Insufficient Update Connectivity alert, which shows devices with Insufficient Update Connectivity.

The Insufficient Update Connectivity alert is also available in the Summary report in Intune. Navigate to Reports > Windows updates, then select the Reports tab, and select Windows Expedited update report. Devices with Insufficient Update Connectivity can be found using the Alert type column, as shown below.

large?v=v2&px=999.pngHow devices with Insufficient Update Connectivity show up in the Windows Expedited update report in Intune

Update Connectivity data is provided on a per-device basis and only measures how much time a device is active and has connectivity to Microsoft Windows Update services. This data is not correlated to user activity or behaviors, as a device can easily be in use, but not connected to the Internet.

To summarize, Update Connectivity is a powerful way to understand why certain devices are not updating successfully and to evaluate how you measure deployment success by more accurately counting devices that meet the minimum requirements to update. Have questions or feedback? Drop a comment below or join us for Windows Office Hours every third Thursday here on the Windows Tech Community.

Continue reading...
 
Back
Top