Dex

๐Ÿ“ฑ Recipe ยท Intune & Device Management

Check Windows Patch Status and Update Compliance for an Intune-Managed Device

Verify whether a user's workstation has received the latest Windows security updates and is running a supported OS version

Complexity

Intermediate

Impact

patch-compliance + vulnerability-management + device-support + end-of-life-os

Context

Why This Matters

Why this recipe matters

When an end user asks "Is my computer patched?" or reports concerns about a recent Patch Tuesday release, IT admins need a fast, reliable way to verify the OS build, last check-in time, and compliance state of a specific Intune-managed device. This recipe walks through the full diagnostic path: identifying the device, reading its current OS build, cross-referencing that build against Microsoft's published Windows release information, and determining whether the device is up to date โ€” or, more critically, whether it's running a version that has reached End of Updates.

When to run this

  • A user asks whether their workstation received the latest Patch Tuesday update
  • You suspect a device is stuck on an unsupported OS version
  • You need to triage compliance failures related to the Minimum OS version setting
  • Monthly patch-compliance spot checks during vulnerability review

Expected Outcomes

What you'll have when you're done

  • The exact OS version and build number running on the target device
  • The device's last Intune check-in timestamp
  • Its Intune compliance state and any failing compliance settings
  • A clear determination: patched, behind on updates, or running an end-of-life OS
  • A concrete next-action recommendation (sync the device, deploy a feature update, or escalate for OS upgrade)

Risks & Considerations

Warnings and gotchas

  • The deviceConfigurationStates endpoint may return an empty array even when update policies are assigned. This happens when the device hasn't reported state back yet or when the tenant uses Windows Update for Business policies (which surface under a different endpoint).
  • Compliance state can be misleading. A device reporting compliant can still be running an unsupported OS if no Minimum OS version compliance rule exists. Always cross-check the raw osVersion against Microsoft's release data.
  • Build numbers alone don't prove patch level. You must compare against the Windows 11 release information page to know which KB a given build corresponds to.
  • Do not force a feature update on a device without checking app compatibility and user notification policies first.
  • Avoid sharing the user's UPN, device ID, or compliance output in tickets visible to non-IT staff โ€” this is considered device metadata under most data-handling policies.

Required Permissions

PermissionWhy It's Needed
DeviceManagementManagedDevices.Read.AllRead managed device inventory, OS version, and last sync timestamp
DeviceManagementConfiguration.Read.AllRead configuration and update policy states applied to the device
User.Read.AllResolve the user's UPN to find their assigned devices

The fastest way to get this done โ€” just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Check whether {user}'s workstation is patched for the most recent Patch Tuesday. Pull the device from Intune, report the OS build, last sync time, and compliance state, and tell me if it's current, behind, or running an end-of-life Windows version.
Try in Dex CoAdmin

For End Users

How an employee would ask Dex for help

Is my computer up to date with the latest Windows security updates?
Try in Dex Playground