
Veri-Patch

Enterprise

Veri-Patch provides end-to-end Windows feature update management: prerequisite validation and telemetry setup, update policy configuration, compatibility scanning, and automated Entra device group sync. It centralizes compatibility results across your fleet on a consistent, recurring schedule, which Intune does not offer natively. Group sync writes are confined to a designated Administrative Unit; all other write operations require just-in-time admin consent.

  • 4-step workflow
  • AU-scoped group sync
  • Windows platforms
  • Enterprise minimum tier

How Veri-Patch Works

Step-by-step walkthrough from start to finish

1. Verify Prerequisites

Run the prerequisite checker to validate Windows Update for Business (WUfB) licensing, telemetry configuration, and Intune enrollment. A guided telemetry setup wizard walks you through the Windows diagnostic data levels, with regional privacy guidance for GDPR, CCPA, and other frameworks.

2. Configure Update Policies

View and manage your Windows Update policies — feature update rings, quality update profiles, and expedited updates. Veri-Patch shows live policy data from your tenant with KB links, CVE details, and deployment status.

3. Run Compatibility Scan

Scan your Intune-managed device fleet for Windows feature update compatibility. The readiness report shows per-device status — ready, blocked (app holds, driver holds, safeguard holds), or unknown — with shareable HTML report snapshots.

4. Reports & Automation

Schedule recurring scans, export device lists as CSV (Entra bulk import format or detailed), sync compatible and incompatible devices to Entra security groups automatically, and browse report history. Device group sync is scoped to an Administrative Unit, so Veri-Patch holds no tenant-wide group permissions.

Data Handling

What data is collected, processed, stored, and what is never accessed

Data collected during scans

  • Device names, Intune device IDs, and Entra object IDs from your managed fleet
  • Windows OS version, build numbers, and hardware compatibility data per device
  • Windows Update for Business readiness and compatibility assessment data
  • Update policy configuration (feature rings, quality profiles, expedited updates)
  • Device telemetry configuration level

How data is processed

  • Devices are classified as ready or blocked for the target feature update
  • Compatibility holds are categorized: app blocks, driver blocks, safeguard holds
  • Device lists are filtered and formatted for Entra group sync and CSV export
  • HTML compatibility report snapshots are generated for sharing

What is stored after scanning

  • Compatibility reports with per-device status in Azure Blob Storage
  • HTML report snapshots for download and sharing
  • Scan schedules and group sync configuration in Azure Table Storage
  • Audit events for all write operations (policy creation, group sync)

Data Veri-Patch never accesses

  • User personal data, email, files, or browsing history on devices
  • Application usage data or installed non-driver software details
  • BitLocker recovery keys or encryption status
  • Device location data or GPS coordinates
  • Network traffic or connectivity logs
  • Entra groups outside the designated Administrative Unit

Permissions

Every Graph API permission and directory role used, when it's requested, and why

Permission Model

Veri-Patch uses read-only application permissions for scanning. Write operations (policy creation, telemetry setup) use just-in-time delegated consent: the admin grants access for a specific action and the resulting token is not stored. Device group sync uses an Administrative Unit (AU) scoped directory role, so Veri-Patch can manage only the groups inside the AU you designate, not any other group in your tenant. Note that AU scoping limits what Veri-Patch can change; the read-only scan permissions are tenant-wide by design, but grant no write access.

  • DeviceManagementManagedDevices.Read.All (application permission, read; requested always): read managed device inventory, OS versions, and hardware data
  • DeviceManagementConfiguration.Read.All (application permission, read; requested always): read WUfB configuration, update policies, and compatibility data
  • DeviceManagementConfiguration.ReadWrite.All (delegated permission, write; requested just-in-time only): create update policies and telemetry profiles
  • Groups Administrator, scoped to the designated Administrative Unit (Entra directory role, write; assigned after AU setup): add and remove devices in the AU-scoped security groups

Safety Controls

  • Scans are read-only — no device modifications during scanning
  • Write operations require explicit just-in-time admin consent
  • Device group sync is scoped via Administrative Units — no tenant-wide group access
  • All group membership changes are logged in the audit trail
  • Recurring scan schedules and auto-sync can be disabled at any time
  • All data encrypted at rest (AES-256) and in transit (TLS 1.2+)

Capabilities

Guided prerequisite validation with telemetry setup wizard and regional privacy guidance
Live update policy viewer — feature rings, quality updates, expedited patches with KB/CVE details
Feature update compatibility scanning with per-device readiness classification
Shareable HTML compatibility report snapshots
Recurring scan scheduling (daily, weekly, monthly) with email notifications
Device export as Entra bulk import CSV or detailed CSV with filtering
Automated device group sync — compatible and incompatible devices synced to AU-scoped Entra groups
Administrative Unit setup wizard with one-click PowerShell script generation
Included with Enterprise and MSP plans

Frequently Asked Questions

Does Veri-Patch make changes to my tenant?
Scans are completely read-only. Write operations like creating update policies or syncing device groups require explicit admin consent. Group sync is scoped to an Administrative Unit containing only the two groups you designate — Veri-Patch cannot modify any other groups in your tenant.
What is Administrative Unit (AU) scoping?
An Administrative Unit is a Microsoft Entra ID container used to scope role assignments to a subset of directory objects. You create an AU, add the two sync groups to it, and assign Veri-Patch the Groups Administrator role scoped to that AU rather than to the whole tenant. Even if the app's token were compromised, its group-management rights would extend only to those two groups; the read-only scanning permissions remain read-only and grant no write access to any other resource in your tenant.
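The three steps above (create the AU, add the two groups, assign the scoped role), written out with the Microsoft Graph PowerShell SDK as an added example. This is not the script Veri-Patch's setup wizard generates; it is illustrative code only. The app (client) ID, the AU name and the group names are placeholders you would replace. It finishes with the check a practitioner should always run after scoping: confirm that the app's service principal holds no directory role assignment at tenant scope ("/").

```powershell
# Added example (not Veri-Patch's generated script). Requires the Microsoft.Graph PowerShell SDK v2
# and an admin who can manage AUs, groups and role assignments.
param(
    # Placeholder: the Veri-Patch application (client) ID; admin consent must already have been granted
    # so that a service principal for it exists in the tenant.
    [Parameter(Mandatory)][string]$AppId,
    [string]$AuName            = 'Veri-Patch Update Groups',           # placeholder name
    [string]$CompatibleGroup   = 'WUfB-FeatureUpdate-Compatible',      # placeholder name
    [string]$IncompatibleGroup = 'WUfB-FeatureUpdate-Incompatible'     # placeholder name
)

Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'Group.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory', 'Application.Read.All' -NoWelcome

# 1. Resolve the app's service principal; this is the principal that receives the scoped role.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId. Grant admin consent to the app first." }

# 2. Create the Administrative Unit that will be the only scope of the app's write access.
$au = New-MgDirectoryAdministrativeUnit -DisplayName $AuName -Description 'Scope boundary for update group sync'

# 3. Create the two security groups and place them inside the AU.
$groups = foreach ($name in $CompatibleGroup, $IncompatibleGroup) {
    New-MgGroup -DisplayName $name -SecurityEnabled -MailEnabled:$false `
                -MailNickname ($name -replace '[^A-Za-z0-9]', '')
}
foreach ($g in $groups) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/groups/$($g.Id)" }
}

# 4. Assign Groups Administrator to the app, scoped to the AU (not to "/", the tenant root).
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Groups Administrator'"
$scope = "/administrativeUnits/$($au.Id)"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id -RoleDefinitionId $role.Id `
    -DirectoryScopeId $scope | Out-Null

# 5. Verify: every directory role the app holds must be AU-scoped. A "/" scope would mean
#    tenant-wide group administration, which defeats the point of the AU.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'"
$tenantWide  = @($assignments | Where-Object { $_.DirectoryScopeId -eq '/' })
if ($tenantWide.Count -gt 0) {
    Write-Warning "App holds $($tenantWide.Count) tenant-wide role assignment(s); remove them before enabling sync."
} else {
    Write-Host "OK: app role scopes are $($assignments.DirectoryScopeId -join ', ')"
}
Write-Host "AU: $($au.Id)  Compatible group: $($groups[0].Id)  Incompatible group: $($groups[1].Id)"
```

Run it once per tenant. Step 5 is worth repeating periodically (or wiring into a conditional access review), because a later admin could broaden the scope and nothing in the app would notice.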
How does automated device group sync work?
After each compatibility scan (manual or scheduled), Veri-Patch updates two Entra security groups: one for compatible devices and one for incompatible devices. These groups can then be used as assignment targets for Windows Update policies in Intune. You can run this manually or enable auto-sync after scheduled scans.
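The reconciliation that an auto-sync step has to get right, as an added example that is not Veri-Patch's own code. Two details matter for safety: the update is a set difference against current membership (so re-running it is a no-op rather than a flood of duplicate-member errors), and removals are applied to both groups before any additions, so a device whose status changed between scans is never a member of both groups, which would target it with both update policies. Devices classified "unknown" land in neither group. The scan result and the object IDs are constructed placeholders; the Graph calls assume the Groups Administrator role scoped to the AU containing both groups.

```powershell
# Added example (not Veri-Patch code). Requires Microsoft.Graph PowerShell SDK v2 for the online part.

function Get-TargetSets {
    # Partition a scan result into the two target memberships. 'unknown' devices go in neither group.
    param([Parameter(Mandatory)][object[]]$ScanResult)
    $ready   = @($ScanResult | Where-Object Status -eq 'ready'   | ForEach-Object EntraObjectId)
    $blocked = @($ScanResult | Where-Object Status -eq 'blocked' | ForEach-Object EntraObjectId)
    $both = @($ready | Where-Object { $blocked -contains $_ })
    if ($both.Count -gt 0) { throw "Device(s) classified both ready and blocked: $($both -join ', ')" }
    [pscustomobject]@{ Compatible = $ready; Incompatible = $blocked }
}

function Get-MembershipPlan {
    # Pure set difference: the adds and removes that make the group contain exactly $Desired.
    # Idempotent, and avoids the 400 Graph returns when adding a member that already exists.
    param([string[]]$Desired = @(), [string[]]$Current = @())
    $desiredSet = [System.Collections.Generic.HashSet[string]]::new()
    $currentSet = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($d in $Desired) { [void]$desiredSet.Add($d) }
    foreach ($c in $Current) { [void]$currentSet.Add($c) }
    [pscustomobject]@{
        Add    = @($Desired | Where-Object { -not $currentSet.Contains($_) })
        Remove = @($Current | Where-Object { -not $desiredSet.Contains($_) })
    }
}

function Sync-UpdateGroups {
    # Online part: read current members, plan both groups, then apply removals first, additions second.
    param(
        [Parameter(Mandatory)][string]$CompatibleGroupId,
        [Parameter(Mandatory)][string]$IncompatibleGroupId,
        [Parameter(Mandatory)][object[]]$ScanResult,
        [switch]$DryRun
    )
    $targets = Get-TargetSets -ScanResult $ScanResult
    $plans = @{}
    $plans[$CompatibleGroupId]   = Get-MembershipPlan -Desired $targets.Compatible `
        -Current @(Get-MgGroupMember -GroupId $CompatibleGroupId -All | ForEach-Object Id)
    $plans[$IncompatibleGroupId] = Get-MembershipPlan -Desired $targets.Incompatible `
        -Current @(Get-MgGroupMember -GroupId $IncompatibleGroupId -All | ForEach-Object Id)

    foreach ($gid in $plans.Keys) {                       # phase 1: removals
        foreach ($id in $plans[$gid].Remove) {
            if ($DryRun) { Write-Host "remove $id from $gid"; continue }
            Remove-MgGroupMemberByRef -GroupId $gid -DirectoryObjectId $id
        }
    }
    foreach ($gid in $plans.Keys) {                       # phase 2: additions
        foreach ($id in $plans[$gid].Add) {
            if ($DryRun) { Write-Host "add $id to $gid"; continue }
            New-MgGroupMemberByRef -GroupId $gid `
                -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$id" }
        }
    }
    $plans
}

# Constructed sample scan result (placeholder devices and IDs, not from a real tenant).
$scan = @(
    [pscustomobject]@{ DeviceName = 'LAPTOP-01'; Status = 'ready';   EntraObjectId = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ DeviceName = 'LAPTOP-02'; Status = 'blocked'; EntraObjectId = '22222222-2222-2222-2222-222222222222' }
    [pscustomobject]@{ DeviceName = 'LAPTOP-03'; Status = 'unknown'; EntraObjectId = '33333333-3333-3333-3333-333333333333' }
)
$targets = Get-TargetSets -ScanResult $scan

# Offline check of the diff: LAPTOP-02 was compatible last scan and is now blocked,
# so the compatible group's plan must remove it and add nothing.
Get-MembershipPlan -Desired $targets.Compatible `
    -Current @('22222222-2222-2222-2222-222222222222', '11111111-1111-1111-1111-111111111111')

# Online run (uncomment after Connect-MgGraph; group IDs are placeholders):
# Sync-UpdateGroups -CompatibleGroupId '<compatible-group-id>' -IncompatibleGroupId '<incompatible-group-id>' -ScanResult $scan -DryRun
```

Use -DryRun the first time against a real tenant and compare the planned removals with the previous report before letting auto-sync run unattended.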
Which Windows versions are supported?
Veri-Patch supports Windows 10 and Windows 11 devices managed by Microsoft Intune. Compatibility scans evaluate readiness for the latest Windows feature updates using WUfB assessment data.
Can I schedule recurring scans?
Yes. Configure daily, weekly, or monthly recurring compatibility scans from the Reports page. Scans run automatically and results are available immediately. With auto-sync enabled, device groups are updated after each scan completes.