In this post I will show you how to configure Windows Update for Business reports which can help monitoring and reporting for Updates deployment using Quality updates, features updates and also can be used delivery optimization status for devices. WUfB reports requires few configurations, once done you can start exploring the inbuilt reports with beautiful dashboard provided by Microsoft. It also allows you to customize the dashboard.

What is Windows Update for Business reports

This is a new kind of reporting which is replacing Update Compliance reporting as Update Compliance support is getting ended on 31st March, 2023 and will be retired. Though you can still continue using it, but Update Compliance is no longer onboarding new requests as it is deprecated now. We can also say, Update Compliance is rebranded to Windows Update for Business reports.

Windows Update for Business reports are the future for Update compliance which provides much more enhance and detailed updates deployment status per device.

Previously Update Compliance was relying on CommercialID configuration as part of telemetry we enable for diagnostics data, this is no longer required for Windows update for business reports.

This can be easily configured using Azure workbooks for Update compliance. Microsoft doesn’t charge for ingestion of data into Windows Update for Business reports.

What is Azure workbooks for Update Compliance

This is a public template released by Microsoft which can be viewed if you login to Azure Portal and navigate to Home > Monitor > Workbooks, you can view it under Insights with the name “Windows Update for Business Reports” Monitor Windows 10/11 updates.

Windows Update for Business report workbook

This can also be searched under Public Templates when you type “Windows Update”

Template Windows Update for Business reports

Once fully configured, you can see an awesome dashboard for Update Compliance (Preview).

Update Compliance Preview

You can further drill down for Quality updates and can check Update Status & Device status.

Update Compliance Device status

Prerequisites for to configure Windows Update for Business reports

There are few prerequisites and settings for configuring the report. Let’s discuss on that.

Prerequisites

Azure AD Join

Devices should be either Azure AD Join or Hybrid Azure AD Join.

Permissions

To configure / enroll Windows Update for Busines reports, you need to have one of the following roles:

  • Global Administrator role
  • Intune Administrator
  • Windows Update Deployment administrator

To display the workbook for Windows Update, you need to have:

  • Global Reader role

For Log Analytics permissions, you need to have:

  • Log Analytics Contributor: for editing and writing the queries
  • Log Analytics Reader: To read the data.

This reporting supports data from Windows 10 / Windows 11 Professional, Education, Enterprise and Enterprise multi-session (formerly known as EVD(Enterprise for Virtual Desktops)).

Diagnostic Data to enable

Windows 10 devices should send diagnostic data at the Required level setting. Though there are few queries which requires much more aggressive diagnostic data to be sent such as:

  • Optional level : For Windows 11 devices
  • Enhanced  level: For Windows 10 devices

Log Analytics Configuration

Log Analytics workspace needs to be configured to store the data.

For more information check Windows Update for Business reports prerequisites – Windows Deployment | Microsoft Learn.

Configure Windows Update for Business reports

To enable and setup the reports, first thing you need to do is to have Log Analytics workspace under your Azure Subscription.

Create Azure Log Analytics workspace

Login to Azure Portal and search for “Log Analytics workspaces” and open it.

Click on Create and provide Project Details.

Create Log Analytics workspace
  • Subscription: Select the existing subscription
  • Resource group: Select or create new Resource Group

Instance details

Click on Review + Create.

Create Log Analytics workspaces

Once validation is passed, click on Create.

WUFBReports 07

This will initiate the deployment, wait for couple of minutes to get your Log Analytics workspace created.

Once done, you will be able to see the message “Your deployment is complete” which means your workspace is ready and you can move to next step to enable reporting.

Enable Windows Update for Business reports

This can either be configured using one of the ways:

  1. Enrolling it through Azure Workbook (under Azure Portal > Monitor > workbooks.
  2. Enrolling it through Microsoft 365 admin center, and navigating to Health > Software updates and click on Windows .

Both options are fine, but the recommended one is to use 1st one ie. using Azure workbook under Monitor.

Once you login to Azure Portal, navigate to Monitor > workbooks. This is a gallery of all the templates / workbooks made available by Microsoft. Sroll down until end to see Windows Update for Business Reports (you can also search it). Click on it.

WUFBReports 08

You will be prompted with following message:

Monitor updates across your Windows devices
Track the progress of your update deployments and report on devices with compliance issues.

Learn more about Windows Update for Business reports and make sure you meet the prerequisites.

Click on Get started.

Monitor updates across your windows devices

Under Windows Update for Business reports enrollment blade, you will see “Configure Windows Update for Business reports”. Select:

  • Subscription: Select the existing one.
  • Azure Log Analytics workspace: Select the previously created Log Analytics workspace.

Click on Save settings.

Configure Windows Update for Business reports

Confirm the settings and click on Save again.

WUFBReports 10

Our work is still not done. We need to configure client side settings to send the data.

Enable device Diagnostics for Windows 10 / 11

We need to send the telemetry for the device which can be done either Group Policy, Intune Policy (Policy CSP) or using a script.

I will definitely prefer Intune policy (MDM policy) as we are on cloud journey, hence that should be the way moving forward to enable it, though group policy can also be used if you like.

Configure Intune policies (MDM  policies)

Following settings are required for enabling and sending the data to Log analytics workspace.

  1. System/AllowTelemetry : 1
  2. System/ConfigureTelemetryOptInSettingsUx : 1
  3. System/AllowDeviceNameInDiagnosticData : 1
  4. System/ConfigureTelemetryOptInChangeNotification : 1

Login to Microsoft Intune Admin Center and navigate to Home > Devices > Windows > Configuration profiles > Create profile.

We can either create settings catalog or custom profile.

When creating Configuration profile using settings catalog, add following settings:

  • Allow device name to be sent in Windows diagnostic data: Allowed
  • Configure Telemetry Opt In Change Notification: Disable telemetry change notifications
  • Configure Telemetry Opt in Settings Ux: DisableTelemetry opt-in Settings
  • Allow Telemetry: Basic
WUFBReports 23

Alternatively, custom templates can be used which as well requires OMA-URI settings:

Specify Platform as Windows 10 and later.
Profile type: Templates
Template name: Custom

WUFBReports 11

On Basics page, provide name as “Telemetry for WUFB reports” and click Next.

Telemetry for Windows Update for Business custom setting

On  Configuration settings blade, we will be adding 5 OMA-URI Settings as mentioned below, for the sake of demo, let me show you 1st one. Click on Add.

WUFB reports OMA-URI Settings
  1. Name: Allow Telemetry
    OMA-URI: ./Vendor/MSFT/Policy/Config/System/AllowTelemetry
    Data type: Integer
    Value: 1
  • Name: Disable Telemetry opt-in interface
    OMA-URI: ./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx
    Data type: Integer
    Value: 1
  • Name: Allow device name in Diagnostic Data
    OMA-URI: ./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData
    Data type: Integer
    Value: 1
  • Name: Configure Telemetry Opt-in Change Notification
    OMA-URI: ./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInChangeNotification
    Data type: Integer
    Value: 1

Once all 4 OMA-URI Settings are created under Configuration Settings, click on Next.

2023 05 12 14 16 41

Under Assignments, deploy it to existing group or all devices.

WUFBReports 15

I am skipping Applicability Rules, finally on Review + create page, verify the settings and click on Create.

Verify the status after some time by clicking on Configuration profile “Telemetry for WUFB reports” to check deployment status on targeted devices.

Assignment Status

Configure Diagnostics diagnostics data using Group Policy.

Don’t configure it if you already created configuration profile for WUFB reports.

As I previously communicated, I will prefer Intune policies. However, you can do the same using Group Policy as well, following are the settings you need to apply.

Add / edit any existing group policy and navigate to Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds.

Enable all the below mentioned policies and provide the values as defined:

  • Allow Telemetry             1 – Basic
  • Configure telemetry opt-in setting user interface    1 – Disable diagnostic data opt-in Settings
  • Allow device name to be sent in Windows diagnostic data               1 – Enabled
  • Disable Telemetry Change Notifications               1 – Enabled

Once policy is deployed. We need to wait for atleast 24 hours. For me it took around 48 hours. That was the case for Update compliance as well when it took 72 hours. So be little patient and allow couple of days.

Verify Windows Update for Business Reports

After waiting for couple of hours, I can see beautiful dashboard while signing into Azure Portal and navigating to Monitor > Workbooks > Windows Update for Business reports.

You can see various tabs such as Overview, Quality updates, Feature updates, Delivery Optimization and Driver Updates.

While clicking on Quality updates, I can see the all deployment status with:

  • Latest security update
  • Missing one security update
  • Missing multiple security updates
  • Active alerts count
WUFB Reports Quality Updates

Once I click on Missing multiple security updates, it will open KPI Card Detail which is part of Azure monitor and I can further see more info such as MultipleSecurityUpdatesMissing.

KPI Card Detail Quality updates

If I click on Ellipses, I can export to excel and also can open the last run query in the logs view.

This will directly take me to the Log analytics workspace where I can see the KQL query running behind the scenes which can easily be modified based upon our custom conditions.

KQL Query UCClient

Above mentioned data is fetched from table UCClient which is visible under Update Compliance.

Update Compliance UCClient KQL

I would highly recommend you to learn KQL query and explore the tables to check and see what kind of information is stored in these tables which will eventually helps you exploring and creating the reports of your own choice.

Sameway I can explore more data for other components, such as Delivery Optimization, where I can see the Efficiency By Group based upon City, Country and ISP.

Delivery Optimization Efficiency By Group

The possibilities are unlimited and bridges the gap between what you see for SCCM reporting for patch management versus reporting of Windows Update for Business using Intune.

Important Links

Announcing Windows Update for Business reports – Microsoft Community Hub

Public preview of Azure Workbooks for Update Compliance – Microsoft Community Hub

Windows Update for Business reports overview – Windows Deployment | Microsoft Learn

Use the workbook for Windows Update for Business reports – Windows Deployment | Microsoft Learn

Windows Update for Business reports prerequisites – Windows Deployment | Microsoft Learn

Manually configuring devices for Windows Update for Business reports – Windows Deployment | Microsoft Learn