How to configure Windows Update for Business reports

In this post I will show you how to configure Windows Update for Business reports which can help monitoring and reporting for Updates deployment using Quality updates, features updates and also can be used delivery optimization status for devices.

What is Windows Update for Business reports

This is a new kind of reporting which is replacing Update Compliance reporting as Update Compliance support is getting ended on 31^st March, 2023 and will be retired. Though you can still continue using it, but Update Compliance is no longer onboarding new requests as it is deprecated now. We can also say, Update Compliance is rebranded to Windows Update for Business reports.

Windows Update for Business reports are the future for Update compliance which provides much more enhance and detailed updates deployment status per device.

Previously Update Compliance was relying on CommercialID configuration as part of telemetry we enable for diagnostics data, this is no longer required for Windows update for business reports.

This can be easily configured using Azure workbooks for Update compliance. Microsoft doesn’t charge for ingestion of data into Windows Update for Business reports.

What is Azure workbooks for Update Compliance

This is a public template released by Microsoft which can be viewed if you login to Azure Portal and navigate to Home > Monitor > Workbooks, you can view it under Insights with the name “Windows Update for Business Reports” Monitor Windows 10/11 updates.

This can also be searched under Public Templates when you type “Windows Update”

Once fully configured, you can see an awesome dashboard for Update Compliance (Preview).

You can further drill down for Quality updates and can check Update Status & Device status.

Prerequisites for to configure Windows Update for Business reports

There are few prerequisites and settings for configuring the report. Let’s discuss on that.

Prerequisites

Azure AD Join

Devices should be either Azure AD Join or Hybrid Azure AD Join.

Permissions

To configure / enroll Windows Update for Busines reports, you need to have one of the following roles:

• Global Administrator role
• Intune Administrator
• Windows Update Deployment administrator

To display the workbook for Windows Update, you need to have:

• Global Reader role

For Log Analytics permissions, you need to have:

• Log Analytics Contributor: for editing and writing the queries
• Log Analytics Reader: To read the data.

This reporting supports data from Windows 10 / Windows 11 Professional, Education, Enterprise and Enterprise multi-session (formerly known as EVD(Enterprise for Virtual Desktops)).

Diagnostic Data to enable

Windows 10 devices should send diagnostic data at the Required level setting. Though there are few queries which requires much more aggressive diagnostic data to be sent such as:

• Optional level : For Windows 11 devices
• Enhanced  level: For Windows 10 devices

Log Analytics Configuration

Log Analytics workspace needs to be configured to store the data.

For more information check Windows Update for Business reports prerequisites – Windows Deployment | Microsoft Learn.

Configure Windows Update for Business reports

To enable and setup the reports, first thing you need to do is to have Log Analytics workspace under your Azure Subscription.

Create Azure Log Analytics workspace

Login to Azure Portal and search for “Log Analytics workspaces” and open it.

Click on Create and provide Project Details.

• Subscription: Select the existing subscription
• Resource group: Select or create new Resource Group

Instance details

• Name: Specify any valid name
• Region: specify the region, make sure you are specifying one of the regions where Windows Update for Business reports are supported

Click on Review + Create.

Once validation is passed, click on Create.

This will initiate the deployment, wait for couple of minutes to get your Log Analytics workspace created.

Once done, you will be able to see the message “Your deployment is complete” which means your workspace is ready and you can move to next step to enable reporting.

Enable Windows Update for Business reports

This can either be configured using one of the ways:

1. Enrolling it through Azure Workbook (under Azure Portal > Monitor > workbooks.
2. Enrolling it through Microsoft 365 admin center, and navigating to Health > Software updates and click on Windows .

Both options are fine, but the recommended one is to use 1^st one ie. using Azure workbook under Monitor.

Once you login to Azure Portal, navigate to Monitor > workbooks. This is a gallery of all the templates / workbooks made available by Microsoft. Sroll down until end to see Windows Update for Business Reports (you can also search it). Click on it.

You will be prompted with following message:

Monitor updates across your Windows devices
Track the progress of your update deployments and report on devices with compliance issues.

Learn more about Windows Update for Business reports and make sure you meet the prerequisites.

Click on Get started.

Under Windows Update for Business reports enrollment blade, you will see “Configure Windows Update for Business reports”. Select:

• Subscription: Select the existing one.
• Azure Log Analytics workspace: Select the previously created Log Analytics workspace.

Click on Save settings.

Confirm the settings and click on Save again.

Our work is still not done. We need to configure client side settings to send the data.

Enable device Diagnostics for Windows 10 / 11

We need to send the telemetry for the device which can be done either Group Policy, Intune Policy (Policy CSP) or using a script.

I will definitely prefer Intune policy (MDM policy) as we are on cloud journey, hence that should be the way moving forward to enable it, though group policy can also be used if you like.

Configure Intune policies (MDM  policies)

Following settings are required for enabling and sending the data to Log analytics workspace.

1. System/AllowTelemetry : 1
2. System/ConfigureTelemetryOptInSettingsUx : 1
3. System/AllowDeviceNameInDiagnosticData : 1
4. System/ConfigureTelemetryOptInChangeNotification : 1

Login to Microsoft Intune Admin Center and navigate to Home > Devices > Windows > Configuration profiles > Create profile.

On Create a profile page:

Specify Platform as Windows 10 and later.
Profile type: Templates
Template name: Custom

On Basics page, provide name as “Telemetry for WUFB reports” and click Next.

On  Configuration settings blade, we will be adding 5 OMA-URI Settings as mentioned below, for the sake of demo, let me show you 1^st one. Click on Add.

1. Name: Allow Telemetry
   OMA-URI: ./Vendor/MSFT/Policy/Config/System/AllowTelemetry
   Data type: Integer
   Value: 1

• Name: Disable Telemetry opt-in interface
  OMA-URI: ./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx
  Data type: Integer
  Value: 1
• Name: Allow device name in Diagnostic Data
  OMA-URI: ./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData
  Data type: Integer
  Value: 1
• Name: Configure Telemetry Opt-in Change Notification
  OMA-URI: ./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInChangeNotification
  Data type: Integer
  Value: 1

Once all 4 OMA-URI Settings are created under Configuration Settings, click on Next.

Under Assignments, deploy it to existing group or all devices.

I am skipping Applicability Rules, finally on Review + create page, verify the settings and click on Create.

Verify the status after some time by clicking on Configuration profile “Telemetry for WUFB reports” to check deployment status on targeted devices.

Configure Diagnostics diagnostics data using Group Policy.

Don’t configure it if you already created configuration profile for WUFB reports.

As I previously communicated, I will prefer Intune policies. However, you can do the same using Group Policy as well, following are the settings you need to apply.

Add / edit any existing group policy and navigate to Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds.

Enable all the below mentioned policies and provide the values as defined:

• Allow Telemetry             1 – Basic
• Configure telemetry opt-in setting user interface    1 – Disable diagnostic data opt-in Settings
• Allow device name to be sent in Windows diagnostic data               1 – Enabled
• Disable Telemetry Change Notifications               1 – Enabled

Once policy is deployed. We need to wait for atleast 24 hours. For me it took around 48 hours. That was the case for Update compliance as well when it took 72 hours. So be little patient and allow couple of days.

Verify Windows Update for Business Reports

After waiting for couple of hours, I can see beautiful dashboard while signing into Azure Portal and navigating to Monitor > Workbooks > Windows Update for Business reports.

You can see various tabs such as Overview, Quality updates, Feature updates, Delivery Optimization.

While clicking on Quality updates, I can see the all deployment status with:

• Latest security update
• Missing one security update
• Missing multiple security updates
• Active alerts count

Once I click on Missing multiple security updates, it will open KPI Card Detail which is part of Azure monitor and I can further see more info such as MultipleSecurityUpdatesMissing.

If I click on Ellipses, I can export to excel and also can open the last run query in the logs view.

This will directly take me to the Log analytics workspace where I can see the KQL query running behind the scenes which can easily be modified based upon our custom conditions.

Above mentioned data is fetched from table UCClient which is visible under Update Compliance.

I would highly recommend you to learn KQL query and explore the tables to check and see what kind of information is stored in these tables which will eventually helps you exploring and creating the reports of your own choice.

Sameway I can explore more data for other components, such as Delivery Optimization, where I can see the Efficiency By Group based upon City, Country and ISP.

The possibilities are unlimited and bridges the gap between what you see for SCCM reporting for patch management versus reporting of Windows Update for Business using Intune.

Important Links

Announcing Windows Update for Business reports – Microsoft Community Hub

Public preview of Azure Workbooks for Update Compliance – Microsoft Community Hub

Windows Update for Business reports overview – Windows Deployment | Microsoft Learn

Use the workbook for Windows Update for Business reports – Windows Deployment | Microsoft Learn

Windows Update for Business reports prerequisites – Windows Deployment | Microsoft Learn

Manually configuring devices for Windows Update for Business reports – Windows Deployment | Microsoft Learn