Windows Update for Business reports prerequisites
Before you begin the process of adding Windows Update for Business reports to your Azure subscription, ensure you meet the prerequisites.
Azure and Microsoft Entra ID
- An Azure subscription with Microsoft Entra ID
- Devices must be Microsoft Entra joined and meet the below OS, diagnostic, and endpoint access requirements.
- Devices that are Microsoft Entra registered only (Workplace joined) aren't supported with Windows Update for Business reports.
- The Log Analytics workspace must be in a supported region
- Data in the Driver update tab of the workbook is only available for devices that receive driver and firmware updates from the Windows Update for Business deployment service
Accessing Windows Update for Business reports typically requires permissions from multiple sources including:
- Microsoft Entra ID or Intune: Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
- Azure: Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
- Microsoft 365 admin center: Manages access to the Microsoft 365 admin center, which allows only users with certain Microsoft Entra roles access to sign in
Roles that can enroll into Windows Update for Business reports
- Global Administrator Microsoft Entra role
- Intune Administrator Microsoft Entra role
- Windows Update deployment administrator Microsoft Entra role
- Policy and profile manager Microsoft Intune role
- Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center
Azure roles that allow access to the Log Analytics workspace
The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions for the workspace:
- Log Analytics Reader role can be used to read data
- Log Analytics Contributor role can be used if creating a new workspace or write access is needed
Examples of commonly assigned roles for Windows Update for Business reports users:
| Roles | Enroll through the workbook | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
|---|---|---|---|---|---|
| Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
| Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes | No |
| Policy and profile manager (Intune role) + Log Analytics reader | Yes | No | Yes | No | No |
| Log Analytics reader | No | No | Yes | No | No |
| Global reader + Log Analytics reader | No | No | Yes | Yes | No |
The Microsoft Entra roles discussed in this article for the Microsoft 365 admin center access apply specifically to the Windows tab of the Software Updates page. For more information about the Microsoft 365 Apps tab, see Microsoft 365 Apps updates in the admin center.
Operating systems and editions
- Windows 11 Professional, Education, Enterprise, and Enterprise multi-session editions
- Windows 10 Professional, Education, Enterprise, and Enterprise multi-session editions
Windows Update for Business reports only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
Windows client servicing channels
Windows Update for Business reports supports Windows client devices on the following channels:
- General Availability Channel
- Windows Update for Business reports counts Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them.
Windows operating system updates
- For Changes to Windows diagnostic data collection, installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended
Diagnostic data requirements
At minimum, Windows Update for Business reports requires devices to send diagnostic data at the Required level (previously Basic). For more information about what's included in different diagnostic levels, see Configure Windows diagnostic data in your organization.
The following levels are recommended, but not required:
- The Enhanced level for Windows 10 devices
- The Optional level for Windows 11 devices (previously Full)
Device names don't appear in Windows Update for Business reports unless you individually opt in devices by using a policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names:
- CSP: System/AllowDeviceNameInDiagnosticData
- Group Policy: Allow device name to be sent in Windows diagnostic data under Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds
Windows Update for Business reports uses services configuration, also called OneSettings. Disabling the services configuration can cause some of the client data to be incorrect or missing in reports. For more information, see the DisableOneSettingsDownloads policy settings.
Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. For more information about data handling and privacy for Windows diagnostic data, see Configure Windows diagnostic data in your organization and Changes to Windows diagnostic data collection.
Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data:
||Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports.|
||Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur.|
||Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier.|
||Used by Windows components and applications to dynamically update their configuration. Required for Windows Update functionality.|
||Required for Windows Update functionality.|
||Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes.|
||This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc).|
||Azure blob data storage.|
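A read-only check of the client-side settings this page names (diagnostic data level, device-name opt-in, services configuration, and the wlidsvc service), as an added example that is not part of the original article or Microsoft's configuration script. It assumes the settings are delivered by Group Policy and stored under `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection`; the function names are hypothetical.

```powershell
# Added example, not Microsoft's configuration script. Read-only.
# Assumption: settings arrive via Group Policy and are stored under this key;
# settings delivered through the CSP (MDM) are stored elsewhere and not read here.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).$Name
}

function New-Finding([string]$Check, $Observed, [string]$Status) {
    if ($null -eq $Observed) { $Observed = 'not configured' }
    [pscustomobject]@{ Check = $Check; Observed = $Observed; Status = $Status }
}

function Test-WufbReportsClient {
    # AllowTelemetry: 0 = Security (off), 1 = Required, 2 = Enhanced, 3 = Optional.
    $level = Get-PolicyValue 'AllowTelemetry'
    $status = if ($null -eq $level) { 'Review' } elseif ($level -ge 1) { 'Pass' } else { 'Fail' }
    New-Finding 'Diagnostic data level (Required or higher)' $level $status

    # Device names stay out of the reports unless this opt-in is set to 1.
    $optIn = Get-PolicyValue 'AllowDeviceNameInDiagnosticData'
    $status = if ($optIn -eq 1) { 'Pass' } else { 'Warn' }
    New-Finding 'Device name sent in diagnostic data' $optIn $status

    # Services configuration (OneSettings) disabled means incomplete report data.
    $oneSettingsOff = Get-PolicyValue 'DisableOneSettingsDownloads'
    $status = if ($oneSettingsOff -eq 1) { 'Fail' } else { 'Pass' }
    New-Finding 'Services configuration (OneSettings) allowed' $oneSettingsOff $status

    # Microsoft Account Sign-in Assistant: needed for the primary device identifier.
    $svc = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        New-Finding 'wlidsvc service' 'not found' 'Fail'
    } elseif ($svc.StartType -eq 'Disabled') {
        New-Finding 'wlidsvc service' 'Disabled' 'Fail'
    } elseif ($svc.Status -eq 'Running') {
        New-Finding 'wlidsvc service' 'Running' 'Pass'
    } else {
        New-Finding 'wlidsvc service' "$($svc.Status)" 'Warn'
    }
}

Test-WufbReportsClient | Format-Table -AutoSize
```

A `Review` result for the diagnostic data level means no policy value is set at that key, so the effective level has to be confirmed from the device's own settings.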
Enrolling into Windows Update for Business reports from the Azure CLI or enrolling programmatically another way currently isn't supported. You must manually add Windows Update for Business reports to your Azure subscription.
Log Analytics regions
Windows Update for Business reports can use a Log Analytics workspace in the following regions:
|Compatible Log Analytics regions|
|East US 2|
|North Central US|
|South Africa North|
|South Central US|
|West Central US|
|West US 2|
- Enable the Windows Update for Business reports solution in the Azure portal