Windows Update for Business reports prerequisites

Before you begin the process of adding Windows Update for Business reports to your Azure subscription, ensure you meet the prerequisites.

Azure and Microsoft Entra ID

Permissions

Accessing Windows Update for Business reports typically requires permissions from multiple sources, including:

  • Microsoft Entra ID or Intune: Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
  • Azure: Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
  • Microsoft 365 admin center: Manages access to the Microsoft 365 admin center, which allows only users with certain Microsoft Entra roles access to sign in

Roles that can enroll into Windows Update for Business reports

Enrolling into Windows Update for Business reports from the Azure portal or the Microsoft 365 admin center requires one of the following roles:

Azure roles that allow access to the Log Analytics workspace

The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions for the workspace:

Examples of commonly assigned roles for Windows Update for Business reports users:

| Roles | Enroll through the workbook | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
|---|---|---|---|---|---|
| Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
| Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes | No |
| Policy and profile manager (Intune role) + Log Analytics reader | Yes | No | Yes | No | No |
| Log Analytics reader | No | No | Yes | No | No |
| Global reader + Log Analytics reader | No | No | Yes | Yes | No |

Note

The Microsoft Entra roles discussed in this article for the Microsoft 365 admin center access apply specifically to the Windows tab of the Software Updates page. For more information about the Microsoft 365 Apps tab, see Microsoft 365 Apps updates in the admin center.

Operating systems and editions

  • Windows 11 Professional, Education, Enterprise, and Enterprise multi-session editions
  • Windows 10 Professional, Education, Enterprise, and Enterprise multi-session editions

Windows Update for Business reports only provides data for the standard desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.

Important

Currently there is a known issue where Windows Update for Business reports doesn't display data for Enterprise multi-session edition devices.

Windows client servicing channels

Windows Update for Business reports supports Windows client devices on the following channels:

  • General Availability Channel
  • Windows Update for Business reports counts Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them.

Windows operating system updates for client devices

Installing the February 2023 cumulative update, or a later equivalent update, is required for clients to enroll into Windows Update for Business reports. This update helped enable changes to Windows diagnostic data collection, which Windows Update for Business reports relies on.

For more information about available updates, see Windows 11 release information and Windows 10 release information.

Diagnostic data requirements

At minimum, Windows Update for Business reports requires devices to send diagnostic data at the Required level (previously Basic). For more information about what data each diagnostic level includes, see Configure Windows diagnostic data in your organization.

The following levels are recommended, but not required:

  • The Enhanced level for Windows 10 devices.
  • The Optional level for Windows 11 devices (previously Full).

Device names don't appear in Windows Update for Business reports unless you individually opt in devices by using a policy. The configuration script does this action for you, but when using other client configuration methods, set one of the following policies to display device names:

  • CSP: System/AllowDeviceNameInDiagnosticData
  • Group Policy: Allow device name to be sent in Windows diagnostic data under Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds

Tip

Windows Update for Business reports uses services configuration, also called OneSettings. Disabling the services configuration can cause some of the client data to be incorrect or missing in reports. For more information, see the DisableOneSettingsDownloads policy settings.
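To audit a client against the diagnostic data requirements above, the following added example (not part of the original article or Microsoft's configuration script) reads the relevant policy values and flags gaps. It assumes the settings were delivered by Group Policy, whose registry key and value names are standard Windows but are not stated on this page; settings delivered through the CSP are stored elsewhere and aren't read here.

```powershell
# Added example: audit the diagnostic data policies this page names.
# Assumption: Group Policy delivery, which stores the values under this key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$levelNames = @{ 0 = 'Security'; 1 = 'Required (Basic)'; 2 = 'Enhanced'; 3 = 'Optional (Full)' }

function Get-PolicyValue([string]$Name) {
    # Returns $null when the key or value is absent (policy not configured)
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$level      = Get-PolicyValue 'AllowTelemetry'
$deviceName = Get-PolicyValue 'AllowDeviceNameInDiagnosticData'
$oneSetOff  = Get-PolicyValue 'DisableOneSettingsDownloads'

# Windows 11 builds start at 22000; the page recommends Optional there
# and Enhanced on Windows 10.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
$recommended = if ($build -ge 22000) { 3 } else { 2 }

$findings = @()
if ($null -eq $level) {
    $findings += 'AllowTelemetry is not set by Group Policy; the device uses its local or MDM setting.'
} elseif ($level -lt 1) {
    $findings += "Level $level ($($levelNames[[int]$level])) is below Required, the stated minimum."
} elseif ($level -lt $recommended) {
    $findings += "Level $level ($($levelNames[[int]$level])) meets the minimum; recommended is $($levelNames[$recommended])."
}
if ($deviceName -ne 1) {
    $findings += 'Device name opt-in is not set; device names will not appear in reports.'
}
if ($oneSetOff -eq 1) {
    $findings += 'DisableOneSettingsDownloads is enabled; client data may be incorrect or missing in reports.'
}

# Emit the raw values first, then one line per finding
[pscustomobject]@{
    Build                           = $build
    AllowTelemetry                  = $level
    AllowDeviceNameInDiagnosticData = $deviceName
    DisableOneSettingsDownloads     = $oneSetOff
}
$findings
```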

Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. For more information about data handling and privacy for Windows diagnostic data, see Configure Windows diagnostic data in your organization and Changes to Windows diagnostic data collection.

Endpoints

Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data:

| Endpoint | Function |
|---|---|
| *v10c.events.data.microsoft.com, or eu-v10c.events.data.microsoft.com for tenants with billing address in the EU Data Boundary | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. |
| umwatsonc.events.data.microsoft.com, or eu-watsonc.events.data.microsoft.com for tenants with billing address in the EU Data Boundary | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. |
| v10.vortex-win.data.microsoft.com | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
| settings-win.data.microsoft.com | Used by Windows components and applications to dynamically update their configuration. Required for Windows Update functionality. |
| adl.windows.com | Required for Windows Update functionality. |
| oca.telemetry.microsoft.com | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. |
| login.live.com | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices aren't visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
| ceuswatcab01.blob.core.windows.net, ceuswatcab02.blob.core.windows.net, eaus2watcab01.blob.core.windows.net, eaus2watcab02.blob.core.windows.net, weus2watcab01.blob.core.windows.net, weus2watcab02.blob.core.windows.net | Azure blob data storage. |
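To confirm that a firewall or proxy change hasn't cut a device off from these endpoints, the following added example (not part of the original article) tests each listed host and the wlidsvc service. The function name and the -EuDataBoundary switch are hypothetical, and TCP port 443 and direct outbound access are assumptions, since the page lists host names only.

```powershell
# Added example: check reachability of the endpoints listed on this page.
# Assumptions: TCP 443 and direct outbound access (a proxy that requires
# authentication makes these raw TCP tests fail even when traffic would flow).
function Test-WufbReportsEndpoints {
    param([switch]$EuDataBoundary)   # hypothetical switch for EU Data Boundary tenants

    $targets = @(
        # One concrete host under the page's *v10c wildcard entry
        'v10c.events.data.microsoft.com'
        'umwatsonc.events.data.microsoft.com'
        'v10.vortex-win.data.microsoft.com'
        'settings-win.data.microsoft.com'
        'adl.windows.com'
        'oca.telemetry.microsoft.com'
        'login.live.com'
        'ceuswatcab01.blob.core.windows.net'
        'ceuswatcab02.blob.core.windows.net'
        'eaus2watcab01.blob.core.windows.net'
        'eaus2watcab02.blob.core.windows.net'
        'weus2watcab01.blob.core.windows.net'
        'weus2watcab02.blob.core.windows.net'
    )
    if ($EuDataBoundary) {
        # Tested in addition to the standard hosts (an assumption of this example)
        $targets += 'eu-v10c.events.data.microsoft.com', 'eu-watsonc.events.data.microsoft.com'
    }

    foreach ($t in $targets) {
        $r = Test-NetConnection -ComputerName $t -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check  = $t
            Passed = [bool]$r.TcpTestSucceeded
            Detail = "$($r.RemoteAddress)"   # empty when name resolution failed
        }
    }

    # The page requires the Microsoft Account Sign-in Assistant service (wlidsvc)
    $svc = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'wlidsvc service'
        Passed = ($null -ne $svc -and $svc.Status -eq 'Running')
        Detail = if ($svc) { "Status=$($svc.Status); StartType=$($svc.StartType)" } else { 'not found' }
    }
}

Test-WufbReportsEndpoints | Format-Table -AutoSize
```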

Note

Enrolling into Windows Update for Business reports from the Azure CLI or enrolling programmatically another way currently isn't supported. You must manually add Windows Update for Business reports to your Azure subscription.

Log Analytics regions

Windows Update for Business reports can use a Log Analytics workspace in the following regions:

Compatible Log Analytics regions
Australia Central
Australia East
Australia Southeast
Brazil South
Canada Central
Central India
Central US
East Asia
East US
East US 2
Eastus2euap(canary)
France Central
Japan East
Korea Central
North Central US
North Europe
South Africa North
South Central US
Southeast Asia
Switzerland North
Switzerland West
UK West
UK South
West Central US
West Europe
West US
West US 2
