Windows Update for Business reports prerequisites
Before you begin the process of adding Windows Update for Business reports to your Azure subscription, ensure you meet the prerequisites.
Azure and Microsoft Entra ID
- An Azure subscription with Microsoft Entra ID.
- Devices must be Microsoft Entra joined and meet the below OS, diagnostic, and endpoint access requirements.
  - Devices can be Microsoft Entra joined or Microsoft Entra hybrid joined.
  - Devices that are Microsoft Entra registered only (workplace joined) aren't supported with Windows Update for Business reports.
- The Log Analytics workspace must be in a supported region.
- Data in the Driver update tab of the workbook is only available for devices that receive driver and firmware updates from Windows Autopatch.
Permissions
Accessing Windows Update for Business reports typically requires permissions from multiple sources, including:
- Microsoft Entra ID or Intune: Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
- Azure: Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
- Microsoft 365 admin center: Manages access to the Microsoft 365 admin center, which allows only users with certain Microsoft Entra roles access to sign in
Roles that can enroll into Windows Update for Business reports
Enrolling into Windows Update for Business reports from the Azure portal or the Microsoft 365 admin center requires one of the following roles:
- Intune Administrator Microsoft Entra role
- Windows Update deployment administrator Microsoft Entra role
- Policy and profile manager Microsoft Intune role
  - Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center
Azure roles that allow access to the Log Analytics workspace
The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions for the workspace:
- Log Analytics Reader role can be used to read data
- Log Analytics Contributor role can be used if creating a new workspace or write access is needed
Examples of commonly assigned roles for Windows Update for Business reports users:
Roles | Enroll through the workbook | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
---|---|---|---|---|---|
Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes | No |
Policy and profile manager (Intune role) + Log Analytics reader | Yes | No | Yes | No | No |
Log Analytics reader | No | No | Yes | No | No |
Global reader + Log Analytics reader | No | No | Yes | Yes | No |
Note
The Microsoft Entra roles discussed in this article for the Microsoft 365 admin center access apply specifically to the Windows tab of the Software Updates page. For more information about the Microsoft 365 Apps tab, see Microsoft 365 Apps updates in the admin center.
Operating systems and editions
- Windows 11 Professional, Education, Enterprise, and Enterprise multi-session editions
- Windows 10 Professional, Education, Enterprise, and Enterprise multi-session editions
Windows Update for Business reports only provides data for the standard desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
Important
Currently there is a known issue where Windows Update for Business reports doesn't display data for Enterprise multi-session edition devices.
Windows client servicing channels
Windows Update for Business reports supports Windows client devices on the following channels:
- General Availability Channel
- Windows Update for Business reports counts Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them.
Windows operating system updates for client devices
Installing the February 2023 cumulative update, or a later equivalent update, is required for clients to enroll into Windows Update for Business reports. This update helped enable changes to Windows diagnostic data collection, which Windows Update for Business reports relies on.
For more information about available updates, see Windows 11 release information and Windows 10 release information.
Diagnostic data requirements
At minimum, Windows Update for Business reports requires devices to send diagnostic data at the Required level (previously Basic). For more information about what data each diagnostic level includes, see Configure Windows diagnostic data in your organization.
The following levels are recommended, but not required:
- The Enhanced level for Windows 10 devices.
- The Optional level for Windows 11 devices (previously Full).
Device names don't appear in Windows Update for Business reports unless you individually opt in devices by using a policy. The configuration script does this action for you, but when using other client configuration methods, set one of the following policies to display device names:
- CSP: System/AllowDeviceNameInDiagnosticData
- Group Policy: Allow device name to be sent in Windows diagnostic data under Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds
Tip
Windows Update for Business reports uses services configuration, also called OneSettings. Disabling the services configuration can cause some of the client data to be incorrect or missing in reports. For more information, see the DisableOneSettingsDownloads policy settings.
Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. For more information about data handling and privacy for Windows diagnostic data, see Configure Windows diagnostic data in your organization and Changes to Windows diagnostic data collection.
Endpoints
Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data:
Endpoint | Function |
---|---|
*v10c.events.data.microsoft.com; eu-v10c.events.data.microsoft.com for tenants with billing address in the EU Data Boundary | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. |
umwatsonc.events.data.microsoft.com; eu-watsonc.events.data.microsoft.com for tenants with billing address in the EU Data Boundary | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. |
v10.vortex-win.data.microsoft.com | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
settings-win.data.microsoft.com | Used by Windows components and applications to dynamically update their configuration. Required for Windows Update functionality. |
adl.windows.com | Required for Windows Update functionality. |
oca.telemetry.microsoft.com | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. |
login.live.com | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices aren't visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
ceuswatcab01.blob.core.windows.net; ceuswatcab02.blob.core.windows.net; eaus2watcab01.blob.core.windows.net; eaus2watcab02.blob.core.windows.net; weus2watcab01.blob.core.windows.net; weus2watcab02.blob.core.windows.net | Azure blob data storage. |
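One way to verify the endpoint and service prerequisites above from a client device, as an added example that is not part of the original documentation. It assumes the endpoints are reached over TCP 443 on a direct (non-proxied) connection; the function names are hypothetical.

```powershell
# Added example. Host names and the wlidsvc service come from the table above.
# Assumptions: HTTPS on TCP 443 and a direct connection; Test-NetConnection does
# not use a proxy, so results can differ on proxied networks.
$Endpoints = @(
    'v10c.events.data.microsoft.com'        # covered by the *v10c wildcard entry
    'eu-v10c.events.data.microsoft.com'     # EU Data Boundary tenants
    'umwatsonc.events.data.microsoft.com'
    'eu-watsonc.events.data.microsoft.com'  # EU Data Boundary tenants
    'v10.vortex-win.data.microsoft.com'     # Windows 10, version 1709 or earlier
    'settings-win.data.microsoft.com'
    'adl.windows.com'
    'oca.telemetry.microsoft.com'
    'login.live.com'
    'ceuswatcab01.blob.core.windows.net'
    'ceuswatcab02.blob.core.windows.net'
    'eaus2watcab01.blob.core.windows.net'
    'eaus2watcab02.blob.core.windows.net'
    'weus2watcab01.blob.core.windows.net'
    'weus2watcab02.blob.core.windows.net'
)

function Test-ReportsEndpoint {   # hypothetical helper name
    param([string[]]$HostName, [int]$Port = 443)
    foreach ($name in $HostName) {
        $r = Test-NetConnection -ComputerName $name -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Endpoint  = $name
            Resolved  = $null -ne $r.RemoteAddress   # DNS answer received
            Reachable = [bool]$r.TcpTestSucceeded    # TCP handshake completed
        }
    }
}

function Get-SignInAssistantState {   # hypothetical helper name
    # The page requires the Microsoft Account Sign-in Assistant (wlidsvc) to run.
    $svc = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Service = 'wlidsvc'; Status = 'NotFound'; StartType = $null }
    }
    [pscustomobject]@{ Service = $svc.Name; Status = $svc.Status; StartType = $svc.StartType }
}

$results = Test-ReportsEndpoint -HostName $Endpoints
$results | Format-Table -AutoSize
Get-SignInAssistantState | Format-Table -AutoSize

# Surface blocked endpoints so firewall or proxy rules can be corrected.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) { Write-Warning "$($blocked.Count) endpoint(s) unreachable on TCP 443" }
```

A `Resolved` value of `False` points to DNS filtering, while `Resolved` `True` with `Reachable` `False` points to a firewall or egress rule.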
Note
Enrolling into Windows Update for Business reports from the Azure CLI or enrolling programmatically another way currently isn't supported. You must manually add Windows Update for Business reports to your Azure subscription.
Log Analytics regions
Windows Update for Business reports can use a Log Analytics workspace in the following regions:
Compatible Log Analytics regions |
---|
Australia Central |
Australia East |
Australia Southeast |
Brazil South |
Canada Central |
Central India |
Central US |
East Asia |
East US |
East US 2 |
Eastus2euap(canary) |
France Central |
Japan East |
Korea Central |
North Central US |
North Europe |
South Africa North |
South Central US |
Southeast Asia |
Switzerland North |
Switzerland West |
UK West |
UK South |
West Central US |
West Europe |
West US |
West US 2 |
Next steps
- Enable the Windows Update for Business reports solution in the Azure portal