Windows Update for Business reports is a new kind of reporting system that replaces Update Compliance reporting, which is set to end on March 31, 2023. Although you can still use Update Compliance, it will no longer accept new requests as it is now deprecated. Update Compliance is now rebranded as Windows Update for Business reports.
Windows Update for Business reports provide enhanced and detailed updates on deployment status per device, making it the future of Update Compliance. In contrast, Update Compliance relied on CommercialID configuration, which is no longer necessary for Windows Update for Business reports. The latter can be easily configured using Azure workbooks for Update compliance. Microsoft does not charge for data ingestion into Windows Update for Business reports.
Azure workbooks for Update Compliance is a public template released by Microsoft. It can be accessed through the Azure Portal by navigating to Home > Monitor > Workbooks. It can also be found under Public Templates when searching for “Windows Update.” Once fully configured, you can see an awesome dashboard for Update Compliance (Preview). You can further drill down for Quality updates and check Update Status & Device status.
Before configuring Windows Update for Business reports, there are a few prerequisites and settings that need to be met. Devices should be either Azure AD Join or Hybrid Azure AD Join. Permissions are required to configure/enroll Windows Update for Business reports. These include the Global Administrator role, Intune Administrator, and Windows Update Deployment administrator. To display the workbook for Windows Update, you need the Global Reader role. For Log Analytics permissions, you need the Log Analytics Contributor for editing and writing the queries, and Log Analytics Reader to read the data.
Diagnostic data needs to be enabled for Windows 10 devices at the Required level setting. Windows 11 devices require the Optional level, and Windows 10 devices require the Enhanced level. The Log Analytics workspace must also be configured to store the data.
To enable and set up the reports, you need to have a Log Analytics workspace under your Azure Subscription. Login to Azure Portal, search for “Log Analytics workspaces,” and create it. Specify the name, region, and subscription, and then click on Review + Create. Once validation is passed, click on Create. This will initiate the deployment of the Log Analytics workspace.
You can enroll Windows Update for Business reports either through Azure Workbook or through Microsoft 365 admin center. However, the recommended method is to use Azure workbook under Monitor. To enroll through Azure Workbook, navigate to Monitor > Workbooks. Scroll down until you see Windows Update for Business Reports (you can also search it). Click on it, and then click on Get started. Under Windows Update for Business reports enrollment blade, select the subscription and the previously created Log Analytics workspace. Click on Save settings and then confirm the settings and click on Save again.
To send the data, device diagnostics for Windows 10/11 must be enabled. This can be done through Group Policy, Intune Policy, or using a script. Configure Intune policies (MDM policies) and add the required settings to enable and send the data to the Log Analytics workspace.
Once the policies are deployed, wait for at least 24 hours for the data to appear on the dashboard. You can access the dashboard by signing into Azure Portal and navigating to Monitor > Workbooks > Windows Update for Business reports. The dashboard displays various tabs such as Overview, Quality updates, Feature updates, and Delivery Optimization, each with its own set of details. You can also explore the data using KQL query and create custom reports.