How to enable and use Windows Update for Business reports
Organizations that use Windows Update for Business to manage Windows OS updates and patches should learn how to make the most of the reporting features it offers.
Perhaps the most important and time-consuming task that an IT administrator has is managing software and hardware updates. So, they need to evaluate update data and issues via whatever reporting methods are available.
Windows administrators who need to manage system updates can turn to Windows Update for Business to help with both the management and the process assessment thanks to its extensive reporting system.
However, it can take some getting used to, so admins should learn how to make the most of Windows Update for Business and its reporting features before they can implement this feature in production.
What is Windows Update for Business reporting?
Windows Update for Business, also known as WUfB, is a service in the Microsoft Azure and Intune cloud platforms that manages and monitors Windows update status for domain-joined cloud devices. Intended for commercial customers, it provides comprehensive reporting on the status of Windows security, quality, product and driver updates for Windows clients. This allows the IT admin to identify out-of-compliance devices for update action. Further, it helps keep devices healthy, reducing downtime and avoiding security breaches.
Organizations used to rely on Windows Server Update Services (WSUS) and Microsoft Update Compliance for update management and reporting. However, Microsoft Update Compliance retired in March 2023 and WSUS is scheduled to retire in early 2025. Update Compliance was replaced by Windows Update for Business reports.
Microsoft said Windows Update for Business is a result of the vendor listening to customers' complaints and suggestions. It identified several areas in which Windows Update for Business reporting provides new benefits to the IT staff.
How to enable Windows Update for Business with prerequisites
While Windows Update for Business is available in Azure and Intune, the following description is focused on how to enable Windows Update for Business in Azure. This assumes that the user has an Azure subscription and devices with proper licenses are configured. The operating systems (OSes) and editions that Windows Update for Business supports include Windows 10 and Windows 11 Professional, Education, Enterprise and Enterprise multi-session editions. These must be multi-tenant editions.
In addition, Windows Update for Business reports only provide reporting data for standard Windows client version and does not support Windows Server, Surface Hub, IoT or other versions.
Primarily, devices must be Microsoft Entra ID joined or Entra ID hybrid joined. Microsoft Entra-registered devices, such as BYOD, are not supported. Microsoft Entra ID can manage user identities and control access to network data. Domain services and Azure Active Directory (AD) are included in Entra ID. Other prerequisites for enabling Windows Update for Business include the following:
Azure Log Analytics workspace in a supported region. Note that the regions listed in the workspace creation wizard are not all supported.
Permissions are provided from Microsoft Entra ID or Intune, Azure, and Microsoft 365 Admin Center.
Specific roles in resources, such as Intune Administrator, are required to enroll in Windows Update for Business reports.
The Windows Update for Business reports must be enrolled in the Azure Workbook.
Windows clients must be running an OS with the February 2023 cumulative update or later to enroll in Windows Update for Business reports. Devices must also be configured to send client diagnostic data to Windows Update for Business.
Additional information regarding endpoint support, diagnostic data requirements and supported log analytics regions is available in the Microsoft Windows Update for reports prerequisites article.
Configuring Windows Update for Business Reports in Azure
Windows Update for Business is an Azure Workbook template that is pre-defined in the Azure portal and is a part of the Log Analytics workspace. Access Windows Update for Business by logging into the Azure Portal and clicking Monitor. Then, select Workbooks in the left navigation pane and go all the way to the end of the workbooks list to find Windows Updates for Business as shown in Figure 1.
Figure 1. The Windows Update for Business section in the Azure Workbooks gallery.
To configure Windows Update for Business properly, there are a few preparation steps to take. For instance, IT needs the right subscriptions in place, and admins must configure and deploy the devices within a Resource Group and a Log Analytics workspace. Assuming devices are available and an active subscription is in place, IT must perform the following steps for Windows Update for Business creation and configuration.
Figure 2. The page allows admins to create a resource group that they can use to define Windows Update for Business policies.
Figure 3. The option to add specific clients to a targeted resource group so IT can manage updates.
Open and log in to the Azure Portal.
Associate the clients with an Azure Log Analytics workspace, and a Resource Group must be created and configured with the proper clients associated with them.
Create a Resource Group by clicking on the Resource Group icon on the Azure portal home page.
Click on Create.
Select the subscription and provide a name for the resource group (Figure 2).
Click Review + Create, then click Create.
Assign devices to the Resource Group. This is done in the client configuration as shown in Figure 3.
Figure 4. The steps to create an Azure Log Analytics workspace that will allow IT to group and monitor the reports.
On the Azure Portal Home page, click on the Log Analytics workspace icon on the Azure Home page, then click on Create. Complete the form to create the workspace (Figure 4) by indicating the subscription and the Resource Group to be used.
Provide an Instance name and region and click Review & Create, then click Create. Figure 5 lists all Log Analytics workspaces and the assigned resource groups. This example uses a basic Windows Update for Business workspace.
Figure 5. The Windows Update for Business reporting tab in the Log Analytics directory.
To create the Windows Update for Business workbook from the Azure portal Home page, click on the Monitor icon, then click on the Workbook link in the left pane. This will display pre-configured workbooks. Select Windows Update for Business, located at the very end (Figure 1).
In the Windows Update for Business Reports screen, click in the subscription and resource fields and select the proper subscription and Log Analytics workspace. Windows Update for Business. Click Save Settings. Once it is all configured and the devices are set to send diagnostic data, it might take up to 24 hours to get reports.
How to use Windows Update for Business reports
Once Windows Update for Business is configured, and devices are set for the desired data reporting, IT can view the reports in the Windows Update for Business workbook. Go to Azure Portal > Monitor > Workbooks > Windows Update for Business. Select the subscription and Workspace desired. It is recommended not to pin the workbook as it will display static data.
IT staff will find these reports well-suited for gathering error logs, but also for helping fix the problems that they identify.
IT staff will find these reports well-suited for gathering error logs, but also for helping fix the problems that they identify. Overall, it is an effort by Microsoft to move organizations to a more Azure-centric environment. Besides Azure, Windows Update for Business integrates with Microsoft 365 Admin Center, Intune and Autopatch, integrating cloud reporting tools into Azure AD.
Windows Update for Business allows the admin to do the following:
View the device information and status of update progress from one view.
Gather information at a device level or for quality or feature updates.
View success, failure and status of the updates on every client.
View error codes complete with description and remediation action recommended. This is perhaps the most powerful feature, saving countless hours and money by eliminating looking up codes and troubleshooting tips to resolve each error.
Windows Update for Business reporting displays key data points, which include the following:
Organization device information:
Total enrolled devices.
Total active alerts.
Windows 11 eligibility can identify devices that are eligible for Windows 11 update as well as those that are not, why they are not, and how to remediate them.
Update status and failures. Admins can click on Quality Updates or Feature Updates to find the status for the entire organization on specific updates and drill down to see which clients are having the issue.
Device information including the following:
OS update version and stock-keeping units.
Failures displayed with error codes, descriptions and recommended action, such as remediation.
Admins can import information to Excel or view it in the Azure Workbook Logs view.
Bringing the legacy Windows Update Services into what Windows Update for Business has become gives IT admins and staff in Azure environments a powerful tool. IT can quickly identify the status of desktops with online reporting that lets IT view device status, configuration and overall update status. This allows for quick identification of status and progress.
Additionally, locating devices or groups of devices where updates have failed will prove to be invaluable to admins who need to manage update posture.
Gary Olsen has worked in the IT industry since 1983 and holds a Master of Science in computer-aided manufacturing from Brigham Young University. He was on Microsoft's Windows 2000 beta support team for Active Directory from 1998 to 2000 and has written two books on Active Directory and numerous technical articles for magazines and websites.
