Enable Windows Update for Business (WUfB) in Intune with Reporting

1. Prerequisites

Device Join Type: Microsoft Entra joined or Hybrid joined.
Supported OS: Windows 10/11 Pro, Enterprise, Education.
Roles Required:
- Intune Administrator or Windows Update Deployment Administrator.
- Log Analytics Contributor/Reader for workspace access.
Azure Subscription and a Log Analytics workspace in a supported region.
Ensure network endpoints for Microsoft Update and telemetry are allowed.
WUfB ingestion is free; standard Log Analytics retention costs apply.

2. Create or Select an Azure Log Analytics Workspace

In Azure portal, search Log Analytics workspaces → Create.
Choose subscription, resource group, and supported region.
Save workspace details—you’ll link this later.

3. Enroll WUfB Reports

You have two options:

Option A: Azure Portal

Go to Azure portal → Monitor → Workbooks → Windows Update for Business reports.
Select Get Started, choose your subscription and workspace, and save.

Option B: Microsoft 365 Admin Center

Sign in at https://admin.microsoft.com.
Navigate to Health → Software updates → Windows.
Select Windows Update for Business reports.
Click Get started, pick your Azure subscription and workspace, and confirm.

4. Configure Diagnostic Data in Intune

Create a Settings catalog profile for Windows 10 and later:

System/AllowTelemetry = 1 (Required)
System/ConfigureTelemetryOptInSettingsUx = Disable opt-in
System/AllowDeviceNameInDiagnosticData = Allowed
Enable Commercial data pipeline if applicable.

Deploy to pilot devices first.

5. Set Up Diagnostic Settings in Intune

To ensure data flows to Azure Monitor:

In Intune admin center, go to Tenant administration → Diagnostic settings.
Select Add diagnostic setting.
Choose the categories: AuditLogs, OperationalLogs, and DeviceManagementLogs. (Or just select all)
Select Send to Log Analytics workspace and pick the workspace created earlier.
Save the configuration.

This step ensures Intune logs are streamed to your Log Analytics workspace for deeper insights.

6. Enable Tenant-Level Switch

In Intune admin center:

Go to Tenant administration → Connectors and tokens → Windows data.
Set Enable features that require Windows diagnostic data = On.

7. Create Intune Update Policies

Update rings: Control timing and restart behavior.
Feature updates: Lock or upgrade to specific versions.
Quality updates: Expedite critical patches.
Driver updates: Approve or pause drivers.

8. Reporting Portals

Azure Monitor Workbooks: Deep analytics and dashboards.
Microsoft 365 Admin Center: High-level compliance view.
Intune Admin Center: Policy-centric reports.
Log Analytics (KQL): Custom queries on UC* tables.

9. Data Latency

Initial data appears in 48–72 hours.
Reports refresh daily and show devices active in the last 28 days.

10. Verify Data Population

To confirm data is flowing:

In Azure portal, open your Log Analytics workspace → Logs.
- Run a simple query:

UCClient | take 10

If results appear, devices are reporting.

Check Azure Monitor → Workbooks → Windows Update for Business reports for populated charts.
In Microsoft 365 Admin Center → Health → Software updates → Windows, verify compliance data.
In Intune Admin Center → Reports → Windows updates, confirm update status for devices.

If no data appears after 72 hours:

Verify telemetry settings (AllowTelemetry = 1).
Ensure tenant-level switch is enabled.
Confirm devices are online and Entra joined.

A more advanced query:

IntuneDevices
| summarize Latest = arg_max(LastContact, OSVersion) by DeviceName
| project DeviceName, OSVersion
| order by OSVersion desc

Quick Checklist

✔ Create Log Analytics workspace

✔ Enroll WUfB reports (Azure or M365 Admin Center)

✔ Configure telemetry via Intune

✔ Set up diagnostic settings in Intune

✔ Enable tenant-level switch

✔ Deploy update policies

✔ Verify network prerequisites

✔ Use portals for reporting

✔ Run KQL queries to confirm data flow

References

https://portal.azure.com
https://admin.microsoft.com
https://endpoint.microsoft.com