Windows Update for Business Reports is a vital part of any organisations setup when it comes to reporting on Windows Updates from the WUfB Deployment Service.

With an incline in the adoption of Cloud Native (or Cloud First) Endpoint Management, we see more organisations relinquish some of their control of update using things like WSUS. This isn’t always a terrible thing, but organisations are also moving towards IaC (Infrastructure as Code) and are wanting to deliver repeatable deployments to further support Business Continuity planning.

One of the best ways to achieve this with Microsoft Intune and its Microsoft counterparts is using the Microsoft Graph API, and configuring your Intune Tenant settings and Windows Update for Business Reports workspace settings is no exception, and in this article, we will go through the require steps to do just that.

Before we get started, you will require the following Access Rights.

• Global Administrator for your Tenant
  • This is used to enable Data Processing (Configure Windows diagnostic data in your organisation (Windows 10 and Windows 11) – Windows Privacy | Microsoft Learn)
• A Log Analytics Workspace
  • You can use a current workspace or create a new one for the sole purpose of WUfB Reporting.
• The ability to run MS Graph PowerShell actions against your tenant
• The Microsoft.Graph.Beta PowerShell Module

Prior to running the PowerShell Commands, you must be connected to the Microsoft Graph using the the Connect-MGGraph cmdlet.

By default, the enablement of features that require data processing are Disabled as shown in the above image. As mentioned in the Microsoft documentation, the following services require this setting to be enabled.

• Windows feature update device readiness report
• Windows feature update compatibility risks report
• Windows driver updates report

To configure these options via the Microsoft Graph API, you can run the following code snippet;

Once this command has successfully run you should then see within your Intune Tenant that the following settings are configured.

Now we have our Data Processing configured, let get our Windows Update for Business Reports configured.

This time, we have to make a slight change to our authentication method to the Graph API, we have to connect with the “WindowsUpdates.ReadWrite.All” & “DeviceManagementServiceConfig.ReadWrite.All” scopes, without doing so we will run into a forbidden issue.

We also need the following information to hand to replace the placeholder text in the below code snippet.

• The Subscription ID of the sub where our Log Analytics workspace resides
• The Resource Group name
• The Log Analytics Workspace name (not ID)

Once we have these to hand, replace the placeholders within the $params array.

Once this is configured, the data usually appears within the Log Analytics Workspace and the Windows Update for Business Report within 72 Hours.

This is just one small step in configuring your Intune Tenant, however it gives you vital insight into your Windows Updates across your endpoint estate.

Doing this via the Graph API allows you to have a repeatable and less error prone deployment strategy.