Configure WUfB Reports with Graph API & PowerShell

Published On: March 18, 2024Last Updated: March 18, 2024By 2.6 min readViews: 282

TOC

Windows Update for Business Reports is a vital part of any organisations setup when it comes to reporting on Windows Updates from the WUfB Deployment Service.

With an incline in the adoption of Cloud Native (or Cloud First) Endpoint Management, we see more organisations relinquish some of their control of update using things like WSUS. This isn’t always a terrible thing, but organisations are also moving towards IaC (Infrastructure as Code) and are wanting to deliver repeatable deployments to further support Business Continuity planning.

One of the best ways to achieve this with Microsoft Intune and its Microsoft counterparts is using the Microsoft Graph API, and configuring your Intune Tenant settings and Windows Update for Business Reports workspace settings is no exception, and in this article, we will go through the require steps to do just that.

Pre-Reqs

Before we get started, you will require the following Access Rights.

Prior to running the PowerShell Commands, you must be connected to the Microsoft Graph using the the Connect-MGGraph cmdlet.

Configuring WUfB Reports

Configure Data Processing & Windows License Verification

WindowsData Unconfigured
WindowsData Unconfigured

By default, the enablement of features that require data processing are Disabled as shown in the above image. As mentioned in the Microsoft documentation, the following services require this setting to be enabled.

To configure these options via the Microsoft Graph API, you can run the following code snippet;

Copy to Clipboard

Once this command has successfully run you should then see within your Intune Tenant that the following settings are configured.

WindowsData Configured
WindowsData Configured

Configure Windows Update for Business Reports

Now we have our Data Processing configured, let get our Windows Update for Business Reports configured.

This time, we have to make a slight change to our authentication method to the Graph API, we have to connect with the “WindowsUpdates.ReadWrite.All” & “DeviceManagementServiceConfig.ReadWrite.All” scopes, without doing so we will run into a forbidden issue.

We also need the following information to hand to replace the placeholder text in the below code snippet.

  • The Subscription ID of the sub where our Log Analytics workspace resides
  • The Resource Group name
  • The Log Analytics Workspace name (not ID)

Once we have these to hand, replace the placeholders within the $params array.

Copy to Clipboard

Once this is configured, the data usually appears within the Log Analytics Workspace and the Windows Update for Business Report within 72 Hours.

Conclusion

This is just one small step in configuring your Intune Tenant, however it gives you vital insight into your Windows Updates across your endpoint estate.

Doing this via the Graph API allows you to have a repeatable and less error prone deployment strategy.

Configure WUfB Reports with Graph API & PowerShell

Published On: March 18, 2024Last Updated: March 18, 2024By 2.6 min readViews: 282

TOC

Windows Update for Business Reports is a vital part of any organisations setup when it comes to reporting on Windows Updates from the WUfB Deployment Service.

With an incline in the adoption of Cloud Native (or Cloud First) Endpoint Management, we see more organisations relinquish some of their control of update using things like WSUS. This isn’t always a terrible thing, but organisations are also moving towards IaC (Infrastructure as Code) and are wanting to deliver repeatable deployments to further support Business Continuity planning.

One of the best ways to achieve this with Microsoft Intune and its Microsoft counterparts is using the Microsoft Graph API, and configuring your Intune Tenant settings and Windows Update for Business Reports workspace settings is no exception, and in this article, we will go through the require steps to do just that.

Pre-Reqs

Before we get started, you will require the following Access Rights.

Prior to running the PowerShell Commands, you must be connected to the Microsoft Graph using the the Connect-MGGraph cmdlet.

Configuring WUfB Reports

Configure Data Processing & Windows License Verification

WindowsData Unconfigured
WindowsData Unconfigured

By default, the enablement of features that require data processing are Disabled as shown in the above image. As mentioned in the Microsoft documentation, the following services require this setting to be enabled.

To configure these options via the Microsoft Graph API, you can run the following code snippet;

Copy to Clipboard

Once this command has successfully run you should then see within your Intune Tenant that the following settings are configured.

WindowsData Configured
WindowsData Configured

Configure Windows Update for Business Reports

Now we have our Data Processing configured, let get our Windows Update for Business Reports configured.

This time, we have to make a slight change to our authentication method to the Graph API, we have to connect with the “WindowsUpdates.ReadWrite.All” & “DeviceManagementServiceConfig.ReadWrite.All” scopes, without doing so we will run into a forbidden issue.

We also need the following information to hand to replace the placeholder text in the below code snippet.

  • The Subscription ID of the sub where our Log Analytics workspace resides
  • The Resource Group name
  • The Log Analytics Workspace name (not ID)

Once we have these to hand, replace the placeholders within the $params array.

Copy to Clipboard

Once this is configured, the data usually appears within the Log Analytics Workspace and the Windows Update for Business Report within 72 Hours.

Conclusion

This is just one small step in configuring your Intune Tenant, however it gives you vital insight into your Windows Updates across your endpoint estate.

Doing this via the Graph API allows you to have a repeatable and less error prone deployment strategy.