Meet the new Windows Update for Business reporting experience
Event details
Let's walk through the evolution of Update Compliance, now Windows Update for Business reports. We look at the revamped product experience as well as requirements for continued use for existing Update Compliance organizations. We also share details on how you can easily migrate to the new experience, and details on when and how Update Compliance will be deprecated.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
67 Comments
- Heather_Poulsen
Community Manager
We’re happy you’re here with us at the Microsoft Technical Takeoff! Whether you are attending one session or many, please take this 2-minute survey and let us know your thoughts on this event.
- Tim_Pawasarat
Iron Contributor
Would it not make more sense to have these reports natively built into the Reports section in the Microsoft Endpoint Manager admin center? Seems a bit un-intuitive to have to dig into the Azure portal for this content.
- Gabe_Frost
Microsoft
We've definitely heard this feedback and appreciate it. Discussions are happening for how to make this much smoother between WUfB reports and Intune. We are excellent partners.
- Akash_Malhotra
Microsoft
WUfB reports does not require an Intune license, since it's a free service to monitor updates regardless of how they are managed. Although we do see some benefits in "embedding" or adding workbooks somehow in the portal to manage your WUfB policies. Please do share feedback on what workflow you think would be beneficial. Just a link to open up workbooks? E.g., how would you manage your Intune reporting with WUfB reports?
- bdam55
Iron Contributor
Maybe, but only in addition to. WUfB, WUfB Deployment Service, and I presume now WUfB Reporting is not an Intune feature, it's not tied to an EMS license. It's an OS feature ... service? ... so it shouldn't be exclusively tied to the Intune UI.
- bdam55
Iron Contributor
Update Compliance had a general SLA of 48 hours. Which, for general use is fine. When a zero day hits and I use Expedite to blast the update out there it isn't fine. Your average security department isn't going to accept that kind of SLA. This has led customers to build their own solutions or buy 3rd party reporting. Is there a dial somewhere to get more timely results? Even if it's for just a specific update?
- David_Mebane
Microsoft
Windows Update for Business reports has an SLA of 36 hours, whereas the Expedite reporting in Endpoint Manager has an SLA of 8 hours. We'll continue to look at ways to support quicker response times for key scenarios such as Expedite.
- bdam55
Iron Contributor
Ah, did that get that bumped up (down?) for Expedite? That's great news. It _might_ be enough, but it's a step in the right direction.
- Tommeke
Brass Contributor
Are there any plans to add Defender antimalware engine updates of definition updates to the update compliance reporting capabilities?
- David_Mebane
Microsoft
We recommend using Microsoft Defender for Endpoint if you are interested in this information.
- Anonymous
What does deferral days -1 mean in the report?
- Akash_Malhotra
Microsoft
That would mean that the policy is disabled. There is another technical takeoff session on setting GPO policies on devices!
- Anonymous
Thank you, I think I visited this earlier this day. Do you think it would be complicated to translate it into a readable value, Akash? So translating -1 to not configured.
- Key thing would be to see cumulative update compliance against active devices. How is this achieved with the reports? And the reports should be in MEM Admin center portal.
- Akash_Malhotra
Microsoft
You can filter devices that are not-active. We have an alert called "InsufficientUpdateConnectivity" which is basically telling you that the device is not active enough to scan Windows updates.
- ErinDay
Brass Contributor
This is a bit clunky still.
- Akash_Malhotra
Microsoft
Hey Erin! Thanks for the feedback. Can you please provide some feedback?
- ErinDay
Brass Contributor
Lot of configuration and setup, missing granularity of different update types. Non-OS updates not there. Most of this is already available in SCCM? And for this we have to pay for logging and a sub? I just tried in my sub with LA and all I got was errors.
So much of this stuff the last 2 days. Too many gaps. Just not ready. Feels like I'm downgrading.
- DaneaGalbraith
Iron Contributor
I like this. I notice this is in the Azure Portal; what would the Role requirement be to work with this? Will we be able to work seamlessly with Intune Admin Role?
- Akash_Malhotra
Microsoft
Yes! For enrollment, we currently support Global admin and Intune admin! If there are other roles your org/team uses, please let us know so we can consider supporting for the future. You can read on the permissions here: https://learn.microsoft.com/en-us/windows/deployment/update/update-status-admin-center
- DaneaGalbraith
Iron Contributor
Yes, so we might have a need for some reporting for our helpdesk to be able to read specific items to address with users, this would help them track progress without having to pass around a possible out-of-date spreadsheet or post an out-of-date spreadsheet in Teams.
- SigurdWerner
Iron Contributor
We have multiple divisions in one tenant and heavily depend on RBAC based on Dynamic Device Groups, so division admins can see only devices belonging to their area. Is WUfB reporting respecting RBAC and will show only the data of devices the division admins have access to?
- Akash_Malhotra
Microsoft
So right now, we support One Log analytics workspace to One Azure tenant mapping. What this means is that all data is routed into ONE workspace. We are looking at how to add support for multiple workspaces in the future.
- SigurdWerner
Iron Contributor
Supporting export to multiple workspaces is also the only way I can see to address that, every tracking e.g. w/ tags on all data inside the default workspace would just blow the size and cost performance. Having the option to copy the data belonging to objects in specified device/user groups to additional workspaces would allow us to use the same Azure AD groups for report access control as for Intune RBAC and we still could apply the reports/workbooks coming from Intune.
- bdam55
Iron Contributor
Contractually obligated to ask this question: Is there reporting for non-OS updates? .NET/Office/etc. updates are a thing and can be just as important as OS updates from a vulnerability standpoint. We need comprehensive reports that include _all_ updates applicable to the device. Long term that includes 3rd party apps as well because compliance doesn't just equal 'am I running the latest OS'.
- ErinDay
Brass Contributor
So much of this feels like a downgrade, at least right now. There are glimpses of brilliance, but just not ready yet.
- David_Mebane
Microsoft
We do not support non-OS updates today, but know it is an important topic for our customers. It is on the backlog, but no concrete plans to add this to WUfB reports at this time. We're currently focused on delivering a great story across the OS updates.
- bdam55
Iron Contributor
Thanks David, that was the answer I fully expected to get after 3+ years of asking it. Just know that until Microsoft puts forth a reporting solution that covers all of their products that they're not meeting the most basic needs of vulnerability management. Without a report showing the compliance of a device as a whole I'm left to either build or buy my own. I realize this might not be just one team's responsibility to solve, but someone needs to recognize the problem, take ownership of it, and drive a solution to address it.
- ZebulonSmith
Iron Contributor
100% How cool would it be if data from the "new" store plugged into this as well?