Hello all, thanks for this lovely collaboration with top-notch engineers from MS directly.
We’re building an automated compliance pipeline for Intune / AVD–managed Windows 11 devices and need a programmatic, Microsoft-supported source for the current Patch Tuesday “B” CU baseline.
Requirement (monthly, 2nd Wednesday):
For each Windows 11 release (22H2, 23H2, 24H2, 25H2, future 26H2), determine:
- Expected CU KB
- Expected UBR
- Security revision
This baseline is then used to compare against device-reported OS/UBR from Graph.
Question:
Is there an authoritative API or dataset (Graph, WUfB, Update Compliance, Intune internal metadata, or Microsoft Update) that exposes the current expected Patch Tuesday CU + UBR per OS version?
Specifically:
- How does Intune internally determine “latest update installed / compliant”?
- Is KB → expected UBR mapping available programmatically?
- Is scraping Update History / Catalog the only option today?
- Any supported alternative or roadmap for exposing this via Graph?
We want to avoid manual KB tables or HTML scraping.
Looking for guidance from Intune / WUfB / Graph teams.
- Aria, updated Feb 19, 2026
Microsoft
Hi isamFER, you can pull all of the available UBRs via the WUA APIs ("Searching, Downloading, and Installing Updates - Win32 apps | Microsoft Learn").
A more seamless approach would be to leverage the Autopatch reports in Intune to determine if devices have the correct security updates / content. You can do this through the "Windows quality and feature update reports overview | Microsoft Learn", and for security you may especially find the "New Windows Autopatch report on CVEs - Windows IT Pro Blog" interesting.
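The comparison step described in the question (baseline versus device-reported OS/UBR from Graph), as an added example that is not part of the thread and not Microsoft code. It assumes the Graph `osVersion` value has the form `10.0.<build>.<UBR>`; the baseline KB ids and UBR values are constructed placeholders, and `evaluate`, `report` and the state names are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Windows 11 release keyed by OS build (third field of 10.0.<build>.<UBR>).
RELEASE_BY_BUILD = {22621: "22H2", 22631: "23H2", 26100: "24H2", 26200: "25H2"}

# Constructed placeholder baseline, NOT real Patch Tuesday data.
# 22H2 is left out on purpose to show the "no_baseline" path.
BASELINE = {
    "23H2": {"kb": "KB0000001", "ubr": 5000},
    "24H2": {"kb": "KB0000002", "ubr": 7000},
}

OS_VERSION = re.compile(r"10\.0\.(\d+)\.(\d+)")

class Verdict(NamedTuple):
    device: str
    release: Optional[str]
    state: str               # compliant | behind | ahead_of_baseline | no_baseline | unparseable
    ubr_gap: Optional[int]   # expected UBR minus reported UBR

def evaluate(device, os_version, baseline=BASELINE):
    m = OS_VERSION.fullmatch((os_version or "").strip())
    if not m:
        # Missing UBR or empty value: never treat as compliant by default.
        return Verdict(device, None, "unparseable", None)
    build, ubr = int(m.group(1)), int(m.group(2))
    release = RELEASE_BY_BUILD.get(build)
    if release is None or release not in baseline:
        return Verdict(device, release, "no_baseline", None)
    gap = baseline[release]["ubr"] - ubr
    if gap > 0:
        state = "behind"
    elif gap < 0:
        # Device is newer than the table: the baseline itself is likely stale.
        state = "ahead_of_baseline"
    else:
        state = "compliant"
    return Verdict(device, release, state, gap)

# Constructed sample records shaped like Graph managedDevice objects.
SAMPLE_DEVICES = [
    {"deviceName": "AVD-001", "osVersion": "10.0.22631.5000"},
    {"deviceName": "AVD-002", "osVersion": "10.0.26100.6899"},
    {"deviceName": "LAP-003", "osVersion": "10.0.26100.7050"},
    {"deviceName": "LAP-004", "osVersion": "10.0.22621.4000"},
    {"deviceName": "LAP-005", "osVersion": "10.0.22631"},
    {"deviceName": "LAP-006", "osVersion": None},
]

def report(devices=SAMPLE_DEVICES):
    return [evaluate(d["deviceName"], d.get("osVersion")) for d in devices]
```

Keeping `ahead_of_baseline` and `no_baseline` as separate states makes a stale or incomplete baseline table visible instead of silently passing or failing devices.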