wufb
23 Topics

Behind the scenes: access and region control in Windows Update for Business reports
Interested in using Windows Update for Business reports for richer access and region control? As we've announced on the Windows IT Pro Blog today, you now have more power and flexibility to route data and to control access to your data with Windows Update for Business reports, as well as to host it in an expanded set of regions. While you can find out how in the blog article linked below, let's get behind the scenes of the new capability:

- The architecture
- Pricing structure
- A few current limitations
- Additional information

The architecture

When you run the Ansible solution to control access and region, your automated script deploys the following resources to your tenant:

- Azure resources:
  - Azure Function triggered on an interval to perform periodic data export
- Log Analytics resources:
  - Log Analytics workspace for each scope
- Azure Monitor resources:
  - Data collection endpoint for ingesting data
  - Data collection rule for each scoped workspace to direct data routing

You can easily manage these resources through the Azure Portal. The diagram below shows the key workflows, resources, and interactions for the Contoso/Fabrikam deployment example. If you're an Azure administrator, you may find it helpful for understanding the created resources and how data is routed throughout the solution.

Pricing structure

Since you'll be routing data for Azure AD device groups to different Log Analytics workspaces, let's see if anything changes in your billing based on your existing infrastructure. Data is stored in Log Analytics workspaces with the same schema as your already existing Windows Update for Business reports workspace, and so billing remains the same—which is to say there is no data charge at the default 30-day retention period. See Log Analytics pricing tiers for more information.
The Azure Function that copies data to scoped workspaces will incur standard Azure Function compute and consumption costs, and this is dependent upon the scale of your scopes and devices. You can use the calculator to estimate costs after running a test with your lab configuration to determine how many scopes and devices are processed over what time frame.

A few limitations of the Ansible solution for access control

Since this is a preview of the Ansible solution, you might encounter a few limitations with access control capabilities:

- All scoped workspaces in the tenant are shown in the drop-down menu. We'll be filtering that list to just those each user has access to in a future update.
- Aggregated delivery optimization status is not computed. Aggregated status is tenant-wide in the primary workspace. Therefore, scoped workspaces would need to compute the aggregate for their device set separately. The Azure Function doesn't yet perform that process.
- No support for nested Azure AD groups. Only direct group members are considered at present. Nested support could be added by modifying the Azure Function.
- The solution assumes a single subscription and target resource group. This may or may not be relevant for your tenant. Tenants that need greater control can extend the solution by modifying the Ansible project.

Additional information

Not sure how easy it is for you to implement our new access control solution? You won't need anything other than your familiar Azure Portal and a general understanding of resource management and Azure security fundamentals. Just follow these 7 easy steps to route the tenant's primary workspace into separate secured workspaces for each access control scope:

1. Define scopes.
2. Create Azure Active Directory groups.
3. Group resources and restrict tag access.
4. Download the Ansible solution.
5. Configure your deployment.
6. Deploy the Ansible solution to Azure.
7. Use the Ansible solution.
Find precise guidance and answers to your questions in Windows Update for Business reports: access and region control.

Get in on the conversation

This space is excellent for discussion with your peers and with our team members, so feel free to leave a comment below! If you have any feedback or questions regarding the Ansible solution on GitHub, please feel free to open project issues for support or reach out through our other Windows Update for Business reports support options.

1.9K Views 0 likes 3 Comments

Quality update uninstall with WUFB and Intune
Hi, I wanted to know what happens when we click on 'Uninstall' for quality updates with WUFB managed via Intune. When I go in the ring summary I can see that Quality updates say: Uninstalled and Paused (Days remaining: 35), but the updates are not getting uninstalled on the devices assigned to this ring. How long should it take for the uninstall to start and where could I look to see why it's not? Thanks in advance and don't hesitate if you have any questions.

3.9K Views 0 likes 2 Comments

Connectivity data for Update compliance
Will the Achieve better patch compliance with Update Connectivity data - Windows IT Pro Blog (microsoft.com) data also be available in the new Feature updates and expedite updates reports (Windows 10 and later feature updates - Microsoft Endpoint Manager admin center (azure.com)) so that we have all the info in one place? Also, will we ever get the same information for cumulative updates (other than expedite) so we can also see if we have devices that aren't online enough? Also, what is the amount of time devices need to be online for cumulative updates? I'm guessing it's significantly lower than the 2+6h for feature updates? Thanks for clarifying that part.

888 Views 0 likes 1 Comment

Update Compliance stale devices
Hello, do you know what is the retention policy for stale devices (that are no longer in sccm/Intune) for Update Compliance? Asking because our Update Compliance statistics are really bad because we have a ton of old devices that are seen as not updated (they can’t be because they no longer exist). Also, do you have a recommendation on how to exclude those devices? Maybe by excluding devices with LastScan older than X days? Thank you in advance and don't hesitate if you have any questions.

1.1K Views 0 likes 1 Comment

WUfB - Update Baseline / Best Practice
We have used WUfB for more than one year. Now we want to work with "Deadline". But there are a lot (?) of unknowns and uncertainties... We found this "Windows 10 Update Baseline" with a lot of settings (Update from: 16.09.2020) and the article from AriaUpdated --> here

What we want:
- Do not auto-restart during work hours (08:00 - 17:00)
- A lot of user notifications (annoy the user to restart his device)
- Do not auto-restart without informing the user

In the attachment is our policy (censored).

What is the "best practice" for our use case? Thanks for your help! 🙂

Solved
2.7K Views 0 likes 7 Comments

Windows feature update rollout
Hi, when using the new deployment options to plan the upgrade of new Windows builds, do we need to exclude those devices from any existing feature updates for Windows 10 and later (Preview) policies (the ones that were forcing to stay on a specific build, or even new deployments like shown in the screenshot above)? We want to make sure that we properly set our policies to work as they should. Thanks in advance.

Solved
1.1K Views 0 likes 1 Comment

WUFB pausing and superseded updates
Hi, if we paused the January CU on Jan 13th and we want to resume to only get the February CU (we have a 7-day deferral and a 3-day deadline), is it OK to resume today or will devices also get the Jan one (which is now superseded)? If so, can we make sure we only get the Feb ones? Thanks in advance.

Solved
1K Views 1 like 2 Comments

Feature Update deployment with WUFB
Hi, how can we make sure that a device really has a feature update deployment scheduled on the device itself (not in the Intune portal) to help in the troubleshooting where we have devices that don't get upgraded to the build we've selected and Update Compliance logs don't give out any errors. Thank you in advance.

Solved
1.5K Views 0 likes 1 Comment

WUFB Deadlines
Hi, I wanted to know the real definition/behavior for quality update deadlines. Let's say we set it to 2 days. For already WUFB-managed devices, I understand it means the devices will reboot two days after the end of the deferral. But let's say I add an existing sccm-managed device into co-management for WUFB, 10 days after Patch Tuesday: if there's no grace period set, will the device start to see the update right away, since it's past the 2-day deadline, or will it still wait for the 2 days (meaning the deadline starts when the device sees that it has an update to install)? Thank you in advance and don't hesitate if you have any questions.

2.3K Views 0 likes 3 Comments

WUFB Pause or uninstall KBs
Hi, with WUFB in Intune, how do you suggest we set our rings and/or scope our devices so that when we need to pause or uninstall a KB, we only do it for a specific build (the one that is problematic) and not all builds? Do we create sccm collections for each Win 10 build and assign a different Update ring to each, or is there another/better way to do this? Because it is my understanding that you cannot (until KIR is released in Intune) specify which Windows 10 build you want to uninstall the latest KB (which also pauses). Thank you in advance and don't hesitate if you have any questions.

1.2K Views 0 likes 2 Comments