Microsoft Tech Community
New alerts for Windows updates in Microsoft Intune
Published Sep 18 2024 10:00 AM

You can now better find and troubleshoot devices that aren’t reporting Windows update progress in Microsoft Intune reports. It might not have been evident before, but devices that aren’t sending diagnostic data to Microsoft can’t show detailed device status in the deployment process.

Two new alerts will give you better insights into these issues: DeviceDiagnosticDataNotReceived and MinimumOSBuildNotMet. You can find them integrated into Intune reporting just as they are in Windows Update for Business reports and Log Analytics. Let’s learn what these alerts mean, where to find them, and how to troubleshoot and remediate the underlying issues.

Reporting issues and causes

Have you ever faced any of the following issues while monitoring Windows update deployment?

  • Devices appear “offline,” preventing the update installation process, while other times they are updated successfully.
  • Devices in a deployment appear stuck in the “scheduled” or “offer-ready” states for a prolonged period, sometimes even after the update has been successfully installed. That is, they never show correct progress, such as “installing,” “waiting for a restart,” etc.
  • Devices don’t appear in Windows Update for Business reports after enrollment. This happens if the device never communicated diagnostic data in the first place or had not done so in more than 28 days.

These issues occur when a device fails to communicate client data. Some of the top causes are device inactivity or misconfigured client data settings. Another possible cause is that the device may not be on the required minimum OS build to qualify for report enrollment. You can gauge deployment success and monitor the overall health of your organization more effectively with device compliance alerts related to diagnostic data.

Device compliance alerts

Whatever reporting tool you use, it’s critical to see the true state of devices in your organization. Windows diagnostic data allows you to pinpoint a device’s progress through the deployment process and detect any issues that trigger alerts. Alerts provide details about what prevents devices from updating and give clear guidance on resolving these issues with targeted solutions. Here are the insights you can get with the two new alerts and the existing alert in Microsoft Intune.

New DeviceDiagnosticDataNotReceived alert

The DeviceDiagnosticDataNotReceived alert identifies devices that fail to send diagnostic data and thus their client status appears incorrectly in reports.

  • Meaning: Device is not communicating diagnostic data. This is a generic signal, and the reasons include but are not limited to:
    • Incorrect diagnostic data configuration
    • No configuration to send diagnostic data
    • Blocked network endpoints
  • Recommended action: Make sure that the device is correctly configured to share diagnostic data. Enable use of Windows diagnostic data by Intune and see the troubleshooting and remediation section below.
  • Reporting availability: Microsoft Intune (new), Windows Update for Business reports

Note: The DeviceDiagnosticDataNotReceived alert does not mean that the device is incapable of installing the updates offered to it. The report simply cannot represent the true state of the device since it’s dependent on receiving diagnostic data from the device.

New MinimumOSBuildNotMet alert

The MinimumOSBuildNotMet alert identifies a subset of missing devices that fail to qualify for report enrollment.

  • Meaning: Device does not meet the minimum servicing requirement for enrollment into reports due to the missing Windows diagnostic data processor configuration.
  • Recommended action: Ensure that the device has at least the January 2023 non-security update or February 2023 cumulative update installed. Learn more about Windows diagnostic processor support.
  • Reporting availability: Microsoft Intune (new), Windows Update for Business reports (new)

Important: The minimum OS build requirement is the January 2023 non-security update or later cumulative update for clients to enroll into Intune reports and Windows Update for Business reports.

Existing InsufficientUpdateConnectivity alert

A related alert that you might be more familiar with is InsufficientUpdateConnectivity. While not new, it complements the understanding of the bigger picture.

  • Meaning: Device is inactive, or its diagnostic data is not enough to validate sufficient activity to successfully update the device.
  • Recommended action: Make sure that the device is active and connected to the internet.
  • Reporting availability: Microsoft Intune, Windows Update for Business reports

The three alerts are mutually exclusive. An active DeviceDiagnosticDataNotReceived alert only provides a general overview of devices missing from reports for a variety of unspecified reasons. Devices with a known reason, such as not meeting the OS build prerequisite, would be instead identified by an active MinimumOSBuildNotMet alert. Likewise, the InsufficientUpdateConnectivity alert is more specific than the generic alert. These specific alerts would never appear as active together with DeviceDiagnosticDataNotReceived on the same device.

Let’s see how you can use these alerts in Microsoft Intune just as you do in Windows Update for Business reports or Log Analytics.

Integration with Microsoft Intune reporting

Whether you're managing a few devices or thousands, Microsoft Intune helps you ensure that Windows update deployments run smoothly. Imagine that you want to monitor groups of devices associated with specific deployment policies. You can do so for the active devices that meet the prerequisites for enrollment to reports and consistently communicate diagnostic data. Here's how you can locate and troubleshoot these scenarios with the new alerts.

As with all other alerts in Intune, you can view these alerts in the main status report and in the failure reports.

  1. Log in to the Microsoft Intune admin center.
  2. Navigate to Reports.
  3. Under Device management, select Windows updates.
  4. Switch to the Reports tab.

    A screenshot of the Reports tab in the Microsoft Intune admin center.
  5. Select to open the desired report from the available tile list. Note: We’re using an expedited updates report as an example here, but you can apply the following steps to the feature update and driver update reports as well.
  6. Select the desired Update policy and Update aggregated status.
  7. Select the Generate report button to view the results.

    A screenshot of the Windows update status report in Microsoft Intune.

Failure reports bring together devices under specific policies that have errors or alerts. To view the failure reports:

  1. Start in the Microsoft Intune admin center.
  2. Navigate to Devices.
  3. Under Manage updates, select Windows updates.
  4. Switch to the Monitor tab.
  5. Select the KPI card of the desired policy for a detailed view.

    A screenshot of the consolidated view of update policies with active alerts in Microsoft Intune.
  6. Select a profile from the list.

    A screenshot of the policy profiles that contain devices with active errors in Microsoft Intune.
  7. Select any of the policy profiles to view its list of devices with an active alert.

    A screenshot of the devices with an active alert in the update failures report.
  8. (Optional) Select specific alerts from the Alert filter.
  9. Select the alert message for a specific device to view the error description, relevant details, and recommendations.

    A screenshot of the Error devices full details flyout for a selected alert message.

Other reports to use these alerts

Using Windows Update for Business reports? You can also find these alerts there using Azure Workbooks or Log Analytics. Both alerts are currently available in the Azure Workbook Overview tab, within the Total devices KPI card. Just select View details and then Missing devices, as shown.

A screenshot of missing devices in Windows Update for Business reports, showing the two new alerts.

Use the following query if you’d like to view the data from the Windows Update for Business reports workbooks in Log Analytics:

UCDeviceAlert
| where AlertSubtype in ("DeviceDiagnosticDataNotReceived", "MinimumOSBuildNotMet")
| project DeviceName, AzureADDeviceId, AlertSubtype, StartTime, AlertData, Description, Recommendation

For more guidance on these reporting options, follow the instructions in “Missing devices in Windows Update for Business reports?”

Troubleshoot and remediate diagnostic data issues

Please ensure that devices with these alerts are active and correctly configured to send Windows diagnostic data. To do that, verify that the following settings are configured correctly:

  • Default Windows diagnostic data settings. Check your Windows diagnostic data settings. In most cases, the default settings of “Required” or “Basic” are sufficient. If you’ve previously configured these settings to anything other than the default, check whether that configuration might affect diagnostic data behavior.
  • Intune diagnostic data settings. Check that you’ve correctly enabled the Intune setting for diagnostic data.
  • Group Policy settings. Check any Group Policy settings you’re deploying. If the required settings are incorrectly set via Group Policy, they’ll override Intune settings. Pay special attention to any leftover Group Policies on the device. To resolve any conflicts, follow instructions in Allow diagnostic data Group Policy.
  • Configuration Manager co-management. If using Configuration Manager co-management, check your Diagnostic data settings in System Center Operations Manager.
  • OneSettings service. Make sure that the DisableOneSettingsDownload is enabled. The default is to never disable this configuration policy. To learn more and double-check this policy, visit System Policy CSP.
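
A read-only, device-side check of the settings in the list above, as an added example (not from the original article or any Microsoft tooling). The registry locations for Group Policy and MDM policy values, the AllowTelemetry value names and the DiagTrack service check are not named on the page and are supplied here from standard Windows behavior.

```powershell
# Added example: read-only check of the diagnostic data settings listed above.
# Registry paths are the standard Group Policy and MDM policy stores (not named on the page).
$gpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'
$levels = @{ 0 = 'Off/Security'; 1 = 'Required/Basic'; 2 = 'Enhanced'; 3 = 'Optional/Full' }

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent, i.e. the policy is not configured here.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$gpLevel   = Get-PolicyValue $gpKey  'AllowTelemetry'
$mdmLevel  = Get-PolicyValue $mdmKey 'AllowTelemetry'
$diagTrack = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
$cv        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

$findings = @()
if ($null -eq $gpLevel -and $null -eq $mdmLevel) {
    $findings += 'No AllowTelemetry policy from Group Policy or MDM: device uses its local default.'
}
foreach ($src in @(@{ Name = 'Group Policy'; Value = $gpLevel }, @{ Name = 'MDM'; Value = $mdmLevel })) {
    if ($src.Value -eq 0) { $findings += "$($src.Name) requests diagnostic data level Off/Security." }
}
if ($null -ne $gpLevel -and $null -ne $mdmLevel -and $gpLevel -ne $mdmLevel) {
    # The page states that Group Policy settings override Intune settings.
    $findings += "Group Policy ($gpLevel) and MDM ($mdmLevel) disagree on AllowTelemetry."
}
if ($null -eq $diagTrack -or $diagTrack.Status -ne 'Running') {
    $findings += 'DiagTrack (Connected User Experiences and Telemetry) service is not running.'
}

# DisableOneSettingsDownload is reported as-is; compare it with the System Policy CSP guidance.
[pscustomobject]@{
    Computer                      = $env:COMPUTERNAME
    OSBuild                       = "$($cv.CurrentBuild).$($cv.UBR)"  # compare with the minimum update level
    GpAllowTelemetry              = if ($null -ne $gpLevel)  { $levels[[int]$gpLevel] }  else { 'not set' }
    MdmAllowTelemetry             = if ($null -ne $mdmLevel) { $levels[[int]$mdmLevel] } else { 'not set' }
    GpDisableOneSettingsDownload  = Get-PolicyValue $gpKey  'DisableOneSettingsDownload'
    MdmDisableOneSettingsDownload = Get-PolicyValue $mdmKey 'DisableOneSettingsDownload'
    DiagTrackStatus               = if ($diagTrack) { "$($diagTrack.Status) / $($diagTrack.StartType)" } else { 'missing' }
    Findings                      = $findings
}
```

Run it in an elevated PowerShell session on a device that shows one of the alerts; it changes nothing on the device and does not test the blocked-endpoint cause.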

Important: If you have not enabled Windows diagnostic data or have other policies that disable this data for all devices, you’ll likely see this alert for all devices in your tenants. This is intentional. If you don’t intend to enable these settings, you can still use the reports to know when the update was made ready for devices or any service side alerts, like for Microsoft Entra-registered or other devices that don’t meet prerequisites for Windows Update for Business deployment service.

Start using the new alerts in Microsoft Intune today

Collecting and utilizing diagnostic data is essential for enhancing overall system reliability and efficiency.

Gain a more comprehensive view of Windows update deployment success using the two new alerts, DeviceDiagnosticDataNotReceived and MinimumOSBuildNotMet. This new capability within Microsoft Intune builds on the existing functionality in Windows Update for Business reports and Log Analytics, offering even more flexibility and control over your device management strategy.

In the spirit of continually making improvements, we’re happy to help you gain more insight into the subset of devices that were not easily identifiable before. Try out these new reporting enhancements and check out these additional resources:



Last update: Sep 17 2024 03:59 PM