Fix Missing Devices in Windows Update for Business Reports After Hybrid Intune or Workspace Migration


Devices Missing from Windows Update for Business Reports After Hybrid Intune Setup — How to Fix It

Many admins running hybrid Intune environments (on-prem Active Directory + Azure AD Connect) have reported that after enabling Windows Update for Business (WUfB) reports and linking them to a new Log Analytics workspace, devices suddenly disappear from the dashboard.

Even though they’re enrolled and compliant in Intune, they simply don’t show up in the WUfB reporting portal.

Let’s look at why this happens in hybrid setups and how to fix it effectively.


⚙️ Scenario Overview

You’ve migrated your Windows devices from one Log Analytics workspace to another to improve reporting and enable Windows Autopatch integration.
After syncing Azure AD with your on-prem Active Directory (using Azure AD Connect), several hybrid-joined PCs vanish from the Windows Update for Business reports.

These devices still appear in Intune, and you can manage them — but the WUfB report shows only a fraction of your fleet.


🔍 Common Root Causes

1. Incomplete Diagnostic Data Sync

In hybrid environments, some devices still follow on-prem Group Policy (GPO) settings for telemetry and diagnostic data, while others follow Intune MDM policies.
If these overlap or conflict, diagnostic data may not reach the Microsoft reporting pipeline — leading to missing entries in WUfB reports.

2. Workspace Transition or Misalignment

When migrating from one Log Analytics workspace to another, old agents may still point to the previous workspace.
This mismatch causes partial data uploads — devices report telemetry, but not update insights.

3. Service Connectivity Problems

Corporate proxies or firewalls might block devices from reaching key telemetry endpoints like:

https://v10.events.data.microsoft.com
https://settings-win.data.microsoft.com

As a result, devices can’t send update status to Microsoft’s WUfB back end.

4. Duplicate Device IDs After Hybrid Join

Sometimes, a device appears twice in Azure AD — once as a Hybrid Azure AD Joined device and again as an Azure AD Registered entry.
If WUfB reports query against a single device ID, one record might be skipped.


🧰 How to Fix Missing Devices in WUfB Reports

Step 1: Verify Telemetry Policy Source

Confirm whether devices receive diagnostic settings from GPO or Intune.
In hybrid setups, disable GPO telemetry settings if Intune already manages them.

Set these values via Intune configuration profiles or Group Policy Preferences:

| Policy Name | Value |
| --- | --- |
| Allow device name to be sent in Windows diagnostic data | Enabled |
| Allow Telemetry | Basic |
| Configure Telemetry Opt-in Change Notification | Disabled |
| Configure Telemetry Opt-in Settings UX | Disabled |

After updating policies, run:

gpupdate /force

Then confirm via registry:

HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection

Look for AllowTelemetry = 1 (Basic).


Step 2: Check the Log Analytics Agent Configuration

If you migrated to a new workspace:

  • Open Control Panel → Microsoft Monitoring Agent.
  • Go to the Azure Log Analytics tab.
  • Confirm the Workspace ID matches your active one in Intune.

If not, re-onboard the device to the correct workspace using:

Set-AzureRmOperationalInsightsWorkspace -Name "<WorkspaceName>"

Step 3: Resolve Duplicate Azure AD Entries

In the Microsoft Entra admin center, search for the missing device names.
If you see duplicates (Hybrid + Registered), remove the Registered version.
Then restart the device to trigger re-sync with the correct ID.


Step 4: Verify Network and Service Reachability

Run this quick PowerShell check:

Test-NetConnection v10.events.data.microsoft.com -Port 443

If the test fails, allow outbound HTTPS for these domains in your corporate firewall.
Telemetry data can’t upload without access to these endpoints.


Step 5: Re-Sync Devices to WUfB

Once telemetry and workspace links are correct, re-sync devices using:

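# Microsoft Graph PowerShell; run Connect-MgGraph first
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId "<ManagedDeviceId>"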

Then, wait for up to 24 hours.
Windows Update for Business reports typically refresh on a delayed schedule.
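
The checks from Steps 1, 2 and 4 can be collected into one read-only script that is run on an affected device. This is an added example, not part of the original article; the function name is hypothetical, and the PolicyManager registry path for the MDM-side value and the AgentConfigManager.MgmtSvcCfg COM object used to read the agent's workspaces are assumptions not taken from the page.

```powershell
# Added example: read-only check of Steps 1, 2 and 4 on the local device.
# The function name is hypothetical.
function Get-WufbReportingReadiness {
    [CmdletBinding()]
    param(
        [string]$ExpectedWorkspaceId = '<WorkspaceId>',   # placeholder
        [string[]]$Endpoints = @('v10.events.data.microsoft.com',
                                 'settings-win.data.microsoft.com')
    )

    # Step 1: which policy channel has written AllowTelemetry?
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    # Assumption: MDM (Intune) results are stored under PolicyManager.
    $mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'
    $gpo = (Get-ItemProperty $gpoKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    $mdm = (Get-ItemProperty $mdmKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry

    # Step 2: workspaces the Microsoft Monitoring Agent is connected to.
    $workspaces = @()
    try {
        # Assumption: the agent's scripting COM object is registered.
        $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg' -ErrorAction Stop
        $workspaces = @($mma.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
    } catch {
        Write-Verbose 'Microsoft Monitoring Agent not found on this device.'
    }

    # Step 4: endpoints that refuse a direct TCP 443 connection.
    $blocked = @($Endpoints | Where-Object {
        -not (Test-NetConnection $_ -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue)
    })

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        GpoAllowTelemetry = $gpo
        MdmAllowTelemetry = $mdm
        # Both channels set with different values: the conflict from root cause 1.
        PolicyConflict    = ($null -ne $gpo) -and ($null -ne $mdm) -and ($gpo -ne $mdm)
        AgentWorkspaces   = $workspaces -join ', '
        WorkspaceMatches  = $workspaces -contains $ExpectedWorkspaceId
        BlockedEndpoints  = $blocked -join ', '
    }
}

Get-WufbReportingReadiness -ExpectedWorkspaceId '<WorkspaceId>' | Format-List
```

Test-NetConnection opens a direct TCP connection, so where telemetry leaves through a proxy, a result here should be confirmed against the proxy path as well.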


🧩 Pro Tip — Validate Using Update Compliance Logs

You can use UpdateComplianceLogs in your Log Analytics workspace to confirm if devices are sending update data.

Run this KQL query:

UpdateCompliance
| where OSVersion startswith "10." or OSVersion startswith "11."
| project Computer, OSVersion, LastScanTime, UpdateStatus

If no entries appear for certain devices, those endpoints aren’t transmitting telemetry — revisit policy conflicts or workspace connections.


🧾 Summary

| Issue | Root Cause | Fix |
| --- | --- | --- |
| Devices missing after workspace migration | Old agents linked to previous workspace | Re-onboard devices to the new workspace |
| Devices missing after Azure AD Connect sync | Duplicate Hybrid/Registered entries | Delete duplicate entries in Entra ID |
| Devices not reporting telemetry | GPO conflict with Intune policy | Set telemetry to Basic and disable GPO control |
| Data not uploaded | Network or proxy blocks | Allow telemetry endpoints via HTTPS |
| Delay in WUfB visibility | Data pipeline latency | Wait 12–24 hours after reconfiguration |

💬 Final Thoughts

When managing hybrid environments, policy conflicts and workspace misalignments are the most common reasons devices go missing from WUfB reports.
By aligning your telemetry configuration, fixing workspace IDs, and clearing duplicate devices, you can quickly restore visibility in your Windows Update for Business dashboards.

Once fixed, your reports will accurately reflect device compliance and update health — ensuring your Intune and Autopatch environment runs smoothly.

