Microsoft recently added a new feature to their Windows Update for Business reports as announced in this Tech Community article. The data of these reports now show data of devices that are missing from the Windows Update reports.
The DeviceDiagnosticDataNotReceived alert compares device data from Entra ID with Windows Update for Business reports to help identify devices that aren’t sending diagnostic data.
You can use Log Analytics or Windows Update for Business reports, which are built on queries from Log Analytics, to locate missing devices. Let’s see how you can work with this alert in either service.
That’s interesting information to understand which devices are missing from the report and need your attention.
It is great to have this information in WUfB reports in an online portal. But wouldn’t it be nice to get a weekly overview in your mailbox with these devices so you get notified to take action? Of course, that would be nice!
Let’s create our own solution to get this job done.
The solution in short
The data of the missing devices is available in a Log Analytics Workspace as you can see in the below example.
By running a API query, we can pull that data into an Azure Logic Apps workflow. We can process that data and add it, for example, to an Excel sheet for better readability. That Excel sheet can then be sent, using a shared mailbox, to any mailbox of our choice.
That would be the most simple solution. But I have seen most (or all) of these missing devices miss the device name in this data. Only the Azure Device ID is shown, with the issue description and recommendation.
I would rather also have the device name in the report, instead of having to look for that manually in Entra ID. To get the device name, we run an Graph API query, but this time to get the device name from Entra ID.
The flow is also available on my GitHub repo for easy deployment.
Requirements
To create this solution, we have a few requirements.
To retrieve the data from the Log Analytics Workspace we need permission. I use a managed identity for this, which is assigned the Log Analytics reader role. The role can be assigned on the resource group level.
To query Microsoft Graph to retrieve the device name, we need to assign the Device.Read.All permission to the Managed Identiry.
To create an Excel sheet, we need to save it (temporary) to a SharePoint documents library. So, a requirement is a document library and a (service) account with read-write permissions to the library.
And last, we need to have a mailbox (if you want to send the file via email). I used a service account with permission to send an email from a shared mailbox.
Setup the Logic App flow – Part 1
When the requirements are in place, we can start creating the Logic Apps flow.
In the first part of the flow we create an Excel sheet to store our data in. We pull the data of the missing devices from our Log Analytics Workspace and process this to variables we can use in our flow.
Sign in to the Azure portal and open the Logic App service. I created a blank Logic App of type Consumption.
When the flow is created, click Settings to open the Identity section, and on the tab, User assigned add your Managed Identity.
Open the Overview tab, which shows a few templates, and choose Recurrence.
Change the interval settings to your needs.
Next, we add our first action by selecting +New step.
We add an Initialize variable action. In this variable, we store the Workspace ID of the Log Analytics workspace in which our data is stored.
We give the variable a name of choice, select String as Type, and add the Workspace ID.
This is an additional step, we could also add the workspace later in the flow directly in the HTTP action.
First, we need to compose an Excel file, otherwise, we end up with an empty sheet. We do this by using a Compose action, that is found under the Data Operations actions.
This is the input from an empty Excel sheet, you can just copy-paste this into the inputs field. Otherwise, you need to create an empty Excel sheet and import it once in a flow to retrieve this information.
{
"$content": "",
"$content-type": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
}
After the Compose action, we add a Create file action, which is a SharePoint action. With this action, we create an Excel sheet on a SharePoint library, and as file content, we use the outputs from the Compose action.
First sign in with your (service) account.
Select the Site Address from the drop-down list or choose Enter custom value and manually enter the site address.
Via the folder icon, you can browse the folder path.
As File content, we want to add the output from the compose action. We add this as Dynamic content.
Select Outputs from the Dynamic content list.
You can manually enter a File name, ending with .xlsx. But I want it to hold the current date. We can do this by entering an Expression. Place your cursor on the correct place in the file name field and add the below expression:
formatDateTime(utcNow(), ‘yyyy-MM-dd’)
And this is our Create file action.
Our sheet needs to have a table, so we add a Create table action to the flow, which is an Excel action.
Choose the SharePoint site from the list and select the Document library. In the File field, we enter the Id of the create file action.
My table only contains the displayName, deviceId, and startTime from the configuration, thus the table range is A1:C1.
Add these items to the Columns names field separated with a comma. And add a Table name.
If you want to add more data from the LA Workspace to the columns, for example, the Description it needs to be added here (and later in in the flow as well).
Now it’s time to add our first HTTP action to query the Log Analytics Workspace.
Add the first HTTP action.
As Method select GET.
As URI enter:
https://api.loganalytics.io/v1/workspaces/[WORKSPACEID]/query
We need to replace [WORKSPACEID] in the URI with WorkspaceID found as Dynamic content.
Enter in the left box at Queries “query”.
And add below KQL query in the right box;
UCDeviceAlert
| where AlertSubtype == "DeviceDiagnosticDataNotReceived"
| where TimeGenerated > ago(1d)
| project DeviceName, AzureADDeviceId, AlertStatus, AlertSubtype, StartTime, AlertData, Description, Recommendation
Next, choose Add Parameter and select Authentication.
As Authentication type select Managed identity.
Select your Managed identity from the list.
And add https://api.loganalytics.io as Audience.
This is our HTTP action.
Often we can just use a Parse JSON action to process the output of the HTTP action, so we can use the variables from the output later in the flow. The information we need is stored in rows (see the screen shot). Therefor we need to pull out the rows in two different steps, for which I use two Initialize variable actions.
First we pull out the body.
Add an Initialize variable action and enter DeviceResults as Name.
Choose Object as Type and add Body from the Dynamic content as value.
When we now run the flow and check the output of this Initialize variable, this is the data we have.
Add another Initialize variable action. Select Array as Type and as value we add an Expression:
variables('DeviceResults')?['tables'][0]?['rows']
This pulls out the array with the rows after which we can further process it.
Now that we have the arrays, we add a For each action, to loop through each array (Row). We use the output from the latest Initialize variables action.
Next, add a Compose action, which is a Data operations action. With this action we loop through the missing devices found in the query.
As Input add Current item from the Dynamic content list.
When we now run the flow and have a look at the Compose action, we see we have multiple runs in the For each.
We have separated the data per missing device, but it is still one array with information. I want to pull out all the values so I can use them as variables later in the flow.
To perform this job, we create a JSON format of the data and after that, we Parse that information. I only need the deviceId and startTime later in the flow, so this is my JSON. If you also want other values, you need to expand the JSON.
Add another Compose action and add below as Input;
{
"deviceId":,
"startTime":
}
Per missing device, we have this array with information available. These are 8 rows with information, that are identifiable with numbers, starting at 0.
I need the device ID, which is on the second row, but because numbering starts with 0, this row is number 1.
And I need start time, identified as number 4.
We can pull out the rows with these two expressions;
outputs('Compose_loop_over_all_devices')[1]
outputs('Compose_loop_over_all_devices')[4]
This is the Compose action. Please note the location of the Expression in the input field.
When running the flow, we see we finally have the information we need.
We only need to parse the information, so we can use it later in the flow.
Add a Parse JSON Action.
As content add Outputs in the Content (1) field.
We can create the Schema by pasting the output of the previous Compose action as example payload in the action (2).
Which gives us our Parse JSON action.
Setup the Logic App flow – Part 2
It took quite some steps to process the data from the LA Workspace to variables.
In this second part of the flow we pull data from Entra ID to retrieve the missing devices hostnames. We store the information in the Excel sheet and send the sheet as attachment via e-mail.
Add a new HTTP action to the flow.
Add an HTTP Action.
Choose GET as Method.
As URI enter:
https://graph.microsoft.com/v1.0/devices?$filter=(deviceId eq '[DEVICEID]')
Replace [DEVICEID] with deviceId of the Parse JSON action.
Next, choose Add Parameter and select Authentication.
As Authentication type select Managed identity.
Select your Managed identity from the list.
And add https://graph.microsoft.com as Audience.
We need to parse the output of the HTTP action again with a Parse JSON action.
To create the schema, run the flow and copy the output of the HTTP action as sample payload.
We now have the information pulled from the LA Workspace and Entra ID. To store it in the Excel sheet, we first need to add the data into a table.
For this we use a Compose action.
Add below schema to the Inputs field.
{
"displayName":,
"deviceId":,
"startTime":
}
The values we add to the Inputs field can be found as Dynamic content.
The deviceId and startTime are from the device details Parse JSON Action (that follows the Compose actions)
The displayName is from the last Parse JSON action.
Next we add an Add a row into table action which is an Excel Business action. With this action we add the data to the previously created Excel sheet on SharePoint.
As location choose the SharePoint group where the sheet is stored and also select the library. Add Id to identify the File and add the name of the Table.
And as last add Outputs from the last Compose action is Body.
Close the For each actions and add a Delay action to the flow, this is a Schedule action.
This action delays the flow for a few minutes before it sends out the e-mail. We do this because sometimes not all data is already processed and available in the sheet when we immediately send out the e-mail. This means without the delay, you would receive an Excel sheet that doesn’t hold all data we retrieved.
The last action in out flow is to send an e-mail from a shared mailbox.
Add the information to you needs to the different fields.
Choose Add new parameter and select Attachments.
Add Name and File content as dynamic content.
And this is our flow!
The end result
And the end result is an e-mail.
With a report of all the missing devices from the Windows Update for Business report!
That’s it for this post.
Thanks for reading!