Today, we're excited to highlight newly available investments in the Windows Update for Business deployment service:
Since launching the Windows Update for Business deployment service and associated integration with Microsoft Intune, we've been hard at work helping IT professionals around the world leverage this as a tool to achieve more. The deployment service was built to help you and your organization simplify the journey to cloud-connected servicing workloads.
- Update scheduling and monitoring has been extended to support Windows 11.
- Safeguard holds are expanded to support a new class of issues.
- A Microsoft Learn module is available to help facilitate adoption of these features and more.
The enhancements I'm highlighting today will simplify cloud-connected servicing workloads and make it easier than ever to adopt Windows Update for Business.
Update scheduling and monitoring for Windows 11IT professionals have told us that it is hard to know how to stage feature update deployments across their organization, and many simply rely on targeting end users who are more tolerant of issues, such as IT departments or engineering. These techniques can help stage deployments over time, but they do not account for the diversity of hardware and software across an organization.
To help with this problem, the deployment service automatically optimizes the scheduling and rollout of feature updates across an organization. When an update is scheduled with the deployment service to deploy over time, all devices that are configured to send diagnostic data are analyzed, and devices are automatically ordered within the deployment to have the effect of built-in piloting. This ensures that early updates within an organization span the diversity of hardware and software across the devices being updated, allowing for issues to be found early in the update cycle with fewer impacted devices and fostering increased confidence in the update based on initial successes.
As the deployment progresses, automatic deployment monitoring rules track success rates to ensure the feature update is installing correctly and that devices are not experiencing unexpected OS rollbacks. By automatically monitoring for OS rollbacks, IT professionals can be confident that disruptive rollbacks won't spread broadly within the organization—building confidence even when away from the computer.
These capabilities were released earlier this year for Windows 10, and we are excited to announce that they are now extended to Windows 11. This allows for common servicing workflows to apply across Windows versions while organizations are in the process of upgrading their overall estate to Windows 11.
These capabilities are available through the Microsoft Graph and PowerShell SDK today, and they will be rolling out to Intune customers later this month. To learn more about these capabilities and how to configure them, check out how to enable deployment protections.
Expanded safeguard issue protectionMicrosoft uses safeguard holds to ensure organizations have a great experience when updating devices. Safeguard holds allow Microsoft to automatically pause updates to devices that are exposed to known issues when a new feature update is released, and they simultaneously provide IT professionals with the tools and information required to make informed decisions about safeguard hold applicability. These holds are dynamic and evolve based on both what Microsoft learns during a feature update rollout and when issues are fixed and safeguard holds are removed.
With Windows 11 and the deployment service, safeguard holds are even more powerful. During the rollout of Windows 11, Microsoft is using machine learning algorithms to monitor the breadth of the Windows ecosystem and identify which devices are having great experiences and which might be encountering issues. As potential issues are identified, we've automated the creation of early safeguard holds for these devices while the issue is investigated and confirmed. This allows for devices using the deployment service to upgrade to Windows 11 and benefit from safeguard holds up to four weeks earlier, which helps ensure a great experience for every user in an organization.
These automated safeguards are applied by default to devices deploying Windows 11 through the deployment service and have deployment protections enabled. Reporting on the status of these safeguards is available through the Intune and Update Compliance reports you use today (safeguard hold ID: 00000001). These changes are rolling out to customers shortly, and we recommend configuring devices to take advantage of them today, To learn more about configuring your deployment safeguard settings, see our Windows Update for Business deployment service documentation.
Manage Windows updates for cloud-connected devices by using the Microsoft Graph PowerShell SDK
While Microsoft Graph REST APIs provide a great programming model for application development, we know some of you prefer to use PowerShell to script common actions in your organization. Windows Update for Business deployment service capabilities are exposed through the Microsoft Graph PowerShell SDK, and we're excited to release a new Microsoft Learn module to walk you through common deployment service workflows.
If you are interested in using PowerShell to approve and schedule feature updates and/or upgrades, or to expedite security updates when a security event occurs in your organization, check out this digital learning module for practical, hands-on guidance and best practice recommendations. From enrolling devices to viewing applicable content and scheduling a deployment, it will show you how to leverage the deployment service in your organization.
Learn moreTo learn more about these capabilities and how you can use them, we encourage you to view our Microsoft Ignite depth on demand session, Getting to Windows 11 with Windows Update for Business.
Source: New additions to the Windows Update for Business deployment service