Getting familiar with the Windows Update for Business deployment service

This week is a follow-up on last week. Last week the focus was on getting started with the Windows Update for Business deployment service and this week is about getting more familiar with it. Last week the focus was on getting information and this week the focus is on adding information. More specifically, this week is about enrolling devices, creating groups, adding devices to groups, creating feature update deployments and assigning groups to feature update deployments. In other words, this week is about creating custom feature update deployments. For the basics of the Windows Update for Business deployment service have a look at last week's post; this post continues on that information. This post goes through the different steps to create a custom feature update deployment, by going through:

Note: Every step also contains a quick PowerShell example. Most of those examples rely on the $params variable as input, which should be the correctly formatted (hashtable) version of the provided request body.

Managing devices

When creating a custom deployment by using the Windows Update for Business deployment service, the first step is to have the required devices enrolled in update management by the deployment service. The enrollment of a device in update management makes sure that the deployment service becomes the authority of updates of the specified category in Windows Update. After that enrollment, devices only receive the updates in that category from Windows Update when deployed via the deployment service. So, let’s start by looking at enrolling and unenrolling devices in update management.

Enroll a device in update management by the deployment service

The enrollment of a device in update management can be achieved by enrolling an Azure AD device as an updatable asset. That can be achieved by performing the POST-method on the request-URI as shown below, with the request body as shown below. That body contains the update category for the service to manage and the actual assets to enroll. For every asset, the Azure AD device ID must be provided as the id.

https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/enrollAssets
{
    "updateCategory": "feature",
    "assets": [
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
            "id": "001e3d92-1fc7-4870-bfcd-2cb98044af6e"
        }
    ]
}
Invoke-MgEnrollWindowsUpdatesUpdatableAsset -BodyParameter $params

Unenroll a device from update management by the deployment service

Besides the enrollment of a device, it’s also good to be familiar with the unenrollment of a device from update management. After the unenrollment, the deployment service is no longer the authority for updates of the specified category in Windows Update. The unenrollment is similar to the enrollment and relies on the Azure AD device as an updatable asset. That can be achieved by performing the POST-method on the request-URI as shown below, with the request body as shown below. That body contains the update category for the service to stop managing and the actual assets to unenroll. For every asset, the Azure AD device ID must be provided as the id.

https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/unenrollAssets
{
    "updateCategory": "feature",
    "assets": [
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
            "id": "001e3d92-1fc7-4870-bfcd-2cb98044af6e"
        }
    ]
}
Invoke-MgUnenrollWindowsUpdatesUpdatableAsset -BodyParameter $params

Managing an updatable assets group

When creating a custom deployment by using the Windows Update for Business deployment service, the second step is to group the devices that are enrolled in update management by the deployment service. Within the deployment service, the devices and groups that updates can be deployed to are updatable assets. So, let’s continue by looking at creating and deleting updatable assets groups and adding members to and removing members from updatable assets groups.

Create an updatable assets group

The creation of an updatable assets group can be achieved by specifying only the type in the body. That can be achieved by performing the POST-method on the request-URI as shown below, with the request body as shown below. That body contains the type. After the successful creation of the updatable assets group, the id is returned. That id can be used for further automation actions, like deleting the group, adding members to the group and assigning a deployment to the group.

https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets
{
    "@odata.type": "#microsoft.graph.windowsUpdates.updatableAssetGroup"
}
New-MgWindowsUpdatesUpdatableAsset -BodyParameter $params

Add members to an updatable assets group

Once the updatable assets group is created, updatable assets can be added as members to that group. Those members can be Azure AD devices that are enrolled in update management. Adding members can be achieved by performing the POST-method on the request-URI as shown below, with the request body as shown below. That URI contains the id of the updatable assets group and that body contains the Azure AD device id.

https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/49e84430-2793-4bf4-a217-d902fdaf5af8/addMembers
{
    "assets": [
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
            "id": "001e3d92-1fc7-4870-bfcd-2cb98044af6e"
        }
    ]
}
Add-MgWindowsUpdatesUpdatableAssetMember -UpdatableAssetId $updatableAssetId -BodyParameter $params

Remove members from an updatable assets group

Besides adding members to an updatable assets group, it’s also good to be familiar with removing members of an updatable assets group. Removing members can be achieved by performing the POST-method on the request-URI as shown below, with the request body as shown below. That URI contains the id of the updatable assets group and that body contains the Azure AD device id.

https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/49e84430-2793-4bf4-a217-d902fdaf5af8/removeMembers
{
    "assets": [
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
            "id": "001e3d92-1fc7-4870-bfcd-2cb98044af6e"
        }
    ]
}
Remove-MgWindowsUpdatesUpdatableAssetMember -UpdatableAssetId $updatableAssetId -BodyParameter $params

Delete an updatable assets group

Besides the creation of an updatable assets group, it’s also good to be familiar with the deletion of an updatable assets group. That deletion is really straightforward and relies on the id of the updatable assets group. That can be achieved by performing the DELETE-method on the request-URI as shown below. The specified id is the id of the updatable assets group.

https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/484d35bc-c39b-41d9-b888-4dd015315be6
Remove-MgWindowsUpdatesUpdatableAsset -UpdatableAssetId $updatableAssetId

Managing a deployment

When creating a custom deployment by using the Windows Update for Business deployment service, the third step is to create an update deployment and to assign that deployment to an updatable assets group. When deploying a feature update, Windows Update will offer the update based on the configuration of the update deployment. So, let’s finish by looking at creating an update deployment and assigning the deployment to an updatable assets group.

Creating a deployment

The creation of an update deployment can be achieved by specifying the configuration of the deployment in the body. That configuration initially contains the content and the settings. The content is simply the feature update that should be deployed and the settings contain multiple components:

  • rollout – The rollout settings of the deployment control how the deployment service deploys the update over time. That control can be achieved by controlling when devices in the deployment start receiving the update (startDateTime) and by controlling when all devices in the deployment are offered the update (endDateTime). Besides that, the number of devices that are offered the update at the same time can be controlled (devicesPerOffer) and the duration between each set of devices can be controlled (durationBetweenOffers)
  • monitoring – The monitoring settings of the deployment control actions that can be triggered by the deployment. That control can configure a signal (signal) to monitor that will trigger an action (action) once a specific threshold (threshold) has been reached
  • safeguard – The safeguard settings of the deployment control the safeguard holds on the update content. Safeguard holds are applied by default on feature update deployments

Together that means that the creation of an update deployment can be achieved by performing the POST-method on the request-URI as shown below, with the request body as shown below. That body configures the deployment of the Windows 10, version 21H2, feature update with a rollout schedule of 5 devices every 7 days. Besides that, a monitoring rule is in place to pause the deployment once 5 devices have experienced a rollback. After the successful creation of the deployment, the id is returned. That id can be used for further automation actions, like deleting the deployment and assigning the deployment to an updatable asset.

https://graph.microsoft.com/beta/admin/windows/updates/deployments
{
    "@odata.type": "#microsoft.graph.windowsUpdates.deployment",
    "content": {
        "@odata.type": "microsoft.graph.windowsUpdates.featureUpdateReference",
        "version": "Windows 10, version 21H2"
    },
    "settings": {
        "@odata.type": "microsoft.graph.windowsUpdates.windowsDeploymentSettings",
        "rollout": {
            "devicesPerOffer": 5,
            "durationBetweenOffers": "P7D"
        },
        "monitoring": {
            "monitoringRules": [
                {
                    "signal": "rollback",
                    "threshold": 5,
                    "action": "pauseDeployment"
                }
            ]
        }
    }
}
New-MgWindowsUpdatesDeployment -BodyParameter $params

Assign update audience to deployment

Once the feature update deployment is created, updatable assets can be assigned to that deployment. Those updatable assets are added as the update audience of the deployment. Assigning update audience can be achieved by performing the POST-method on the request-URI as shown below, with the request body as shown below. That URI contains the id of the feature update deployment and that body contains the id of the updatable assets group.

https://graph.microsoft.com/beta/admin/windows/updates/deployments/415c7d12-e9ba-460d-a8dc-0ecda332a5c2/audience/updateAudience
{
    "addMembers": [
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.updatableAssetGroup",
            "id": "49e84430-2793-4bf4-a217-d902fdaf5af8"
        }
    ]
}
Update-MgWindowsUpdatesDeploymentAudience -DeploymentId $deploymentId -BodyParameter $params
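The three steps above chained together in one script, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell SDK 1.x (where the beta cmdlets used in this post are selected with Select-MgProfile), the WindowsUpdates.ReadWrite.All permission, and that the device ID from the request bodies above is replaced with a real Azure AD device ID.

```powershell
# Added example, not from the original post: the three steps above end to end
# with the Microsoft.Graph PowerShell SDK 1.x (beta profile). Assumes the
# WindowsUpdates.ReadWrite.All permission and a real Azure AD device ID.
Connect-MgGraph -Scopes "WindowsUpdates.ReadWrite.All"
Select-MgProfile -Name "beta"   # the deployment service is only in the beta endpoint

$device = @{   # the Azure AD device ID used in the post's request bodies
    "@odata.type" = "#microsoft.graph.windowsUpdates.azureADDevice"
    id            = "001e3d92-1fc7-4870-bfcd-2cb98044af6e"
}

# Step 1: make the deployment service the authority for feature updates on the device
Invoke-MgEnrollWindowsUpdatesUpdatableAsset -BodyParameter @{
    updateCategory = "feature"
    assets         = @($device)
}

# Step 2: create an updatable assets group and add the enrolled device to it
$group = New-MgWindowsUpdatesUpdatableAsset -BodyParameter @{
    "@odata.type" = "#microsoft.graph.windowsUpdates.updatableAssetGroup"
}
Add-MgWindowsUpdatesUpdatableAssetMember -UpdatableAssetId $group.Id -BodyParameter @{
    assets = @($device)
}

# Step 3: create the deployment (5 devices every 7 days, starting tomorrow,
# paused automatically once 5 devices report a rollback) and assign the group
$deployment = New-MgWindowsUpdatesDeployment -BodyParameter @{
    "@odata.type" = "#microsoft.graph.windowsUpdates.deployment"
    content       = @{
        "@odata.type" = "#microsoft.graph.windowsUpdates.featureUpdateReference"
        version       = "Windows 10, version 21H2"
    }
    settings      = @{
        "@odata.type" = "#microsoft.graph.windowsUpdates.windowsDeploymentSettings"
        rollout    = @{
            startDateTime         = (Get-Date).AddDays(1).ToUniversalTime().ToString("o")
            devicesPerOffer       = 5
            durationBetweenOffers = "P7D"
        }
        monitoring = @{
            monitoringRules = @(@{ signal = "rollback"; threshold = 5; action = "pauseDeployment" })
        }
    }
}
Update-MgWindowsUpdatesDeploymentAudience -DeploymentId $deployment.Id -BodyParameter @{
    addMembers = @(@{ "@odata.type" = "#microsoft.graph.windowsUpdates.updatableAssetGroup"; id = $group.Id })
}
"Deployment $($deployment.Id) targets group $($group.Id)"
```

The returned group and deployment ids are the ones the deletion steps below expect in $updatableAssetId and $deploymentId.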

Delete a deployment

Besides the creation of a feature update deployment, it’s also good to be familiar with the deletion of a deployment. That deletion is really straightforward and relies on the id of the deployment. That can be achieved by performing the DELETE-method on the request-URI as shown below. The specified id is the id of the deployment.

https://graph.microsoft.com/beta/admin/windows/updates/deployments/415c7d12-e9ba-460d-a8dc-0ecda332a5c2
Remove-MgWindowsUpdatesDeployment -DeploymentId $deploymentId

More information

For more information about using the Windows Update for Business deployment service, refer to the following docs.
