Getting started with the Windows Update for Business deployment service

This week is about the Windows Update for Business deployment service. That subject was touched on recently when discussing the different options for upgrading devices to Windows 11, but it never got the attention that it deserves. The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. The part that is often still unknown is that it is already actively used within Microsoft Intune: the Feature updates for Windows 10 and later profile and the Quality updates for Windows 10 and later profile both rely on that deployment service. This post starts with a quick introduction of the Windows Update for Business deployment service, followed by the basics of the deployment service APIs.

Introduction to the Windows Update for Business deployment service

The Windows Update for Business deployment service was introduced earlier last year and is aimed at providing IT administrators with more control over the approval, scheduling, monitoring, and safeguarding of content delivered via Windows Update. It is basically the control that most IT administrators were looking for and simply adds on to the functionality that was already available for configuring the Windows Update for Business policies and for reporting with Update Compliance. It is the missing piece of the puzzle, and that piece is available for (hybrid) Azure AD joined devices that are covered by a Windows 10 Enterprise E3 license.

The deployment service is a cloud service that doesn’t interact with the device directly. It provides a communication channel with the Windows Update service, in a way that the IT administrator can control the updates that are offered to devices. That communication channel can be used via custom scripting, or via management tooling like Microsoft Intune. Within Microsoft Intune, there are already profiles that are relying on the deployment service to make sure that specific feature or quality updates are scheduled and installed. It even makes sure that devices are enrolled with the deployment service. The deployment service eventually makes sure that the correct updates are available via Windows Update for the device. That makes it an awesome addition to the Windows Update for Business family and brings the family to the following members.

  • The client policies – available via CSPs and GPOs – can still be used for configuring the update experience and timing
  • The deployment service – available via APIs – can now be used for approving and scheduling specific updates
  • Update compliance can still be used for monitoring update deployments and now contains even more information

Basics of the Windows Update for Business deployment service

The Windows Update for Business deployment service is an awesome addition to the Windows Update for Business family, as it provides a communication channel with the Windows Update service. When looking at the basics of that deployment service, it’s important to be familiar with the different resources that are available via the Microsoft Graph APIs. The focus for now is on showing how to retrieve information and with getting familiar with that information. There will be subtle hints to more advanced capabilities that are related to creating custom update deployments. Now let’s have a look at the main resources.

Catalog

The catalog resource type represents the catalog of content that can be approved for deployment, as it contains different catalogEntry resources. Those resources contain all the different feature updates (featureUpdateCatalogEntry) and quality updates (qualityUpdateCatalogEntry). The following example shows how to retrieve those update entries by querying Microsoft Graph (directly and by using PowerShell).

https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries
Get-MgWindowsUpdatesCatalogEntry

Note: This resource can only be used for querying update content and information that is added by Microsoft.

Updatable assets

The updatableAsset resource type represents assets that can receive updates. Such an asset is either a group (updatableAssetGroup) or a device (azureADDevice); when the asset is a group, it contains devices. The following example shows how to retrieve those updatable assets by querying Microsoft Graph (directly and by using PowerShell).

https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets
Get-MgWindowsUpdatesUpdatableAsset

Updatable assets – devices only

The azureADDevice resource type represents a device in Azure AD that is registered with the deployment service. That is one of the updatableAsset resource types that are available and knowing a bit more details can be beneficial for troubleshooting. The following example shows how to retrieve only devices by querying Microsoft Graph (directly and by using PowerShell).

https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/?$filter=isof('microsoft.graph.windowsUpdates.azureADDevice')
Get-MgWindowsUpdatesUpdatableAsset -Filter "isof('microsoft.graph.windowsUpdates.azureADDevice')"

Updatable assets – specific device

For troubleshooting it can even be easier to check on a specific device. In that case, the following example shows how to retrieve a specific device by querying Microsoft Graph (directly and by using PowerShell).

https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/{updatableAssetId}
Get-MgWindowsUpdatesUpdatableAsset -UpdatableAssetId $updatableAssetId

Note: This resource can also be used for deleting (DELETE) devices and groups. Besides that, it is also possible to add members to and remove members from groups. Adding devices requires that those devices are enrolled with the deployment service.

Deployments

The deployment resource type represents the deployment of content to (a group of) devices. Those deployments basically connect the devices (updatableAssets) with the updates (catalogEntry). The following example shows how to retrieve those deployment entries by querying Microsoft Graph (directly and by using PowerShell).

https://graph.microsoft.com/beta/admin/windows/updates/deployments
Get-MgWindowsUpdatesDeployment

Note: This resource can be used for creating (POST), updating (PATCH) and deleting (DELETE) deployments.
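To tie the three resources together for troubleshooting, the following read-only script (added here as an example, not code from the original post) lists the registered devices with their enrollment categories and registration errors, and resolves every deployment to the catalog entry it delivers. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds the WindowsUpdates.ReadWrite.All permission; the Get-WufbCollection helper and the report layout are my own.

```powershell
# Added example (not the post's own code). Assumes Microsoft.Graph SDK and WindowsUpdates.ReadWrite.All.
Connect-MgGraph -Scopes 'WindowsUpdates.ReadWrite.All' | Out-Null

function Get-WufbCollection {
    # Hypothetical helper: follows @odata.nextLink so large tenants are not cut off after the first page.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType Hashtable
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

$base = 'https://graph.microsoft.com/beta/admin/windows/updates'

# 1. Catalog entries, keyed by id, so a deployment can be shown with a readable name.
$catalog = @{}
foreach ($entry in Get-WufbCollection "$base/catalog/entries") {
    $catalog[$entry.id] = $entry.displayName
}

# 2. Devices only (same isof filter as above): which update categories they are enrolled in
#    and whether the deployment service reported a registration error for them.
$deviceUri = "$base/updatableAssets?`$filter=isof('microsoft.graph.windowsUpdates.azureADDevice')"
$devices = foreach ($device in Get-WufbCollection $deviceUri) {
    $categories = ($device.enrollments | ForEach-Object { $_.updateCategory }) -join ','
    $errors     = ($device.errors      | ForEach-Object { $_.reason })         -join ','
    [pscustomobject]@{
        DeviceId   = $device.id
        EnrolledIn = if ($categories) { $categories } else { '(none)' }
        Errors     = if ($errors) { $errors } else { '-' }
    }
}
$devices | Format-Table -AutoSize

# 3. Deployments: delivered content, current state and the reasons behind a paused/faulted state.
$deployments = foreach ($d in Get-WufbCollection "$base/deployments") {
    $entryId = $d.content.catalogEntry.id
    [pscustomobject]@{
        DeploymentId = $d.id
        Content      = if ($entryId -and $catalog.ContainsKey($entryId)) { $catalog[$entryId] } else { $entryId }
        State        = $d.state.value
        Reasons      = ($d.state.reasons | ForEach-Object { $_.value }) -join ','
        Created      = $d.createdDateTime
    }
}
$deployments | Sort-Object Created -Descending | Format-Table -AutoSize
```

Devices that show '(none)' under EnrolledIn or a non-empty Errors column are the ones to look at first when an Intune feature or quality update profile does not seem to take effect.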

More information

For more information about the Windows Update for Business deployment service, refer to the following docs.

4 thoughts on “Getting started with the Windows Update for Business deployment service”

  1. Just starting to test this out myself now. Are there any more capabilities here, rather than the GUI and Quality Updates/Feature Updates? (except maybe a lot older Security updates, that have been deprecated through endpoint manager)

    While exploring this subject, it was thought we could apply single KBs and delete single KBs – Example when an update that comes through the ordinary update ring makes a mess.
