This week is about the Windows Update for Business deployment service. That subject has been touched recently when discussing the different options for upgrading devices to Windows 11, but that subject never got the attention that it deserves. The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. And the often still unknown part is that it’s actually actively used already within Microsoft Intune. The Feature updates for Windows 10 and later profile and the Quality updates for Windows 10 and later profile, both rely on that deployment service. This post will start with a quick introduction of the Windows Update for Business deployment service, followed with the basics of the deployment service APIs.
Introduction to the Windows Update for Business deployment service
The Windows Update for Business deployment service was introduced earlier last year and is aimed at providing IT administrators with more control over the approval, scheduling, monitoring, and safeguarding of content delivered via Windows Update. It’s basically the control that most IT administrators were looking for and simply adds on to the functionality that was already available for configuring the Windows Update for Business policies and for reporting with Update Compliance. The missing piece of the puzzle. That missing piece is available for (hybrid) Azure AD joined devices that are covered by a Windows 10 Enterprise E3 license.
The deployment service is a cloud service that doesn’t interact with the device directly. It provides a communication channel with the Windows Update service, in a way that the IT administrator can control the updates that are offered to devices. That communication channel can be used via custom scripting, or via management tooling like Microsoft Intune. Within Microsoft Intune, there are already profiles that are relying on the deployment service to make sure that specific feature or quality updates are scheduled and installed. It even makes sure that devices are enrolled with the deployment service. The deployment service eventually makes sure that the correct updates are available via Windows Update for the device. That makes it an awesome addition to the Windows Update for Business family and brings the family to the following members.
- The client policies – available via CSPs and GPOs – can still be used for configuring the update experience and timing
- The deployment service – available via APIs – can now be used for approving and scheduling specific updates
- Update compliance can still be used for monitoring update deployments and now contains even more information
Basics of the Windows Update for Business deployment service
The Windows Update for Business deployment service is an awesome addition to the Windows Update for Business family, as it provides a communication channel with the Windows Update service. When looking at the basics of that deployment service, it’s important to be familiar with the different resources that are available via the Microsoft Graph APIs. The focus for now is on showing how to retrieve information and with getting familiar with that information. There will be subtle hints to more advanced capabilities that are related to creating custom update deployments. Now let’s have a look at the main resources.
The catalog resource type represents the catalog of content that can be approved for deployment, as it contains different catalogEntry resources. Those resources contain all the different feature updates (featureUpdateCatalogEntry) and quality updates (qualityUpdateCatalogEntry). The following example shows how to retrieve those update entries by querying Microsoft Graph (directly and by using PowerShell).
Note: This resource can only be used for querying update content and information that is added by Microsoft.
The updatableAsset resource type represents assets that can receive updates. Those assets can be a group (updatableAssetGroup) and a device (azureADDevice). When that asset is a group, it contains devices. The following example shows how to retrieve those updatable assets by querying Microsoft Graph (directly and by using PowerShell).
Updatable assets – devices only
The azureADDevice resource type represents a device in Azure AD that is registered with the deployment service. That is one of the updatableAsset resource types that are available and knowing a bit more details can be beneficial for troubleshooting. The following example shows how to retrieve only devices by querying Microsoft Graph (directly and by using PowerShell).
Get-MgWindowsUpdatesUpdatableAsset -Filter "isof('microsoft.graph.windowsUpdates.azureADDevice')"
Updatable assets – specific device
For troubleshooting it can even be easier to check on a specific device. In that case, the following example shows how to retrieve a specific device by querying Microsoft Graph (directly and by using PowerShell).
Get-MgWindowsUpdatesUpdatableAsset -UpdatableAssetId $updatableAssetId
Note: This resource can also be used for deleting (DELETE) devices and groups. Besides that, it’s also possible to add and remove members to groups. Adding devices requires the enrollment of with the deployment service.
The deployment resource type represents the deployment of content to (a group of) devices. Those deployments basically connect the devices (updatableAssets) with the updates (catalogEntry). The following example shows how to retrieve those deployment entries by querying Microsoft Graph (directly and by using PowerShell).
Note: This resource can be used for creating (POST), updating (PATCH) and deleting (DELETE) deployments.
For more information about the Windows Update for Business deployment service, refer to the following docs.
- Windows Update for Business deployment service – Windows Deployment | Microsoft Docs
- Configure feature updates policy for Windows 10 Windows 11 devices in Intune | Microsoft Docs
- updates resource type – Microsoft Graph beta | Microsoft Docs
- Managing Windows updates in the cloud (The Blueprint Files) (microsoft.com)