The new service is designed to work in conjunction with the WUfB policies you have in place today and integrates seamlessly with Microsoft's Endpoint Manager cloud offering. In addition, it provides IT admins with more granular features from a management perspective and allows controlling updates in a programmatic way using PowerShell.
Plain WUfB provides deferral policies and deployment rings, but these alone may not give admins the control granularity they need in their environment. So how does the deployment service enhance WUfB?
- Schedule update deployments to start on a specific day—You can schedule the exact date for update deployments.
- Stage deployments over a specific period of time—You can stage deployments over days or weeks. For example, you can deploy 21H2 to 500 devices per day, beginning on January 22, 2022.
- Manage firmware and drivers—With the deployment service, you can manage updates for firmware and drivers like you do feature and quality updates.
- Bypass preconfigured policies to immediately deploy emergency security updates—If an emergency security update is released to patch a vulnerability, the deployment service makes it easy to bypass the preconfigured policies that might prevent endpoints from receiving the critical security update.
- Automatic piloting for unique business requirements—This helps ensure coverage of hardware and software in your organization.
- Uses Microsoft artificial intelligence (AI) and machine learning (ML)—This helps to quickly identify issues with updates and hold the deployment from other devices.
How the deployment works
The deployment service uses existing device policies and update compliance settings. It controls them using a new cloud-based mechanism that is exposed programmatically.
Rather than interacting with clients directly, the deployment service exposes cloud-side controls that an admin drives from a management tool such as Windows PowerShell; PowerShell in turn calls the Microsoft Graph REST APIs, which forward the instructions to the Windows Update service. This direct communication provides management granularity and features that were not possible before the WUfB deployment service.
Using the WUfB deployment service
First, to use the WUfB deployment service, you need to have one of the following Windows 10 or Windows 11 editions installed:
- Pro
- Enterprise
- Education
- Pro Education
- Pro for Workstations
Additionally, your organization must have one of the following subscriptions:
- Windows 10/11 Enterprise E3 or E5
- Windows 10/11 Education A3 or A5
- Windows Virtual Desktop Access E3 or E5
- Microsoft 365 Business Premium
Install the SDK and connect to Microsoft Graph
The Microsoft Graph PowerShell SDK allows admins to interact directly with the Microsoft Graph service using PowerShell. In addition, the included libraries provide commands to deploy and control updates from the WUfB deployment service.
To install the SDK, select the beta profile (required, because the deployment service APIs live in the Graph beta endpoint), and connect to the API with the Windows Update scope, run the following:
Install-Module Microsoft.Graph
Select-MgProfile -Name "beta"
Connect-MgGraph -Scopes "WindowsUpdates.ReadWrite.All"
Examples of using the WUfB deployment service
Let's consider examples and code snippets using the PowerShell SDK connected to Microsoft Graph to control Windows Updates.
Enroll a device:
Invoke-MgEnrollWindowsUpdatesUpdatableAsset `
    -UpdateCategory "feature" `
    -Assets @(@{ "@odata.type" = "#microsoft.graph.windowsUpdates.azureADDevice"; "id" = <AAD Device ID GUID> })
Check enrollment status:
Get-MgWuUpdatableAsset -UpdatableAssetId <AAD Device ID GUID>
Create a deployment for a feature update (21H1):
New-MgWindowsUpdatesDeployment `
    -Content @{ "@odata.type" = "#microsoft.graph.windowsUpdates.featureUpdateReference"; "version" = "21H1" }
Deploy a feature update at a specific date and time:
New-MgWindowsUpdatesDeployment `
    -Content @{ "@odata.type" = "#microsoft.graph.windowsUpdates.featureUpdateReference"; "version" = "21H1" } `
    -Settings @{ "rollout" = @{ "startDateTime" = [DateTime]"2021-09-14T17:00:00Z" } }   # startDateTime: valid ISO 8601 UTC timestamp (year-month-day)
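The staged rollout described earlier (21H2 to 500 devices per day from January 22, 2022) combined with an automatic hold on problematic updates, as an added example that is not from the original article. It assumes the `-Audience` parameter, the `Get-MgWindowsUpdatesDeployment` cmdlet and the `rollout`/`monitoring` property names follow the Graph beta windowsUpdates schema, and the device IDs are constructed placeholders.

```powershell
# Added example (not from the article): enroll a constructed set of devices and
# create a staged 21H2 rollout of 500 devices per day from 22 Jan 2022, with a
# monitoring rule that pauses the deployment if rollbacks exceed 5%.
# Assumed: -Audience, Get-MgWindowsUpdatesDeployment and the rollout/monitoring
# property names match the Graph beta windowsUpdates schema.

Install-Module Microsoft.Graph -Scope CurrentUser   # skip if already installed
Select-MgProfile -Name "beta"
Connect-MgGraph -Scopes "WindowsUpdates.ReadWrite.All"

# Constructed placeholder Azure AD device object IDs; replace with real ones.
$deviceIds = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# Build the updatableAsset references once; reused for enrollment and the audience.
$assets = foreach ($id in $deviceIds) {
    @{ "@odata.type" = "#microsoft.graph.windowsUpdates.azureADDevice"; "id" = $id }
}

# Step 1: enroll the devices for feature update management.
Invoke-MgEnrollWindowsUpdatesUpdatableAsset -UpdateCategory "feature" -Assets $assets

# Step 2: create the staged deployment with a safeguard rule.
$deployment = New-MgWindowsUpdatesDeployment `
    -Content  @{ "@odata.type" = "#microsoft.graph.windowsUpdates.featureUpdateReference"; "version" = "21H2" } `
    -Audience @{ "members" = $assets } `
    -Settings @{
        "rollout"    = @{
            "startDateTime"         = [DateTime]"2022-01-22T17:00:00Z"
            "devicesPerOffer"       = 500      # offer the update to 500 devices ...
            "durationBetweenOffers" = "P1D"    # ... once per day (ISO 8601 duration)
        }
        "monitoring" = @{
            # Pause the rollout automatically if more than 5% of offered devices roll back.
            "monitoringRules" = @(
                @{ "signal" = "rollback"; "threshold" = 5; "action" = "pauseDeployment" }
            )
        }
    }

# Step 3: read the deployment back and confirm its state before walking away.
$check = Get-MgWindowsUpdatesDeployment -DeploymentId $deployment.Id
"Deployment {0} state: {1}" -f $check.Id, $check.State.Value
```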
Concluding thoughts
The new WUfB deployment service will provide IT admins with much more granular control over how Windows updates are applied across the Windows client estate.
By interacting directly with the Microsoft Graph REST API using the PowerShell SDK, admins can programmatically control how Windows Updates are approved, scheduled, monitored, and applied, including safeguards from problematic updates.
It’s not quite clear in the article, but is this “Windows update for business” limited to client devices only?
Most businesses include servers. What about them?