deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

overview and prereq edits

Browse Source
This commit is contained in:
Meghan Stewart 2023-02-10 14:09:36 -08:00
parent 92e6d643fb
commit 2d359674b8
3 changed files with 44 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/deployment/TOC.yml
View File

@ -186,8 +186,6 @@
href: update/deployment-service-expedited-updates.md href: update/deployment-service-expedited-updates.md
- name: Deploy driver and firmware updates using Graph Explorer - name: Deploy driver and firmware updates using Graph Explorer
href: update/deployment-service-drivers.md href: update/deployment-service-drivers.md
- name: Deploy expedited updates using Intune
href: /mem/intune/protect/windows-10-expedite-updates?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Troubleshoot Windows Update for Business deployment service - name: Troubleshoot Windows Update for Business deployment service
href: update/deployment-service-troubleshoot.md href: update/deployment-service-troubleshoot.md
- name: Monitor - name: Monitor

80
windows/deployment/update/deployment-service-overview.md
View File

@ -23,31 +23,23 @@ Windows Update for Business product family has three elements:
- [Windows Update for Business reports](wufb-reports-overview.md) to monitor update deployment - [Windows Update for Business reports](wufb-reports-overview.md) to monitor update deployment
- Deployment service APIs to approve and schedule specific updates for deployment, which are available through the Microsoft Graph and associated SDKs (including PowerShell) - Deployment service APIs to approve and schedule specific updates for deployment, which are available through the Microsoft Graph and associated SDKs (including PowerShell)
## How the deployment service works
With most update management solutions, usually update policies are set on the client itself using either registry edits, Group Policy, or an MDM solution that leverages CSPs. This means that the end user experience and deployment settings for updates are ultimately determined by the individual device settings. However, with Windows Update for Business deployment service, the service is the central point of control for update deployment behavior. Because the deployment service is directly integrated into Windows Update, once the admin defines the update deployment behavior, Windows Update is already aware of the how the device should be directed to install when a device scans
the service ensures that the update is delivered to the device in the defined manner.
The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Windows Update for Business reports](wufb-reports-overview.md). The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Windows Update for Business reports](wufb-reports-overview.md).
:::image type="content" source="media/7512398-deployment-service-overview.png" alt-text="Diagram displaying the three elements that are parts of the Windows Update for Business family. "::: :::image type="content" source="media/7512398-deployment-service-overview.png" alt-text="Diagram displaying the three elements that are parts of the Windows Update for Business family.":::
Windows Update for Business comprises three elements: ## How the deployment service works
- Client policy to govern update experiences and timing which are available through Group Policy and CSPs
- Deployment service APIs to approve and schedule specific updates which are available through the Microsoft Graph and associated SDKs (including PowerShell)
- Windows Update for Business reports to monitor update deployment
Unlike existing client policy, the deployment service doesn't interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro. With most update management solutions, usually update policies are set on the client itself using either registry edits, Group Policy, or an MDM solution that leverages CSPs. This means that the end user experience and deployment settings for updates are ultimately determined by the individual device settings. However, with Windows Update for Business deployment service, the service is the central point of control for update deployment behavior. Because the deployment service is directly integrated with Windows Update, once the admin defines the update deployment behavior, Windows Update is already aware of the how the device should be directed to install updates when a device scans for updates. The deployment service creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an admin.
:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text.":::
Using the deployment service typically follows a common pattern: Using the deployment service typically follows a common pattern:
1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Intune. 1. An admin uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Intune.
2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service. 2. The chosen management tool conveys your approval, scheduling, and device selection information to the deployment service.
3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates. 3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.
The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Intune. :::image type="content" source="media/wufbds-interaction-small.png" alt-text="Diagram displaying ":::
The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as [Microsoft Intune](mem/intune).
## Capabilities of the Windows Update for Business deployment service ## Capabilities of the Windows Update for Business deployment service
@ -60,7 +52,7 @@ The deployment service is designed for IT Pros who are looking for more control
- **Expedite**: Bypass the configured Windows Update for Business policies to immediately deploy a security update across the organization - **Expedite**: Bypass the configured Windows Update for Business policies to immediately deploy a security update across the organization
- **Safeguard holds**: Automatically holds the deployment for devices that may be impacted by an update issue identified by Microsoft machine-learning algorithms - **Safeguard holds**: Automatically holds the deployment for devices that may be impacted by an update issue identified by Microsoft machine-learning algorithms
Certain capabilities are available for specific update classifications: Certain capabilities are available for specific update classifications:
|Capabilities | Quality updates | Feature updates | Drivers and firmware| |Capabilities | Quality updates | Feature updates | Drivers and firmware|
|---|---|---|---| |---|---|---|---|
@ -70,30 +62,6 @@ Certain capabilities are available for specific update classifications:
|Safeguard holds| | Yes | | |Safeguard holds| | Yes | |
## Getting started
To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application.
### Using Microsoft Intune
Intune integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates).
### Scripting common actions using PowerShell
The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started).
### Building your own application
Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:
- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/)
- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/)
Once you're familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more.
## Deployment protections ## Deployment protections
The deployment service protects deployments through a combination of rollout controls and machine-learning algorithms that monitor deployments and react to issues during the rollout. The deployment service protects deployments through a combination of rollout controls and machine-learning algorithms that monitor deployments and react to issues during the rollout.
@ -120,25 +88,37 @@ To verify whether a device is affected by a safeguard hold, see [Am I affected b
### Monitoring deployments to detect rollback issues ### Monitoring deployments to detect rollback issues
During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues.
## Getting started with the deployment service
To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application.
## Best practices ### Using Microsoft Intune
Follow these suggestions for the best results with the service.
### Device onboarding Microsoft Intune integrates with the deployment service to provide Windows client update management capabilities. For more information, see:
- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day). - [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates)
- [Expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates)
- Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors. ### Scripting common actions using PowerShell
### General The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started).
Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it. ### Building your own application
Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:
- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/)
- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/)
Once you're familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more.
## Next steps ## Next steps
To learn more about the deployment service, try the following: To learn more about the deployment service, see:
- [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) - [Prerequisites for Windows Update for Business deployment service](deployment-service-prerequisites.md)
- [Deploy feature updates using Graph Explorer](deployment-service-feature-updates.md)
- [Deploy expedited updates using Graph Explorer](deployment-service-expedited-updates.md)
- [Deploy driver and firmware updates using Graph Explorer](deployment-service-drivers.md)
- [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) - [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview)

14
windows/deployment/update/deployment-service-prerequisites.md
View File

@ -63,3 +63,17 @@ Deployment scheduling controls are always available. However, to take advantage
<!--Using include for deployment service limitations--> <!--Using include for deployment service limitations-->
[!INCLUDE [Windows Update for Business deployment service limitations](./includes/wufb-deployment-limitations.md)] [!INCLUDE [Windows Update for Business deployment service limitations](./includes/wufb-deployment-limitations.md)]
## Best practices
Follow these suggestions for the best results with the service.
### Device onboarding
- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day).
- Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors.
### General
Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it.