mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge pull request #5900 from Alice-at-Microsoft/patch-4
Add content on safeguard holds--publish11/2 0830
This commit is contained in:
Jaime Ondrusek
GitHub
commit
6426f56043
@ -208,6 +208,8 @@
|
||||
href: update/update-compliance-security-update-status.md
|
||||
- name: Feature update status report
|
||||
href: update/update-compliance-feature-update-status.md
|
||||
- name: Safeguard holds report
|
||||
href: update/update-compliance-safeguard-holds.md
|
||||
- name: Delivery Optimization in Update Compliance
|
||||
href: update/update-compliance-delivery-optimization.md
|
||||
- name: Data handling and privacy in Update Compliance
|
||||
|
||||
@ -29,6 +29,7 @@ The deployment service is designed for IT Pros who are looking for more control
|
||||
- You can stage deployments over a period of days or weeks by using rich expressions (for example, deploy 20H2 to 500 devices per day, beginning on March 14, 2021).
|
||||
- You can bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise.
|
||||
- You can benefit from deployments with automatic piloting tailored to your unique device population to ensure coverage of hardware and software in your organization.
|
||||
- You can use safeguards against likely update issues that have been identified by Microsoft machine-learning algorithms and automatically hold the deployment for any affected devices.
|
||||
|
||||
The service is privacy focused and backed by leading industry compliance certifications.
|
||||
|
||||
@ -52,7 +53,6 @@ Using the deployment service typically follows a common pattern:
|
||||
2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service.
|
||||
3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.
|
||||
|
||||
|
||||
The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Endpoint Manager.
|
||||
|
||||
## Prerequisites
|
||||
@ -74,7 +74,6 @@ Additionally, your organization must have one of the following subscriptions:
|
||||
- Windows Virtual Desktop Access E3 or E5
|
||||
- Microsoft 365 Business Premium
|
||||
|
||||
|
||||
## Getting started
|
||||
|
||||
To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application.
|
||||
@ -87,7 +86,6 @@ Microsoft Endpoint Manager integrates with the deployment service to provide Win
|
||||
|
||||
The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started).
|
||||
|
||||
|
||||
### Building your own application
|
||||
|
||||
Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:
|
||||
@ -113,14 +111,19 @@ This built-in piloting capability complements your existing ring structure and p
|
||||
|
||||
You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and additional protections within each ring.
|
||||
|
||||
### Safeguard holds against likely and known issues
|
||||
|
||||
Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service extends these safeguard holds to also protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you can opt out.
|
||||
|
||||
To verify whether a device is affected by a safeguard hold, see [Am I affected by a safeguard hold?](/windows/deployment/update/safeguard-holds#am-i-affected-by-a-safeguard-hold)
|
||||
|
||||
### Monitoring deployments to detect rollback issues
|
||||
|
||||
During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues.
|
||||
|
||||
|
||||
### How to enable deployment protections
|
||||
|
||||
Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your organization, devices must share diagnostic data with Microsoft.
|
||||
Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft.
|
||||
|
||||
#### Device prerequisites
|
||||
|
||||
|
||||
@ -17,27 +17,27 @@ ms.topic: article
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
|
||||
Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply safeguard holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use safeguard holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
|
||||
|
||||
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client.
|
||||
|
||||
The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices.
|
||||
The lifespan of safeguard holds varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update will resume offering new operating system versions to devices.
|
||||
|
||||
Safeguard holds only affect devices that use the Window Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
|
||||
Safeguard holds only affect devices that use the Windows Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
|
||||
|
||||
IT admins managing updates using the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) also benefit from safeguard holds on devices that are likely to be affected by an issue. To learn more, see [Safeguard holds against likely and known issues](/windows/deployment/update/deployment-service-overview#safeguard-holds-against-likely-and-known-issues).
|
||||
|
||||
## Am I affected by a safeguard hold?
|
||||
|
||||
IT admins can use [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) to monitor various update health metrics for devices in their organization, including ones affected by a safeguard hold that prevents them from updating to a newer operating system version.
|
||||
IT admins can use [Update Compliance](update-compliance-monitor.md) to monitor various update health metrics for devices in their organization. Update Compliance provides a [Safeguard Holds report](/windows/deployment/update/update-compliance-safeguard-holds), as well as [queries in the Feature Update Status report](/windows/deployment/update/update-compliance-feature-update-status), to provide you insight into the safeguard holds that are preventing devices from updating or upgrading.
|
||||
|
||||
Queries identify Safeguard IDs for each affected device, giving IT admins a detailed view into the various protections extended to devices. Safeguard IDs for publicly discussed known issues are also included in the [Windows release health](/windows/release-health/) dashboard, where you can easily find information related to publicly available safeguards.
|
||||
The Update Compliance reports identify safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find additional details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.
|
||||
|
||||
On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
|
||||
|
||||
|
||||
|
||||
|
||||
If you see this message, it means one or more holds affect your device. When the issue is fixed and the update is safe to install, we’ll release the hold and the update can resume safely.
|
||||
This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we will release the safeguard hold and the update can resume safely.
|
||||
|
||||
## What can I do?
|
||||
|
||||
@ -46,4 +46,4 @@ We recommend that you do not attempt to manually update until issues have been r
|
||||
> [!CAUTION]
|
||||
> Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out.
|
||||
|
||||
With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically.
|
||||
With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically.
|
||||
|
||||
@ -43,18 +43,21 @@ Refer to the following list for what each state means:
|
||||
|
||||
## Safeguard holds
|
||||
|
||||
Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release.
|
||||
Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Safeguard holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release.
|
||||
|
||||
### Queries for safeguard holds
|
||||
|
||||
Update Compliance reporting offers two queries to help you retrieve data related to safeguard holds. These queries show data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included.
|
||||
> [!TIP]
|
||||
> For a new Update Compliance report with additional information on safeguard holds, try the [Safeguard Holds report](/windows/deployment/update/update-compliance-safeguard-holds).
|
||||
|
||||
The Feature Update Status report offers two queries to help you retrieve data related to safeguard holds. These queries show data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included.
|
||||
|
||||
The first query shows the device data for all devices that are affected by safeguard holds. The second query shows data specific to devices running the target build.
|
||||
|
||||
|
||||
|
||||
Update Compliance reporting will display the Safeguard IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards.
|
||||
Update Compliance reporting will display the safeguard hold IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard hold IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards.
|
||||
|
||||
### Opt out of safeguard hold
|
||||
### Opt out of safeguard holds
|
||||
|
||||
You can [opt out of safeguard protections](safeguard-opt-out.md) by using the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update.
|
||||
You can [opt out of safeguard holds](safeguard-opt-out.md) protecting against known issues by using the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update.
|
||||
|
||||
@ -0,0 +1,49 @@
|
||||
---
|
||||
title: Update Compliance - Safeguard Holds report
|
||||
ms.reviewer:
|
||||
manager: laurawi
|
||||
description: Learn how the Safeguard Holds report provides information about safeguard holds in your population.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.pagetype: deploy
|
||||
audience: itpro
|
||||
itproauthor: jaimeo
|
||||
author: jaimeo
|
||||
ms.author: jaimeo
|
||||
ms.collection: M365-analytics
|
||||
ms.topic: article
|
||||
ms.custom: seo-marvel-apr2020
|
||||
---
|
||||
|
||||
# Safeguard Holds
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
The Safeguard Holds report provides information about devices in your population that are affected by a [safeguard hold](/windows/deployment/update/safeguard-holds).
|
||||
|
||||
Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Safeguard holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release.
|
||||
|
||||
Update Compliance provides two views into the safeguard holds that apply to devices in your population. The report shows data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included.
|
||||
|
||||
## Safeguard hold view
|
||||
|
||||
The safeguard hold view shows which safeguard holds apply to devices in your population, and how many devices are affected by each safeguard hold. You can use the **Safeguard hold ID(s)** dropdown at the top of the report to filter the chart and corresponding table to show only the selected safeguard hold IDs. Note that a device can be affected by more than one safeguard hold.
|
||||
|
||||
## Device view
|
||||
|
||||
The device view shows which devices are affected by safeguard holds. In the **Safeguard Hold IDs** column of the table, you can find a list of the safeguard holds that apply to each device. You can also use the **Safeguard hold ID(s)** dropdown at the top of the report to filter the table to show only devices affected by the selected safeguard hold IDs.
|
||||
|
||||
## Getting additional information about a safeguard hold
|
||||
|
||||
For safeguard holds protecting devices against publicly discussed known issues, you can find their 8-digit identifier on the [Windows release health](/windows/release-health/) page under **Known issues** corresponding to the relevant release.
|
||||
|
||||
Devices managed by the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) that are affected by a safeguard hold for a likely issue are listed in the report with the safeguard hold ID value **00000001**.
|
||||
|
||||
## Opt out of safeguard holds
|
||||
|
||||
To opt out of safeguard holds protecting against known issues, see [Opt out of safeguard holds](/windows/deployment/update/safeguard-opt-out).
|
||||
|
||||
To opt out of safeguard holds protecting against likely issues (applicable to devices managed by the deployment service), see [Manage safeguards for a feature update deployment using the Windows Update for Business deployment service](/graph/windowsupdates-manage-safeguards).
|
||||
Loading…
x
Reference in New Issue
Block a user