Windows Update for Business Deployment Service Will Apply Safeguard Holds Automatically for Suspect Patches
Microsoft this week began further explaining its Windows Update for Business Deployment Service, with a focus on Safeguard Holds.
Safeguard Holds are temporary software patch blocks, typically instigated by Microsoft in an automated process. The patch blocks get applied when Microsoft’s “telemetry” information suggests that Windows 10 or Windows 11 systems had problems after applying a software update.
Microsoft also has an automated patch blocking process for so-called “likely” problematic patches, as determined by machine learning algorithms. The automated blocking for likely problematic patches is only available for organizations that use the Windows Update for Business Deployment Service, the announcement clarified.
Microsoft also offers Windows Update for Business, a collection of cloud-based policies for managing updates. It allows manually setting a Safeguard Hold for a patch suspected of causing problems. However, Windows Update for Business users don’t get the same sort of automated blocking on suspect patches that comes by default with the Windows Update for Business Deployment Service.
Consumer Guinea Pigs
Microsoft derives information about so-called likely patch problems from consumers and unmanaged Windows devices, using machine learning algorithms. These users are essentially Microsoft’s “guinea pig” testers, and they are used to help find Windows patch problems before they reach organizations.
Here’s how the announcement expressed that notion:
“In addition to safeguards for known issues, the deployment service utilizes machine learning (ML) performed across millions of unmanaged, daily consumer and commercial PCs installing the upgrade. It looks for any evidence of rollback during setup, an app or driver malfunction, graphics, audio or connectivity issue, etc. When upgrade problems like these surface, this ML spots correlations among device hardware and software characteristics to identify a larger set of devices that have not yet started the upgrade and automatically safeguards them.”
The blocking information that Microsoft derives from this process is device specific. Flagged patches may be deemed OK for delivery to other PCs that do not fit the specific hardware and software profile.
It’s not clear why Microsoft doesn’t extend automatic blocking of bad software updates to Windows Update for Business users, who presumably face the same issues with a bad patch as Windows Update for Business Deployment Service users.
Microsoft does have an information-sharing device requirement, though, for organizations wanting to use the Windows Update for Business Deployment Service, namely:
Windows Update for Business Deployment Service Release Status
Safeguard Holds have been around for a couple of years, but the Windows Update for Business Deployment Service is more of an emerging service.
In March, Microsoft described a Gradual Rollouts feature in the Windows Update for Business Deployment Service. It’s designed to help organizations install new Windows 10 or Windows 11 “feature updates” (which are new operating system releases) to machines in a phased process. Organizations can use the gradual rollout approach to better isolate Windows upgrade issues with a smaller group of users before a broader rollout.
In its March announcement, Microsoft had suggested that a public preview of the Windows Update for Business Deployment Service with all of its capabilities, including Microsoft Intune and Microsoft Graph capabilities, would be available as a “public preview in July 2022,” and would be offered as “a fully open-sourced web application.”
That planned July 2022 target release for the Windows Update for Business Deployment Service preview appears to have been skipped. Exactly when the public preview would be available, given the slipped schedule, was not described.
Microsoft’s “Overview” document on the Windows Update for Business Deployment Service, dated June 16, 2022, similarly did not indicate the product’s release status or when the public preview would be available.
Kurt Mackie is senior news producer for 1105 Media’s Converge360 group.