Unquestionably, one of the most challenging tasks an IT admin has to perform is keeping Windows devices updated with the latest patches. Historically, there have been problematic Windows Updates: issues with specific updates, problems with how they interact with drivers, and other defects. As a result, many businesses have chosen not to apply updates as often. That works against keeping a strong security posture, since updates don’t get applied at a regular cadence. However, Microsoft has made some positive strides with its cloud-based offerings, adding new features that give admins better tools to handle Windows Updates. One of those is the new Windows Update for Business Safeguard Hold. What are Safeguard Holds?

What is Windows Update for Business?

Before we take a look at the Windows Update for Business Safeguard Holds, what is Windows Update for Business? The Windows Update for Business offering is a solution from Microsoft that Intune can manage. This capability provides a cloud management platform for Windows Updates. Why is this important?

As businesses have drastically transitioned from the traditional on-premises pre-pandemic office strategies, employees are no longer all working from the corporate campus. Instead, the hybrid work model has firmly taken hold. In addition, the hybrid workforce layout has challenged the conventional tools businesses use to manage workstations, updates, security tools, and other legacy approaches.

These conventional tools generally require “line of sight” access to on-premises servers to provide management capabilities. In addition, many of these legacy tools often require access to non-standard proprietary network ports. Since this configuration no longer applies to most businesses, a new approach for management is needed to ensure endpoints can be managed, updated, and secured with policies applied as needed. Moreover, they need to be able to have this functionality without direct access to the corporate network.

Windows Update for Business is a free service available for premium editions of Windows, including Windows 10 and 11 Pro, Enterprise, Pro for Workstation, and Education editions. In addition, IT admins can use Windows Update for Business with Microsoft Intune, which can manage the Windows Update for Business settings to control when and how devices are updated.

Windows Update for Business has built-in mechanisms allowing businesses to control update offerings to endpoints and have the ability to carry out reliability and performance testing on a subset of devices before deploying these across the organization. You can manage Windows Update for Business using legacy Active Directory Domain Services (AD DS) Group Policies or a Mobile Device Management (MDM) solution like Microsoft Intune. However, using Group Policies for management doesn’t align well with the new hybrid strategy and is subject to the limitations of conventional on-premises technologies described above.

Viewing update settings in Microsoft Intune as part of Microsoft Endpoint Manager

Microsoft Endpoint Manager is the umbrella product containing Microsoft Intune. Intune is a cloud-based management platform for endpoints, allowing administrators to manage client endpoints no matter where they are located on the Internet. Microsoft Intune is therefore the premier management solution for Windows Update for Business that aligns with the new hybrid work strategy.

What are Windows Update for Business Safeguard Holds?

If you have been using Windows Update for deploying updates to your devices, including Windows Update for Business, Microsoft already has Safeguard Holds in place for what they refer to as known issues. When you move beyond the traditional Windows update policies and use Windows Update for Business deployment service in Intune, safeguard holds are also available for likely issues. Let’s define these two.

  • Known issue – A problem discovered by Microsoft or a customer that can occur after an upgrade
  • Likely issue – Likely issues are discovered by machine learning (ML) algorithms Microsoft uses to process diagnostic data from millions of Windows devices. When there is evidence of a rollback during patch installation, such as a driver malfunction or a graphics, connectivity, or similar issue, the ML algorithms attempt to discover correlations between the hardware and software combinations on the affected endpoints. If a specific combination of hardware and software is found to be problematic, the ML algorithms place Safeguard Holds for devices matching the same characteristics, protecting the larger set of devices that have not yet begun the problematic update.

In the high-level diagram from Microsoft, you can see that in the lower left consumer device population, a couple of endpoints have issues with updates. The deployment service notifies Windows Update of the problems. It holds the updates for specific endpoints in your organization based on the machine learning correlation that has identified a potential risk in your organization.

Overview of the Windows Update for Business Safeguard Holds

What happens when the Safeguard Hold is triggered?

When the machine learning algorithms identify an issue and a Safeguard Hold is triggered for a likely issue, the hold is placed temporarily. Microsoft notes that the delay gives you a few weeks to decide how you want to proceed with the update process. How long is the temporary hold, and what further actions are taken?

  • Hold duration: 4-6 weeks
  • If the issue is confirmed, it will transition from a likely issue to a known issue
  • If a false positive is identified, the hold on the updates will be removed, allowing updates to begin

Microsoft maintains the Safeguard Hold on the questionable update until they have reviewed it internally. Once investigated, they develop and validate a fix before the update is offered again to the affected devices through the deployment service. Once the fix is delivered through Windows Update, the Safeguard Hold is lifted, and Microsoft offers the update to the device again.

How do you use Safeguard Holds for likely issues?

Safeguard Holds apply to Windows Update for Business deployments by default. However, it is a good idea to ensure your devices meet the prerequisites of the solution. Devices must be configured to share diagnostic data with Microsoft, both so that the machine learning correlation can see them and so that you can use the available reporting tools.

To ensure diagnostic data is configured, you can use either Group Policy or Microsoft Intune CSP policies:

Microsoft Intune

Use Policy Configuration Service Provider (CSP) to apply the following MDM policies:

  • System/AllowTelemetry
  • System/LimitDumpCollection
  • System/LimitDiagnosticLogCollection

Group Policy

  • From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds
  • Double-click Limit diagnostic log collection
  • In the Options box, choose the setting you want to configure and click OK

In addition to allowing diagnostic data, you need to ensure you have the AllowWUfBCloudProcessing setting configured:

Microsoft Intune

  • Name: AllowWUfBCloudProcessing
  • Description: Enter a description.
  • OMA-URI: ./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing
  • Data type: Integer
  • Value: 8

Group Policy

  • Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow WUfB Cloud Processing
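As an added example (not a script from the original post, and not a Microsoft-provided tool), here is a PowerShell check that audits a device for the prerequisites described in the two procedures above: diagnostic data sharing and AllowWUfBCloudProcessing. It assumes that the Policy CSP System/* settings and the matching Group Policy items are written to HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection, and that AllowTelemetry must be at least 1 (Required) for the device to share diagnostic data; the registry location and the minimum telemetry level are assumptions, not stated on the page. The value 8 for AllowWUfBCloudProcessing comes from the OMA-URI instructions above.

```powershell
# Added example: audit a Windows device for the Windows Update for Business
# Safeguard Hold prerequisites. Not part of the original post.
#
# Assumption: both the Intune Policy CSP (System/AllowTelemetry etc.) and the
# corresponding Group Policy items land in this registry key. MDM-only settings
# can also appear under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System,
# which this script does not inspect.

function Get-PolicyValue {
    param(
        [Parameter(Mandatory)] [string]$Key,
        [Parameter(Mandatory)] [string]$Name
    )
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-WufbSafeguardPrereqs {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    )

    $results = @()

    # 1. Diagnostic data must be shared. Assumption: at least 1 (Required) is
    #    needed; 0 (Security) would send no update diagnostic data at all.
    $telemetry = Get-PolicyValue -Key $PolicyKey -Name 'AllowTelemetry'
    $results += [pscustomobject]@{
        Setting = 'System/AllowTelemetry'
        Value   = $telemetry
        Pass    = ($null -ne $telemetry -and $telemetry -ge 1)
        Hint    = 'Allow diagnostic data at Required (1) or higher'
    }

    # 2. AllowWUfBCloudProcessing must be 8 (Enabled), as in the OMA-URI steps.
    $cloud = Get-PolicyValue -Key $PolicyKey -Name 'AllowWUfBCloudProcessing'
    $results += [pscustomobject]@{
        Setting = 'System/AllowWUfBCloudProcessing'
        Value   = $cloud
        Pass    = ($cloud -eq 8)
        Hint    = 'Set the integer value to 8 (Enabled)'
    }

    # 3. The two Limit* policies are listed in the post without a required value,
    #    so they are reported for review rather than scored.
    foreach ($name in 'LimitDumpCollection', 'LimitDiagnosticLogCollection') {
        $limit = Get-PolicyValue -Key $PolicyKey -Name $name
        $results += [pscustomobject]@{
            Setting = "System/$name"
            Value   = $limit
            Pass    = $null
            Hint    = 'Informational: 1 limits collection, 0 or absent does not'
        }
    }

    return $results
}

# Usage: print the audit table and exit non-zero if any scored check failed,
# so the script can run as an Intune remediation or a scheduled compliance task.
$audit = Test-WufbSafeguardPrereqs
$audit | Format-Table -AutoSize
$failed = @($audit | Where-Object { $_.Pass -eq $false })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) Safeguard Hold prerequisite(s) not met."
    exit 1
}
```

Run it in an elevated PowerShell session on a managed device. A device showing AllowTelemetry absent or 0, or AllowWUfBCloudProcessing absent, will not feed the ML correlation and will not appear with Safeguard Hold details in the Intune reports, even though the policies in the portal look correct; re-check policy assignment and the device's last MDM sync in that case.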

If you use Intune, update failures related to Safeguard Holds are displayed in the Feature Update Failures Report.

Viewing Safeguard Holds affecting devices


Wrapping up

Microsoft is making great strides to improve the stability and efficiency of Windows Updates. It is great to see them leveraging machine learning (ML) algorithms as part of the process. It should surface potential issues much more quickly than manual discovery by users. In addition, using the massive pool of endpoints for collecting diagnostic data will help improve the overall Windows Update experience for consumers and businesses.

You can learn more about the Safeguard Holds from the official Microsoft documentation here:
