Deeper Control Support Coming to Windows Update for Business Deployment Service

Microsoft has increased the control users have when installing Windows client drivers and firmware.

Those controls are now becoming publicly accessible via a Microsoft Graph application programming interface (API). In essence, Microsoft has publicly released a sample Web application that uses the Microsoft Graph API to give organizations better control over driver and firmware updates to Windows clients when using the Windows Update for Business Deployment Service. Previously, the sample Web app had been available only at the private preview stage.

Microsoft's intent is to bring the new driver and firmware management capabilities to mobile device management solutions, but that integration apparently is not in place yet. Also, these capabilities won't be coming to organizations using System Center Configuration Manager or Windows Server Update Services, since the service is just for "cloud-attached devices," noted Nir Froimovici of Microsoft's commercial servicing and intelligence team, in the comments section of Microsoft's announcement.

"We have a policy that allows you to turn on dua[l]-scan just for drivers, so that you can try this out," Froimovici added, though.

However, Microsoft did cite a couple of endorsements, from VMware and from Microsoft's own Intune team, stating that their management tools will be able to leverage these new driver and firmware controls in the Windows Update for Business Deployment Service in the near future.

"VMware Workspace ONE plans to leverage the Microsoft Graph API to deliver end-to-end control of driver and firmware update services for Microsoft Windows E3 or E5 subscribers," stated Bharath Rangarajan, general manager and vice president of products for end-user computing for Workspace ONE, per Microsoft's announcement.

"We are excited to collaborate with the Windows Update for Business deployment service, to bring these management controls to our Windows E3 and E5 customers, leveraging Microsoft Graph, in Intune later this year," stated Steve Dispensa, vice president of product management for Microsoft Intune, in the announcement.

Coming to Mobile Device Management Tools
Microsoft's announcement is just a marker of its progress in bringing firmware and driver controls to the Windows Update for Business Deployment Service for future integration into some management tools. If IT pros want to work with APIs instead right now, though, they can do that using Microsoft's sample app.

"This [Microsoft announcement of driver and firmware controls] is a platform milestone that includes public Graph interfaces, sample queries, and a sample app with code to illustrate how to use it," explained Microsoft product leader Gabe Frost, in a Feb. 14 Twitter post. Frost was apparently replying to hopeful comments that Microsoft had actually rolled out an easy-to-use solution for IT pros.

Other commenters noted that organizations will have to pay for these new driver and firmware controls, requiring at least E3 licensing.

Requirements for the Deployment Service
The Windows Update for Business Deployment Service is a tool that branches off existing Windows Update for Business client management capabilities. It adds greater controls for IT departments over the timing of Windows Update-delivered client updates of all kinds, including Windows feature updates, cumulative updates, and now drivers and firmware.

Organizations wanting such controls will need to have E3 licensing at minimum, plus they'll have to meet the Windows Update for Business Deployment Service prerequisites, which include using Azure Active Directory-joined clients or "hybrid" Azure AD-joined clients. The use of Windows Pro editions, at minimum, is also stipulated.

The Windows Update for Business Deployment Service
Microsoft's real news this week seems to be that it is now more fully describing the Windows Update for Business Deployment Service, which can be found in this "Overview" article.

For instance, the "Overview" article clarified that "the deployment service is designed for IT Pros who are looking for more control than is provided through deferral policies and deployment rings."

Organizations could already freely use Windows Update for Business, which is a set of cloud-based management policies, according to Aria Carley, a program manager on the Windows updates team. Windows Update for Business can presently be used to sort Windows users into groups to test things like feature updates (new Windows operating system installations). However, if organizations want greater control over the timing of those updates, then Microsoft offers the Windows Update for Business Deployment Service, provided they have the requisite licensing to use it.

Here's Microsoft's diagram of Windows Update for Business:

Figure 1. Windows Update for Business capabilities, consisting of policies, Microsoft Graph API and a reporting capability. The Windows Update for Business Deployment Service is said to "complement" these capabilities, but its use requires having E3-type licensing at minimum (source: Feb. 13 "Windows Update for Business Deployment Service" Microsoft "Overview" document).

The Windows Update for Business Deployment Service currently lets organizations approve and schedule updates, set up gradual update rollouts across the organization, expedite security patches and use "Safeguard Holds" for certain updates. Microsoft itself uses machine learning to place Safeguard Holds on Windows updates that are deemed problematic for certain machines.

However, Microsoft's "Overview" document included a table indicating that some of those Windows Update for Business Deployment Service capabilities aren't yet available. For instance, quality updates can't yet be approved and scheduled, rolled out gradually or used with Safeguard Holds, per the Feb. 13 "Overview" document.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.