Microsoft Previews Graph API Support in Windows Update for Business Deployment Service
Microsoft on Wednesday announced a preview of Microsoft Graph application programming interfaces (APIs) for use with the Windows Update for Business Deployment Service.
These REST-based Microsoft Graph APIs add flexibility for software developers making client management "multi-tenant apps." They also can be leveraged by IT pros for use with their "in-house solutions," the announcement explained. The Graph APIs are "powered" by the Windows Update for Business Deployment Service, which gets used with the Windows Update service to help keep Windows 10 client devices patched and updated.
Windows Update for Business Deployment Service
The Windows Update for Business Deployment Service is actually a new service. It's said to "complement existing Windows Update for Business capabilities," per this overview document. The deployment service combines Group Policy for client policy settings, Microsoft Graph deployment service APIs for tapping metadata, plus compliance capabilities used for monitoring software updates.
The operations of the Windows Update for Business Deployment Service are cloud-based.
"The [Windows Update for Business Deployment] service is native to the cloud and all operations take place between various Microsoft services," the overview document explained.
The overview document added that IT pros link to these services via a management tool. Microsoft Endpoint Manager, PowerShell or a Microsoft Graph-based management application are supported.
Microsoft had mentioned the Windows Update for Business Deployment Service during its March Ignite event, saying that it was scheduled to come into being sometime during the first half of this year. It was described back then as giving IT pros more controls over when Windows 10 quality and feature updates arrive, plus controls over firmware and driver updates, too. Licensing-wise, the bottom line is that using the Windows Update for Business Deployment Service requires E3-type licenses at minimum.
Other minimum requirements for using the Windows Update for Business Deployment Service are Windows 10 version 1709 or later clients that are joined to Azure Active Directory or "hybrid" (using a combination of local Active Directory plus Azure AD), and a Windows 10 Pro edition.
The Windows Update for Business Deployment Service apparently is fairly robust already, according to the announcement:
"The Windows Update for Business deployment service is an enterprise-grade solution that provides full control over managed content and is already certified compliant with several industry compliance standards, including: ISO 27001, FedRAMP High, HiTRUST, and SOC II."
The use of Microsoft Graph APIs with the Windows Update for Business Deployment Service is said to add "rich control over the approval, scheduling, and protection of content delivered from Windows Update."
Examples of that rich control include even "skipping or not taking feature updates." Windows Update for Business, which is a bunch of cloud-based controls for managing updates to Windows 10 devices, already has some update delaying capabilities. Apparently, the Graph API support just enhances those existing capabilities.
The Graph APIs permit IT pros to immediately deploy a security update. They can do that because the Graph APIs let them bypass "pre-configured Windows Update for Business policies."
The Graph API support also lets IT pros detect when a Windows 10 feature update fails, resulting in an operating system rollback, which might happen due to a driver issue. IT pros can arrange for updates to be paused in such circumstances.
Graph API support adds greater flexibility in staging Windows 10 deployments. Deployments can take place over a period of time, starting on a specific day. Microsoft's example of that flexibility was deploying Windows 10 version "20H2 to 500 devices per day, beginning on May 11, 2021."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.