Microsoft Tells How To Use PowerShell and Windows Update for Business Deployment Services To Control Windows 10 Updates
Microsoft this week described how to use PowerShell to better manage Windows 10 updates when using the new Deployment Service addition to Windows Update for Business.
Windows Update for Business is an amorphous set of policies, stored in Microsoft's datacenters. Organizations can implement Windows Update for Business policies for Windows 10 client devices through things like Group Policy settings. They might use Windows Update for Business to delay Windows 10 feature updates from arriving for a short period of time, for instance.
Deployment Service Preview
In March at its Ignite event, Microsoft unveiled a new Windows Update for Business Deployment Service, which was said to increase IT control over when Windows 10 feature updates and quality updates would arrive.
The Windows Update for Business Deployment Service apparently is still at the preview stage since that announcement. It's expected to become "available to all Windows Enterprise customers in the first half of 2021," the March Ignite announcement had explained. Organizations will need E3-type licensing, at minimum, to use it.
The Windows Update for Business Deployment Service is powered by Microsoft Graph APIs that were released at the preview stage in April, according to a late-April Microsoft announcement.
Microsoft explained in that April announcement that the Windows Update for Business Deployment Service is "the bridge between you and Windows Update." It allows IT pros to more finely schedule Windows 10 updates on devices. IT pros can do things like specify that updates should arrive on a certain day for a certain number of devices, which might be helpful when planning gradual Windows 10 feature update rollouts. They also can specify an "expedited update" for emergency patching, which will bypass default update settings.
Various tools and management solutions can be used with the Windows Update for Business Deployment Service, such as "PowerShell, a Microsoft Graph app, or a complete endpoint management solution such as Microsoft Endpoint Manager," Microsoft's April announcement clarified.
Microsoft's announcement this week was all about how to use PowerShell as the tool to specify Windows 10 update details using the Windows Update for Business Deployment Service. It turns out that using PowerShell with this service isn't for the faint of heart. It's a roll-up-your-sleeves project.
The announcement clarified that IT pros can use either the Microsoft Graph APIs in preview or the Microsoft Graph PowerShell SDK to script Windows Update actions for Windows 10 clients under the Windows Update for Business Deployment Service scheme.
IT pros can use a PowerShell script to get a list of updates. They can then use a second PowerShell script to schedule an update deployment, including an expedited deployment. Lastly, another PowerShell script can be used to specify the devices to get an update. Sample scripts to that end were included in Microsoft's announcement.
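The three steps described above (list updates, schedule a deployment, assign devices) are shown here as an added example; it is not one of Microsoft's sample scripts and not part of the original article. It assumes the Microsoft.Graph.Authentication module and the Microsoft Graph beta windowsUpdates endpoints and request shapes, which can change while in preview; the device IDs are constructed placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example. Endpoint paths and body shapes are an assumption based on the
# Microsoft Graph *beta* windowsUpdates API; beta schemas can change.
$base = 'https://graph.microsoft.com/beta/admin/windows/updates'

# Request only the scope this task needs rather than a broader directory scope.
Connect-MgGraph -Scopes 'WindowsUpdates.ReadWrite.All'

# Step 1: list the feature updates in the catalog and pick one to deploy.
$filter  = "isof('microsoft.graph.windowsUpdates.featureUpdateCatalogEntry')"
$catalog = Invoke-MgGraphRequest -Method GET -Uri "$base/catalog/entries?`$filter=$filter"
$catalog.value | ForEach-Object { '{0}  {1}' -f $_.id, $_.displayName }
$entryId = $catalog.value[0].id   # placeholder choice; select deliberately in real use

# Step 2: schedule the deployment as a gradual rollout (100 devices every 7 days).
$deployment = @{
    '@odata.type' = '#microsoft.graph.windowsUpdates.deployment'
    content  = @{
        '@odata.type' = '#microsoft.graph.windowsUpdates.catalogContent'
        catalogEntry  = @{
            '@odata.type' = '#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry'
            id            = $entryId
        }
    }
    settings = @{
        schedule = @{
            gradualRollout = @{
                '@odata.type'         = '#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings'
                durationBetweenOffers = 'P7D'
                devicesPerOffer       = 100
            }
        }
    }
} | ConvertTo-Json -Depth 10
$created = Invoke-MgGraphRequest -Method POST -Uri "$base/deployments" `
    -Body $deployment -ContentType 'application/json'

# Step 3: assign devices by Azure AD device ID (constructed placeholder GUIDs).
$deviceIds = '00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002'
$bad = $deviceIds | Where-Object { -not [guid]::TryParse($_, [ref][guid]::Empty) }
if ($bad) { throw "Not a device GUID: $($bad -join ', ')" }   # fail before calling the API
$audience = @{
    addMembers = @($deviceIds | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.windowsUpdates.azureADDevice'; id = $_ }
    })
} | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method POST -Uri "$base/deployments/$($created.id)/audience/updateAudience" `
    -Body $audience -ContentType 'application/json'
```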
Prerequisites to use the Windows Update for Business Deployment Service include having a Windows 10 E3 (at minimum) subscription or a Windows Virtual Desktop Access E3 (at minimum) subscription, or a Microsoft 365 Business Premium subscription.
Devices need to be using Windows 10 version 1790 or higher. They need to be either Azure Active Directory-joined or "hybrid AD joined," which means they use a combination of the Azure AD service and local Active Directory.
IT pros need to have the right permissions to use the Windows Update for Business Deployment Service. Permissible roles include:
- Global Admin Role in Azure Active Directory
- Intune Admin Role in Azure Active Directory
- Policy and Profile Manager Role in Microsoft Intune
Microsoft is planning to add to this list with "a new Windows Update Administrator role." That role will be coming "soon," the announcement explained.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.