Windows IT Pro Blog

Access safeguard hold details with Update Compliance

Megha_Sharma
Microsoft
Oct 22, 2020

IT administrators using Update Compliance now have access to information on which safeguard holds are preventing individual devices in their organization from updating to a new version of Windows 10.

What are safeguard holds?

Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.

Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10.

The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices. Safeguard holds only affect devices that use the Windows Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services (WSUS)) to remain aware of known issues that might also be present in their environments.

How can you monitor safeguard holds impacting devices in your organization?

Previously, IT administrators using Update Compliance could see which devices were unable to update due to safeguard holds, but did not have any information on which individual hold was preventing the device from updating. We have made improvements to Update Compliance to address this customer pain point.

Update Compliance now supports two queries designed to help you retrieve data related to safeguard holds. The first query, “Devices with a safeguard hold”, shows the device data for all devices impacted by safeguard holds. The second query, “Target build distribution of devices with a safeguard hold”, shows how many devices are prevented from updating and which build version they belong to. Devices under a single commercial ID can be on different OS build versions. The “Target build distribution” query displays, in the form of a chart, the devices impacted by safeguard holds broken down by build version.

Safeguard holds as they appear in Update Compliance

Update Compliance reporting surfaces the safeguard hold IDs for known issues impacting a device in the ‘DeploymentErrorCode’ column. Every safeguard hold has a unique ID associated with it. Safeguard hold IDs for documented issues will be included in the Windows release health dashboard. To determine which safeguard hold is preventing your device’s update, go to the “Known issues and notifications” page for the specific version to which you are attempting to update (e.g. Known issues and notifications for Windows 10 and Windows Server, version 20H2). Once you have navigated to the appropriate known issues and notifications page, search (Ctrl + F) for the safeguard ID(s) related to the safeguard hold(s) for your device (e.g. “25178825”). This process enables you to easily look up information related to the safeguard hold impacting your devices if that safeguard hold’s documentation is publicly available.

Safeguard IDs as they appear on the Windows release health dashboard

Microsoft publicly discloses information about safeguard holds preventing Windows updates when the holds are broadly applied, and Microsoft can independently address the issues driving the hold. When a safeguard is the result of third-party software or hardware incompatibilities, Microsoft is subject to confidentiality requirements. Only in certain circumstances are we authorized to disclose original equipment manufacturer-driven holds.
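
The lookup described above can be run over a whole export at once. The following is an added example, not code from the original post or from Microsoft: it groups held devices by the safeguard ID in DeploymentErrorCode and by target build, and marks IDs that are missing from a hand-maintained set of publicly documented IDs. The CSV layout, the Computer and TargetBuild column names, the multi-ID cell format and all sample rows are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. Only the DeploymentErrorCode column name comes
# from the article; the other column names and every row are assumptions.
SAMPLE_EXPORT = """Computer,TargetBuild,DeploymentErrorCode
PC-001,19042,25178825
PC-002,19042,25178825
PC-003,19041,11111111
PC-004,19042,"25178825, 22222222"
PC-005,19042,
"""

# IDs you located on the "Known issues and notifications" page for the target
# version. 25178825 is the article's example; the set is maintained by hand.
PUBLIC_IDS = {"25178825"}


def parse_hold_ids(cell):
    """Return the decimal safeguard IDs in one DeploymentErrorCode cell.
    Empty cells and non-decimal tokens (e.g. hex error codes) yield nothing."""
    return [tok for tok in re.split(r"[\s,;]+", cell or "") if tok.isdigit()]


def summarize_holds(export_text, public_ids):
    """Group devices by (safeguard ID, target build) and record whether the
    ID has public documentation to search for."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        for hold_id in parse_hold_ids(row.get("DeploymentErrorCode")):
            groups[(hold_id, row["TargetBuild"])].append(row["Computer"])
    return [
        {"hold_id": hold_id, "target_build": build,
         "devices": sorted(devices), "documented": hold_id in public_ids}
        for (hold_id, build), devices in sorted(groups.items())
    ]


def undocumented_ids(report):
    """Safeguard IDs with no public entry on the release health dashboard."""
    return sorted({r["hold_id"] for r in report if not r["documented"]})


if __name__ == "__main__":
    report = summarize_holds(SAMPLE_EXPORT, PUBLIC_IDS)
    for entry in report:
        print(entry)
    print("No public documentation:", undocumented_ids(report))
```
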

Safeguard holds help deliver a positive update experience. Similarly, this new reporting capability in Update Compliance helps to ensure that IT administrators have a positive management experience with the insights they need to effectively manage the devices in their organization. This is another step in our path toward providing IT administrators with greater transparency and control when managing Windows updates.

Updated Feb 01, 2023
Version 5.0
  • trevorjones
    Brass Contributor

    This is helpful. In our environment, we have a number of Safeguard Hold IDs that cannot be found in the Windows release health dashboard. Should we assume that these are 'the result of third-party software or hardware incompatibilities' that you cannot disclose?

  • bykskt
    Copper Contributor

    I'm not familiar with Update Compliance. Is it possible to access this information through PowerShell or REST? -Mike

  • StevieLamb
    Copper Contributor

    I like this because it has helped me identify OEMs that I cannot reasonably trust if my company is to provide a reliable service.

    We have a not-insignificant number of devices on Safeguard Hold, none of which show associated public details, and using Kusto I have joined the data with that from Intune, to get very clear info on which OEMs are limiting my company's decision-making capacity.
    (Happy to share the "quick and dirty" Kusto query on request.)

    Suffice it to say, this will factor in our procurement processes.
    When someone chooses not to share information in this context, I become suspicious that there are security risks associated with the information blackout.