Gradual rollouts enable you to roll out Windows feature updates across your organization, similar to how Microsoft uses machine learning to update the global Windows population. We are excited to bring you this net-new aspect of the Windows Update for Business deployment service and outline how you can best leverage it to improve your organization's security and productivity.
A few months ago, we published a blog post about the Windows Update for Business deployment service features providing enterprise-grade control over content delivered by Windows Update. In that post, we walked you through prerequisites and then outlined scheduling, deploying, and monitoring the deployment process. Primary features of the service include new capabilities for Windows feature update management: safeguard holds for potentially impactful issues, gradual rollouts, and automated rollback monitoring. These features are available to organizations with Windows 10/11 Enterprise E3 or greater and work together to help ensure your devices stay protected and productive. I plan to discuss each feature in detail, starting today with gradual rollouts.
In the words of John Cable, the VP of Product Management at Windows Servicing and Delivery:
"As our team continues to drive Windows servicing innovation all up, we're excited to share these developments for the Windows Update for Business deployment service. In many ways, Microsoft serves as the IT pro for hundreds of millions of consumer PCs worldwide, which has helped us hone our focus on innovations at scale. By ensuring equivalent rollout innovations are available to organizations, we believe IT pros can build greater confidence in accelerating adoption of updates across their respective ecosystems."
The deployment service enables you to successfully update your entire population of Windows PCs or devices and limit the impact of potential issues through gradual rollouts. It does so by intelligently ordering devices to be updated in waves, where every wave is designed to help you discover incompatibilities and implement solutions with the fewest devices and users affected. Gradual rollouts provide a tailored update experience to organizations with unique needs and unique compatibility challenges in the hardware and software they depend on.
Modeling and implementing gradual rollouts
Let's walk through an example that illustrates how the deployment service eliminates a lot of manual labor by gradually updating your population and building confidence in the outcome.
Consider a population of 25 devices that you want to update in 5 waves, with 5 devices per wave. From Microsoft's experience updating hundreds of millions of consumer devices, we have learned that a device's experience with an update is related to a range of hardware attributes (like manufacturer/model, GPU, or total physical RAM) and software attributes (like applications and drivers). By enabling the AllowWUfBCloudProcessing policy, you give Microsoft permission to collect and process information on these important device attributes and use this information to optimize the order in which devices are included within a gradual rollout.
The Confidence over time graphic illustrates the 5 waves of gradual rollout with growing confidence in successful device update outcomes. The IT pro benefits from this structuring by gaining knowledge from previous waves through repetition or redundancy. Redundancy represents the number of times devices with the same attribute have successfully undergone an update, providing the IT pro with a higher level of confidence that other devices in subsequent waves of deployment would behave similarly. In this illustration, the first 5 devices show 0 confidence at the pre-deployment state. Each time the update is complete, the newly observed redundancy numbers now offer a higher confidence level for the following 5 devices in the subsequent wave.
The following illustrative example helps visualize how your device inventory may be organized by the deployment service and prepare your population for the gradual rollout update process. Imagine that our sample population consists of 4 device models, 8 applications, and 8 drivers. The following image shows the frequency of these attributes in the 25 devices. As you can see, some attributes are more common than others: Model A with 16 devices is more frequent than Model B with 2.
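| | Model A | Model B | Model C | Model D | App A | App B | App C | App D | App E | App F | App G | App H | Driver A | Driver B | Driver C | Driver D | Driver E | Driver F | Driver G | Driver H |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Overall frequency | 16 | 2 | 3 | 4 | 19 | 13 | 2 | 11 | 10 | 19 | 7 | 3 | 19 | 20 | 19 | 2 | 17 | 2 | 2 | 2 |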
Figure 1. Device attributes in the population
Let's look at the devices selected by the deployment service for the first wave. A circle represents attributes for applicable devices, one device per row. Before the deployment, the update outcome of every device is considered unknown and is represented by empty circles. Since there are no insights available to prepare devices in this and subsequent waves for the update, the confidence level prior to the deployment of Wave 1 is 0, as shown in the Confidence over time graphic above.
| Wave 1 | Attributes present across Models A-D, Applications A-H, Drivers A-H (○ = update outcome unknown) |
|---|---|
| Device 1 | ○ ○ ○ ○ ○ ○ ○ |
| Device 2 | ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ |
| Device 3 | ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ |
| Device 4 | ○ ○ ○ ○ ○ ○ |
| Device 5 | ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ |
Figure 2. Wave 1 devices and their attributes
After applying the update to the first 5 devices, the IT pro now has some learnings to help build their confidence in the update outcome of the devices in Wave 2. For example, we've seen 5 devices with Application F complete the update (redundancy = 5). If there is any update issue for devices with Application F, we will start getting some signals about it. Attributes not seen that many times, like Model D, haven't contributed to the learning yet. If an issue is discovered after the update, such as with Application F, the IT pro can now pause the rollout or remediate the issue before proceeding with additional waves.
As we move through Waves 2, 3, and 4, we continue to update devices while learning and building confidence in the update outcomes of the remaining devices in the deployment. By the final wave, we see that even the device for which we have the lowest confidence (Device 23) has at least 6 layers of redundancy on each of its attributes.
| Redundancy (times seen from start) | Model A | Model B | Model C | Model D | App A | App B | App C | App D | App E | App F | App G | App H | Driver A | Driver B | Driver C | Driver D | Driver E | Driver F | Driver G | Driver H |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Wave 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Wave 2 | 2 | 1 | 1 | 1 | 5 | 3 | 1 | 3 | 3 | 5 | 2 | 1 | 5 | 5 | 5 | 1 | 4 | 1 | 1 | 1 |
| Wave 3 | 4 | 2 | 2 | 2 | 8 | 7 | 2 | 7 | 6 | 8 | 4 | 2 | 8 | 10 | 9 | 2 | 8 | 2 | 2 | 2 |
| Wave 4 | 7 | 2 | 3 | 3 | 12 | 9 | 2 | 8 | 7 | 12 | 5 | 3 | 12 | 15 | 13 | 2 | 12 | 2 | 2 | 2 |
| Wave 5 | 11 | 2 | 3 | 4 | 15 | 11 | 2 | 9 | 9 | 15 | 6 | 3 | 15 | 18 | 16 | 2 | 15 | 2 | 2 | 2 |
| Overall frequency | 16 | 2 | 3 | 4 | 19 | 13 | 2 | 11 | 10 | 19 | 7 | 3 | 19 | 20 | 19 | 2 | 17 | 2 | 2 | 2 |
Figure 3. Confidence levels based on redundancy (i.e. number of updated attributes) at the pre-deployment state of each update wave
When you have more confidence in update outcomes, the risk of unexpected issues is lower. Importantly, you are better set up to address any issues that may come up and protect devices. Gradual rollouts in the deployment service help you build this confidence and ensure that more devices in your population have a smooth update experience. The best part is that this illustrated process is fully automated by the gradual rollouts feature in the Windows Update for Business deployment service.
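To make the redundancy idea concrete, here is an added Python sketch (not code from this post or from the deployment service) that compares a naive device order with a simple greedy order on a constructed six-device inventory. The greedy scoring rule, the function names, and the inventory are assumptions for illustration only; the service's actual ordering logic is not described in this post.

```python
from collections import Counter
from fractions import Fraction

# Constructed inventory (not from the article): device -> its attributes.
INVENTORY = {
    "D1": {"model:A", "app:F", "drv:B"},
    "D2": {"model:A", "app:F", "drv:B"},
    "D3": {"model:A", "app:F", "app:G", "drv:B"},
    "D4": {"model:B", "app:F", "drv:B", "drv:D"},
    "D5": {"model:A", "app:G", "drv:B"},
    "D6": {"model:B", "app:F", "drv:D"},
}

def chunk(order, wave_size):
    """Split an ordered device list into waves of wave_size devices."""
    return [order[i:i + wave_size] for i in range(0, len(order), wave_size)]

def plan_order(inventory):
    """Hypothetical greedy ordering: schedule next the device whose attributes
    have been scheduled least often, so every attribute gets exposure early."""
    seen, pool, order = Counter(), sorted(inventory), []
    def score(device):
        # Exact fractions avoid float rounding when two devices tie.
        return sum(Fraction(1, 1 + seen[a]) for a in inventory[device])
    while pool:
        pick = min(pool, key=lambda d: -score(d))  # first name wins a tie
        pool.remove(pick)
        order.append(pick)
        seen.update(inventory[pick])
    return order

def confidence_floor(inventory, waves):
    """Per wave: the lowest redundancy (times an attribute has already
    completed the update) on any device about to be updated in that wave."""
    seen, floors = Counter(), []
    for wave in waves:
        floors.append(min(seen[a] for d in wave for a in inventory[d]))
        for d in wave:
            seen.update(inventory[d])
    return floors

def summarize(wave_size=2):
    naive = chunk(sorted(INVENTORY), wave_size)
    planned = chunk(plan_order(INVENTORY), wave_size)
    return (planned, confidence_floor(INVENTORY, naive),
            confidence_floor(INVENTORY, planned))

if __name__ == "__main__":
    planned, naive_floor, planned_floor = summarize()
    print("planned waves:", planned)
    print("confidence floor per wave, naive order:  ", naive_floor)
    print("confidence floor per wave, planned order:", planned_floor)
```

In the naive order, Wave 2 still contains devices with attributes that have never been through the update; in the planned order, every attribute has been seen at least once before Wave 2 begins.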
To benefit from gradual rollouts
Let's walk through how you can configure a gradual rollout in Microsoft Endpoint Manager (Intune) (or visit Microsoft Graph to see an alternative way to do the same). To allow the deployment service to optimize the order of devices within the gradual rollout, make sure to set the AllowWUfBCloudProcessing policy using Intune, another mobile device management (MDM) solution, or Group Policy.
Device prerequisites
The following device settings must be configured to allow the deployment service to optimize your rollout:
- Diagnostic data is set to Required or Optional.
- The AllowWUfBCloudProcessing policy is set to 8.
Set the correct policy using Microsoft Endpoint Manager
Microsoft Endpoint Manager makes it easy to configure these device settings by creating a Configuration Profile:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Go to Devices > Configuration profiles > Create profile.
3. For Platform, select Windows 10 and later and then for Profile type, select Settings catalog (preview).
4. On the Configuration settings page, select Add settings, and then on the Settings picker page, search for Allow WUfB Cloud Processing. You'll find this setting in the System category. Select the checkbox for this setting and then close the Settings picker window.
5. Set Allow WUfB Cloud Processing to Enabled.
6. On the Assignments page, assign the profile to the same groups you use for your Feature update profiles, and then complete and create this settings catalog profile to deploy it.
Configure a gradual rollout in Intune
Once the device configuration has been applied, any feature update policy created in Intune is now eligible for rollout optimizations. Simply choose to make the update available gradually and configure your rollout parameters. The deployment service will take over and optimize your deployment from there!
Conclusion
In recapping what we've shared in this blog, the Windows Update for Business deployment service optimizes deployments to help you better protect your device population. Specifically, it automates several risk-lowering and confidence-boosting decisions, empowering you to identify and address any incompatibilities early in the deployment process. This ensures a smoother feature update experience and better protection and productivity for your users. The only thing you need to do is set up the correct policy and configure the gradual rollout without affecting your existing Windows Update for Business policies. In our next set of blogs following this one, we take a deeper look at how safeguard holds and automated rollback monitoring features pair up with gradual rollouts to ensure an even more successful update experience, including before, during, and after the update.
To learn more, check out these resources on the deployment service and on safeguard holds:
- Announcing the Windows Update for Business deployment service
- Windows Update for Business deployment service - Windows Deployment | Microsoft Docs
- Deployment service for driver updates public preview coming soon
- New additions to the Windows Update for Business deployment service
- Safeguard holds overview
- Access safeguard hold details with Updated Compliance
- Microsoft 365 Enterprise Licensing Guide