Windows IT Pro Blog

Gradual rollouts with the Windows Update for Business deployment service

David_Mebane, Microsoft
Mar 22, 2022

Gradual rollouts enable you to roll out Windows feature updates across your organization, similar to how Microsoft uses machine learning to update the global Windows population. We are excited to bring you this net-new aspect of the Windows Update for Business deployment service and outline how you can best leverage it to improve your organization's security and productivity.

A few months ago, we published a blog post about the Windows Update for Business deployment service features providing enterprise-grade control over content delivered by Windows Update. In that post, we walked you through prerequisites and then outlined scheduling, deploying, and monitoring the deployment process. Primary features of the service include new capabilities for Windows feature update management: safeguard holds for potentially impactful issues, gradual rollouts, and automated rollback monitoring. These features are available to organizations with Windows 10/11 Enterprise E3 or greater and work together to help ensure your devices stay protected and productive. I plan to discuss each feature in detail, starting today with gradual rollouts.

In the words of John Cable, the VP of Product Management at Windows Servicing and Delivery:

"As our team continues to drive Windows servicing innovation all up, we're excited to share these developments for the Windows Update for Business deployment service. In many ways, Microsoft serves as the IT pro for hundreds of millions of consumer PCs worldwide, which has helped us hone our focus on innovations at scale. By ensuring equivalent rollout innovations are available to organizations, we believe IT pros can build greater confidence in accelerating adoption of updates across their respective ecosystems."

The deployment service enables you to successfully update your entire population of Windows PCs or devices while limiting the impact of potential issues through gradual rollouts. It does so by intelligently ordering devices to be updated in waves, where every wave is designed to help you discover incompatibilities and implement solutions with the fewest devices and users affected. Gradual rollouts provide a tailored update experience for organizations whose hardware and software compatibility needs and challenges are unique.

Modeling and implementing gradual rollouts

Let's walk through an example that illustrates how the deployment service eliminates a lot of manual labor by gradually updating your population and building confidence in the outcome.

Consider a population of 25 devices that you want to update in 5 waves, with 5 devices per wave. From Microsoft's experience updating hundreds of millions of consumer devices, we have learned that a device's experience with an update is related to a range of hardware attributes (like manufacturer/model, GPU, or total physical RAM) and software attributes (like applications and drivers). By enabling the AllowWUfBCloudProcessing policy, you give Microsoft permission to collect and process information on these important device attributes and use this information to optimize the order in which devices are included within a gradual rollout.

The Confidence over time graphic illustrates the 5 waves of gradual rollout with growing confidence in successful device update outcomes. The IT pro benefits from this structuring by gaining knowledge from previous waves through repetition or redundancy. Redundancy represents the number of times devices with the same attribute have successfully undergone an update, providing the IT pro with a higher level of confidence that other devices in subsequent waves of deployment would behave similarly. In this illustration, the first 5 devices show 0 confidence at the pre-deployment state. Each time the update is complete, the newly observed redundancy numbers now offer a higher confidence level for the following 5 devices in the subsequent wave.

The following illustrative example helps visualize how the deployment service may organize your device inventory and prepare your population for the gradual rollout. Imagine that our sample population consists of 4 device models, 8 applications, and 8 drivers. The following figure shows the frequency of these attributes across the 25 devices. As you can see, some attributes are more common than others: Model A, with 16 devices, is more frequent than Model B, with 2.

                    Models          Applications                    Drivers
Attribute           A   B   C   D   A   B   C   D   E   F   G   H   A   B   C   D   E   F   G   H
Overall frequency   16  2   3   4   19  13  2   11  10  19  7   3   19  20  19  2   17  2   2   2

Figure 1. Device attributes in the population

Let's look at the devices selected by the deployment service for the first wave. A circle represents attributes for applicable devices, one device per row. Before the deployment, the update outcome of every device is considered unknown and is represented by empty circles. Since there are no insights available to prepare devices in this and subsequent waves for the update, the confidence level prior to the deployment of Wave 1 is 0, as shown in the Confidence over time graphic above.

[Figure 2. Wave 1 devices and their attributes. One row per device (Device 1 to Device 5), with a circle under each attribute the device has, across Models A to D, Applications A to H and Drivers A to H, followed by the Overall frequency row from Figure 1; the individual circles are not reproduced here.]

After applying the update to the first 5 devices, the IT pro now has some learnings to help build their confidence in the update outcome of the devices in Wave 2. For example, we've seen 5 devices with Application F complete the update (redundancy = 5). If there is any update issue for devices with Application F, we will start getting some signals about it. Attributes not seen that many times, like Model D, haven't contributed to the learning yet. If an issue is discovered after the update, such as with Application F, the IT pro can now pause the rollout or remediate the issue before proceeding with additional waves.

As we move through Waves 2, 3, and 4, we continue to update devices while learning and building confidence in the update outcomes of the remaining devices in the deployment. By the final wave, we see that even the device for which we have the lowest confidence (Device 23) has at least 6 layers of redundancy on each of its attributes.

                                    Models          Applications                    Drivers
Redundancy (times seen from start)  A   B   C   D   A   B   C   D   E   F   G   H   A   B   C   D   E   F   G   H
Wave 1                              0   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0
Wave 2                              2   1   1   1   5   3   1   3   3   5   2   1   5   5   5   1   4   1   1   1
Wave 3                              4   2   2   2   8   7   2   7   6   8   4   2   8   10  9   2   8   2   2   2
Wave 4                              7   2   3   3   12  9   2   8   7   12  5   3   12  15  13  2   12  2   2   2
Wave 5                              11  2   3   4   15  11  2   9   9   15  6   3   15  18  16  2   15  2   2   2
Overall frequency                   16  2   3   4   19  13  2   11  10  19  7   3   19  20  19  2   17  2   2   2

Figure 3. Confidence levels based on redundancy (i.e. the number of times each attribute has already been updated) at the pre-deployment state of each update wave

When you have more confidence in update outcomes, the risk of unexpected issues is lower. Importantly, you are better set up to address any issues that may come up and protect devices. Gradual rollouts in the deployment service help you build this confidence and ensure that more devices in your population have a smooth update experience. The best part is that this illustrated process is fully automated by the gradual rollouts feature in the Windows Update for Business deployment service.
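To make the redundancy bookkeeping behind Figure 3 concrete, here is an added example (not code from the post or from the deployment service) that computes the per-attribute redundancy at the pre-deployment state of each wave and the least-covered device in each wave, for a constructed 8-device inventory. The greedy wave ordering in it is an assumption used for illustration, not Microsoft's machine-learning model.

```python
from collections import Counter

# Constructed 8-device inventory using the post's attribute kinds (model,
# application, driver); illustrative values, not the post's 25-device data.
DEVICES = {
    1: {"model:A", "app:A", "app:F", "drv:A", "drv:B"},
    2: {"model:A", "app:B", "app:F", "drv:B", "drv:C"},
    3: {"model:B", "app:A", "app:D", "drv:A", "drv:E"},
    4: {"model:A", "app:F", "app:H", "drv:B", "drv:C"},
    5: {"model:C", "app:C", "app:F", "drv:D", "drv:E"},
    6: {"model:A", "app:A", "app:B", "drv:A", "drv:B"},
    7: {"model:D", "app:E", "app:G", "drv:F", "drv:G"},
    8: {"model:A", "app:D", "app:F", "drv:B", "drv:H"},
}

def min_redundancy(attrs, seen):
    """Lowest redundancy across one device's attributes: its weakest evidence."""
    return min(seen[a] for a in attrs)

def redundancy_table(devices, waves):
    """Per wave: the per-attribute redundancy at the pre-deployment state (the
    'times seen from start' rows of Figure 3) and the device in that wave whose
    least-covered attribute is weakest (the post's 'lowest confidence' device)."""
    seen, rows = Counter(), []
    for wave in waves:
        weakest = min(wave, key=lambda d: min_redundancy(devices[d], seen))
        rows.append({"redundancy": dict(seen), "weakest": weakest,
                     "min_redundancy": min_redundancy(devices[weakest], seen)})
        for d in wave:  # the wave completes; its attributes now count as seen
            seen.update(devices[d])
    return rows

def greedy_waves(devices, wave_size):
    """Illustrative ordering heuristic (an assumption for this example, not the
    deployment service's model): each slot goes to the device whose attributes
    are least covered so far, so rare attributes are exercised while few
    devices are exposed and later waves inherit the highest redundancy."""
    seen, remaining, waves = Counter(), set(devices), []
    while remaining:
        wave = []
        for _ in range(min(wave_size, len(remaining))):
            pick = min(remaining, key=lambda d: (min_redundancy(devices[d], seen), d))
            remaining.remove(pick)
            wave.append(pick)
            seen.update(devices[pick])
        waves.append(wave)
    return waves
```

Device 8 carries the only copy of Driver H, so its minimum redundancy stays 0 however the waves are ordered; that is the shape of the "lowest confidence device" the post points at with Device 23.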

To benefit from gradual rollouts

Let's walk through how you can configure a gradual rollout in Microsoft Endpoint Manager (Intune) (or visit Microsoft Graph to see an alternative way to do the same). To allow the deployment service to optimize the order of devices within the gradual rollout, make sure to set the AllowWUfBCloudProcessing policy using Intune, another mobile device management (MDM) solution, or Group Policy.

Device prerequisites

The following device settings must be configured to allow the deployment service to optimize your rollout:

  • Diagnostic data is set to Required or Optional.
  • The AllowWUfBCloudProcessing policy is set to 8.

Set the correct policy using Microsoft Endpoint Manager

Microsoft Endpoint Manager makes it easy to configure these device settings by creating a Configuration Profile:

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Go to Devices > Configuration profiles > Create profile.
  3. For Platform, select Windows 10 and later and then for Profile type, select Settings catalog (preview).
  4. On the Configuration settings page, select Add settings, and then on the Settings picker page, search for Allow WUfB Cloud Processing. You'll find this setting in the System category. Select the checkbox for this setting and then close the Settings picker window.
  5. Set Allow WUfB Cloud Processing to Enabled.
  6. On the Assignments page, assign the profile to the same groups you use for your Feature update profiles, then complete the wizard and select Create to deploy this settings catalog profile.

Configure a gradual rollout in Intune

Once the device configuration has been applied, any feature update policy created in Intune is now eligible for rollout optimizations. Simply choose to make the update available gradually and configure your rollout parameters. The deployment service will take over and optimize your deployment from there!


Conclusion

To recap what we've shared in this blog: the Windows Update for Business deployment service optimizes deployments to help you better protect your device population. Specifically, it automates several risk-lowering and confidence-boosting decisions, empowering you to identify and address any incompatibilities early in the deployment process. This ensures a smoother feature update experience and better protection and productivity for your users. The only thing you need to do is set up the correct policy and configure the gradual rollout, which does not affect your existing Windows Update for Business policies. In our next set of blogs following this one, we take a deeper look at how the safeguard holds and automated rollback monitoring features pair up with gradual rollouts to ensure an even more successful update experience before, during, and after the update.

To learn more, check out these resources on the deployment service and on safeguard holds:


Continue the conversation. Find best practices. Visit the Windows Tech Community.

Stay informed. For the latest updates on new releases, tools, and resources, stay tuned to this blog and follow us @MSWindowsITPro and @WindowsUpdate on Twitter.

Updated Mar 22, 2022
Version 2.0
  • wroot (Silver Contributor)

    That's nice, but for me the main issue is not how to make waves or gradual releases, but fighting all the stragglers that are not online enough or fail to update with some cryptic errors which Google says might be fixed by deleting the SoftDist folder or doing other manipulations. Out of 10k we have hundreds of such problematic machines with every feature update and it is very frustrating. What I would like is less lead time and less total time to apply an update (I know, I know, Windows 11 is great, but we still have a fleet of Windows 10) and better self-healing capabilities if users turn off PCs suddenly, if there are disk space issues, etc.

  • This is a great start. Now this needs to be expanded to application/package deployment, take delivery optimization into account (i.e. early waves should include devices from different sites that will do "cache warming") and offer proper reporting/analysis UI (or at least a way to export it into PowerBI) - this is going to be a treasure trove for any enterprise admin to understand the correlations and trends in their device/app/driver fleet.

  • barberj66 (Copper Contributor)

    I agree with what wroot stated. I see the same problems, where the vast majority of clients update without any problems, which is great, but we are always left with a number of machines which don't take the update.

    The "update failure" reason in the Intune reporting is next to useless; it most often gives a reason which is completely unrelated to the actual problem the device is having. Sadly, for these machines it means someone has to remote on or get hands on with the machine to troubleshoot what the problem is so it can be rectified. I understand the reasons for an update not installing could be one of hundreds, but I would have thought that using all the telemetry there would be some better insight into what's causing them not to update.

  • SiJackAnorak (Copper Contributor)

    Only really of use if you have an estate with lots of different makes/models in it to make the time you need to invest in it worthwhile. I'm sure most corporates keep a tight rein on their hardware and the OS builds, so it's not an issue for them. Funny how it's fixing a problem that didn't really exist before 'Modern Management'...

  • wroot (Silver Contributor)

    Not to mention WindowsUpdateLog is so cryptic and bloated that it is very hard to find anything useful in it. Nothing that a human can read and see "oh, this is a corruption in the Windows Update DB", "oh, space issues". I also suspect that the Delivery Optimization service doesn't play nice in VPN scenarios, but I cannot pinpoint that. You try dozens of things and suddenly the machine updates the next day or next week.

  • Pardu1 (Brass Contributor)

    Not bad. New features are always welcome. But as you said, "based on consumer experiences"... you have designed AllowWUfBCloudProcessing values like CPU, which are not meaningful for companies. A SMARTER gradual rollout should be able to check endpoints before assigning them to the created waves.
    An outdated or unhealthy SCCM agent could be an issue, a HybridJoin device in PENDING status, a device with no JoinType defined in AAD, Hybrids without an owner, which makes INTUNE not catch workloads passed from SCCM, if a computer belongs to a ring with the Feature PAUSED, WU services stopped, legacy WSUS configs in conflict with INTUNE settings, if a targeted device could be considered as stolen, if it could be tagged as "INSUFFICIENT UPDATE CONNECTIVITY", and so on...

    Consumer requirements to upgrade are much lower than for enterprises.

    Maybe detecting those enterprise-grade prerequisites and assigning non-compliant devices to the last wave would allow us to update faster, and at a predictable rate.
    Keep in mind that's the final, absolute goal of this subject: update as much as possible, as fast as possible, as reliably as possible, just a step below your maximum available corporate network capabilities.