Forum Discussion
Cordell Melin
Mar 04, 2021Copper Contributor
Making sure Safeguards are respected
Moving devices from ConfigMgr SW Updates to WUfB, some will get the latest Feature Update before Compatibility Appraisal is done, thus, before any knowledge of Safeguards. How can I best ensure that t...
byteben
Mar 04, 2021Copper Contributor
Cordell Melin There is a known limitation where feature update policies may not take immediate effect when moving the Updates workload from ConfigMgr to Intune. This may result in unexpected FU being made available to the client. If this is what you mean, follow this article to understand how to use a CSP to prevent this behaviour. The policy won't override a safeguard hold. https://docs.microsoft.com/en-us/troubleshoot/mem/intune/create-feature-update-hold-co-managed-devices
4cbmelin-work
Mar 04, 2021Copper Contributor
Thank you. Since we are not yet able to take advantage of Intune, we applied the WUfB GPO Select the target Feature Update version. Thing is, we would like to let them go to latest FU offered by WU, as long as it respects any Known Issues (Safeguards).
- bytebenMar 04, 2021Copper Contributor
Hey 4cbmelin-work
Forgive me. I misunderstood the context of your question and offered advice that wasn't pertinent to your issue. I have co-management on the brain today 🙂 Regards, Ben. - Jason_SandysMar 04, 2021
Microsoft
Intune plays no part here. As noted, SafeGuard Holds are part of the Windows Update service itself (which includes WUfB); Intune as well as GPOs merely set policies for WUfB. Thus, any system using Windows Updates (including WUfB) for updates is subject to the defined SafeGuard Holds (unless as noted the registry value is present on the device to disable this which we don't recommend and is not default).
If you want to explicitly track and report on update compliance and SafeGuard hold applicability to your devices (and why wouldn't you), you should deploy the Update Compliance solution: https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-get-started. See https://techcommunity.microsoft.com/t5/windows-it-pro-blog/access-safeguard-hold-details-with-update-compliance/ba-p/1809652 for details on tracking SafeGuard Holds with Update Compliance.