IT administrators using Update Compliance now have access to information on which safeguard holds are preventing individual devices in their organization from updating to a new version of Windows 10.
What are safeguard holds?
Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10.
The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices. Safeguard holds only affect devices that use the Window Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services (WSUS)) to remain aware of known issues that might also be present in their environments.
How can you monitor safeguard holds impacting devices in your organization?
Previously, IT administrators using Update Compliance could see which devices were unable to update due to safeguard holds, but did not have any information on which individual hold was preventing the device from updating. We have made improvements to Update Compliance to address this customer pain point.
Update Compliance now supports two queries designed to help you retrieve data related to safeguard holds. The first query, “Devices with a safeguard hold”, shows the device data for all devices impacted by safeguard holds. The second query, “Target build distribution of devices with a safeguard hold”, shows data specific to how many devices are prevented from updating and which build version they belong to. One commercial ID can have devices that could be on different OS build versions. The “Target build distribution” queries displays the devices belonging to different build versions impacted by safeguard holds in the form of a chart.
Safeguard holds as they appear in Update Compliance
Update Compliance reporting surfaces the safeguard hold IDs for known issues impacting a device in the ‘DeploymentErrorCode’ column. Every safeguard hold has a unique ID associated with it. Safeguard hold IDs for documented issues will be included in the Windows release health dashboard. To determine which safeguard hold is preventing your device’s update, go to the “Known issues and notifications” page for the specific version to which you are attempting to update (e.g. Known issues and notifications for Windows 10 and Windows Server, version 20H2). Once you have navigated to the appropriate known issues and notifications page, search (Ctrl + F) for the safeguard ID blocking your device (e.g. “25178825”). This process enables you to easily look up information related to the safeguard hold impacting your devices if that safeguard hold’s documentation is publicly available.
Safeguard IDs as they appear on the Windows release health dashboard
Microsoft publicly discloses information about safeguard holds preventing Windows updates when the holds are broadly applied, and Microsoft can independently address the issues driving the block. When a safeguard is the result of third-party software or hardware incompatibilities, Microsoft is subject to confidentiality requirements. Only in certain circumstances are we authorized to disclose original equipment manufacturer-driven holds.
Safeguard holds help deliver a positive update experience. Similarly, this new reporting capability in Update Compliance helps to ensure that IT administrators have a positive management experience with the insights they need to effectively manage the devices in their organization. This is another step in our path toward providing IT administrators with greater transparency and control when managing Windows updates.