cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Public preview of Microsoft Graph APIs to manage Windows updates
By
David_Mebane
Published Apr 28 2021 09:05 AM 32.5K Views
David_Mebane
Microsoft
‎Apr 28 2021 09:05 AM

Public preview of Microsoft Graph APIs to manage Windows updates

‎Apr 28 2021 09:05 AM

Gain rich control over the approval, scheduling, and protection of content delivered from Windows Update thanks to the new Microsoft Graph APIs, now available in public preview! Powered by the Windows Update for Business deployment service, these APIs enable IT professionals and app developers to:

  • Approve and schedule specific feature updates to be delivered from Windows Update – including skipping or not taking feature updates.
  • Stage deployments over a period of days or weeks using rich expressions (ex: deploy 20H2 to 500 devices per day, beginning on May 11, 2021)
  • Bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization.
  • Deliver safer update results by leveraging automatic pilots for any deployment.

Microsoft Graph is the gateway to Microsoft 365, making it easy to build apps that span organizations, users, and devices. By connecting deployment service capabilities with Microsoft Graph, app developers can easily build rich update management tools and extend these experiences with contextual user data (such as leveraging a user’s calendar data when scheduling an update).

And the best part is, if you have one of the following Windows or Microsoft 365 subscriptions, you can start using the deployment service today!

  • Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium

What is the Windows Update for Business deployment service?

The Windows Update for Business deployment service is the bridge between you and Windows Update. It allows you to approve and schedule content approvals directly through a service-to-service architecture.

01_wufb-ds-diagram.png

Here is a common scenario for the deployment service:

  1. Using a management tool, you select the target devices and approve content to be deployed. This tool may be PowerShell, a Microsoft Graph app, or a complete endpoint management solution such as Microsoft Endpoint Manager.
  2. The tool conveys your approval, scheduling details, and device selection to the deployment service.
  3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers the approved content to devices on their next check for updates.

This service-to-service architecture complements existing Windows Update for Business policies while providing unique benefits:

  • Update management now goes beyond the individual device – allowing you to easily understand what updates are applicable to your organization and how best to stage deployments.
  • Reacting to update challenges is faster than ever before – whether you need to pause or accelerate a deployment.
  • New features and capabilities are immediately delivered to all in-support Windows versions – no operating system servicing required.

The Windows Update for Business deployment service is an enterprise-grade solution that provides full control over managed content and is already certified compliant with several industry compliance standards, including: ISO 27001, FedRAMP High, HiTRUST, and SOC II.

Try the service today

With today’s public preview release, you can use the Windows Update for Business deployment service directly through the Microsoft Graph API and associated SDKs, as well as Azure PowerShell. If you're an IT pro, you can leverage these APIs and SDKs within your in-house solutions. If you're a management tool vendor, these APIs and SDKs can help you provide deployment service capabilities to your customers through multi-tenant apps.

To begin exploring the deployment service, we encourage you to use Microsoft Graph Explorer or a proven industry solution, such as Postman.

Using Microsoft Graph Explorer to interact with the deployment service

Microsoft Graph Explorer is a tool that makes it simple to make requests and see responses against Microsoft Graph. To begin using Microsoft Graph Explorer with the deployment service, sign in using your tenant.

Next, provide consent for Graph Explorer to access the deployment service on behalf of your organization. Click the settings gear icon next to your account after signing in and choose Permissions. Select WindowsUpdates.ReadWrite.All and then select the Consent action.

You are now ready to begin using the service. In the left pane, you will find several samples for Windows Updates. Start with a basic operation like list catalog entries.

Interacting with the Windows Update for Business deployment service via Microsoft Graph ExplorerInteracting with the Windows Update for Business deployment service via Microsoft Graph Explorer

While you can immediately query for data provided by the deployment service—such as available content to deploy—querying for other content, such as deployments, will depend on what have been created for your tenant. You can use Microsoft Graph Explorer to explore the capabilities provided by the deployment service and understand how to incorporate these into your apps, including:

  • Enroll in update management. Enroll devices in feature update management by setting the enrollmentUpdateCategory to feature. This will stop offering feature updates to enrolled devices until explicitly approved using the deployment service.
  • Create deployment (expedited security update). If a new critical security update is released and you want to reach compliance as rapidly as possible, you can deploy the update as expedited and control settings like the number of days until devices are required to restart.
  • Create deployment (rate-based gradual rollout). Stage a deployment over time so that devices are offered the feature update at regular intervals and according to a specified number of devices per offer.
  • Create deployment (date-based gradual rollout). Stage a deployment over time so that devices are offered the update at regular intervals until all devices receive the update by a targeted end date/time. You may also use a start date/time with any deployment to control when to begin offering the update.
  • Update deployment (replace monitoring rules). Apply monitoring rules to any deployment to detect a threshold of issues, such as number of rollbacks, and then pause the deployment or alert you to the problem.

To learn more about these operations and the associated capabilities, please see our Microsoft Graph API documentation.

Using Postman to interact with the deployment service

Like Graph Explorer, Postman is an easy tool for interacting with the deployment service and a great way to familiarize yourself with the supported operations. For detailed instructions, see Use Postman with the Microsoft Graph API.

Note
When you reach step 3.9, follow the procedure to add and consent Delegated Permissions for WindowsUpdates.ReadWrite.All.

When you reach step 6, expand the Windows Updates (beta) folder of the Postman collection to see operations you can perform with the deployment service.

Select a request such as List catalog entries, ensure any required variables are populated, then click Send to interact with the service.

Interacting with the Windows Update for Business deployment service via PostmanInteracting with the Windows Update for Business deployment service via Postman

Learn more

We're excited to see how you incorporate the deployment service into your apps. To learn more, see the Windows Update for Business deployment service overview and Microsoft Graph API documentation.

 

12 Comments
lalanc01
Iron Contributor
‎Apr 28 2021 09:36 AM
‎Apr 28 2021 09:36 AM

This is super great news, but am I missreading the fact that we cannot create a feature update deployment on a set of devices so that they will all install/enforce at the same time?

And if it's not currently the case, will it be added in the future?

 

Thank you for clarifying this part.

0 Likes
Like
David_Mebane
Microsoft
‎Apr 28 2021 09:40 AM
‎Apr 28 2021 09:40 AM

Hi lalanc01 - you can schedule a feature update to be deployed to all devices immediately or on a specific date. You do not need to rollout an update over time. Do note, however, that the specific moment in time when a device downloads and installs the update will depend on the configured WU scan policies and device connectivity. Hope this clarifies things.

Reza_Ameri
Silver Contributor
‎Apr 28 2021 12:18 PM
‎Apr 28 2021 12:18 PM

While Graph Explorer is really cool , I would like recommend to create something like script generator where we could like drag and drop basic tasks and it generates scripts. Something similar to System Center Orchestrator.

For more complex tasks using current scripts are the best way but to perform some basic tasks , it would take some times to get familiar and get script working.

lalanc01
Iron Contributor
‎Apr 28 2021 12:42 PM
‎Apr 28 2021 12:42 PM

Would also be very useful to have examples for each scenarios for those who aren't super familiar with graph API

 

Thks

lalanc01
Iron Contributor
‎Apr 28 2021 01:10 PM
‎Apr 28 2021 01:10 PM

forget my last post, I missed the part of the documentation

0 Likes
Like
Jon_Abbott
Copper Contributor
‎Apr 29 2021 05:40 AM
‎Apr 29 2021 05:40 AM

@David_Mebane  Thanks for this article really helpful.  I am very keen getting more info about the updates of our machines via MsGraph.  On this particular call no matter what I did I get a 401, any ideas?

The call I am doing is:
https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries

The error I am getting is:

{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2021-04-29T12:35:21",
"request-id": "a5adfcbe-f54c-4275-a95c-66fc12821d3d",
"client-request-id": "90630b40-4f7d-349c-f614-44f9cf34e3b2"
}
}
}
0 Likes
Like
Christian_Hemken
Copper Contributor
‎Apr 29 2021 11:14 PM
‎Apr 29 2021 11:14 PM

I see the same behavior as Jon_Abbott in all tested tenants. Does it need time to become available in all tenants?

0 Likes
Like
David_Mebane
Microsoft
‎Apr 30 2021 09:25 AM
‎Apr 30 2021 09:25 AM

Thanks Jon and Christian for trying things out! We've identified a service propagation issue that can sometimes lead to a delay in service principal provisioning and cause this issue.

Known issues with Microsoft Graph - Microsoft Graph | Microsoft Docs

 

We're working on a fix now, and this should resolve by itself. If it does not, please send an email to davidmeb AT microsoft.com and we can investigate further.

0 Likes
Like
Jan Bakker
Iron Contributor
‎Jun 10 2021 11:29 PM
‎Jun 10 2021 11:29 PM

@David_Mebane @Aaron_Oneal I've created a deployment using Intune, and assigned device groups. When I query the deployment using https://graph.microsoft.com/beta/admin/windows/updates/deployments/{deploymentID}/audience/members I got:

 

{
"error": {
"code": "NotFound",
"message": "Requested resource 'deployment audience' not found.",
"innerError": {
"date": "2021-06-11T06:23:59",
"request-id": "9c7ff654-659d-42d9-82dc-72e99ae5f521",
"client-request-id": "4c9526c3-5b03-41f0-0b3d-9a610da804a5"
}
}
}
 
I'd like to check wether a device is registered in the right deployment if possible.
0 Likes
Like
Aaron_Oneal
Microsoft
‎Jun 30 2021 04:50 PM
‎Jun 30 2021 04:50 PM

@Jan Bakker Thanks for asking about that. The process of assigning devices is currently asynchronous so there will be some delay before you see them show up. We intend in the future for devices to be present in the members list immediately after adding them. Also note that Intune is a management layer above this service which could introduce additional latency or differences due to data propagation.

0 Likes
Like
KevinJMLiang
Copper Contributor
‎Nov 03 2023 01:33 AM
‎Nov 03 2023 01:33 AM

When will the preview become formal into Graph API?

 

If I do not have following Licenses, How can I try out these APIs?

  • Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium

Thanks.

0 Likes
Like
Angie_Chen
Microsoft
‎Nov 03 2023 09:58 AM
‎Nov 03 2023 09:58 AM

@KevinJMLiang Thanks for your question! Today we are in the beta API but have plans to be promoted to v1. Regarding licenses, there is no trial license of the Windows E3/E5 or A3/A5. However, the Microsoft 365 Business Premium license has a one-month free trial which will get you access to all the same Graph API capabilities for Windows Updates. We are exploring options to grant trial licenses for our service and will likely post a blog when that becomes available. 

0 Likes
Like
Version history
Last update:
‎Apr 28 2021 11:24 AM
Updated by: