Try Windows Update for Business with Microsoft Graph

This post has been republished via RSS; it originally appeared at Microsoft Tech Community - Latest Blogs.

Have you tried Microsoft Graph to flexibly manage device workflows in the Windows Update for Business deployment service? Today, let's look at why and how to access the service directly via Microsoft Graph PowerShell SDK, Microsoft Graph Explorer, or your own custom app.

The Windows Update for Business deployment service is powered by the Microsoft Graph, giving you, the IT admin, cloud control over the approval, scheduling, and safeguarding of devices. With it, you can be sure your devices are only offered the updates you want them to receive. The deployment service is part of the Windows Update for Business family, which includes Group Policies and Windows Update for Business reports (previously Update Compliance).

If you have deployed feature updates through Intune or Autopatch, then you've already used the Windows Update for Business deployment service, which powers those experiences! In this post, we'll be showcasing the types of experiences you can create with Windows Update for Business deployment service and Microsoft Graph, including building applications.

Access our service directly through the Microsoft Graph API endpoint

You may be asking: what update management capabilities are available in the Windows Update for Business deployment service? Here's a list of the scenarios you can execute, along with the elements you'll need to use.

Note: The Microsoft Graph API supports OData filtering and querying (e.g., only show feature updates).

Scenario 1: Get a list of deployable updates

Request type: GET
URI: https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries
Request body: None

Making this call returns the catalog of deployable content: which Windows versions are in support (feature update entries) and which monthly security updates are available to expedite (quality update entries). See what that looks like in Microsoft Graph Explorer below.

[Screenshot: the Microsoft Graph Explorer interface shows a list of deployable updates]

Scenario 2: Target any supported Windows version with a feature update deployment

Request type: POST
URI: https://graph.microsoft.com/beta/admin/windows/updates/deployments
Request body: Requires the catalog entry for the target Windows version (e.g., "Windows 10, version 22H2")

Scenario 3: Expedite any available security update with an expedited security update deployment

Request type: POST
URI: https://graph.microsoft.com/beta/admin/windows/updates/deployments
Request body: Requires the catalog entry for the security update to expedite, identified by its release date (e.g., "2022-10-11")

Scenario 4: Get a list of my current feature update deployments and expedited security update deployments

Request type: GET
URI: https://graph.microsoft.com/beta/admin/windows/updates/deployments
Request body: None

Scenario 5: Enroll and unenroll devices in feature update management

Request type: POST
URI: https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/enrollAssets
or https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/unenrollAssets
Request body: Requires the Azure AD device IDs of the devices and the update category to enroll them in (e.g., feature)

Scenario 6: Get a list of all my Azure Active Directory (Azure AD) devices known to the deployment service

Request type: GET
URI: https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets?$filter=isof('microsoft.graph.windowsUpdates.azureADDevice')
Request body: None

Scenario 7: Delete and update existing deployments

Some actions you can take on your existing deployments include:

  • Delete deployments
  • Add or remove devices from a deployment audience
  • Add monitoring rules to feature update deployments

See the sample queries under Graph Explorer > Windows Updates to try it out.
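The following PowerShell script is an added example, not code from the original post or from Microsoft: it walks scenarios 1 to 5 and 7 with the Microsoft Graph PowerShell SDK's Invoke-MgGraphRequest against the beta endpoints listed above, creating a feature update deployment with gradual rollout and a monitoring rule, enrolling devices, adding them to the audience, expediting a security update, listing deployments, and deleting one. The device IDs are placeholders, the target version and rollout numbers are assumptions, and the JSON body shapes follow the beta windowsUpdates reference at the time of writing; beta can change, so confirm field names against the current docs before relying on it.

```powershell
# Added example (not from the original post): drive the deployment service through
# the beta Graph endpoints above (scenarios 1-5 and 7) using the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: $deviceIds holds placeholder Azure AD device IDs; the JSON body shapes
# follow the beta windowsUpdates reference at the time of writing (beta can change).

# WindowsUpdates.ReadWrite.All requires admin consent, and the signed-in user must hold
# one of the roles listed under "Check your role assignment" below.
Connect-MgGraph -Scopes 'WindowsUpdates.ReadWrite.All'
$base = 'https://graph.microsoft.com/beta/admin/windows/updates'

function Invoke-WufbPost {
    # Small wrapper: POST a hashtable as JSON and return the response as objects.
    param([string]$Uri, [hashtable]$Body)
    Invoke-MgGraphRequest -Method POST -Uri $Uri -ContentType 'application/json' `
        -Body ($Body | ConvertTo-Json -Depth 10) -OutputType PSObject
}

# Scenario 1 with OData: only feature update catalog entries, then pick the target version.
$feature = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$base/catalog/entries?`$filter=isof('microsoft.graph.windowsUpdates.featureUpdateCatalogEntry')"
$target = $feature.value | Where-Object { $_.displayName -like 'Windows 11, version 22H2*' } | Select-Object -First 1
if (-not $target) { throw 'Target feature update not found in the catalog' }

# Scenario 5: enroll devices for feature update management (placeholder IDs).
$deviceIds = @('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002')
$assets = @($deviceIds | ForEach-Object { @{ '@odata.type' = '#microsoft.graph.windowsUpdates.azureADDevice'; id = $_ } })
Invoke-WufbPost -Uri "$base/updatableAssets/enrollAssets" -Body @{ updateCategory = 'feature'; assets = $assets }

# Scenario 2: create the feature update deployment with a gradual rollout (waves of 50
# devices every 2 days) and a monitoring rule that pauses it if rollbacks exceed 5%.
$deployment = @{
    '@odata.type' = '#microsoft.graph.windowsUpdates.deployment'
    content = @{
        '@odata.type' = '#microsoft.graph.windowsUpdates.catalogContent'
        catalogEntry  = @{ '@odata.type' = '#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry'; id = $target.id }
    }
    settings = @{
        '@odata.type' = '#microsoft.graph.windowsUpdates.deploymentSettings'
        rollout    = @{ devicesPerOffer = 50; durationBetweenOffers = 'P2D' }
        monitoring = @{ monitoringRules = @(@{ signal = 'rollback'; threshold = 5; action = 'pauseDeployment' }) }
    }
}
$created = Invoke-WufbPost -Uri "$base/deployments" -Body $deployment

# Scenario 7: add the enrolled devices to the deployment audience.
Invoke-WufbPost -Uri "$base/deployments/$($created.id)/audience/updateAudience" -Body @{ addMembers = $assets }

# Scenario 3: expedite the newest expeditable security update (derived-type cast in the filter).
$quality = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri ("$base/catalog/entries?`$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry')" +
          " and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true")
$latest = $quality.value | Sort-Object releaseDateTime -Descending | Select-Object -First 1
$expedite = @{
    '@odata.type' = '#microsoft.graph.windowsUpdates.deployment'
    content  = @{
        '@odata.type' = '#microsoft.graph.windowsUpdates.catalogContent'
        catalogEntry  = @{ '@odata.type' = '#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry'; id = $latest.id }
    }
    settings = @{ '@odata.type' = '#microsoft.graph.windowsUpdates.deploymentSettings'; expedite = @{ isExpedited = $true } }
}
$expedited = Invoke-WufbPost -Uri "$base/deployments" -Body $expedite

# Scenario 4: list current deployments with the catalog entry they target and their state.
(Invoke-MgGraphRequest -Method GET -Uri "$base/deployments" -OutputType PSObject).value |
    Select-Object id, @{ n = 'catalogEntryId'; e = { $_.content.catalogEntry.id } }, @{ n = 'state'; e = { $_.state.value } } |
    Format-Table

# Scenario 7: delete the expedite deployment created above (cleanup).
Invoke-MgGraphRequest -Method DELETE -Uri "$base/deployments/$($expedited.id)"
```

Two points worth keeping in mind when adapting this: the monitoring rule and rollout settings are what stop a bad feature update from reaching the whole fleet at once, so set them before you add members to the audience rather than after; and enrollAssets and the audience update are asynchronous, so a 202 response means accepted, not enrolled; confirm with the updatable assets query in scenario 6.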

Scenario 8 (coming soon): Approve and schedule driver and firmware updates

For upcoming driver and firmware management capabilities, keep an eye out on the Windows IT Pro Blog.

Why should I use the deployment service via the Microsoft Graph API?

Now you have an idea of how powerful the deployment service can be. But you might still be asking: why would I manage updates through the Microsoft Graph API?

The great thing about the deployment service being exposed via Microsoft Graph is that it provides you, the IT admin, a unique opportunity to create a user experience that is most useful for achieving your business goals.

Use one of the three ways to make calls to the deployment service Graph API to support your existing workflows:

  1. Your own custom application that calls the Microsoft Graph API
  2. Microsoft Graph Explorer
  3. Microsoft Graph PowerShell SDK

Let's take a closer look!

Create your own custom tooling

How useful would it be to get quick answers and perform tasks directly from Teams? Here's an example of how we're leveraging our Graph API platform to add value to the Microsoft 365 ecosystem with Microsoft Teams.

It's simple to build a Teams chat bot that:

  • Tells you all the Windows versions currently in support.
  • Prompts you to create a feature update deployment of a specific Windows version.
  • Allows you to add Azure AD device IDs to the deployment audience.
  • Allows you to add monitoring and gradual rollout settings so devices are offered updates in waves. This will help you discover incompatibilities and implement solutions with the fewest devices and users affected.

See the following demo on how to create a feature update, exemplified with a Teams chat bot, without ever having to leave Teams.

Note: Any application you choose to integrate with the Microsoft Graph API (like this Teams chat bot) must be able to authenticate a user to retrieve a bearer token. A token is generated and retrieved when a user is authenticated through the Microsoft Identity Platform. The token and app also need to have the appropriate permissions set. WindowsUpdates.ReadWrite.All is a permission that requires admin consent. For more information about authentication requirements, see Authentication and authorization basics.

Use the Graph Explorer or Graph PowerShell SDK to support your existing workflows

Since the API connects you directly to the service, it gives you a window into exactly what the deployment service sees.

We've collaborated with IT consultant and Microsoft MVP Mattias Melkerson from Mindcore, who has used the Microsoft Graph API in this way:

  1. Enroll devices for feature update management in Intune (powered by the deployment service's enrollment capability).
  2. Open Microsoft Graph Explorer and enter tenant credentials to authenticate.
  3. Grant the necessary permission: WindowsUpdates.ReadWrite.All.
  4. Use the Microsoft Graph sample below to get a list of all enrolled devices (see scenario 6 above, in Access our service directly through the Microsoft Graph API endpoint).

[Screenshot: the Microsoft Graph Explorer interface highlights the query used to get a list of enrolled devices]

By doing this, you, just like Mattias, can confirm with certainty that your devices are being enrolled in the deployment service.

"My success depends on always being in control of my devices, in terms of their updates. Thanks to the Windows Update for Business deployment service, I'm able to quickly – with just a few clicks in [Graph] Explorer or a PowerShell command – get information about my devices that I need to make critical decisions."

If you do a lot of work in PowerShell, achieve the same result using the Microsoft Graph PowerShell SDK. Check out this learning module for instructions on installing and using the Microsoft Graph PowerShell SDK.
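The same confirmation done from PowerShell, as an added example that is not part of the original post or Mattias's own tooling: it runs the scenario 6 query with the Microsoft Graph PowerShell SDK, follows @odata.nextLink so a large tenant is not truncated to the first page, and reports each device's feature update enrollment. The per-device property names (enrollments, updateCategory, enrollmentState, errors) are taken from the beta windowsUpdates reference and are an assumption to verify against the current docs.

```powershell
# Added example (not from the original post): list every Azure AD device the deployment
# service knows about (scenario 6), follow @odata.nextLink paging, and report per-device
# feature update enrollment so you can confirm enrollment actually completed.
# Assumption: the azureADDevice 'enrollments' and 'errors' property shapes follow the
# beta windowsUpdates reference at the time of writing.
Connect-MgGraph -Scopes 'WindowsUpdates.ReadWrite.All'

function Get-WufbAzureAdDevice {
    # Returns all azureADDevice updatable assets. Graph pages large collections, so a
    # single GET can be incomplete without following @odata.nextLink.
    $uri = 'https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets' +
           "?`$filter=isof('microsoft.graph.windowsUpdates.azureADDevice')"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

$devices = Get-WufbAzureAdDevice
$report = foreach ($d in $devices) {
    $feature = $d.enrollments | Where-Object { $_.updateCategory -eq 'feature' }
    [pscustomobject]@{
        DeviceId   = $d.id
        # enrollmentState is reported when the service returns it; otherwise the presence
        # of a feature enrollment is enough to call the device enrolled.
        Feature    = if (-not $feature) { 'notEnrolled' }
                     elseif ($feature.enrollmentState) { $feature.enrollmentState }
                     else { 'enrolled' }
        ErrorCount = @($d.errors).Count
    }
}
$report | Sort-Object Feature | Format-Table

$notEnrolled = @($report | Where-Object { $_.Feature -eq 'notEnrolled' }).Count
"{0} devices known to the deployment service; {1} not enrolled for feature updates" -f $report.Count, $notEnrolled
```

A device that appears here with errors (for example, a registration error) is known to the service but will not be offered anything by a deployment, so the error count is the first thing to check when a device never receives an update you have approved.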

Check your readiness for Windows Update for Business deployment service

Ready to try it yourself? Here's how you can check your readiness for and enjoy this service today.

Check that you have a valid subscription

To get access to Windows Update for Business deployment service, your organization must have one of the following subscriptions:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium

Tip: Add the Microsoft 365 Business Premium subscription for free for 30 days with a valid Microsoft tenant account!

Easily check if your tenant is eligible for the Windows Update for Business deployment service by making the following call to the Microsoft Graph API while signed in as your tenant. Look for the WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE service plan. If you see it, you're already eligible!

[Screenshot: the Microsoft Graph Explorer interface shows that the tenant is eligible for the Windows Update for Business deployment service]

In some situations, organizations that have one of the licenses above might not have the required Windows Update for Business deployment service plan assigned to their SKU due to human error by the third-party setting up their volume license (VL). If this applies to you, check out Deploy Windows Enterprise licenses to learn how you can get access.

Check your role assignment

The deployment service checks user roles to ensure that only permitted users can manage updates. Any request made to the deployment service must be made by a signed-in user holding one of the following Azure Active Directory roles:

  • Global Administrator
  • Intune Administrator
  • Windows Update Deployment Administrator
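The licensing check described above and this role check, combined into one readiness script as an added example (not from the original post): it reads the tenant's subscribed SKUs for the WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE service plan and then checks the signed-in user's active directory roles against the three listed. The role match is by display name, which is an assumption that your tenant uses the default English role names; the scopes requested (Organization.Read.All and Directory.Read.All) are the ones those two Graph reads need.

```powershell
# Added example (not from the original post): check tenant licensing and the signed-in
# user's directory roles before calling the deployment service.
# Assumption: roles are matched by their default English display names.
Connect-MgGraph -Scopes 'Organization.Read.All', 'Directory.Read.All'

function Test-WufbLicense {
    # The deployment service plan must be present (and provisioned) on one of the tenant's SKUs.
    $planName = 'WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE'
    $skus = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri 'https://graph.microsoft.com/v1.0/subscribedSkus'
    foreach ($sku in $skus.value) {
        foreach ($plan in $sku.servicePlans) {
            if ($plan.servicePlanName -eq $planName) {
                [pscustomobject]@{ Sku = $sku.skuPartNumber; Plan = $plan.servicePlanName; Status = $plan.provisioningStatus }
            }
        }
    }
}

function Test-WufbRole {
    # Only activated, directly assigned directory roles show up here; a PIM-eligible role that
    # has not been activated will not, and the deployment service will reject the call.
    $allowed = 'Global Administrator', 'Intune Administrator', 'Windows Update Deployment Administrator'
    $roles = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri 'https://graph.microsoft.com/v1.0/me/memberOf/microsoft.graph.directoryRole?$select=displayName'
    @($roles.value.displayName | Where-Object { $_ -in $allowed })
}

$license = Test-WufbLicense
if ($license) { $license | Format-Table }
else { Write-Warning 'No subscribed SKU carries the deployment service plan; see Deploy Windows Enterprise licenses.' }

$held = Test-WufbRole
if ($held) { "Role check OK: $($held -join ', ')" }
else { Write-Warning 'Signed-in user holds none of the roles the deployment service accepts.' }
```

Run this before the deployment examples: a missing plan or an inactive role both surface as a 403 from the windowsUpdates endpoints, and it is quicker to distinguish licensing from role problems here than from the error body.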

Check the prerequisites

Additionally, devices managed by the deployment service must meet these requirements:

  • Be running a supported version of Windows 11 or Windows 10
  • Be joined or hybrid-joined to Azure AD
  • Have one of the following Windows 10 or Windows 11 editions installed:
    • Pro
    • Enterprise
    • Education
    • Pro Education
    • Pro for Workstations

Note: Workplace-joined (Azure AD registered) devices are not eligible for the deployment service.

Now that you have checked your readiness, you're fully empowered to leverage all the capabilities that Windows Update for Business deployment service has to offer. And the best part is you can do this in whichever manner that best achieves your business goals: Graph Explorer, PowerShell SDK, or custom application.


Continue the conversation. Find best practices. Visit the Windows Tech Community.
Stay informed. For the latest updates on new releases, tools, and resources, stay tuned to this blog and follow us @MSWindowsITPro on Twitter.
