For organizations using Windows Update for Business (WUfB) or Windows Update, Microsoft often puts safeguard holds on Windows 10 feature updates to stop devices with known compatibility issues from receiving the updates. As Microsoft works with vendors to resolve the problems, safeguard holds are gradually lifted.
If you use Windows Server Update Services (WSUS), or another service for distributing updates to endpoints, you don’t need to worry about Microsoft’s safeguard holds. You are responsible for making sure that the feature updates you approve for distribution have been properly tested.
Update Compliance is an Azure Marketplace app that you can download for free. You can use it with Windows 10 Professional, Enterprise, and Education SKUs. It monitors the update status of your Windows endpoints.
To use Update Compliance, you need an Azure subscription that includes Log Analytics. Update Compliance is ideal for organizations that rely on WUfB to manage Windows Updates because it provides reporting that’s not part of WUfB.
For more information on WUfB, see Why You Should Use Windows Update for Business Instead of Windows Server Update Services and Managing Windows 10 Updates in a Small Businesses Environment.
Microsoft uses telemetry data that it collects from devices to determine whether they are ready for a feature update. Feature updates are usually released twice yearly and can involve a full in-place upgrade of Windows 10.
Machine learning is used to process the telemetry data. And if a potential compatibility issue is identified, with either the hardware or a driver, Microsoft blocks the feature update for the device using a safeguard hold.
Before the latest announcement at the end of October, IT administrators were able to see which devices couldn’t update in Update Compliance because of safeguard holds. But now it is possible to see which individual safeguard hold is preventing a device updating.
Two new queries help administrators view information about safeguard holds. “Devices with a safeguard hold” shows device data for all endpoints where safeguard holds are applied. And “Target build distribution of devices with a safeguard hold” shows how many endpoints have safeguard holds applied and which Windows 10 build they are currently running.
Update Compliance reports show the safeguard hold IDs in the DeploymentErrorCode column. You can check out safeguard hold IDs and the related issues for each Windows 10 release on the Windows release health dashboard.
Microsoft says information about widely deployed safeguard holds is publicly disclosed. But if a safeguard hold is due to a third-party software or hardware issue, it is often required to comply with confidentiality agreements.
The changes Microsoft has made to Update Compliance are designed to provide a better experience for administrators managing Windows endpoints. The new queries provide greater insight so that IT can understand why devices are not receiving Windows 10 feature updates.