Updating your computers and mobile devices is something that requires regular attention. Indeed this is rather important for a few reasons. For example, there are security updates to enhance your security posture and reduce the risk of breaches. Another important reason is to fix problems with applications. Additionally, updates can remedy issues with the operating system itself. This is where Windows safeguard holds come into play.
But, even though we perform updates expecting to improve the user experience, it doesn’t always work out that way. There are compatibility issues with particular devices sometimes. And in the worst of scenarios, you might lose connectivity, key functionality, or data. This is why Microsoft has systems in place to try and limit any problems to as few devices as possible.
What are Windows safeguard holds?
By leveraging data on compatibility and quality, Microsoft can identify issues that may cause a Windows client feature update to fail or rollback. In the instances where such issues arise, applying safeguard holds to update service helps.
Consequently, this action will prevent the affected devices from installing the update. It thereby protects them from any issues. Microsoft can also employ safeguard holds when clients, partners, or Microsoft internal validation find issues. It’s helpful for those issues that cause severe problems and there is no immediate solution available. Examples of possible events include loss of key functionality, rollback of update, and data loss.
With the use of safeguard holds, devices with known issues won’t be offered new versions of an operating system. However, once a fix has been found and verified, the update will become available.
Microsoft’s objective with safeguard holds is to enable clients to have a flawless experience when their devices are updating to new versions of Windows client. Those that use the Windows Update service for the deployment of new versions of Windows to their devices would already have benefited from the use of holds for known issues. These clients include all those using Windows Update for Business.
Looking at issues
When Microsoft describes how safeguard holds work, there is a lot of mention of the issues for which holds apply. But, what exactly are these issues? There are known issues. These are problems that can manifest after an upgrade is discovered by Microsoft or reported by clients or partners. Only after assessment and confirmation of an issue, for a specific set of devices, can it fall under known issues.
The next type are likely issues. As the name suggests, these issues are suspected, but not yet confirmed. What we have here are issues that have been picked up by the machine learning service across millions of unmanaged devices, corporate or personal. The service performs daily scans. And it searches for app or driver malfunctions, rollback during setup, connectivity issues, and more.
Subsequently, the machine learning service then looks for links among device hardware and software characteristics. This will then help to identify a larger set of devices yet to perform any updates to protect them. Basically what goes on in these instances is that there are issues that are yet to be confirmed. However, because they are likely it’s good practice to safeguard the at-risk devices.
How does it work?
Here are additional aspects to understand when recognizing how Windows safeguard holds work.
Identification of known issues
As one would expect, the process would naturally start by identifying the relevant issues. Microsoft has a setup that allows for the collection of feedback from various channels. This information is regarding known issues about a Windows update, now collected for your review.
Although there is an internal testing process, Microsoft also requires feedback from Windows Insiders, clients, and partners. And then, as issues are identified, device-specific criteria develop and for application to affected devices as a safeguard hold. These devices will no longer have access to updates until a fix is found and implemented.
Identification of likely issues
For the safeguarding of likely issues, Microsoft can use data obtained across millions of daily devices. Unmanaged by IT, these devices are installing the upgrade from the Windows Update.
All the diagnostic data that Microsoft has from the millions of client devices feeds into the machine learning system. From this, identity patterns associated with update-related disruptions can then be automatically identified. All data usage follows Microsoft’s privacy policy.
Safeguarding of devices
The actual safeguarding of devices can begin once the machine learning algorithm picks up a pattern. After this happens, a temporary safeguard hold for a likely issue is implemented. How long this hold remains in place can vary. But the priority will be device protection rather than progress.
This means the user experience can be preserved and IT staff can have fewer things to worry about. Because of the resultant delay, the few weeks you get can be used to decide how to proceed with the update in a way that keeps your devices protected and productive. The system intends to address the temporary hold for a likely issue in a matter of four to six weeks. This can be done in one of two ways:
- Confirmation of the likely issue which consequently sees it transitioned to a known issue and thus sees the safeguard hold maintained.
- In the second scenario, the issue is deemed to be a false positive and therefore the hold will be removed and devices can therefore begin updating.
Known and Unknown Issues
In the first option mentioned where the issue has been confirmed meaning the device is not in a position to update, the classification changes to a known issue. What this does is that it will continue to delay the upgrading of the device until a fix has been found and implemented.
When the system determines that the issue was actually a false positive, all unaffected devices will have the safeguard hold removed. In that case, any upgrades that are approved by the IT team may proceed as normal. According to information from Microsoft, two main criteria are used to determine whether to implement automatic safeguard holds for likely issues. These are:
- In cases where deployment to consumer devices that are likely exposed to the issue has been paused.
- The second criterion concerns situations where there are issues that are under active investigation by Microsoft engineers.
When it comes to Windows Update, Windows safeguard holds will be kept in place until the Microsoft investigation has been completed and a fix has been developed and verified. Only then will the solution be made available to the affected devices and update deployment restored.
So devices can only resume being offered updates after a fix has been delivered by Windows Update or a third party thereby lifting the safeguard hold. Under those circumstances, customers can be offered a seamless protection experience.
Taking advantage of Windows safeguard holds
Making use of the features that Microsoft has put in place can go a long way in improving the security posture of your organization. Leveraging safeguard holds will help you to get a better update deployment experience. These features will be available to you via the likes of Microsoft Intune, PowerShell SDK, Update Compliance, and Microsoft Graph.
You’ll find that deployment scheduling controls are consistently available. But, you need to, first of all, configure your devices to share diagnostic data with Microsoft and leverage available reporting tools. Without performing this action you won’t be able to benefit from the unique deployment protections tailored to devices under your management.
ยง Pre-requisites
Before you can start benefiting from everything that safeguard holds have to offer, you need to meet a few requirements. These are:
- You need to verify that diagnostic data is set to Required or Optional.
- Secondly, you should have the AllowWUfBCloudProcessing policy set to 8. You can see how to do this in Microsoft Endpoint Manager, using Group Policy, or mobile device management.
Something that you do need to be aware of is that safeguards holds are applied to Windows Update for Business deployments by default. This is to ensure that your environment can benefit from optimal user experience and so opting out or doing manual updates is not recommended. However, in strict IT environments and for validation purposes you may still do that.
Keep track of safeguard holds reporting
One thing that you’ll want to do to stay up to date is to be meticulous about verifying safeguard hold records. When a safeguard hold is put in place, you can go to the M365 Admin Center or the Known Issues sections of the Windows release health dashboard online to get more information about the issue in question. The system also allows you to keep track of all the devices in your environment through up-to-date reporting.
For those that use Update Compliance, you can access information regarding which devices under your management are affected by which specific safeguard holds. To do this, you’ll have to check your safeguard hold report. For those who use Intune, on the other hand, safeguard holds are now visible in the Feature Update Failures Report.
How to opt-out
If you decide to opt-out, you can do so using the Local Group Policy Editor. This can be done by following the steps given below:
- Navigate to the Open the Local Group Policy Editor (gpedit.msc).
- In that section, look for the policy location in the left pane of the Local Group Policy Editor.
- Next, head over to the right pane of Manage updates in the Windows Updates section of the Local Group Policy Editor. Proceed to tap on Disable safeguards for Feature Updates.
Microsoft recommendations
Until a solution has been developed and implemented and the safeguard hold has been released, Microsoft strongly cautions against performing manual updates. If you choose to opt-out of a safeguard hold, you should do so knowing that the concerned devices will be at risk of being affected by known performance issues.
So if you have made the decision that you still want to opt out despite the risk, you should make sure that you perform rigorous tests that will help you to verify the degree of the potential impact.
There is a way, however, for you to reduce your risk of being affected by issues and still opt-out. This can be possible as long as your IT admins check in regularly with Update Compliance and the Windows release health dashboard. If you’re in this position, you can have a greater degree of security when temporarily opting out so that you can enable an update to proceed.
As mentioned previously, this is still only recommended when in strict IT environments and for validation purposes. Furthermore, you should be aware that even if you do opt out, this will be temporary and only lasts the time it takes to complete the update. So as soon as that is done, the safeguard hold is automatically reapplied.
Wrap up about Windows safeguard holds
Compatibility issues are nothing new and we’ve all probably encountered them at one point or another. The frustration that this can cause as well as the cost in productivity terms can be immense. Loss of data or connectivity from an update that hasn’t worked out can mean downtime for the affected users.
That is why Microsoft has developed a service that is capable of monitoring quality and compatibility. Having this data means that issues can be swiftly identified and thus limit the number of devices that are affected.
In addition, the fact that this data is obtained from various sources including clients and Microsoft partners enables the creation of a very comprehensive compilation of information. Once issues are identified, safeguard holds are applied to allow for an investigation to take place, and a solution to be developed and applied. I think it’s pretty safe to say that safeguard holds can go a long way in giving users a streamlined experience and IT greater peace of mind.
Pingback: Intune Newsletter - 12th January 2024 - Andrew Taylor