title: Prerequisites for the deployment service
titleSuffix: Windows Update for Business deployment service
description: Prerequisites for using the Windows Update for Business deployment service for updating devices in your organization.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
manager: aaroncz
ms.collection: tier1
ms.localizationpriority: medium
appliesto:
ms.date: 01/29/2024

Windows Update for Business deployment service prerequisites

Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites.

Azure and Microsoft Entra ID

Licensing

Windows Update for Business deployment service requires users of the devices to have one of the following licenses:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium

Operating systems and editions

  • Windows 11 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
  • Windows 10 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions

Windows Update for Business deployment service supports Windows client devices on the General Availability Channel.

Windows operating system updates

  • Expediting updates requires the Update Health Tools on the clients. The tools are installed starting with KB4023057. To confirm the presence of the Update Health Tools on a device:

    • Look for the folder C:\Program Files\Microsoft Update Health Tools or review Add Remove Programs for Microsoft Update Health Tools.
    • As an Admin, run the following PowerShell script: Get-CimInstance -ClassName Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}
  • For Changes to Windows diagnostic data collection, installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended.
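
Querying Win32_Product makes Windows Installer run a consistency check on every installed MSI package, which is slow and can trigger repairs, so it scales poorly across a fleet. The following added example (not part of the original article) performs the same two checks by testing the folder and reading the uninstall registry keys; the function name Test-UpdateHealthTools is hypothetical, and it assumes the tools register under the standard HKLM uninstall keys.

```powershell
# Added example: confirm Microsoft Update Health Tools without touching Win32_Product.
# Test-UpdateHealthTools is a hypothetical helper name, not a built-in cmdlet.
function Test-UpdateHealthTools {
    [CmdletBinding()]
    param(
        # Folder named in the article; override if Program Files is relocated.
        [string]$InstallPath = 'C:\Program Files\Microsoft Update Health Tools'
    )

    # Assumption: the entry shown in Add/Remove Programs is backed by one of
    # the standard per-machine uninstall keys (native or WOW6432Node view).
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Read-only registry enumeration; keys without a DisplayName are skipped.
    $entry = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Microsoft Update Health Tools' } |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        FolderPresent  = Test-Path -LiteralPath $InstallPath -PathType Container
        ProgramEntry   = [bool]$entry
        DisplayVersion = if ($entry) { $entry.DisplayVersion } else { $null }
    }
}

# Emits one object per device; pipe to Export-Csv when collecting results centrally.
Test-UpdateHealthTools
```

A device where FolderPresent and ProgramEntry disagree is worth a closer look, since it suggests a partial install or removal.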

Diagnostic data requirements

Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population and to deploy driver updates, devices must share diagnostic data with Microsoft. For these features, the deployment service requires devices to send diagnostic data at the Required level (previously called Basic) at minimum.

When you use Windows Update for Business reports in conjunction with the deployment service, using diagnostic data at the following levels allows device names to appear in reporting:

  • Optional level (previously Full) for Windows 11 devices
  • Enhanced level for Windows 10 devices

Permissions

Note

Leveraging other parts of the Graph API might require additional permissions. For example, to display device information, a minimum of Device.Read.All permission is needed.

Required endpoints

  • Have access to the following endpoints:

  • Windows Update endpoints

    • *.prod.do.dsp.mp.microsoft.com
    • *.windowsupdate.com
    • *.dl.delivery.mp.microsoft.com
    • *.update.microsoft.com
    • *.delivery.mp.microsoft.com
    • tsfe.trafficshaping.dsp.mp.microsoft.com
  • Windows Update for Business deployment service endpoints

    • devicelistenerprod.microsoft.com
    • login.windows.net
    • payloadprod*.blob.core.windows.net
  • Windows Push Notification Services: (Recommended, but not required. Without this access, devices might not expedite updates until their next daily check for updates.)

    • *.notify.windows.com
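
When a proxy or firewall sits between devices and the internet, the quickest way to validate the allow-list is to compare denied hostnames from its logs against the patterns above. The following is an added example, not part of the original article: the function name Find-BlockedRequiredEndpoint is hypothetical and the denied hostnames are constructed sample data.

```powershell
# Added example. Patterns are copied from the "Required endpoints" list above.
$RequiredEndpoints = [ordered]@{
    'Windows Update' = @(
        '*.prod.do.dsp.mp.microsoft.com', '*.windowsupdate.com',
        '*.dl.delivery.mp.microsoft.com', '*.update.microsoft.com',
        '*.delivery.mp.microsoft.com', 'tsfe.trafficshaping.dsp.mp.microsoft.com')
    'Deployment service' = @(
        'devicelistenerprod.microsoft.com', 'login.windows.net',
        'payloadprod*.blob.core.windows.net')
    'Windows Push Notification Services (recommended)' = @('*.notify.windows.com')
}

# Flatten to (Group, Pattern) pairs so each host is reported once, first match wins.
$EndpointPatterns = foreach ($group in $RequiredEndpoints.Keys) {
    foreach ($pattern in $RequiredEndpoints[$group]) {
        [pscustomobject]@{ Group = $group; Pattern = $pattern }
    }
}

# Hypothetical helper: returns the denied hosts that the deployment service needs.
function Find-BlockedRequiredEndpoint {
    param([Parameter(Mandatory)][string[]]$BlockedHost)
    foreach ($h in $BlockedHost) {
        # Normalise case and a trailing root dot before matching.
        $name = $h.Trim().TrimEnd('.').ToLowerInvariant()
        # -like matches the whole string, so a required domain used as a
        # prefix of some other domain does not count as a match.
        $hit = $EndpointPatterns | Where-Object { $name -like $_.Pattern } |
            Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Host = $name; Group = $hit.Group; Pattern = $hit.Pattern }
        }
    }
}

# Constructed sample of hostnames a proxy reported as denied.
$deniedHosts = @(
    'host1.update.microsoft.com',           # required: Windows Update
    'payloadprod07.blob.core.windows.net',  # required: deployment service
    'login.windows.net.',                   # required, logged with trailing dot
    'windowsupdate.com.example.net',        # lookalike suffix, must not match
    'client.notify.windows.com',            # recommended: push notifications
    'intranet.contoso.example'              # unrelated
)
Find-BlockedRequiredEndpoint -BlockedHost $deniedHosts | Format-Table -AutoSize
```

Any row in the output is a required or recommended endpoint that the current egress policy is blocking.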

Limitations

[!INCLUDE Windows Update for Business deployment service limitations]

Policy considerations for drivers

[!INCLUDE Windows Update for Business deployment service driver policy considerations]

General tips for the deployment service

Follow these suggestions for the best results with the service:

  • Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day).

  • Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to 0 days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors.

  • Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it.