The combination of the Microsoft Graph and Windows Update for Business gives IT managers granular control over updates to users’ devices — on-site and at home.
One of the advantages of a Microsoft 365 subscription is just how much it lets you automate. At the heart of the platform is the Microsoft Graph, a set of APIs that link the underlying services together and allow you to write your own code against them. Microsoft has significantly expanded the Graph APIs since their original launch as the Office 365 APIs.
Now the APIs cover security and systems management, as well as Office data and the cloud-hosted Office services. The Graph has become a powerful tool, with one endpoint and a consistent grammar for a wide selection of very different APIs that serve many different constituencies. You can use the same Graph to build Office extensions, or to extract security data, or now, to directly manage PCs, laptops, and phones that are connected to your Intune service. Microsoft has even opened up incoming connections to third parties, allowing data to cross from cloud to cloud.
As it has grown, the Microsoft Graph has evolved into a common grammar for services. If you’ve built code that works with one service, it’s not hard to switch to another, with each call requiring similar authorisations and having a similar structure. It’s a sensible approach, as it makes learning the Microsoft Graph relatively simple and reduces the need to retrain when new services launch.
Using Windows Update for Business instead of WSUS
Some of the latest additions are a new set of APIs that add support for the Windows Update for Business service. Windows Update for Business (WUfB) is best thought of as a managed version of the consumer Windows Update service, or as an alternative to running a locally hosted Windows Server Update Services (WSUS) instance. With more and more staff working remotely, using Windows Update for managed devices makes sense, as it moves update traffic off congested and slow VPNs and lets users benefit from their home broadband connections, with devices fetching updates directly from Microsoft rather than from a server inside the corporate network.
Management policies control what’s delivered to devices, working with different types of update (feature updates, quality updates, driver updates, and Microsoft product updates). You can control whether users have access to Windows Insider builds, managing the channels that groups of users can use so you can monitor new releases in advance of general availability. Administrators can defer updates — for example, holding back Patch Tuesday quality updates until they have been tested by an IT department. Similarly, updates can be paused if they’re seen to cause problems.
Windows Update for Business allows you to control when devices update, using Windows' built-in tooling to deploy outside active hours. Because it relies on features like this, it's best to treat WUfB as a light-touch management tool that sets basic policies and then lets Windows do the work. Users keep some control over the process: you can set deadlines and grace periods that require an update to be installed within a set number of days, and control when devices restart once it is. Microsoft provides an Update Baseline, a set of pre-built policies that you can modify as necessary for your business needs.
Adding APIs to Windows Update for Business
WUfB is a powerful way to control updates, but as part of Microsoft 365 it becomes a programmable tool, thanks to a set of APIs currently in preview. Instead of relying on policies alone to control updates, you can use the Microsoft Graph to get more granular control of the service, building applications that manage updates via API calls. If you prefer, you can make the same Graph calls from PowerShell. The APIs manage the deployment service in the cloud, not the Windows Update client on devices, although the service can be used to collect monitoring signals from those clients.
Those signals are a useful tool, and the Graph lets you set thresholds for alerts based on those signals. Not every failed update is a sign that you have to pause updates: a user may have accidentally shut a PC down forcing a rollback, for example. However, five rollbacks for a single update is probably a signal that needs investigating.
Controlling and managing updates with the Microsoft Graph
Using the APIs and Windows Update for Business does require managed devices to be part of an Azure Active Directory (AAD). This allows you to enrol them in the deployment service, adding update categories to a device registration. New devices are automatically added to AAD when enrolled, creating the appropriate entries in the Microsoft Graph for your organisation. You can do this enrolment using the Graph APIs, with one call able to enrol many devices at once.
The ability to batch up multiple devices into a single call to the WUfB API is useful. Administering devices in bulk makes a lot of sense, and it allows you to use Azure Active Directory queries to select devices by user, group, or even type, and then make the appropriate settings in the Graph. If you want to block the current feature update for devices in your marketing department, for example, one query can select the requisite device IDs from the Graph, and another can block updates for all those IDs. All you need is code to make the initial API call, parse the returned data, and then construct the call that manages the service.
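The batching pattern described above, as an added example rather than code from the article or from Microsoft: it resolves an Azure AD group by name, pages through its device members, and enrols all of them into feature-update management with a single enrollAssets call, which makes the deployment service the only source of feature updates for those devices and so holds the current feature update back until you explicitly deploy it. It uses the Microsoft.Graph PowerShell SDK's Invoke-MgGraphRequest; the group name is an assumption, and the endpoint and body shapes follow the beta deployment-service docs at the time of writing, so check them against the current reference before relying on them.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Authentication

# Delegated scopes needed to read group membership and manage the deployment service.
Connect-MgGraph -Scopes 'WindowsUpdates.ReadWrite.All', 'GroupMember.Read.All', 'Device.Read.All'

$groupName = 'Marketing Devices'   # assumption: an Azure AD group whose members are device objects

# 1. Resolve the group by display name.
$groups = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq '$groupName'&`$select=id").value
if (-not $groups) { throw "Group '$groupName' not found" }

# 2. Page through the group's device members. The deployment service identifies a device by
#    its Azure AD device ID (the deviceId property), not by the directory object id.
$deviceIds = @()
$uri = "https://graph.microsoft.com/v1.0/groups/$($groups[0].id)/members/microsoft.graph.device?`$select=deviceId,displayName"
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($device in $page.value) { $deviceIds += $device.deviceId }
    $uri = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
}
if ($deviceIds.Count -eq 0) { throw "No devices in group '$groupName'" }

# 3. One call enrols every device into the 'feature' update category.
$body = @{
    updateCategory = 'feature'
    assets = @($deviceIds | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.windowsUpdates.azureADDevice'; id = $_ }
    })
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/enrollAssets' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# 4. Enrolment is asynchronous; read each asset back to see its enrolments and any errors.
foreach ($id in $deviceIds) {
    $asset = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/$id"
    $asset | ConvertTo-Json -Depth 5
}
```

The read-back loop at the end is the check a practitioner wants: a successful POST only means the request was accepted, and a device that is not yet registered with the service shows up as an error on the asset rather than as a failed call.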
One useful feature of the service is the ability to expedite updates when they fix an urgent security issue that might impact your business. Windows Update for Business will install the version specified unless it, or a newer one, is already installed. You can start by getting a list of updates that can be expedited using a single call, and then use that data to build a deployment request that can force a reboot shortly after the update has been installed. Once you have defined a deployment, you can get a list of applicable devices, which can be used to target the deployment. This approach lets you exclude certain devices, for example exempting devices in the finance team when you're close to quarter end and are expecting users to be completing key reports.
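The expedite flow described above, together with the rollback threshold mentioned earlier, as an added example that is not the article's or Microsoft's own code: it lists the quality updates the service can expedite, creates an expedited deployment that forces a restart two days after install and pauses itself if the rollback signal crosses a threshold, and then sets the deployment audience from a list of target device IDs minus a list of exclusions. The two ID lists are assumed inputs (in practice they would come from Azure AD group queries), and the endpoint names, setting names and the monitoring rule's percentage threshold are taken from the beta deployment-service docs at the time of writing, so treat them as assumptions to verify.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'WindowsUpdates.ReadWrite.All'

$graph = 'https://graph.microsoft.com/beta/admin/windows/updates'

# Assumed inputs: Azure AD device IDs to target and to exempt (finance, near quarter end).
$targetDeviceIds  = @('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002')
$excludeDeviceIds = @('00000000-0000-0000-0000-000000000002')

# 1. List quality updates the service can expedite and pick the newest.
$filter = "isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and " +
          "microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true"
$entries = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/catalog/entries?`$filter=$([uri]::EscapeDataString($filter))").value
if (-not $entries) { throw 'No expeditable quality updates found' }
$latest = $entries | Sort-Object releaseDateTime -Descending | Select-Object -First 1
"Expediting $($latest.displayName) ($($latest.id))"

# 2. Create the deployment: expedited, restart forced 2 days after install, and a monitoring
#    rule that pauses the deployment if 5% of targeted devices roll the update back.
$deployment = @{
    '@odata.type' = '#microsoft.graph.windowsUpdates.deployment'
    content = @{
        '@odata.type' = '#microsoft.graph.windowsUpdates.catalogContent'
        catalogEntry = @{
            '@odata.type' = '#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry'
            id = $latest.id
        }
    }
    settings = @{
        '@odata.type' = '#microsoft.graph.windowsUpdates.windowsDeploymentSettings'
        expedite       = @{ isExpedited = $true }
        userExperience = @{ daysUntilForcedReboot = 2 }
        monitoring     = @{
            monitoringRules = @(@{ signal = 'rollback'; threshold = 5; action = 'pauseDeployment' })
        }
    }
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deployments" `
    -Body ($deployment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
"Created deployment $($created.id)"

# 3. Target the deployment: add the members, and register exclusions for the exempt devices.
#    Exclusions win over membership, so a device in both lists is not updated.
$asAsset = { param($id) @{ '@odata.type' = '#microsoft.graph.windowsUpdates.azureADDevice'; id = $id } }
$audience = @{
    addMembers    = @($targetDeviceIds  | ForEach-Object { & $asAsset $_ })
    addExclusions = @($excludeDeviceIds | ForEach-Object { & $asAsset $_ })
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deployments/$($created.id)/audience/updateAudience" `
    -Body ($audience | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# 4. Read the deployment back to confirm its state before telling anyone it has gone out.
Invoke-MgGraphRequest -Method GET -Uri "$graph/deployments/$($created.id)" | ConvertTo-Json -Depth 10
```

Keeping the exclusion list separate from the member list, rather than filtering the targets client-side, records the exemption on the service itself, so a later call that adds more members does not accidentally pull the finance devices back in.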
You will need an appropriate subscription to use the APIs: either a Windows 10 Enterprise or Windows 10 Education subscription, or the equivalent Microsoft 365 subscription. The APIs also support the SMB-focused Microsoft 365 Business Premium subscription and Windows Virtual Desktop in the cloud.
The combination of the Microsoft Graph and Windows Update for Business is a powerful one, giving you many of the features you need to manage and support updates for remote users. As more and more staff move to working from home at least some of the week, you can’t rely on them being on the office network when an important update is released. Using the Graph APIs to control Windows Update means you don’t need additional software on client devices, reducing management overhead — and letting users use their work PCs exactly as they would their personal devices, with no training needed.