IT admins can now force a feature upgrade onto a Windows 10 machine even in the face of a Microsoft attempt to block the system from receiving the refresh.
"Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back," Microsoft confirmed in an October 23 post to a company blog. "When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences."
Note: This term — safeguard hold — is new for Microsoft. Although it has long listed issues that have kept it from installing Windows 10 feature upgrades on some PCs, most commentators described them as blockers instead. Microsoft likely swung to the more euphemistic safeguard and hold because it thought the options too negative.
Normally, Microsoft prevents PCs with specified blockers — okay, safeguard holds — from downloading feature upgrades through Windows Update or Windows Update for Business (WUfB). Other methods, including WSUS (Windows Server Update Services), are not affected.
Forget the safeguard holds
What Microsoft now offers is the means to force Windows Update or WUfB to accept a PC, holds notwithstanding, and offer a feature upgrade.
Eligible PCs must be running Windows 10 Pro, Windows 10 Enterprise or Windows 10 Education — all but Home, in other words — version 1809 or later, and have applied the security update issued on October 13.
Using the Update/DisableWUfBSafeguards policy setting, aka the Disable safeguards for Feature Updates group policy, administrators can instruct a PC to skip all safeguards. There is no way, though, to skip just one of them, say, the second hold of a current list of five. Not surprisingly, there are a host of caveats linked to using Disable safeguards for Feature Updates.
For one thing, the setting is automatically nullified after a successful feature upgrade installation. To continue opting out of holds, the policy must be restored prior to each upgrade.
Microsoft also warned administrators about relying on the policy. "Opting out of the safeguards can put devices at risk from known performance issues," the firm said. "We recommend opting out only in an IT environment for validation purposes."
Nor did Microsoft promise much. "Disabling safeguards does not guarantee your device will be able to successfully update," it said. "The update may still fail on the device and will likely result in a bad experience post upgrade."
Such bad news may be warranted from Microsoft's point of view, but some admins will certainly ignore the warnings in their pursuit of uniformity. It's not uncommon for a staff to struggle with a few systems that simply won't upgrade — laggards are inevitable — and grow frustrated at Microsoft's lack of progress solving the issues causing the holds. This is a way to migrate those last few machines to the company-wide, perhaps company-mandated, version, validation be damned.
Microsoft displays safeguard holds on its Windows release health dashboard, showing them by feature upgrade. The dashboard lists, for example, the holds now active for Windows 10 2004, the upgrade released in late May, and those for Windows 10 20H2, the October release.
Tracking down held systems
Not coincidentally, Microsoft also recently added information about safeguard holds — specifically, which systems in an environment have been so designated — to the Update Compliance dashboard. Update Compliance requires Windows 10 Pro, Enterprise or Education, and mines some of the copious data those operating systems harvest for Microsoft. It also requires an Azure subscription.
In an October 22 post, Megha Sharma, a Microsoft program manager, spelled out one of the new capabilities of Update Compliance. "Update Compliance reporting surfaces the safeguard hold IDs for known issues impacting a device in the 'DeploymentErrorCode' column," Sharma wrote.
Microsoft identifies each hold with one or more identifiers, which are tucked into the descriptions on the Windows release health dashboard. With the ID from Update Compliance, the admin must then transit to the health dashboard, find the appropriate feature upgrade — the one that's being blocked — and then scour the still unsolved issues. The process sounds cumbersome, to say the least.
And according to Microsoft, it's not foolproof; some of the hold IDs reported by Update Compliance may not, in fact, be shown in the Windows release health dashboard.
"When a safeguard is the result of third-party software or hardware incompatibilities, Microsoft is subject to confidentiality requirements," Sharma said. "Only in certain circumstances are we authorised to disclose original equipment manufacturer-driven holds."