Manage safeguards using Windows Autopatch
When you deploy updates with Windows Autopatch, deployments are automatically safeguarded by preventing devices with known or likely issues from being offered the update by Windows Update.
Safeguards are compatible with deployments of Windows 11 and Windows 10 feature updates. Safeguard holds against known issues are available for deployments of Windows 11 and Windows 10 feature updates, and safeguard holds against likely issues are available for deployments of Windows 11.
Apply all safeguards
By default, all applicable safeguards are applied to devices in a deployment. To benefit from safeguards, you don't need to specify anything additional when creating a deployment.
The following example demonstrates how to create a deployment with all safeguards applied.
Request
POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
Content-type: application/json
{
"@odata.type": "#microsoft.graph.windowsUpdates.deployment",
"content": {
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
"id": "catalog/entries/1"
}
}
}
Response
HTTP/1.1 201 Created
Content-Type: application/json
{
"@odata.type": "#microsoft.graph.windowsUpdates.deployment",
"id": "b5171742-1742-b517-4217-17b5421717b5",
"state": {
"@odata.type": "microsoft.graph.windowsUpdates.deploymentState",
"value": "offering",
"reasons": [
{
"@odata.type": "microsoft.graph.windowsUpdates.deploymentStateReason",
"value": "offeringByRequest"
}
],
"requestedValue": "none",
"effectiveSinceDate": "String (timestamp)"
},
"content": {
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
}
},
"settings": null,
"createdDateTime": "String (timestamp)",
"lastModifiedDateTime": "String (timestamp)"
}
Opt out of safeguards against likely issues
You can opt out of safeguards against likely issues in a deployment by configuring safeguard settings. If necessary, you can also opt out of safeguard holds for known issues by using the disable safeguards policy.
The following example demonstrates how to create a deployment without safeguards against likely issues. By specifying a safeguardProfile for the category of likelyIssues under the list of safeguard profiles to disable, you are configuring the deployment to offer the update to a device even if it is likely to have an update issue.
Request
POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
Content-type: application/json
{
"@odata.type": "#microsoft.graph.windowsUpdates.deployment",
"content": {
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
"id": "catalog/entries/1"
}
},
"settings": {
"@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
"contentApplicability": {
"safeguard": {
"disabledSafeguardProfiles": [
{
"category": "likelyIssues"
}
]
}
}
}
}
Response
HTTP/1.1 201 Created
Content-Type: application/json
{
"@odata.type": "#microsoft.graph.windowsUpdates.deployment",
"id": "b5171742-1742-b517-4217-17b5421717b5",
"state": {
"@odata.type": "microsoft.graph.windowsUpdates.deploymentState",
"value": "offering",
"reasons": [
{
"@odata.type": "microsoft.graph.windowsUpdates.deploymentStateReason",
"value": "offeringByRequest"
}
],
"requestedValue": "none",
"effectiveSinceDate": "String (timestamp)"
},
"content": {
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
}
},
"settings": {
"@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
"monitoring": null,
"schedule": null,
"userExperience": null,
"contentApplicability": {
"safeguard": {
"disabledSafeguardProfiles": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.safeguardProfile",
"category": "likelyIssues"
}
]
}
}
},
"createdDateTime": "String (timestamp)",
"lastModifiedDateTime": "String (timestamp)"
}