Deploy an expedited security update using the Windows Update for Business deployment service

With the Windows Update for Business deployment service, you can deploy Windows updates to devices in an Azure AD tenant. Today, the deployment service supports deployments of Windows 10 feature updates and expedited security updates. This topic focuses on deployments of expedited security updates. For information on deploying feature updates, see Deploy a feature update.

Expediting a security update overrides Windows Update for Business deferral policies so that the update is installed as quickly as possible. It can be useful when critical security events arise and you need to deploy the latest updates more rapidly than normal. However, while it can help to achieve compliance targets against a specific security update, it is not designed to be used every month. Instead, consider using compliance deadlines for updates.

When you deploy an expedited security update to a device, Windows Update offers the latest applicable update to the device if it has not yet received the update with the specified release date. For example, if you deploy the Windows 10 security update released on April 13, 2021 to a device that does not currently have the update, the device receives an expedited update. If the device already has the specified update or a newer one, it does not receive an expedited update.

Expedited security updates also have the following characteristics:

  • The update starts right away rather than waiting for the next regular update scan, which occurs once every 22 hours by default.
  • The update downloads and installs as quickly as possible.
  • The update process overrides configured device policy settings, such as the number of days until the device is forced to restart. After the expedited update is installed, the device returns to its current policy settings.

Prerequisites

Step 1: (Optional) Get a list of expeditable updates

You can query the deployment service catalog to get a list of updates that can be expedited to devices as content in a deployment.

Security updates are represented by the qualityUpdateCatalogEntry type, with a qualityUpdateClassification of security. All Windows 10 quality updates that are classified as security updates can be expedited, and are tagged with the isExpeditable property set to true to identify them.

Below is an example of querying for all Windows 10 security updates that can be deployed as expedited updates by the deployment service. Microsoft recommends showing only the three most current updates, so the example includes $top=3.

Request

GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$top=3&$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc

Response

HTTP/1.1 200 OK
Content-Type: application/json

{
    "value": [
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
            "id": "bd9554dc-2737-4e3c-b794-fa2b8b3f4a30",
            "displayName": "MM/DD/YYYY - YYYY.MM B Security Updates for Windows 10",
            "releaseDateTime": "String (timestamp)",
            "deployableUntilDateTime": null,
            "isExpeditable": true,
            "qualityUpdateClassification": "security"
        },
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
            "id": "68860630-c2d0-4dd2-8c4b-9b9737ee5081",
            "displayName": "MM/DD/YYYY - YYYY.MM B Security Updates for Windows 10",
            "releaseDateTime": "String (timestamp)",
            "deployableUntilDateTime": null,
            "isExpeditable": true,
            "qualityUpdateClassification": "security"
        },
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
            "id": "aa336b13-db33-4d94-89ea-90e43e4ad30b",
            "displayName": "MM/DD/YYYY - YYYY.MM B Security Updates for Windows 10",
            "releaseDateTime": "String (timestamp)",
            "deployableUntilDateTime": null,
            "isExpeditable": true,
            "qualityUpdateClassification": "security"
        }
    ]
}

Step 2: Create a deployment

Note

The first time you deploy an expedited security update in your tenant, you may experience up to a one-day delay while the service is configured for your organization. This delay does not apply to subsequent deployments or to deployments of feature updates, and will be addressed in a future update.

A deployment specifies the content to deploy, how and when to deploy the content, and the targeted devices. For quality updates, the content is specified using a target compliance date. When a deployment is created, a deployment audience is automatically created as a relationship.

When you deploy an expedited security update to a device, Windows Update offers an update that brings the device above the specified minimum compliance level. Depending on when each device scans and updates, some devices may receive newer updates (e.g. if there is a newer security update than the one corresponding to the desired minimum compliance level), but all devices meet the specified security update compliance standard. This behavior of offering the latest applicable update, indicated by the property equivalentContent being set to the default value latestSecurity, helps keep devices as secure as possible and prevents a device from receiving an expedited update followed by another regular update just days later.

You can configure the device restart grace period using the property daysUntilForcedReboot in the user experience settings of the deployment. The grace period sets the amount of time after installation during which the user can control when the device restarts. If the device has not restarted by the time the grace period expires, it restarts automatically.

Below is an example of creating a deployment for an expedited quality update. The targeted devices are specified in the next step.

Request

POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
Content-type: application/json

{
    "@odata.type": "#microsoft.graph.windowsUpdates.deployment",
    "content": {
        "@odata.type": "microsoft.graph.windowsUpdates.expeditedQualityUpdateReference",
        "releaseDate": "YYYY-MM-DD"
    },
    "settings": {
        "@odata.type": "microsoft.graph.windowsUpdates.windowsDeploymentSettings",
        "userExperience": {
            "daysUntilForcedReboot": 2
        }
    }
}

Response

HTTP/1.1 201 Created
Content-Type: application/json

{
    "@odata.type": "#microsoft.graph.windowsUpdates.deployment",
    "id": "b5171742-1742-b517-4217-17b5421717b5",
    "state": {
        "@odata.type": "microsoft.graph.windowsUpdates.deploymentState",
        "value": "offering",
        "reasons": [
            {
                "@odata.type": "microsoft.graph.windowsUpdates.deploymentStateReason",
                "value": "offeringByRequest"
            }
        ],
        "requestedValue": "none",
        "effectiveSinceDate": "String (timestamp)"
    },
    "content": {
        "@odata.type": "microsoft.graph.windowsUpdates.expeditedQualityUpdateReference",
        "releaseDate": "YYYY-MM-DDT00:00:00Z",
        "classification": "security",
        "equivalentContent": "latestSecurity"
    },
    "settings": {
        "@odata.type": "microsoft.graph.windowsUpdates.windowsDeploymentSettings",
        "userExperience": {
            "daysUntilForcedReboot": 2
        },
        "monitoring": null,
        "rollout": null
    },
    "createdDateTime": "String (timestamp)",
    "lastModifiedDateTime": "String (timestamp)"
}

Step 3: Assign devices to the deployment audience

After a deployment is created, you can assign devices to the deployment audience. Devices can be assigned directly, or via updatable asset groups. Once the deployment audience is successfully updated, Windows Update starts offering the update to the relevant devices according to the deployment settings.

Devices are automatically registered with the service when added to the members or exclusions collections of a deployment audience (i.e. an azureADDevice object is automatically created if it does not already exist).

Below is an example of adding updatable asset groups and Azure AD devices as members of the deployment audience, while also excluding a specific Azure AD device.

Request

POST https://graph.microsoft.com/beta/admin/windows/updates/deployments/{deploymentId}/audience/updateAudience
Content-type: application/json

{
    "addMembers": [
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.updatableAssetGroup",
            "id": "String (identifier)"
        },
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
            "id": "String (identifier)"
        },
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
            "id": "String (identifier)"
        }
    ],
    "addExclusions": [
        {
            "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
            "id": "String (identifier)"
        }
    ]
}

Response

HTTP/1.1 202 Accepted
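As an added, offline example (not code from this article or from the Microsoft Graph reference), the Python below walks the three steps end to end and models the offering rule described under Step 2: it builds the Step 1 catalog query, filters and orders a catalog response, turns the newest expeditable entry into the Step 2 deployment body, builds the Step 3 updateAudience body, and shows which release a device is offered when equivalentContent is latestSecurity. Endpoint paths, property names and OData types are taken from the article; the sample catalog payload, the ids, the non-negative check on daysUntilForcedReboot and the member/exclusion overlap check are assumptions of the example, and nothing is sent over the network.

```python
"""Offline walkthrough of the expedite flow: catalog query, release selection,
deployment body, audience update, and the latestSecurity offering rule.
Added example: endpoints follow the article; payload and ids are constructed."""
from datetime import date
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/beta/admin/windows/updates"
ENTRY_TYPE = "microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry"


def _entry(n, when, expeditable=True, cls="security"):
    # Constructed catalog entry; the id is a placeholder, not a real catalog id.
    return {"@odata.type": "#" + ENTRY_TYPE, "id": f"00000000-0000-0000-0000-{n:012d}",
            "releaseDateTime": when, "isExpeditable": expeditable,
            "qualityUpdateClassification": cls}


# Constructed stand-in for a Step 1 response: three expeditable security entries
# delivered out of order, plus one non-security entry for the filter to drop.
SAMPLE_CATALOG_RESPONSE = {"value": [
    _entry(2, "2021-03-09T00:00:00Z"),
    _entry(1, "2021-04-13T00:00:00Z"),
    _entry(9, "2021-03-23T00:00:00Z", expeditable=False, cls="nonSecurity"),
    _entry(3, "2021-02-09T00:00:00Z"),
]}


def catalog_query_url(top: int = 3) -> str:
    """Step 1: the article's query; urlencode percent-encodes the spaces and
    quotes inside $filter while leaving the $ of the OData options alone."""
    params = {
        "$top": str(top),
        "$filter": f"isof('{ENTRY_TYPE}') and {ENTRY_TYPE}/isExpeditable eq true",
        "$orderby": "releaseDateTime desc",
    }
    return f"{GRAPH}/catalog/entries?{urlencode(params, safe='$')}"


def expeditable_security_entries(catalog_response: dict) -> list:
    """Step 1, client side: re-check the two properties the article says mark
    expeditable content and sort newest first, so entries[0] is the release to expedite."""
    entries = [
        e for e in catalog_response.get("value", [])
        if e.get("@odata.type") == "#" + ENTRY_TYPE
        and e.get("isExpeditable") is True
        and e.get("qualityUpdateClassification") == "security"
    ]
    return sorted(entries, key=lambda e: e["releaseDateTime"], reverse=True)


def release_date_of(entry: dict) -> date:
    """releaseDateTime is a timestamp; the deployment body wants YYYY-MM-DD."""
    return date.fromisoformat(entry["releaseDateTime"][:10])


def deployment_body(release: date, days_until_forced_reboot: int = 2) -> dict:
    """Step 2: body for POST /deployments.  The non-negative check is a local
    sanity check added here, not a documented API constraint."""
    if not isinstance(days_until_forced_reboot, int) or days_until_forced_reboot < 0:
        raise ValueError("daysUntilForcedReboot must be a non-negative integer")
    return {
        "@odata.type": "#microsoft.graph.windowsUpdates.deployment",
        "content": {
            "@odata.type": "microsoft.graph.windowsUpdates.expeditedQualityUpdateReference",
            "releaseDate": release.isoformat(),
        },
        "settings": {
            "@odata.type": "microsoft.graph.windowsUpdates.windowsDeploymentSettings",
            "userExperience": {"daysUntilForcedReboot": days_until_forced_reboot},
        },
    }


def audience_update_body(group_ids=(), device_ids=(), excluded_device_ids=()) -> dict:
    """Step 3: body for POST /deployments/{id}/audience/updateAudience.  Rejecting a
    device listed as both member and exclusion is a local guard, not server behaviour."""
    overlap = set(device_ids) & set(excluded_device_ids)
    if overlap:
        raise ValueError(f"listed as both member and exclusion: {sorted(overlap)}")

    def ref(kind: str, asset_id: str) -> dict:
        return {"@odata.type": f"#microsoft.graph.windowsUpdates.{kind}", "id": asset_id}

    body = {}
    members = [ref("updatableAssetGroup", g) for g in group_ids]
    members += [ref("azureADDevice", d) for d in device_ids]
    if members:
        body["addMembers"] = members
    if excluded_device_ids:
        body["addExclusions"] = [ref("azureADDevice", d) for d in excluded_device_ids]
    return body


def offered_release(installed, target: date, entries: list):
    """The article's equivalentContent = latestSecurity rule: a device already at or
    above the target release gets nothing; a device below it is offered the newest
    applicable security update, which may be newer than the target itself."""
    if installed is not None and installed >= target:
        return None
    return max([release_date_of(e) for e in entries] + [target])
```

In practice the dicts returned by deployment_body and audience_update_body are what you would serialize and POST with a bearer token to the two endpoints shown above; the response to the deployment POST carries the id that goes into the {deploymentId} segment of the updateAudience URL. offered_release makes the Step 2 behaviour concrete: a device sitting on the March release targeted at April 13 is offered April 13 (or anything newer the catalog holds), while a device already on April 13 is left alone.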

During a deployment

While a deployment is in progress, you can pause the deployment by updating its state, as well as update its audience members and exclusions.

After a deployment

After all devices assigned to a deployment audience have initially been offered the update, it is possible that not all devices have started or completed the update, due to factors like device connectivity. As long as the deployment still exists, it continues to make sure that Windows Update offers the update to the assigned devices whenever they reconnect.