The expedite quality update feature available in Microsoft Intune (currently in preview) can help you deploy security updates faster than normal across your organization, and is especially useful when you need to make sure that the important “out-of-band” security patches get deployed to your production endpoints faster, as and when released by Microsoft.
For example, consider the July 6, 2021 out-of-band security update released by Microsoft to address a remote code execution (RCE) vulnerability in the Windows Print Spooler, known as PrintNightmare (CVE-2021-34527). To get the patch onto your managed endpoints with a much shorter turnaround time than the normal Update Ring policy allows, you can use an expedite quality update configuration profile.
Let’s go ahead and see how you can expedite Windows security updates with Microsoft Intune, a.k.a. Microsoft Endpoint Manager (MEM).
License Requirement
In addition to a license for Intune, your organization must have one of the following subscriptions:
- Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows 10 Virtual Desktop Access (VDA) per user
Supported Windows 10 editions:
- Professional
- Enterprise
- Pro Education
- Education
Create Windows 10 Quality Updates (Preview) profile in Intune to Expedite an Out-Of-Band Windows Security Update release
In the MEM Admin Center,
- Navigate to Devices > Windows 10 quality updates (Preview)
- Click on Create profile
- Give it a Name (Required) and Description (Optional)
- Select the expedite condition: pick the quality update release you want to expedite, in this case the current OOB security update.
- Set the number of days to wait before a restart is enforced to 0 days (or 1 or 2 days, as your requirements dictate; 2 is the maximum).
- Click on Next.
- Set the required assignment and click on Next.
You can deploy to either a user group or a device group. If you use an exclusion, it must be the same group type as the inclusion: you cannot include a user group and exclude a device group, or vice versa.
- Finally click on Create.
The Windows 10 quality updates (Preview) profile will get created to expedite the deployment of the selected OOB security patch to the endpoints as per the profile assignment.
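The same profile can be created and assigned from PowerShell instead of the admin center, which is handy when an OOB patch drops and you want the change scripted and reviewable. The script below is an added example written for this article, not code from the original post or from Microsoft. It assumes the beta Microsoft Graph endpoint `deviceManagement/windowsQualityUpdateProfiles`, the `expeditedUpdateSettings` schema (`qualityUpdateRelease`, `daysUntilForcedReboot`) and that the release is identified by its date string; the profile name, release date and group IDs are placeholders to replace with your own.

```powershell
# Added example (not from the original post): create and assign an expedite
# quality update profile with the Microsoft Graph PowerShell SDK.
# Assumptions, not confirmed by the post: the beta endpoint, the
# expeditedUpdateSettings schema and the date-string form of qualityUpdateRelease.
#Requires -Modules Microsoft.Graph.Authentication
param(
    [string]$ProfileName = 'Expedite - July 2021 OOB security update',
    # Assumption: the release is identified by its release date.
    [string]$ReleaseDate = '2021-07-06T00:00:00Z',
    # The post says a restart can be enforced after at most 2 days; 0 = as soon as possible.
    [ValidateRange(0, 2)][int]$DaysUntilForcedReboot = 0,
    # Include and exclude groups must be of the same kind (both user or both device groups).
    [Parameter(Mandatory)][string]$IncludeGroupId,
    [string]$ExcludeGroupId
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
$base = 'https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdateProfiles'

# 1. Create the profile. This is the equivalent of the Create profile wizard.
$body = @{
    '@odata.type'           = '#microsoft.graph.windowsQualityUpdateProfile'
    displayName             = $ProfileName
    description             = "Expedites the $ReleaseDate out-of-band security update"
    expeditedUpdateSettings = @{
        '@odata.type'         = '#microsoft.graph.expeditedWindowsQualityUpdateSettings'
        qualityUpdateRelease  = $ReleaseDate
        daysUntilForcedReboot = $DaysUntilForcedReboot
    }
}
$newProfile = Invoke-MgGraphRequest -Method POST -Uri $base -Body $body
Write-Host "Created expedite profile $($newProfile.id)"

# 2. Assign it. Exclusions use a separate target type.
$assignments = @(
    @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $IncludeGroupId } }
)
if ($ExcludeGroupId) {
    $assignments += @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $ExcludeGroupId } }
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($newProfile.id)/assign" -Body @{ assignments = $assignments }

# 3. Read back what was stored, so a mistyped release date or a missing assignment is
#    caught now rather than after the profile has quietly done nothing on your fleet.
$check = Invoke-MgGraphRequest -Method GET -Uri "$base/$($newProfile.id)?`$expand=assignments"
[pscustomobject]@{
    Id           = $check.id
    Release      = $check.expeditedUpdateSettings.qualityUpdateRelease
    ForcedReboot = $check.expeditedUpdateSettings.daysUntilForcedReboot
    Assignments  = @($check.assignments).Count
}
```

Run it with `-IncludeGroupId <objectId>` for the pilot group first; the read-back at the end is the check worth keeping even if you create the profile by hand, because the portal will happily save a profile whose assignment step was skipped.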
Enable Intune Reporting for Expedited Windows Update
Reporting of expedited Windows updates is facilitated by the Microsoft Update Health Tools on the endpoint (delivered through KB4023057).
As such, your Windows Health Monitoring profile must include Windows updates in its scope.
If your current Windows Health Monitoring profile does not include Windows updates in its scope, modify the policy to add it and save the change. Then wait for the policy change to take effect on the targeted endpoints.
After that, you should be able to receive expedited update data in the Windows updates (preview) report.
Expedite Out-Of-Band Windows Security Update – Reporting in Intune
In the MEM Admin Center,
- Navigate to Reports > Windows updates (preview)
- Click on Reports tab on the top
- Click on Windows Expedited Update Report (Preview)
- Click on Select an expedited update profile
- Select the required expedited update profile from the list (if you have many created) and click on OK
- With the expedited update profile selected, you can now click on Generate report button.
The report gets generated and shows you the update compliance status of the devices targeted by the selected expedite update profile. The Export button lets you take the report out as a CSV to hand to the concerned team (usually management or security).
As you can see, the two devices in my test environment to which the expedite update profile applies are sadly in the Error state. But troubleshooting is for another day!
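Because the report depends on the Update Health Tools being present, and because a device can show Error in the report while the patch is in fact installed, it helps to have an endpoint-side check that answers both questions directly. The script below is an added example for this article, not code from the original post. It assumes the Update Health Tools registers itself under the standard Uninstall registry key with a display name starting "Microsoft Update Health Tools", and the expected post-update builds it ships with (19041.1083, 19042.1083 and 19043.1083 for the July 6, 2021 OOB update on 2004, 20H2 and 21H1) are values you should verify for your own release before relying on them; the WSUS check reflects the note in the comments that expediting does not apply to WSUS-managed devices.

```powershell
# Added example (not from the original post): run locally on a targeted endpoint.
# It checks (1) whether Microsoft Update Health Tools is installed, so the device can
# report back to Intune, (2) whether the expedited build is actually on the box, which is
# what matters from a security standpoint even when the Intune report says Error, and
# (3) whether the device is WSUS-managed, in which case an expedite profile is not applicable.
param(
    # Assumption: minimum UBR (the ".NNNN" part of the build) per major build that proves the
    # expedited update is applied. Verify these against the KB article for your release.
    [hashtable]$ExpectedUbr = @{ 19041 = 1083; 19042 = 1083; 19043 = 1083 }
)

function Test-UpdateHealthTools {
    # Assumption: the tool appears in Programs and Features under this display name.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object DisplayName -like 'Microsoft Update Health Tools*' |
        Select-Object -First 1
    [pscustomobject]@{ Installed = [bool]$hit; Version = $hit.DisplayVersion }
}

function Get-ExpediteBuildState {
    param([hashtable]$Expected)
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $need  = $Expected[$build]
    [pscustomobject]@{
        Build          = "$build.$ubr"
        DisplayVersion = $cv.DisplayVersion
        TargetUbr      = $need
        # $null means this major build is not in the table, so we cannot judge it.
        UpdateApplied  = if ($null -eq $need) { $null } else { $ubr -ge $need }
        # Installed but not yet committed: the expedite profile's forced-restart timer decides when.
        RebootPending  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
}

function Test-WsusManaged {
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    [bool]($au -and $au.UseWUServer -eq 1)
}

$uht   = Test-UpdateHealthTools
$state = Get-ExpediteBuildState -Expected $ExpectedUbr
$wsus  = Test-WsusManaged

$summary = [pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    UpdateHealthTools     = $uht.Installed
    UpdateHealthToolsVer  = $uht.Version
    OSBuild               = $state.Build
    ExpeditedUpdateOnBox  = $state.UpdateApplied
    RebootPending         = $state.RebootPending
    WsusManaged           = $wsus
}
$summary | Format-List

# Non-zero exit codes make this usable as a detection/remediation script or from a
# collection tool: 1 = reporting prerequisite missing, 2 = patch not applied, 3 = WSUS-managed.
if ($wsus)                           { exit 3 }
if (-not $uht.Installed)             { exit 1 }
if ($state.UpdateApplied -eq $false) { exit 2 }
exit 0
```

A device that returns exit code 0 but still shows Error in the Intune report is a reporting problem, not a patching problem; one that returns 1 cannot report at all until KB4023057 arrives, which matches the symptom raised in the comments below.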
Wrap Up
With the normal Windows Update Ring policy, there are several factors like the Deferral period (days), Deadline period (days), and Grace period (days) on which the device restart depends to commit the update action.
In contrast, an expedite update profile can bring the device to a restart-ready state at a max of 2 days (you can even configure it to 0 days as we have done in this blog post).
And the best thing about expediting is that it does not require you to modify the existing quality update settings of your Windows 10 Update Ring policies.
An expedite profile temporarily overrides the update settings configured via the effective Update Ring policy and automatically reverts to them once the targeted update is installed.
I did it and… 6K devices in error. Am I alone?
You ended up having the same report state as in my test environment. Hopefully, you are not alone as I am trying to figure out the same.
The test device seems to have the update installed though, as such not much concern from the security perspective.
Are your devices in co-management with the WU workload moved to Intune?
No. It’s AAD-joined, Intune-only in my test environment.
Did you figure it out on why these devices are in Error state?
Check out my latest blog post which talks about expedite update Intune reporting anomalies and why it is so.
https://joymalya.com/expedite-windows-update-with-intune-behind-the-scenes-secret/
I am on Win10 21H1 and do not have Microsoft Update Health Tool installed. KB4023057 in the Windows catalog does not have 21H1; the latest that shows is 1803. Any suggestions?
Check https://support.microsoft.com/en-us/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a under How to get this update section.
You can download KB4023057 from the update catalog site till 1803 only. The other way is to use Windows Update.
Are you managing updates via WSUS? Then this is not applicable.
I use Microsoft Intune to manage updates to workstation
Not yet. But I have a pending test for this weekend, and I think I’m quite near. I will post my outcome on “Behind the scenes” if there’s something useful for everyone. Thanks for your interest.
Will wait to hear about your testing.