Expedite Windows Update with Intune – Behind the Scenes Secret

In my last blog post, we talked about how you can expedite the current July 6 out-of-band security update released by MS to address the PrintNightmare (CVE-2021-34527) security bug.

Today let’s get to see how the expediting process actually works. Also, we will talk about the possible reporting issue that you may encounter. So let’s get started.

Expedite Windows Update with Intune – How it works

Expedite Windows Update with Intune - Behind the Scenes How It Works
  1. Microsoft releases the monthly B update or an Out-Of-Band security patch via Windows Update.
  2. Admin creates a Windows 10 quality update profile in Intune to expedite the deployment of the patch.
  3. The expedite policy is processed by the Windows Update for Business Deployment service.
  4. The client (Microsoft Update Health Tools) receives the expedite policy.
  5. The client sets the expedite restart deadline and triggers the Windows Update client to perform a scan.
  6. The Windows Update client on the endpoint performs the scan to discover updates applicable to the endpoint.
  7. The “Applicable Update” is downloaded and installed. [MS docs have explained this nicely already.]
  8. The Windows Update client restarts the system to commit the update, respecting the restart deadline set in the expedite policy. Windows Update settings are then reverted to the original settings configured via the Update Ring policy.
  9. The Microsoft Update Health Tools (expedite client) monitors the expedite update process and sends the actual status back via telemetry. [Requires Windows Health Monitoring to have Windows updates added in its scope!]
  10. Admin gets to view the Expedite update report from Intune.

Optional: A push notification is triggered to notify the Microsoft Update Health Tools (which acts as the dedicated client for the expedite update process) present on the endpoint about the new expedite policy.

Microsoft Update Health Tools acts as the dedicated client on the endpoint for the expedite update process

If WNS channels are blocked due to network configuration, the device has to wait for the normal device sync cycle to get the expedite policy.

The Microsoft Update Health Tools (UHSSVC - Update Health Services) is installed by update KB4023057 via Windows Updates on all eligible Windows 10 builds within the support lifecycle.

To confirm whether the Update Health Tools is installed on your system, check for its folder inside the Program Files folder as shown below.

Microsoft Update Health Tools gets installed to C:\Program Files\Microsoft Update Health Tools

What to do if Update Health Tools is missing?

If systems are configured to get updates from Windows Update, your device should already have received the update KB4023057. However, if for any reason the update is missing, or the Update Health Tools got uninstalled, you can try the manual way.

But note that if you search for the update on the Microsoft Update Catalog site, you will see that it is available only up to Windows 10 version 1803.

KB4023057 is available till Windows 10 version 1803 only from the Update Catalog site

Considering you are running Windows 10 version 1909 or above (which you should be currently), how do you get the update manually?

If your Update Ring policy allows, you can check for updates manually from the Settings.

Check for updates manually to get the KB4023057 update

But is it viable to ask users to check for updates manually?

Further, users may not be able to check for updates manually if the Windows 10 Update Ring policy restricts manual update checks.

Hence, the option that is left is to utilize PowerShell to trigger the Health Tools installation on the endpoint.

You can use the Install-UpdateHealthTools.ps1 script and deploy it from Intune. The devices should have the Update Health Tools installed after the script runs. (If not, check the log file for the local error encountered at runtime.)

Expedite Windows Update with Intune – Basic Checks

First and foremost, confirm that the device(s) targeted with the expedite update policy is/are

  • Intune Managed, exhibiting either AAD Join or Hybrid AAD Join state. WPJ (AAD registered/BYOD) devices are not supported. Further, if the devices are co-managed, then the Update workload needs to be set to Intune or Pilot Intune.
  • Configured to scan Windows Update services for getting updates (and not pointing to WSUS!)
    Especially important for co-managed devices. Check that after switching the Update workload to Intune (or Pilot Intune), the previous settings managed via Group Policy are restored to defaults (Not configured state) so that they do not interfere.
  • In ACTIVE state for the Windows Update client on the device to function.
    The device needs to be actively used and connected to the Internet for the Windows Update agent to scan and download the update properly. Further, there should be enough free disk space (at least 2 GB for quality updates) on the device for Windows Update to work.

Further, you need to ensure that

  • Windows Health Monitoring includes Windows Updates in scope on the device.
    Windows Health Monitoring needs to include Windows Updates in scope on the device
  • Notification update level is not set to “Turn off all notifications, including restart warnings” in the effective Update Ring policy for the device.
  • Devices are configured with correct telemetry settings.
    Devices should be configured to send telemetry data
    Allow Telemetry values:
      1 = Required (Basic)
      2 = Enhanced (Not used post 1903)
      3 = Full (Optional)
  • Required services (Windows Update and Update Health Services) are not in a DISABLED state on the endpoint.

 Get-Service | Where-Object {($_.Name -eq "wuauserv" -or $_.Name -eq "uhssvc")} | fl

Check and confirm that the required services (Windows Update and Update Health Services) are not in a DISABLED state on the endpoint
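The following PowerShell readiness check gathers the endpoint-side prerequisites listed above in one pass. It is an added example, not a script from the original post; it assumes the standard Windows policy registry locations it names and should be run elevated on the device.

```powershell
# Added example: one-shot readiness check for the expedite prerequisites above.
# Assumes the standard Windows policy registry paths below; run in an elevated session.
function Test-ExpediteReadiness {
    $result = [ordered]@{}

    # 1. Update Health Tools present (installed by KB4023057 as described in the post)
    $result['UpdateHealthToolsInstalled'] = Test-Path 'C:\Program Files\Microsoft Update Health Tools'

    # 2. Required services must not be Disabled (same services as the Get-Service check)
    foreach ($svc in 'wuauserv', 'uhssvc') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $result["Service_$svc"] = if ($null -eq $s) { 'Missing' } else { "$($s.Status) / $($s.StartType)" }
    }

    # 3. Not pointed at WSUS: UseWUServer = 1 under the AU policy key makes the client scan WSUS
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $result['ScansWindowsUpdate'] = (-not $au) -or ($au.UseWUServer -ne 1)

    # 4. Telemetry level: 1 = Required, 3 = Full (2 is unused post 1903); $null means not explicitly configured
    $telemetry = $null
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection') {
        $v = (Get-ItemProperty $key -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
        if ($null -ne $v) { $telemetry = $v; break }
    }
    $result['AllowTelemetry'] = $telemetry
    $result['TelemetryOk']    = ($null -ne $telemetry) -and ($telemetry -ge 1)

    # 5. Free space on the system drive (the post asks for at least 2 GB for quality updates)
    $free = (Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))).Free
    $result['FreeSpaceGB'] = [math]::Round($free / 1GB, 1)
    $result['DiskOk']      = $free -ge 2GB

    # 6. Join state from dsregcmd; WPJ (AzureAdJoined : NO) devices are not supported
    $dsreg = & dsregcmd /status 2>$null
    $result['AzureAdJoined'] = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')

    [pscustomobject]$result
}

Test-ExpediteReadiness | Format-List
```

Any $false, Missing or Disabled value in the output points at the prerequisite to fix before expecting the expedite policy to apply.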

Expedite Windows Update with Intune – Check Update Health Services log

You can find the logs (ETL trace files) generated by the Microsoft Update Health Tools here at C:\Program Files\Microsoft Update Health Tools\Logs

Microsoft Update Health Tools logs can be found here at C:\Program Files\Microsoft Update Health Tools\Logs

How to read the ETL files?

One way is to open the trace file with the Windows Event Viewer.

Open trace file with the Windows Event Viewer

The other way is a quick hack using the Get-WindowsUpdateLog cmdlet that merges and converts Windows Update ETL log files into a single readable WindowsUpdate.log (clear text) file.

But if you try to use the Get-WindowsUpdateLog cmdlet using the -ETLPath switch to point to the Logs directory of the Microsoft Update Health Tools generated ETL files instead, you will get the error as below.

The Get-WindowsUpdateLog cmdlet is hardcoded to detect Windows Update ETL files (filename as “WindowsUpdate*.etl”), but the ETL files generated by the Update Health Tools use a different naming convention.

You can rename all the Update Health Tools generated ETL files to mimic the Windows Update ETL files.

Rename all the Update Health Tools generated ETL files to mimic the Windows Update ETL files

This rename hack actually makes the Get-WindowsUpdateLog command work and you get the readable clear text log file.

Convert Update Health Service ETL trace files into a readable clear text log using the Get-WindowsUpdateLog cmdlet
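The rename hack can be scripted so that the originals are never touched: copy the Update Health Tools ETL files into a scratch folder under the WindowsUpdate*.etl names the cmdlet expects, convert them, and delete the copies. This is an added example, not code from the original post; the source and output paths are parameters with assumed defaults.

```powershell
# Added example: convert Update Health Tools ETL traces with Get-WindowsUpdateLog
# without renaming the live log files the service is still writing to.
function Convert-UpdateHealthToolsLog {
    param(
        [string]$SourceDir = 'C:\Program Files\Microsoft Update Health Tools\Logs',
        [string]$OutFile   = (Join-Path $env:TEMP 'UpdateHealthTools.log')
    )
    $etl = @(Get-ChildItem -Path $SourceDir -Filter '*.etl' -ErrorAction Stop)
    if ($etl.Count -eq 0) { throw "No ETL files found in $SourceDir" }

    # Scratch folder; Get-WindowsUpdateLog only picks up files named WindowsUpdate*.etl
    $work = Join-Path $env:TEMP ('uhs-etl-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        $i = 0
        foreach ($f in ($etl | Sort-Object LastWriteTime)) {
            $i++
            # Keep chronological order in the name so the merged log reads in sequence
            Copy-Item -Path $f.FullName -Destination (Join-Path $work ('WindowsUpdate.{0:D3}.etl' -f $i))
        }
        Get-WindowsUpdateLog -ETLPath $work -LogPath $OutFile

        # Surface the one entry the post found repeating, if it is present in this log
        Select-String -Path $OutFile -Pattern 'UpdateHealthToolsServiceBlockedByNoDSSJoin' |
            Select-Object -First 5 | ForEach-Object { $_.Line }
        Write-Output "Converted $i ETL file(s) to $OutFile"
    }
    finally {
        Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Convert-UpdateHealthToolsLog
```

If a copy fails because the newest trace is locked by the service, the remaining files still convert; the in-use file can be picked up on a later run.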

However, reading the Update Health log file as generated, I could not find anything useful other than this particular entry with repeated occurrence.

2021-07-07 20:15:36.1099391 892   14172 UpdateHealthToolsServiceBlockedByNoDSSJoin 2147483648

But the most effective way of reading the Windows Update Health Tools log has to be via the Microsoft PerfView tool. This gives you way more information than any of the above methods.

Use the MS PerfView tool to read the Windows Update Health Tools log

Expedite Windows Update Intune Reporting Issue?

If you have not used Expedite Update feature previously and this is the very first time you have used it to expedite an update, you may see all your devices reporting in Error state, like what I have in my tenant.

Expedite Windows Update Intune Reporting Issue

However, if the targeted devices are ACTIVE, configured to get updates from Windows Update, and meet the other checks mentioned above, the devices may actually get patched via the expedite update policy even if the report states otherwise.

This is due to some complex pipeline process for Intune reporting. If you haven’t used the feature update policy or the expedite policy before, then it can take up to 24 hours for all the “pipes and services” to get connected.

Gabe Frost, Program Manager at Microsoft has explained this here in the Twitter thread. As per this Twitter thread, because of the 24 hours’ time requirement at the service end to let everything fall in place, pre-enrollment can help.

What this means is that if you have created an expedite update policy for the first time in your tenant and targeted it to devices (which are properly configured and ACTIVE), on this first attempt you are likely to encounter this Intune reporting issue. However, if another OOB security fix gets released sometime after this and you create another expedite policy for the devices, this time you should not face the reporting issue.

For me, though the Intune Windows 10 Quality Update report shows the device update state in Error for KB5004945 (July 6 OOB Update to fix PrintNightmare), the above check locally on the endpoint reveals that the system actually has got the hotfix installed.

Note that this may not always be the case at your end and as such, you can check this excellent blog post from Rudy Ooms showing how you can use Proactive Remediation for this purpose.

Wrap Up

The reporting issue as noticed for expediting Windows Update with Intune is mostly because of the complex reporting architecture at the service end.

However, since it is at the MS end, any issues you are facing with the expedited update reporting may need to be worked out with MS support to get things sorted.

Note that this Expedite Windows Update feature is still in preview, and Microsoft is actively working to make it better and fix any niggling issues reported during the preview period!

That was all for today. Thanks for reading…

6 Comments

  1. Great article, thanks for the insight. Could you clarify what do you mean in this part of the article?

    in ACTIVE state for the Windows Update client on the device to function

    Active on MEM didn’t quite get this part.

    Thanks!

    • The device needs to be actively used connected to the Internet for the Windows Update agent to scan and download the update properly. Further, there should be enough free disk space (at least 2GB for quality updates) on the device for Windows Update to work. It won't work on a device that is kept somewhere in the drawer, or not being actively used, idle without internet connection, or is in a sleep state which does not support Windows Update to work in the background. [Windows Update cannot work if device is in Hibernate state]

  2. Windows 10 21H1 does not have “Microsoft Update Health Tools” installed. Windows catalogue for KB5004945 shows no patch for latest build. Latest is 1803.

    Any idea?
