Expediting Windows quality updates

This week is all about expediting the installation of the latest Windows quality updates. Expediting can be useful to quickly mitigate security threats when the normal update process would not deliver the update soon enough. That is possible because expedited Windows quality updates are deployed without pausing or editing the existing update process: the Expedite policy temporarily overrides the deferrals and deadlines of the update rings, so that the specified update is installed as quickly as possible. It can be used for the most recent monthly quality update as well as for an out-of-band security update. This post looks closer at the concept of expediting Windows quality updates, followed by the steps to expedite a Windows quality update by using Microsoft Intune. The post ends with the reporting capabilities that are available for expedited Windows quality updates.

Note: Expediting Windows quality updates relies on the Windows Update for Business deployment service.

Introducing the ability to expedite Windows quality updates

The ability to expedite Windows quality updates makes an ideal solution for installing the most recent monthly quality update, as well as an out-of-band security update, as quickly as possible. It is, however, good to understand that not all updates can be expedited. At this moment, only security updates that Microsoft has made available for expediting can be deployed with an Expedite policy. The Expedite policy enables IT administrators to temporarily override the deferral and deadline settings of the applied update ring configurations. That enables devices to start the download and installation of the expedited update as quickly as possible, without having to wait for the next check-in of the device.

Within the Expedite policy, the IT administrator selects a single update to deploy, based on the release date of that update. Selecting by release date makes the policy applicable to all supported Windows versions: Windows Update evaluates the build and architecture of each device and delivers the version of the update that applies to it, but only when the device is running a lower build than the selected update. When a restart is required to complete the installation, the Expedite policy specifies the number of days that users have to restart the device before it is restarted automatically. That automatic restart can happen at any time of the day. Before reaching that deadline, the user can schedule the restart themselves.

Note: Keep in mind that expedited updates are not recommended for the normal monthly deployment of quality updates; the Expedite policy is a temporary override of the update rings, not a replacement for them.

Creating the policy to expedite Windows quality updates

After getting familiar with the workings of expediting the installation of Windows quality updates, it's good to understand the configuration prerequisites. That starts with understanding that the Expedite policy relies on the Windows Update for Business deployment service, which has additional licensing requirements on top of Microsoft Intune. Generally speaking, that is at least Windows 10/11 Enterprise E3, or a subscription that includes that license (like Microsoft 365 E3). Besides that, it's recommended to make sure that devices can reach the Windows Push Notification Services (WNS), as that notifies Windows devices about an expedited quality update without having to wait for their next daily check for updates.

The configuration itself is pretty straightforward. It can be achieved by using the Windows Update for Business deployment service directly (via Microsoft Graph), but Microsoft Intune provides a really nice interface to easily achieve the same: the Expedite policy in the Windows updates section. In a few simple steps, the installation of a quality update can be expedited. The following five steps walk through the configuration for expediting the installation of the February update.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Windows updates
  2. On the Windows | Windows updates blade, navigate to the Quality updates tab and click Create > Expedite policy
  3. On the Settings page, as shown below in Figure 1, configure the following settings and click Next
  • Name: Specify a unique name for the expedite policy to distinguish it from similar profiles
  • Description: (Optional) Specify a description for the expedite policy to provide additional details
  • Expedite installation of quality updates if device OS version less than: Select the quality update to expedite
  • Number of days to wait before restart is enforced: Select the number of days to wait before forcing a restart
  4. On the Assignments page, configure the assignment for the required devices and click Next
  5. On the Review + create page, verify the configuration and click Create

Note: Keep in mind that, in the list of updates to select from, the B updates are the regular monthly “patch Tuesday” updates.
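The same five steps can be scripted against the Windows Update for Business deployment service, which the Intune admin center calls through Microsoft Graph. The following PowerShell is an added example and not code from the original post or from Microsoft; it assumes the beta resource `deviceManagement/windowsQualityUpdateProfiles` with the properties `displayName`, `description` and `expeditedUpdateSettings` (`qualityUpdateRelease`, `daysUntilForcedReboot`), the `assign` action with a `groupAssignmentTarget`, the `DeviceManagementConfiguration.ReadWrite.All` permission, and an ISO 8601 date as the value of `qualityUpdateRelease`. The release date and the group ID are placeholders; the script first lists any existing Expedite policies so the exact shape of `expeditedUpdateSettings` can be confirmed in your own tenant before creating a new one.

```powershell
# Added example: create and assign an Expedite policy through Microsoft Graph (beta).
# Assumptions (verify in your tenant): resource path, property names, the date format of
# qualityUpdateRelease, the permission scope, and the placeholder date and group ID below.
#Requires -Modules Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$baseUri = 'https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdateProfiles'

# Inspect existing Expedite policies first to confirm the exact shape of
# expeditedUpdateSettings, in particular the qualityUpdateRelease value.
$existing = Invoke-MgGraphRequest -Method GET -Uri $baseUri -OutputType PSObject
$existing.value | Select-Object id, displayName, expeditedUpdateSettings | Format-List

# Release date of the update to expedite (placeholder; take the date shown in the
# "Expedite installation of quality updates if device OS version less than" dropdown).
$releaseDate = '2025-02-11T00:00:00Z'

$body = @{
    displayName             = 'Expedite - February quality update'
    description             = 'Temporarily override deferrals and deadlines for the February security update'
    expeditedUpdateSettings = @{
        qualityUpdateRelease  = $releaseDate   # update selected by release date
        daysUntilForcedReboot = 2              # "Number of days to wait before restart is enforced"
    }
}

$policy = Invoke-MgGraphRequest -Method POST -Uri $baseUri -OutputType PSObject `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Created Expedite policy $($policy.id)"

# Assign the policy to a device group (placeholder group ID).
$groupId = '00000000-0000-0000-0000-000000000000'
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$baseUri/$($policy.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Confirm the assignment landed on the policy.
$assignments = Invoke-MgGraphRequest -Method GET -Uri "$baseUri/$($policy.id)/assignments" -OutputType PSObject
$assignments.value | ForEach-Object { "Assigned to group $($_.target.groupId)" }
```

Scripting the policy is mainly useful for an out-of-band update, when the same Expedite policy has to be created in several tenants quickly; the GET at the start is the check to keep, because the value accepted for `qualityUpdateRelease` is not validated client-side and a wrongly formatted date results in a policy that targets nothing.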

Experiencing expediting Windows quality updates

After expediting the installation of the quality update of February, the user experience is pretty straightforward. The Windows device starts downloading and installing the quality update as soon as it receives the notification (or performs its check-in). Windows Update provides the device with the update information, that is, which quality update to install and the content of that update. Once the update is installed, the user must restart the device, either before the new restart deadline or automatically at that deadline. Note that this restart deadline can also fall during working hours.

From an IT administrator perspective, there is some more reporting to look at. That information can be found in the reporting section, by navigating to Reports > Windows updates. The Summary tab provides a brief overview of the status of the Expedite policy (as shown in the header of the post). Besides that, more detailed information is available via Reports > Windows Expedited Update Report. An example is shown below in Figure 2. That report provides a status per assigned device. Eventually, devices should reach the statuses Update state > Installed and Update substate > Update installed. Alternatively, there is also an error status report available via Devices > Monitor > Expedited quality update policies with alerts. That report provides more information about potential issues with the installation of expedited quality updates and helps with troubleshooting.

Note: For Microsoft Intune to be able to collect the status of expedited quality updates, it is important to configure Enable features that require Windows diagnostic data in processor configuration to On in the Intune tenant settings, and to configure Windows diagnostic data collection at a level of Required or higher on the Windows devices.
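The diagnostic data level is the prerequisite that most often breaks the reporting, and the comments below mention a second device-side prerequisite, the "Expedite client". The following detection script is an added example and not code from the original post or from Microsoft; it is written for an Intune remediation, where exit code 1 means "issue detected" and exit code 0 means compliant. It assumes that the effective diagnostic data level can be read from `AllowTelemetry` under the MDM policy hive (`HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System`) or the Group Policy hive (`HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection`), that a value of 1 or higher means Required or higher on both Windows 10 and Windows 11, and that the expedite client is the Microsoft Update Health Tools, visible as an uninstall entry of that name and as the `uhssvc` service; confirm those names against Microsoft's documentation before relying on them.

```powershell
# Added example: Intune remediation detection script for the two expedite prerequisites.
# Assumptions: registry paths, that AllowTelemetry >= 1 equals "Required or higher", and that
# the "Expedite client" is the Microsoft Update Health Tools (uninstall entry and uhssvc service).

function Get-DiagnosticDataLevel {
    # The MDM path is written by the Policy CSP (Intune), the Policies path by Group Policy.
    # Either one enforces the level; the first one found wins.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name 'AllowTelemetry' -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.AllowTelemetry }
    }
    # No policy present: the level is whatever the user chose, so treat it as unknown.
    return $null
}

function Test-UpdateHealthTools {
    # Look for the uninstall entry in both hives and for the Microsoft Update Health Service.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Update Health Tools*' }
    $service = Get-Service -Name 'uhssvc' -ErrorAction SilentlyContinue
    return [bool]($installed -and $service)
}

$issues = @()

$level = Get-DiagnosticDataLevel
if ($null -eq $level) {
    $issues += 'AllowTelemetry is not set by policy'
}
elseif ($level -lt 1) {
    $issues += "AllowTelemetry is $level (below Required)"
}

if (-not (Test-UpdateHealthTools)) {
    $issues += 'Microsoft Update Health Tools (expedite client) not found'
}

if ($issues.Count -gt 0) {
    # The output string shows up in the remediation report, so keep it specific.
    Write-Output ($issues -join '; ')
    exit 1
}

Write-Output 'Expedite prerequisites present'
exit 0
```

Running this as the detection side of a remediation, scoped to the same group as the Expedite policy, turns the "Expedite client missing" alert from something discovered after the deadline into something fixed before the policy is assigned.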

In the end it is good to understand that deleting an Expedite policy won't result in the quality update being uninstalled when the installation already completed. When the quality update is not yet installed, Windows Update attempts to cancel any in-progress installation, but a successful cancellation can't be guaranteed.

More information

For more information about expediting Windows quality updates, refer to the following docs.



5 thoughts on “Expediting Windows quality updates”

  1. For SEO reference it's worth pointing out this occurs frequently even when using Autopatch

    Error type: Expedite client missing
    Error description: The device does not have the necessary client in order to Expedite.
    Severity: Error
    Recommendation: Make sure you’re connected to Windows Update and manually trigger a scan to download and install the Expedite client. If you are still unable to scan and download the Expedite client, you can download the package here from Microsoft’s Download Center.

    and in addition, report items also flag these types too

    Error type: Install Issue
    Error description: There was an issue installing the update.
    Severity: Error
    Recommendation: Run “dism /online /cleanup-image /restorehealth” on the device with administrator privileges, then retry the update. If the command fails, a reinstall of Windows may be required.

    We’ve created a remediation script to detect and repair the latter, to self-heal so to speak

    Reply
  2. I’ve turned on hotpatching for my organization; as a result we received hotpatch KB5052105.
    Our Tenable vulnerability scanner, now reports we are missing security patch KB5051987, but when I do as you described for KB5051987, I’m not getting it offered.
    Is KB5051987 part of hotpatch KB5052105?

    Reply
