
Windows IT Pro Blog

Expedite security updates in Microsoft Endpoint Manager admin center

David_Guyer (Microsoft)
Mar 02, 2021

Update May 15, 2021: The public preview for this feature is now available in Microsoft Endpoint Manager. For more information, see Expedite Windows 10 quality updates in Microsoft Intune.


The ability to expedite Windows 10 security updates within the Microsoft Endpoint Manager admin center is coming soon as a public preview, so keep an eye on this blog for updates.

Expediting security updates can help you deploy updates faster than normal across your organization, for example for an important security fix or for a fix that solves a problem with a critical line-of-business application. For these faster-than-normal scenarios, especially for quality updates, expedite lets you step on the gas and go faster than your steady-state configuration.

With this new capability, you can create a profile in the Microsoft Endpoint Manager admin center that will expedite Windows 10 security updates. In testing, we have seen more than 90% of expedited devices reach a ready-to-restart stage within two days. This is two to three times more devices updated successfully in the first week of a deployment compared to devices configured with common update settings.

One benefit of expediting an update is that you won’t need to modify existing quality update settings of your Windows 10 update rings. An expedite profile will temporarily override the necessary settings to ensure the expedited update is installed as quickly as possible. The settings will be automatically restored to their original state after the update successfully installs. In addition, expedited updates can be targeted to your whole organization or limited to a specific subset of users or devices.

Once you create an expedite policy, the service will contact devices to start the update deployment without waiting for the next scan for updates.

Profile settings will give you some control over the familiar restart behavior, which builds on the Windows Update compliance deadline (you can learn more about enforcing compliance deadlines for updates). The restart experience will allow end users to manage when the restart occurs by scheduling the restart, restarting right away, or asking to be reminded later. When the restart deadline is reached, the restart will be enforced. Users will get two warning dialogs before their device automatically restarts. To provide reliable update compliance, the enforced restart does not wait for the end of active hours.

Because end users get only a short window of control over the restart, organizations should use expedited updates only when they have a specific need to go faster than normal. For fast, steady-state patch compliance, we encourage you to use the compliance deadline with a 3-day deadline and a 2-day grace period. If you need to go even faster, use the expedite profile.

Reports to monitor expedited updates will also be entering Public Preview. The summary report will show device states, including Success, In Progress, and Errors. The error report will provide insight into errors to enable you to fix devices that need help.

Support for expediting updates in the Microsoft Endpoint Manager admin center will be available to all Windows 10 devices on builds that have not yet reached end of service (see the Microsoft Lifecycle Policy for dates and details). In addition, devices must be Azure Active Directory joined. (Note that workplace joined devices are not supported.)
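The two requirements above (steady-state compliance-deadline settings matching the 3-day deadline / 2-day grace period recommendation, and Azure AD join rather than workplace join) can be checked on a device before you rely on an expedite profile. The script below is an added example written for this page; it is not from the original post or from Microsoft. It assumes the documented Windows Update for Business registry value names (ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot) under the Group Policy key, that Intune-delivered policy is also mirrored under the PolicyManager key, and that `dsregcmd /status` prints `AzureAdJoined : YES/NO` and `WorkplaceJoined : YES/NO` lines. It is read-only and changes nothing on the device.

```powershell
# Added example (not the post's or Microsoft's code): read-only readiness check for
# expedited quality updates. Run in an elevated PowerShell session on Windows 10.

function Get-DeadlinePolicy {
    # Group Policy location is documented; the PolicyManager mirror for MDM-delivered
    # policy is an assumption made for this example. First hit wins.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($null -ne $props.ConfigureDeadlineForQualityUpdates) {
            return [pscustomobject]@{
                Source       = $p
                DeadlineDays = [int]$props.ConfigureDeadlineForQualityUpdates
                GraceDays    = if ($null -ne $props.ConfigureDeadlineGracePeriod) { [int]$props.ConfigureDeadlineGracePeriod } else { $null }
                NoAutoReboot = if ($null -ne $props.ConfigureDeadlineNoAutoReboot) { [int]$props.ConfigureDeadlineNoAutoReboot } else { 0 }
            }
        }
    }
    return $null
}

function Get-AadJoinState {
    # Parse the join flags from dsregcmd /status (assumed line format shown in the lead-in).
    $state = @{ AzureAdJoined = $null; WorkplaceJoined = $null }
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|WorkplaceJoined)\s*:\s*(YES|NO)') {
            $state[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }
    return $state
}

function Test-ExpediteReadiness {
    param(
        [int]$RecommendedDeadlineDays = 3,   # steady-state values recommended in the post
        [int]$RecommendedGraceDays    = 2
    )
    $findings = @()

    # Build number: compare against the Microsoft Lifecycle Policy yourself; no dates are embedded here.
    $build = [System.Environment]::OSVersion.Version.Build
    $findings += "OS build $build (confirm it has not reached end of service per the Microsoft Lifecycle Policy)"

    $join = Get-AadJoinState
    if ($join.AzureAdJoined -eq $true) {
        $findings += 'Azure AD joined: OK'
    } else {
        $findings += 'NOT Azure AD joined: expedite profiles will not apply to this device'
    }
    if ($join.WorkplaceJoined -eq $true -and $join.AzureAdJoined -ne $true) {
        $findings += 'Workplace joined only: not supported for expedited updates'
    }

    $policy = Get-DeadlinePolicy
    if ($null -eq $policy) {
        $findings += 'No compliance-deadline policy found; steady-state compliance relies on a configured deadline'
    } else {
        $findings += "Deadline policy from $($policy.Source): deadline=$($policy.DeadlineDays)d grace=$($policy.GraceDays)d noAutoReboot=$($policy.NoAutoReboot)"
        if ($policy.DeadlineDays -ne $RecommendedDeadlineDays -or $policy.GraceDays -ne $RecommendedGraceDays) {
            $findings += "Steady-state deadline differs from the recommended $($RecommendedDeadlineDays)-day deadline / $($RecommendedGraceDays)-day grace period"
        }
        if ($policy.NoAutoReboot -eq 1) {
            $findings += 'ConfigureDeadlineNoAutoReboot=1: automatic restart at the deadline is disabled, weakening enforcement'
        }
    }
    return $findings
}

Test-ExpediteReadiness | ForEach-Object { Write-Output $_ }
```

The function returns its findings as strings so it can be dropped into a larger inventory script or a remediation report; nothing it reports is acted on automatically.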


How does it work?

The demo below shows you how to create a new expedited quality update in Intune and gives you an overview of the available settings. It also shows the restart experience and mockups of the summary and error reports.


To learn more

Once the expedite profile is released in the Microsoft Endpoint Manager admin center, see the online Microsoft Intune documentation for more details, or watch the video below for further in-depth information:


Updated May 14, 2021
Version 4.0
  • Simon-Ludlow (Iron Contributor)

    This is a great new feature that will really help when a critical security update is released.

    It would be extremely beneficial to have a similar feature for removing updates.

    A recent example would be the March updates that affected a lot of print drivers. With our onsite devices we could use WSUS to remove the dodgy update, but we could not do that with our Intune managed remote workers.


  • David_Guyer this would also be an awesome feature for Azure Update Management, which is not WUfB / MS Endpoint admin center. At best it would be great if MS Endpoint admin center were able to manage Windows Server. Currently many small businesses need to administer 2 different things. In the past they had one tool called WSUS to manage server and client OS. Can you elaborate on this with the PGs?

    I also agree that the idea from Simon-Ludlow is really nice.

  • Why is the out-of-band update not included with this solution? Is it only for the security update release ("B" release)?

    I strongly agree with the idea suggested by Simon-Ludlow.

  • Reza_Ameri (Silver Contributor)

    This is very valuable, especially when we are dealing with some sort of 0-days which impact our security, or when we are dealing with a mass issue and need to perform rapid deployment of updates; this is very handy.

  • Jbasuroy369 (Copper Contributor)

    This is a very useful feature that can be used to expedite critical security updates to specific groups. Way to go Intune Dev Team.