Update May 15, 2021: The public preview for this feature is now available in Microsoft Endpoint Manager. For more information, see Expedite Windows 10 quality updates in Microsoft Intune.
The ability to expedite Windows 10 security updates within the Microsoft Endpoint Manager admin center is coming soon as a public preview, so keep an eye on this blog for updates.
Expediting security updates can help you deploy updates faster than normal across your organization, for example, for an important security fix or a fix that solves a problem with a critical line of business application. For these faster-than-normal scenarios, especially in quality updates, expedite will help you step on the gas and go faster than your steady state configuration.
With this new capability, you can create a profile in the Microsoft Endpoint Manager admin center that will expedite Windows 10 security updates. In testing, we have seen more than 90% of expedited devices reach a ready-to-restart stage within two days. This is two to three times more devices updated successfully in the first week of a deployment compared to devices configured with common update settings.
One benefit of expediting an update is that you won’t need to modify existing quality update settings of your Windows 10 update rings. An expedite profile will temporarily override the necessary settings to ensure the expedited update is installed as quickly as possible. The settings will be automatically restored to their original state after the update successfully installs. In addition, expedited updates can be targeted to your whole organization or limited to a specific subset of users or devices.
Once you create an expedite policy, the service will contact devices to start the update deployment without waiting for the next scan for updates.
Profile settings will give you some control over the familiar restart behavior which builds on the Windows Update Compliance Deadline (you can learn more about enforcing compliance deadlines for updates). The restart experience will allow end users to manage when the restart occurs by scheduling the restart, restarting right away, or asking to be reminded later. When the restart deadline is reached, the restart will be enforced. Users will get two warning dialogs before their device automatically restarts. The enforced restart does not wait until outside of active hours to provide reliable update compliance.
Due to the short window of restart control for end users, organizations should only want to use expedited updates when they have a special need to go faster than normal. For fast, steady state patch compliance, we encourage you to use the compliance deadline with a 3-day deadline and a 2-day grace period. If you need to go even faster, use the expedite profile.
Reports to monitor expedited updates will also be entering Public Preview. The summary report will show device states, including Success, In Progress, and Errors. The error report will provide insight into errors to enable you to fix devices that need help.
Support for expediting updates in the Microsoft Endpoint Manager admin center will be available to all Windows 10 devices on builds that have not yet reached end of service (see the Microsoft Lifecycle Policy for dates and details). In addition, devices must be Azure Active Directory joined. (Note that workplace joined devices are not supported.)
How does it work?
The demo below shows you how to create a new expedited quality update in Intune and gives you an overview of the available settings. It also shows the restart experience and mockups of the summary and error reports.
To learn more
Once the expedite profile is released in Microsoft Endpoint Manager admin center, see the online Microsoft Intune documentation for more details, or watch the below video for further in-depth information: