Windows IT Pro Blog

Get the most out of expedited Windows quality updates

Surabhi_Calla
Microsoft
Oct 24, 2022

Take advantage of expedited quality updates in Intune and Windows Update for Business to address zero-day security vulnerabilities and fast-track the installation of security updates. The capability works seamlessly if you are managing a mix of Windows 10 and Windows 11 devices, ensuring quick deployment even in complex environments.

This feature is available to those enrolled in the Windows Update for Business deployment service. Working closely with Intune users, we have invested in improving the experience by adding new and more intuitive alerts and notifications.

To help you get the very best out of the expedite capability, this blog explores:

  • Prerequisites for expedited updates
  • Monitoring and reporting
  • Common alerts and resolutions
  • Best practices

Prerequisites for expediting updates

To expedite quality updates, make sure you meet the following requirements: licensing eligibility, joining your devices to Azure Active Directory (Azure AD), connecting them to Windows Update services, and equipping your devices with the necessary tools.

See the Common alerts and resolution section for how to make sure you meet these prerequisites!

Prerequisite categories and their descriptions:

Licensing
  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows 10/11 Virtual Desktop Access (VDA) per user
  • Microsoft 365 Business Premium

Azure Active Directory (Azure AD)
  • Joined
  • Hybrid joined
  Note: Workplace joined devices are not supported for expedited updates. For details, see What is an Azure AD joined device?

Windows Update services
  • Devices must be configured to scan the Windows Update service and be receiving updates from it.

Update Health Tools Client
  Note: If the devices are configured to scan the Windows Update service, then the client should automatically be installed on the device.

Recommended: Client/device data processing in Intune

Please refer to the full and current list of prerequisites to qualify for installing expedited quality updates. Most troubleshooting needs arise from not fully meeting these prerequisites. Thankfully, this post is here to help you!

Monitor and report on expedited updates in Intune

Have you asked yourself where you can monitor and see any errors triggered for an expedite policy that you’ve created? After an expedite policy has been created, you can monitor the update status and view any errors using intuitive reports available in Intune: the summary report and the Windows expedited update failures report.

Access the summary report from Intune’s Reports > Windows updates. View the status of deployment by checking the Update Aggregated State column of the device-by-device portion of the report (see image below).

A summary report view of Windows expedited updates in Intune. The bottom portion lists device by device, with its respective identifiers, update aggregate state, and other details.

Review some important update states and substates that indicate successful progression of the policy below. For more information on all update states and substates, see the Update states section of Microsoft Intune documentation.

Update state | Update substate | Workflow state
Pending | Validation | Device has been added to the expedited update policy and is being validated. Note: Devices that do not meet the prerequisites will show this state. Resolve this by checking the Common alerts and resolutions tips below.
Pending | Scheduled | Device has passed validation and will be expedited soon.
Offering | OfferReady | The expedite instructions are ready for the device. The next time the expedite client on the device scans for updates, they will be offered to the device.
Installed | UpdateInstalled | Device has received the update successfully.
Needs Attention | Needs Attention | Device has encountered an error. Please check the Windows Expedited update failures report in Intune, as shown next.

The Windows Expedited update failures report provides a view of all devices within a policy that have encountered an error. Access the Windows Expedited update failures report from Intune (Home > Devices > Monitor) to troubleshoot expedite deployments.

Windows expedited update failures in Intune show error devices, along with full details

Upon selecting the Alert message, you can view the details of each error and steps needed to remediate the error. The report also gives the capability to filter by a specific error type and see all impacted devices. About 57 alert types are included with detailed explanations and recommended remediation for each issue.

Common alerts and resolutions

If the devices are active and meet the eligibility criteria for expedited updates, then you shouldn’t encounter any issues while using the service. Devices are considered active when they are connected to the internet and are operational for more than 6 hours a month in total, with continuous activity of at least 1 hour.

Let’s review some common error messages you can find in our reporting and how to remediate them.

Why do I not see detailed status and alert information for my devices?

Alert | Description
Windows Health Monitoring not enabled | Windows Health Monitoring is not enabled for Windows Update scope for this device. Update status from the device will not be available.

This issue is often related to the prerequisite of Windows health monitoring and will cause all your devices to only show the OfferReady status. Please make sure you have enabled the required Windows data processing settings in Intune. From Home, go to Devices > Windows 10 and later > Windows health monitoring.

Enable Health monitoring for Windows updates (see image below). For detailed guidance on how to do this, refer to Use Update Compliance reports for Windows Updates in Microsoft Intune.

Windows health monitoring configuration settings in Intune set Health monitoring to Enable. Scope allows to select items like Windows updates and Endpoint analytics.

The other possible reason for the devices to remain in this update substate is if they are not active or are experiencing issues while connecting to Windows Update.

How do I check whether my tenant has the license required to use the Windows Update for Business deployment service?

Alert | Description
Missing E3 license (Not eligible to be updated) | This device does not meet the licensing requirements and is not able to be updated.

The easiest way to check if your tenant has the required license to use the service is to use Microsoft Graph.

  • Go to Microsoft Graph Explorer and sign in to your tenant.
  • Run a GET request against https://graph.microsoft.com/v1.0/subscribedSkus?$select=servicePlans
  • Check the response to see whether "WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE" appears as a service plan name. If it does, your tenant meets the licensing eligibility criteria.

    Microsoft Graph API shows that your tenant meets the licensing eligibility criteria under Service Plan Name.
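The same check can be scripted instead of read by eye in Graph Explorer. The following PowerShell is an added example, not code from the post or from Microsoft; it assumes the Microsoft.Graph.Authentication module is installed (Install-Module Microsoft.Graph.Authentication) and that the signed-in account can read subscribed SKUs (Organization.Read.All). The query URL and the service plan name are the ones the post gives; the function name and the extra skuPartNumber field are this example's own.

```powershell
# Added example (not from the post): report whether the tenant's subscribed SKUs
# include the Windows Update for Business deployment service plan, and whether
# that plan is actually provisioned rather than merely present.

function Test-WufbDeploymentServiceLicense {
    [CmdletBinding()]
    param(
        # Service plan name quoted in the post.
        [string]$PlanName = 'WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE'
    )

    Connect-MgGraph -Scopes 'Organization.Read.All' | Out-Null

    # Same query as the post's Graph Explorer step, plus skuPartNumber so the result
    # says which license carries the plan. Single quotes stop PowerShell from
    # expanding "$select" as a variable.
    $uri = 'https://graph.microsoft.com/v1.0/subscribedSkus?$select=skuPartNumber,servicePlans'
    $response = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject

    # Flatten every SKU's service plans into one row per (SKU, plan).
    $rows = foreach ($sku in $response.value) {
        foreach ($plan in $sku.servicePlans) {
            [pscustomobject]@{
                Sku    = $sku.skuPartNumber
                Plan   = $plan.servicePlanName
                Status = $plan.provisioningStatus   # e.g. Success, Disabled, PendingProvisioning
            }
        }
    }

    $carriers = @($rows | Where-Object { $_.Plan -eq $PlanName })
    $active   = @($carriers | Where-Object { $_.Status -eq 'Success' })

    $status = if ($carriers.Count -eq 0) {
        'Plan not found in any subscribed SKU'
    } elseif ($active.Count -eq 0) {
        'Plan present but not provisioned: ' + ($carriers.Status -join ', ')
    } else {
        'Provisioned'
    }

    [pscustomobject]@{
        PlanName   = $PlanName
        Eligible   = $active.Count -gt 0            # plan present AND provisioned
        CarrierSku = $carriers.Sku -join ', '        # which licenses include the plan
        Status     = $status
    }
}

Test-WufbDeploymentServiceLicense | Format-List
```

A plan that shows up with a provisioningStatus other than Success (for example Disabled) still fails the alert's licensing check, which is why the function distinguishes "present" from "provisioned" rather than only searching for the name.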

How can I verify if the Update Health Tools client is installed on my device(s)?

Alert | Description
Expedite client missing | The device does not have the expedite client needed to expedite.

Another prerequisite is verifying that Update Health Tools is installed and running correctly on the device:

  • Look for the installation files at this location: C:\Program Files\Microsoft Update Health Tools.
  • Check if the Microsoft Update Health service is running on the device (illustrated below).

    Microsoft Update Health Tools shows a list of services running on the device. Microsoft Update Health Service is highlighted.

  • As an admin, run the following PowerShell script (save it as a .ps1 file; the return statements end the script with the result):

    # Query the local update history through the Windows Update Agent COM API
    $Session = New-Object -ComObject Microsoft.Update.Session
    $Searcher = $Session.CreateUpdateSearcher()
    $historyCount = $Searcher.GetTotalHistoryCount()
    # KB4023057 is the update that delivers Update Health Tools; look for it by title
    $list = $Searcher.QueryHistory(0, $historyCount) | Select-Object -Property "Title"
    foreach ($update in $list)
    {
        if ($update.Title.Contains("4023057"))
        {
            return 1
        }
    }
    return 0


Interpret the results as follows:

If the script returns 1, the device has the Update Health Tools client. If it returns 0, the device does not have the client; in this case, you can manually download and install Update Health Tools from the Microsoft Download Center.
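The three checks above (install folder, service, KB4023057 in update history) can be combined into one function that returns a single verdict object, which is easier to run across a fleet than reading three results by hand. This is an added example, not the post's script; it assumes the service display name shown in the post's screenshot, guards the empty-history case that the post's script does not, and uses a function name of its own. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the post): perform all three Update Health Tools checks
# and return one object describing what was found and what to do next.

function Test-UpdateHealthTools {
    [CmdletBinding()]
    param()

    # 1. Installation folder named in the post.
    $installPath   = 'C:\Program Files\Microsoft Update Health Tools'
    $folderPresent = Test-Path -LiteralPath $installPath

    # 2. Service state. Get-Service writes an error (suppressed here) when the
    #    display name matches nothing, so $svc is $null on a device without it.
    $svc = Get-Service -DisplayName 'Microsoft Update Health Service' -ErrorAction SilentlyContinue
    $serviceStatus = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }

    # 3. Update history via the Windows Update Agent COM API, as in the post's script.
    #    QueryHistory(0, 0) throws on a device with no history, so guard the zero case.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $kbFound  = $false
    if ($count -gt 0) {
        $kbFound = [bool]($searcher.QueryHistory(0, $count) |
                          Where-Object { $_.Title -like '*4023057*' } |
                          Select-Object -First 1)
    }

    # The client is considered present when its folder and service both exist;
    # the KB history hit (the post's own signal) is reported alongside.
    $clientPresent = $folderPresent -and ($null -ne $svc)

    $nextStep = if (-not $clientPresent) {
        'Install Update Health Tools from the Microsoft Download Center'
    } elseif ($serviceStatus -ne 'Running') {
        'Client installed but service not running; start the service and re-check'
    } else {
        'Client present and running'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        InstallFolderPresent = $folderPresent
        ServiceStatus        = $serviceStatus
        KB4023057InHistory   = $kbFound
        ClientPresent        = $clientPresent
        NextStep             = $nextStep
    }
}

Test-UpdateHealthTools | Format-List
```

Because the function emits an object rather than a bare 1 or 0, its output can be exported with Export-Csv or fed to a remediation step that only acts on devices where ClientPresent is false.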

How can I verify that my devices are configured to connect to Windows Update?

Alert | Description
Not connected to Windows Update | This device is not connected to Windows Update and therefore cannot download the update.

Windows Update must be configured as the scan source for quality updates.

Several common policies, if changed from their default settings, can prevent devices from scanning Windows Update correctly.

If your devices are receiving regular updates from Windows Update, then your devices have the correct configurations. Learn more at Use Windows Update for Business and Windows Server Update Services (WSUS) together.

On Windows 10:

  • Configure scan source for quality updates from Windows Update.
  • Ensure Disable Dual Scan is Not Configured or is configured to Disabled.

Note: If you don't have a WSUS URL configured, ALL updates will come by default from Windows Update without you needing to configure scan source.

On Windows 11:

  • Configure scan source for quality updates from Windows Update.

Note: If no scan source policy is configured, ALL updates will come by default from Windows Update.

If using Microsoft Intune co-management, ensure the Windows Update for Business workload slider is set to Intune or Pilot with the desired devices.
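The scan-source bullets above are policy settings, so they can be read back from a device rather than inferred from whether updates happen to arrive. The following PowerShell is an added example, not from the post; it reads the policy-backed registry values (WUServer, UseWUServer, DisableDualScan and SetPolicyDrivenUpdateSourceForQualityUpdates, the Group Policy/MDM-written names, which the post itself does not list) and evaluates them against the post's Windows 10 and Windows 11 bullets. The function name and the verdict wording are this example's own.

```powershell
# Added example (not from the post): determine from local policy where a device
# scans for quality updates, following the post's Windows 10 / Windows 11 rules.

function Get-QualityUpdateScanSource {
    [CmdletBinding()]
    param()

    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPolicy = Join-Path $wuPolicy 'AU'

    # Returns $null when the key or value is absent, i.e. the policy is Not Configured.
    function Read-Policy([string]$Path, [string]$Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $wuServer      = Read-Policy $wuPolicy 'WUServer'       # WSUS URL, if any
    $useWuServer   = Read-Policy $auPolicy 'UseWUServer'    # 1 = use the WSUS URL
    $dualScanOff   = Read-Policy $wuPolicy 'DisableDualScan' # 1 = Disable Dual Scan enabled
    $qualitySource = Read-Policy $wuPolicy 'SetPolicyDrivenUpdateSourceForQualityUpdates' # 0 = Windows Update, 1 = WSUS

    $build     = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $isWin11   = $build -ge 22000
    $wsusInUse = ($useWuServer -eq 1) -and -not [string]::IsNullOrWhiteSpace($wuServer)

    if (-not $wsusInUse) {
        # Post's note: with no WSUS URL, all updates come from Windows Update by default.
        $verdict = 'WindowsUpdate'
        $reason  = 'No WSUS server configured; all updates come from Windows Update by default.'
    } elseif ($qualitySource -eq 0) {
        $verdict = 'WindowsUpdate'
        $reason  = 'Scan source policy for quality updates points at Windows Update.'
    } elseif ($qualitySource -eq 1) {
        $verdict = 'WSUS'
        $reason  = 'Scan source policy for quality updates points at WSUS; configure it for Windows Update.'
    } elseif (-not $isWin11 -and $dualScanOff -eq 1) {
        $verdict = 'WSUS'
        $reason  = 'Windows 10 with Disable Dual Scan enabled; set it to Not Configured or Disabled.'
    } else {
        # WSUS is present and no quality-update scan source is set: apply the post's
        # own test and confirm the device is actually receiving updates from Windows Update.
        $verdict = 'Verify'
        $reason  = 'WSUS configured and no quality-update scan source policy set; confirm updates arrive from Windows Update.'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSBuild            = $build
        IsWindows11        = $isWin11
        WsusServer         = $wuServer
        WsusInUse          = $wsusInUse
        DisableDualScan    = $dualScanOff
        QualityScanSource  = $qualitySource
        ExpediteReady      = ($verdict -eq 'WindowsUpdate')
        Verdict            = $verdict
        Reason             = $reason
    }
}

Get-QualityUpdateScanSource | Format-List
```

The ExpediteReady flag is only true when the device's policy unambiguously points quality-update scans at Windows Update; the Verify verdict is deliberately not treated as ready, because that is the case in which devices most often show the "Not connected to Windows Update" alert.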

How do I ensure that devices in my organization are Azure AD joined?

Alert | Description
Device Registration Invalid Azure AD Device ID | Device is not able to register or authenticate properly with the Deployment Service due to having an invalid Azure AD Device ID.

Leverage another API to help you assess whether the devices are Azure AD joined or not.


Additional alerts to explain why devices are not expedited

Alert | Description
Workplace joined devices not supported | Workplace joined devices are not supported.

Register your device to be Azure Active Directory joined or hybrid joined to update this device.
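For the two join-related alerts above, the tenant's device objects can be listed with their join type, and one device's local registration can be compared with its tenant record. The following PowerShell is an added example, not from the post; it assumes the Microsoft.Graph.Authentication module, an account with Device.Read.All, and the trustType values Graph uses on device objects (AzureAd, ServerAd, Workplace). The function names are this example's own.

```powershell
# Added example (not from the post): classify every device object in the tenant
# by join type, and read one device's local join state for comparison.

function Get-DeviceJoinEligibility {
    [CmdletBinding()]
    param()

    Connect-MgGraph -Scopes 'Device.Read.All' | Out-Null

    # Page through /devices; deviceId is the Azure AD Device ID the alert refers to.
    $uri = 'https://graph.microsoft.com/v1.0/devices?$select=displayName,deviceId,trustType,accountEnabled,approximateLastSignInDateTime'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($d in $page.value) {
            $joinType = switch ($d.trustType) {
                'AzureAd'   { 'Azure AD joined' }
                'ServerAd'  { 'Hybrid Azure AD joined' }
                'Workplace' { 'Workplace joined (Azure AD registered)' }
                default     { 'Unknown' }
            }
            [pscustomobject]@{
                DisplayName     = $d.displayName
                AzureAdDeviceId = $d.deviceId
                JoinType        = $joinType
                # Only joined and hybrid joined devices are supported for expedite.
                EligibleJoin    = $d.trustType -in @('AzureAd', 'ServerAd')
                Enabled         = $d.accountEnabled
                LastSignIn      = $d.approximateLastSignInDateTime
            }
        }
        $uri = $page.'@odata.nextLink'   # $null on the last page ends the loop
    }
}

# Local cross-check on one device: dsregcmd /status prints the join flags and the
# device ID, so a DeviceId that does not match any tenant record explains an
# "Invalid Azure AD Device ID" alert.
function Get-LocalJoinState {
    $text = dsregcmd /status | Out-String
    $grab = { param($key) if ($text -match "(?m)^\s*$key\s*:\s*(\S+)") { $Matches[1] } }
    [pscustomobject]@{
        AzureAdJoined   = & $grab 'AzureAdJoined'
        DomainJoined    = & $grab 'DomainJoined'
        WorkplaceJoined = & $grab 'WorkplaceJoined'
        DeviceId        = & $grab 'DeviceId'
    }
}

# Devices that will never be expedited because of their join type:
Get-DeviceJoinEligibility | Where-Object { -not $_.EligibleJoin } | Format-Table -AutoSize
```

Running Get-LocalJoinState on a device that shows the registration alert and checking its DeviceId against the AzureAdDeviceId column from the tenant list tells you whether the fix is a re-join (no matching record) or a join-type change (record exists but is Workplace).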

Alert | Description
In multiple Expedite profiles | A device should only be in one expedite policy at once. When a device is in more than one expedite policy with different settings, it can lead to potential conflicts that the service can't resolve automatically. As a result, the device will not be expedited.

Review the policies that the device is assigned to and remove the device from all but the desired policy. Otherwise, change the policy settings to match. This can be done by reviewing the policies created in Intune via Select Devices > Windows > Quality updates for Windows 10 and later.

Alert | Description
Past end of servicing (Applying latest update) | This device is on a Windows 10 or later build that is past the End of Servicing date. As a result, the specified update is not available for this device. This device does not have the latest update available for that build, so the latest update available is being expedited. This is a security measure to ensure that the device is as secure as possible.

Update the device to a supported version of Windows to ensure the highest security of the device and your organization.

Best practices

If you are not yet familiar with the Expedite feature of Windows quality updates in Intune, consider trying it out! Create and configure an Expedite policy in Microsoft Intune admin center.

If you select the August 2022 security updates for Windows in the policy, devices without the corresponding August quality update will get an expedited update. If a newer update is available, then that update gets installed on your device with all the added benefits of the intended update. To fully understand the behavior, please review Example of installing an expedited update.

To receive the best experience when expediting quality updates, we have these recommendations:

  • If you are using the expedite capability for the first time, then prior to reaching a zero-day vulnerability scenario, identify if your devices are eligible to receive expedited updates or not. If your devices are up to date and active, do a test run and expedite them to an older security update. For example, if your devices have the August security update, then you could test the expedite capability by using target release as June. The Summary and Device reports in Intune will notify you if there are devices that could not be expedited, along with reasons and mitigations. Note: We are exploring a future capability to test the expedite capability without having to create an expedite policy for a quality update.
  • Since the objective of expedited updates is to handle zero-day vulnerabilities, expedite to the latest security release.
  • Unless immediacy is absolutely required, we recommend setting the Days to Reboot to 1 or 2 days (see image below). This setting will avoid immediate forced reboot of devices and minimize disruption in work for the employees in your organization. It gives you 1 or 2 days to choose when to reboot the device, before the reboot requirement is enforced, possibly during working hours.

    Expedite settings in Microsoft Intune admin center. The options for the number of days to wait before forced reboot include 0, 1, and 2 days.

To be continued

In summary, most issues that might prevent you from enjoying the expedite capability arise from a set of prerequisites. Thankfully, our reporting tools are here to help!

While this feature is focused on security updates, we are additionally working on a future functionality to expedite non-security quality updates and will soon be releasing the capability through both Graph APIs and Intune. Keep an eye on the Windows IT Pro Blog for updates! For example, check out Expediting updates in the real world to learn how the expedite capability is used in general IT services, education, and banking, as well as ways to get informed and engaged.

To learn about how to use expedite capability, please review Expedite Windows quality updates and Deploy an expedited security update using the Windows Update for Business deployment service.


Continue the conversation. Find best practices. Visit the Windows Tech Community.
Stay informed. For the latest updates on new releases, tools, and resources, stay tuned to this blog and follow us @MSWindowsITPro on Twitter.

Updated Jul 14, 2023
Version 2.0
  • NickB
    Brass Contributor

    Why don't you guys set this up as a proactive remediation script inside Endpoint Manager / Intune like you have for update stale policies or restart C2R?
    Saves having to ID which devices don't have it, as well as creating a group to target them and deploy the fix, and helps you and us keep devices updated - win win

  • NickB, Expedite is meant to be used selectively by admins, when they have a good reason to fast track a security update, to address a zero-day vulnerability. Reading above, one of the best practices Surabhi_Calla mentions has to do with the grace period policy that controls the aggressiveness of the reboot experience that impacts end users.

    Having said that, what you are asking for is something we're already thinking about: how to help you proactively (hands free) achieve and remain compliant with security updates. Our deployment service (aka.ms/wufbds) plans to expand to approval and scheduling of security updates next year, so we'll have the ability to chain deployments with surgical automated expedite actions on those devices that don't reach the desired revision, should the admin choose to. Could we reach out to you for more feedback as we define the requirements for this scenario?

  • NickB
    Brass Contributor

    Nir_Froimovici I get that - I'm namely identifying that if the client is missing it would prevent use of the expedite feature and it really ought to have an 'autofix/self-healing' type solution.
    I've spotted a number of devices without the client for whatever reason but the majority of our estate has it.

    As for "surgical automated expedite actions": sounds good, will read up & thanks for the link

  • Mahamadali
    Copper Contributor

    I have devices with the error 'In Multiple Expedite Profiles' and I have removed them from the other expedite profile. How long will it take to get updated in the Expedite quality update report?