Get tips to help you troubleshoot issues you might experience while expediting quality updates in Microsoft Intune.

Take advantage of expedited quality updates in Intune and Windows Update for Business to address zero-day security vulnerabilities and fast-tracking installation of security updates. It works seamlessly if you are managing a mix of Windows 10 and 11 devices, ensuring quick deployment even in complex environments.

This feature is available to those enrolled in Windows Update for Business deployment service. Working closely with Intune users, we have invested in improving the experience by adding new and more intuitive alerts and notifications.

To help you get the very best out of the expedite capability, this blog explores:

\n
• Prerequisites for expedited updates
\n
• Monitoring and reporting
\n
• Common alerts and resolutions
\n
• Best practices
\n

Prerequisites for expediting updates

To expedite quality updates, make sure you meet the following requirements for eligibility, joining your devices to Azure Active Directory (Azure AD), connecting them to Windows Update services, and equipping your devices with necessary tools.

See the Common alerts and resolution section for how to make sure you meet these prerequisites!

Please refer to the full and current list of prerequisites to qualify for installing expedited quality updates. Most needs in troubleshooting arise from not fully meeting these prerequisites. Thankfully, this post is here to help you!

Monitor and report on expedited updates in Intune

Have you asked yourself where you can monitor and see any errors triggered for an expedite policy that you’ve created? After an expedite policy has been created, you can monitor the update status and view any errors using intuitive reports available in Intune: the summary report and the Windows expedited update failures report.

Access the summary report from Intune’s Reports > Windows updates. View the status of deployment by checking the Update Aggregated State column of the device-by-device portion of the report (see image below).

A summary report view of Windows expedited updates in Intune. The bottom portion lists device by device, with its respective identifiers, update aggregate state, and other details.

Review some important update states and substates that indicate successful progression of the policy below. For more information on all update states and substates, see the Update states section of Microsoft Intune documentation.

The Windows Expedited update failures report provides a view of all devices within a policy that have encountered an error. Access the Windows Expedited update failures report from Intune (Home > Devices > Monitor) to troubleshoot expedite deployments.

Windows expedited update failures in Intune show error devices, along with full details

Upon selecting the Alert message, you can view the details of each error and steps needed to remediate the error. The report also gives the capability to filter by a specific error type and see all impacted devices. About 57 alert types are included with detailed explanations and recommended remediation for each issue.

Common alerts and resolutions

If the devices are active and meet the eligibility criteria for expedited updates, then you shouldn’t encounter any issues while using the service. Devices are considered active when they are connected to the internet and are operational for more than 6 hours a month in total, with continuous activity of at least 1 hour.

Let’s review some common error messages you can find in our reporting and how to remediate them.

Why do I not see detailed status and alert information for my devices?

This issue is often related to the prerequisite of Windows health monitoring and will cause all your devices to only show the OfferReady status. Please make sure you have enabled the required Windows data processing settings in Intune. From Home, go to Devices > Windows 10 and later > Windows health monitoring.

Enable Health monitoring for Windows updates (see image below). For detailed guidance on how to do this, refer to Use Update Compliance reports for Windows Updates in Microsoft Intune.

Windows health monitoring configuration settings in Intune set Health monitoring to Enable. Scope allows to select items like Windows updates and Endpoint analytics.

The other possible reason for the devices to remain in this update substate is if they are not active or are experiencing issues while connecting to Windows Update.

How to check if tenant has the appropriate license required to use Windows Update for Business deployment service?

The easiest way to check if your tenant has the required license to use the service is to use Microsoft Graph.

\n
\n
• Go to Microsoft Graph Explorer and log in to your tenant.
\n
• Run the API https://graph.microsoft.com/v1.0/subscribedSkus?$select=servicePlans
\n
• Check the response to see if there is “WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE” as a service plan name. If yes, then your tenant meets the licensing eligibility criteria.
  
  Microsoft Graph API shows that your tenant meets the licensing eligibility criteria under Service Plan Name.
  
  
\n
\n

How can I verify if the Update Health Tools client is installed on my device(s)?

Another prerequisite is verifying that Update Health Tools are running on the device correctly:

\n
• Look for the installation files at this location: C:\\Program Files\\Microsoft Update Health Tools.
\n
• Check if the Microsoft Update Health service is running on the device (illustrated below).
  
  Microsoft Update Health Tools shows a list of services running on the device. Microsoft Update Health Service is highlighted.
  
  
\n
• As an admin, run the following PowerShell script:
  
  

  $Session = New-Object -ComObject Microsoft.Update.Session\n$Searcher = $Session.CreateUpdateSearcher()\n$historyCount = $Searcher.GetTotalHistoryCount()\n$list = $Searcher.QueryHistory(0, $historyCount) | Select-Object -Property “Title”\nforeach ($update in $list)\n{\nif ($update.Title.Contains(“4023057”))\n{\nreturn 1\n}\n}\nreturn 0\n

\n

Interpret the results as follows:

If it returns a 1, the device has UHS client. If it returns a 0, the device does not have UHS client. In this case, you can manually download and install Update Health Tools from the Microsoft Download Center.

How can I verify that my devices are configured to connect to Windows Update?

Windows Update must be configured as the scan source for quality updates.

Most common policies, if configured alternatively from the default settings, could lead to devices not scanning Windows Updates correctly.

If your devices are receiving regular updates from Windows Update, then your devices have the correct configurations. Learn more at Use Windows Update for Business and Windows Server Update Services (WSUS) together.

On Windows 10:

\n
• Configure scan source for quality updates from Windows Update.
\n
• Ensure Disable Dual Scan is Not Configured or is configured to Disabled.
\n

Note: If you don't have a WSUS URL configured, ALL updates will come by default from Windows Update without you needing to configure scan source.

On Windows 11:

\n
• Configure scan source for quality updates from Windows Update.
\n

Note: If no scan source policy is configured, ALL updates will come by default from Windows Update.

If using Microsoft Intune co-management, ensure the Windows Update for Business workload slider is set to Intune or Pilot with the desired devices.

How do I ensure that devices in my organization are Azure AD joined?

Leverage another API to help you assess whether the devices are Azure AD joined or not.

\n
• Go to Microsoft Graph Explorer and log in to your tenant.
\n
• Run the API https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/?$filter=isof(‘microsoft.graph.windowsUpdates.azureADDevice’).
\n
• Review all devices that are Azure AD joined in the returned list. Note: If a new device is added to the tenant, then it could take up to 24 hours to reflect in the response list
  
  Microsoft Graph API shows a list of three device IDs that are Azure AD joined.
\n

Additional alerts to explain why devices are not expedited

Register your device to be Azure Active Directory joined or hybrid joined to update this device.

Review the policies that the device is assigned to and remove the device from all but the desired policy. Otherwise, change the policy settings to match. This can be done by reviewing the policies created in Intune via Select Devices > Windows > Quality updates for Windows 10 and later.

Update the device to a supported version of Windows to ensure the highest security of the device and your organization.

Best practices

If you are not yet familiar with the Expedite feature of Windows quality updates in Intune, consider trying it out! Create and configure an Expedite policy in Microsoft Intune admin center.

If you select the August 2022 security updates for Windows in the policy, devices without the corresponding August quality update will get an expedited update. If a newer update is available, then that update gets installed on your device with all the added benefits of the intended update. To fully understand the behavior, please review Example of installing an expedited update.

To receive the best experience when expediting quality updates, we have these recommendations:

\n
• If you are using the expedite capability for the first time, then prior to reaching a zero-day vulnerability scenario, identify if your devices are eligible to receive expedited updates or not. If your devices are up to date and active, do a test run and expedite them to an older security update. For example, if your devices have the August security update, then you could test the expedite capability by using target release as June. The Summary and Device reports in Intune will notify you if there are devices that could not be expedited, along with reasons and mitigations. Note: We are exploring a future capability to test the expedite capability without having to create an expedite policy for a quality update.
\n
• Since the objective of expedited updates is to handle zero-day vulnerabilities, expedite to the latest security release.
\n
• Unless immediacy is absolutely required, we recommend setting the Days to Reboot to 1 or 2 days (see image below). This setting will avoid immediate forced reboot of devices and minimize disruption in work for the employees in your organization. It gives you 1 or 2 days to choose when to reboot the device, before the reboot requirement is enforced, possibly during working hours.
  
  Expedite settings in Microsoft Intune admin center. The options for the number of days to wait before forced reboot include 0, 1, and 2 days.
\n

To be continued

In summary, most issues that might prevent you from enjoying the expedite capability arise from a set of prerequisites. Thankfully, our reporting tools are here to help!

While this feature is focused on security updates, we are additionally working on a future functionality to expedite non-security quality updates and will soon be releasing the capability through both Graph APIs and Intune. Keep an eye on the Windows IT Pro Blog for updates! For example, check out Expediting updates in the real world to learn how the expedite capability is used in general IT services, education, and banking, as well as ways to get informed and engaged.

To learn about how to use expedite capability, please review Expedite Windows quality updates and Deploy an expedited security update using the Windows Update for Business deployment service.

Continue the conversation. Find best practices. Visit the Windows Tech Community.
Stay informed. For the latest updates on new releases, tools, and resources, stay tuned to this blog and follow us @MSWindowsITPro on Twitter.

Take advantage of expedited quality updates in Intune and Windows Update for Business to address zero-day security vulnerabilities and fast-tracking installation of security updates. It works seamlessly if you are managing a mix of Windows 10 and 11 devices, ensuring quick deployment even in complex environments.

This feature is available to those enrolled in Windows Update for Business deployment service. Working closely with Intune users, we have invested in improving the experience by adding new and more intuitive alerts and notifications.

To help you get the very best out of the expedite capability, this blog explores:

\n
• Prerequisites for expedited updates
\n
• Monitoring and reporting
\n
• Common alerts and resolutions
\n
• Best practices
\n

Prerequisites for expediting updates

To expedite quality updates, make sure you meet the following requirements for eligibility, joining your devices to Azure Active Directory (Azure AD), connecting them to Windows Update services, and equipping your devices with necessary tools.

See the Common alerts and resolution section for how to make sure you meet these prerequisites!

Please refer to the full and current list of prerequisites to qualify for installing expedited quality updates. Most needs in troubleshooting arise from not fully meeting these prerequisites. Thankfully, this post is here to help you!

Monitor and report on expedited updates in Intune

Have you asked yourself where you can monitor and see any errors triggered for an expedite policy that you’ve created? After an expedite policy has been created, you can monitor the update status and view any errors using intuitive reports available in Intune: the summary report and the Windows expedited update failures report.

Access the summary report from Intune’s Reports > Windows updates. View the status of deployment by checking the Update Aggregated State column of the device-by-device portion of the report (see image below).

A summary report view of Windows expedited updates in Intune. The bottom portion lists device by device, with its respective identifiers, update aggregate state, and other details.

Review some important update states and substates that indicate successful progression of the policy below. For more information on all update states and substates, see the Update states section of Microsoft Intune documentation.

The Windows Expedited update failures report provides a view of all devices within a policy that have encountered an error. Access the Windows Expedited update failures report from Intune (Home > Devices > Monitor) to troubleshoot expedite deployments.

Windows expedited update failures in Intune show error devices, along with full details

Upon selecting the Alert message, you can view the details of each error and steps needed to remediate the error. The report also gives the capability to filter by a specific error type and see all impacted devices. About 57 alert types are included with detailed explanations and recommended remediation for each issue.

Common alerts and resolutions

If the devices are active and meet the eligibility criteria for expedited updates, then you shouldn’t encounter any issues while using the service. Devices are considered active when they are connected to the internet and are operational for more than 6 hours a month in total, with continuous activity of at least 1 hour.

Let’s review some common error messages you can find in our reporting and how to remediate them.

Why do I not see detailed status and alert information for my devices?

This issue is often related to the prerequisite of Windows health monitoring and will cause all your devices to only show the OfferReady status. Please make sure you have enabled the required Windows data processing settings in Intune. From Home, go to Devices > Windows 10 and later > Windows health monitoring.

Enable Health monitoring for Windows updates (see image below). For detailed guidance on how to do this, refer to Use Update Compliance reports for Windows Updates in Microsoft Intune.

Windows health monitoring configuration settings in Intune set Health monitoring to Enable. Scope allows to select items like Windows updates and Endpoint analytics.

The other possible reason for the devices to remain in this update substate is if they are not active or are experiencing issues while connecting to Windows Update.

How to check if tenant has the appropriate license required to use Windows Update for Business deployment service?

The easiest way to check if your tenant has the required license to use the service is to use Microsoft Graph.

\n
\n
• Go to Microsoft Graph Explorer and log in to your tenant.
\n
• Run the API https://graph.microsoft.com/v1.0/subscribedSkus?$select=servicePlans
\n
• Check the response to see if there is “WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE” as a service plan name. If yes, then your tenant meets the licensing eligibility criteria.
  
  Microsoft Graph API shows that your tenant meets the licensing eligibility criteria under Service Plan Name.
  
  
\n
\n

How can I verify if the Update Health Tools client is installed on my device(s)?

Another prerequisite is verifying that Update Health Tools are running on the device correctly:

\n
• Look for the installation files at this location: C:\\Program Files\\Microsoft Update Health Tools.
\n
• Check if the Microsoft Update Health service is running on the device (illustrated below).
  
  Microsoft Update Health Tools shows a list of services running on the device. Microsoft Update Health Service is highlighted.
  
  
\n
• As an admin, run the following PowerShell script:
  
  $Session = New-Object -ComObject Microsoft.Update.Session\n$Searcher = $Session.CreateUpdateSearcher()\n$historyCount = $Searcher.GetTotalHistoryCount()\n$list = $Searcher.QueryHistory(0, $historyCount) | Select-Object -Property “Title”\nforeach ($update in $list)\n{\nif ($update.Title.Contains(“4023057”))\n{\nreturn 1\n}\n}\nreturn 0\n
\n

Interpret the results as follows:

If it returns a 1, the device has UHS client. If it returns a 0, the device does not have UHS client. In this case, you can manually download and install Update Health Tools from the Microsoft Download Center.

How can I verify that my devices are configured to connect to Windows Update?

Windows Update must be configured as the scan source for quality updates.

Most common policies, if configured alternatively from the default settings, could lead to devices not scanning Windows Updates correctly.

If your devices are receiving regular updates from Windows Update, then your devices have the correct configurations. Learn more at Use Windows Update for Business and Windows Server Update Services (WSUS) together.

On Windows 10:

\n
• Configure scan source for quality updates from Windows Update.
\n
• Ensure Disable Dual Scan is Not Configured or is configured to Disabled.
\n

Note: If you don't have a WSUS URL configured, ALL updates will come by default from Windows Update without you needing to configure scan source.

On Windows 11:

\n
• Configure scan source for quality updates from Windows Update.
\n

Note: If no scan source policy is configured, ALL updates will come by default from Windows Update.

If using Microsoft Intune co-management, ensure the Windows Update for Business workload slider is set to Intune or Pilot with the desired devices.

How do I ensure that devices in my organization are Azure AD joined?

Leverage another API to help you assess whether the devices are Azure AD joined or not.

\n
• Go to Microsoft Graph Explorer and log in to your tenant.
\n
• Run the API https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/?$filter=isof(‘microsoft.graph.windowsUpdates.azureADDevice’).
\n
• Review all devices that are Azure AD joined in the returned list. Note: If a new device is added to the tenant, then it could take up to 24 hours to reflect in the response list
  
  Microsoft Graph API shows a list of three device IDs that are Azure AD joined.
\n

Additional alerts to explain why devices are not expedited

Register your device to be Azure Active Directory joined or hybrid joined to update this device.

Review the policies that the device is assigned to and remove the device from all but the desired policy. Otherwise, change the policy settings to match. This can be done by reviewing the policies created in Intune via Select Devices > Windows > Quality updates for Windows 10 and later.

Update the device to a supported version of Windows to ensure the highest security of the device and your organization.

Best practices

If you are not yet familiar with the Expedite feature of Windows quality updates in Intune, consider trying it out! Create and configure an Expedite policy in Microsoft Intune admin center.

If you select the August 2022 security updates for Windows in the policy, devices without the corresponding August quality update will get an expedited update. If a newer update is available, then that update gets installed on your device with all the added benefits of the intended update. To fully understand the behavior, please review Example of installing an expedited update.

To receive the best experience when expediting quality updates, we have these recommendations:

\n
• If you are using the expedite capability for the first time, then prior to reaching a zero-day vulnerability scenario, identify if your devices are eligible to receive expedited updates or not. If your devices are up to date and active, do a test run and expedite them to an older security update. For example, if your devices have the August security update, then you could test the expedite capability by using target release as June. The Summary and Device reports in Intune will notify you if there are devices that could not be expedited, along with reasons and mitigations. Note: We are exploring a future capability to test the expedite capability without having to create an expedite policy for a quality update.
\n
• Since the objective of expedited updates is to handle zero-day vulnerabilities, expedite to the latest security release.
\n
• Unless immediacy is absolutely required, we recommend setting the Days to Reboot to 1 or 2 days (see image below). This setting will avoid immediate forced reboot of devices and minimize disruption in work for the employees in your organization. It gives you 1 or 2 days to choose when to reboot the device, before the reboot requirement is enforced, possibly during working hours.
  
  Expedite settings in Microsoft Intune admin center. The options for the number of days to wait before forced reboot include 0, 1, and 2 days.
\n

To be continued

In summary, most issues that might prevent you from enjoying the expedite capability arise from a set of prerequisites. Thankfully, our reporting tools are here to help!

While this feature is focused on security updates, we are additionally working on a future functionality to expedite non-security quality updates and will soon be releasing the capability through both Graph APIs and Intune. Keep an eye on the Windows IT Pro Blog for updates! For example, check out Expediting updates in the real world to learn how the expedite capability is used in general IT services, education, and banking, as well as ways to get informed and engaged.

To learn about how to use expedite capability, please review Expedite Windows quality updates and Deploy an expedited security update using the Windows Update for Business deployment service.

Continue the conversation. Find best practices. Visit the Windows Tech Community.
Stay informed. For the latest updates on new releases, tools, and resources, stay tuned to this blog and follow us @MSWindowsITPro on Twitter.

Get tips to help you troubleshoot issues you might experience while expediting quality updates in Microsoft Intune.

I have devices with error  'In Multiple Expedite Profiles' and i have removed them from the other expedite profile, how long it will take to get updated in Expedite quality update report

Nir_Froimovici I get that - I'm namely identifying that if the client is missing it would prevent use of the expedite feature and it really ought to have an 'autofix/self-healing' type solution.
I've spotted a number of devces without the client for whatever reason but the majority of our estate has it.

as for \"surgical automated expedite actions\"; sounds good, will read up & thanks for the link

NickB , Expedite is meant to be used selectively by admins, when they have a good reason to fast track a security update, to address a zero-day vulnerability. Reading above, one of the best practices Surabhi_Calla mentions has to do with the grace period policy that controls the aggressiveness of the reboot experience that impacts end users. 

Having said that, what you are asking for is something we're already thinking about: how to help you proactively (hands free) achieve and remain compliant with security updates. Our deployment service (aka.ms/wufbds) plans to expand to approval and scheduling of security updates next year, so we'll have the ability to chain deployments with surgical automated expedite actions on those devices that don't reach the desired revision, should the admin choose to. Could we reach out to you for more feedback as we define the requirements for this scenario? 

Why dont you guys set this up as a proactive remediation script inside endpoint manager / intune like you have for update stale policies or restart C2R?
saves having to id which devices dont have it as well as creating a group to target them and deploy the fix and helps you and us keep devices updated - win win