Take advantage of expedited quality updates in Intune and Windows Update for Business to address zero-day security vulnerabilities by fast-tracking the installation of security updates. It works seamlessly if you are managing a mix of Windows 10 and Windows 11 devices, ensuring quick deployment even in complex environments.
This feature is available to those enrolled in Windows Update for Business deployment service. Working closely with Intune users, we have invested in improving the experience by adding new and more intuitive alerts and notifications.
To help you get the very best out of the expedite capability, this blog explores:
To expedite quality updates, make sure you meet the following eligibility requirements: licensing, joining your devices to Azure Active Directory (Azure AD), connecting them to the Windows Update service, and equipping your devices with the necessary client tools.
See the Common alerts and resolutions section for how to confirm that you meet these prerequisites!
Prerequisite category | Description
Licensing |
Azure Active Directory (Azure AD) | Note: Workplace joined devices are not supported for expedited updates. For details, see What is an Azure AD joined device?
Windows Update services |
Update Health Tools Client | Note: If the devices are configured to scan the Windows Update service, then the client should be installed on the device automatically.
Recommended: Client/device data processing in Intune |
Please refer to the full and current list of prerequisites to qualify for installing expedited quality updates. Most troubleshooting needs arise from not fully meeting these prerequisites. Thankfully, this post is here to help you!
Have you asked yourself where you can monitor and see any errors triggered for an expedite policy that you’ve created? After an expedite policy has been created, you can monitor the update status and view any errors using intuitive reports available in Intune: the summary report and the Windows expedited update failures report.
Access the summary report from Intune’s Reports > Windows updates. View the status of deployment by checking the Update Aggregated State column of the device-by-device portion of the report (see image below).
Review some important update states and substates that indicate successful progression of the policy below. For more information on all update states and substates, see the Update states section of Microsoft Intune documentation.
Update state | Update substate | Workflow state
Pending | Validation | Device has been added to the expedited update policy and is being validated. Note: Devices that do not meet the prerequisites will show this state. Resolve this by checking the Common alerts and resolutions tips below.
Pending | Scheduled | Device has passed validation and will be expedited soon.
Offering | OfferReady | The expedite instructions are ready for the device. The next time the expedite client on the device scans for updates, they will be offered to the device.
Installed | UpdateInstalled | Device has received the update successfully.
Needs Attention | Needs Attention | Device has encountered an error. Check the Windows Expedited update failures report in Intune, as shown next.
The Windows Expedited update failures report provides a view of all devices within a policy that have encountered an error. Access the Windows Expedited update failures report from Intune (Home > Devices > Monitor) to troubleshoot expedite deployments.
Upon selecting the Alert message, you can view the details of each error and steps needed to remediate the error. The report also gives the capability to filter by a specific error type and see all impacted devices. About 57 alert types are included with detailed explanations and recommended remediation for each issue.
If the devices are active and meet the eligibility criteria for expedited updates, then you shouldn’t encounter any issues while using the service. Devices are considered active when they are connected to the internet and are operational for more than 6 hours a month in total, with continuous activity of at least 1 hour.
Let’s review some common error messages you can find in our reporting and how to remediate them.
Alert | Description
Windows Health Monitoring not enabled | Windows Health Monitoring is not enabled for the Windows Update scope for this device. Update status from the device will not be available.
This issue is caused by the Windows health monitoring prerequisite not being met, and it will cause all of your devices to show only the OfferReady substate: the service has prepared the expedite instructions but never receives status back from the device. Make sure you have enabled the required Windows data processing settings in Intune. From Home, go to Devices > Windows 10 and later > Windows health monitoring.
Enable Health monitoring for Windows updates (see image below). For detailed guidance on how to do this, refer to Use Update Compliance reports for Windows Updates in Microsoft Intune.
The other possible reason for the devices to remain in this update substate is if they are not active or are experiencing issues while connecting to Windows Update.
Alert | Description
Missing E3 license (Not eligible to be updated) | This device does not meet the licensing requirements and is not able to be updated.
The easiest way to check whether your tenant has the required license to use the service is to query the tenant's subscribed SKUs and their service plans through Microsoft Graph.
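As an added example (not code from the original post), the following PowerShell script does that check with the Microsoft Graph PowerShell SDK: it lists the subscribed SKUs and flags the service plans that carry the Windows Update for Business deployment service. It assumes the Microsoft.Graph module is installed and that the signed-in account can read organization data; the service plan name pattern is an assumption and should be compared against the service plan reference for the SKUs in your tenant.

```powershell
# Added example: report which subscribed SKUs expose a service plan for the
# Windows Update for Business deployment service. Assumes the Microsoft.Graph
# PowerShell SDK (Connect-MgGraph, Get-MgSubscribedSku) is installed.
Connect-MgGraph -Scopes 'Organization.Read.All'

# Assumed substring of the service plan name; confirm against the licensing
# service plan reference for your tenant before relying on it.
$pattern = 'WINDOWSUPDATEFORBUSINESS'

$results = foreach ($sku in Get-MgSubscribedSku) {
    # Each SKU (for example a Windows or Microsoft 365 E3/E5 bundle) carries a
    # list of service plans; the deployment service is one of those plans.
    $plans = $sku.ServicePlans | Where-Object { $_.ServicePlanName -like "*$pattern*" }
    foreach ($plan in $plans) {
        [pscustomobject]@{
            SkuPartNumber      = $sku.SkuPartNumber
            ServicePlan        = $plan.ServicePlanName
            ProvisioningStatus = $plan.ProvisioningStatus   # 'Success' means the plan is live
            LicensesEnabled    = $sku.PrepaidUnits.Enabled
            LicensesConsumed   = $sku.ConsumedUnits
        }
    }
}

if (-not $results) {
    Write-Warning "No subscribed SKU exposes a service plan matching '$pattern'. Devices in this tenant will report 'Missing E3 license'."
} else {
    $results | Format-Table -AutoSize
}
```

A SKU whose matching plan shows a ProvisioningStatus other than Success, or whose LicensesConsumed is zero, is worth a second look: the plan exists in the tenant but may not be active or assigned.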
Alert | Description
Expedite client missing | The device does not have the expedite client needed to expedite.
Another prerequisite is that Update Health Tools is installed and running on the device. The following PowerShell script checks the local Windows Update history for KB4023057, the update that delivers Update Health Tools:
# Query the local Windows Update history through the Windows Update Agent COM API.
$Session = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$historyCount = $Searcher.GetTotalHistoryCount()
$list = $Searcher.QueryHistory(0, $historyCount) | Select-Object -Property "Title"
foreach ($update in $list)
{
    # A history entry whose title contains KB4023057 means the Update Health Tools package was installed.
    if ($update.Title -and $update.Title.Contains("4023057"))
    {
        return 1
    }
}
return 0
Interpret the results as follows:
If it returns 1, the device has the Update Health Tools (UHS) client. If it returns 0, the device does not have the UHS client. In this case, you can manually download and install Update Health Tools from the Microsoft Download Center.
Alert | Description
Not connected to Windows Update | This device is not connected to Windows Update and therefore cannot download the update.
Windows Update must be configured as the scan source for quality updates.
Common update policies that have been changed from their default settings (WSUS server, dual scan, and scan source policies in particular) can stop devices from scanning against Windows Update correctly.
If your devices are receiving regular updates from Windows Update, then your devices have the correct configurations. Learn more at Use Windows Update for Business and Windows Server Update Services (WSUS) together.
On Windows 10:
Note: If you don't have a WSUS URL configured, ALL updates will come by default from Windows Update without you needing to configure scan source.
On Windows 11:
Note: If no scan source policy is configured, ALL updates will come by default from Windows Update.
If you are using co-management with Configuration Manager, ensure the Windows Update policies workload slider is set to Intune, or to Pilot Intune with the desired devices in the pilot collection.
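As an added example (not code from the original post), the following PowerShell script reads the Windows Update policy values from a device's registry and reports whether quality updates will scan against Windows Update. It assumes the standard policy registry path under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the decoding of the values (in particular the Windows 11 scan source policy and the build-number check that separates Windows 10 from Windows 11) is my reading of the policies and should be confirmed against the Update policy CSP documentation for your builds.

```powershell
# Added example: decide whether quality updates on this device scan against
# Windows Update. Run in an elevated PowerShell prompt on the device.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    if (Test-Path $Path) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

$wsusServer   = Get-PolicyValue $wuPolicy 'WUServer'                                        # WSUS URL
$useWsus      = Get-PolicyValue $auPolicy 'UseWUServer'                                     # 1 = scan WSUS
$dualScanOff  = Get-PolicyValue $wuPolicy 'DisableDualScan'                                 # 1 = never scan WU when WSUS is set
$noInternetWU = Get-PolicyValue $wuPolicy 'DoNotConnectToWindowsUpdateInternetLocations'    # 1 = WU endpoints blocked
$qualitySrc   = Get-PolicyValue $wuPolicy 'SetPolicyDrivenUpdateSourceForQualityUpdates'    # scan source: 0 = WU, 1 = WSUS (assumed decoding)

# Assumption: build 22000 and later is Windows 11.
$isWin11 = [System.Environment]::OSVersion.Version.Build -ge 22000

$findings = @()
if ($noInternetWU -eq 1) {
    $findings += 'DoNotConnectToWindowsUpdateInternetLocations=1: the device is blocked from reaching Windows Update.'
}
if ($isWin11) {
    # Windows 11: with no scan source policy everything comes from Windows Update.
    if ($null -eq $qualitySrc) {
        if ($wsusServer -and $useWsus -eq 1) {
            $findings += "WSUS ($wsusServer) is configured and no scan source policy is set; confirm quality updates are not being served by WSUS."
        }
    } elseif ($qualitySrc -eq 1) {
        $findings += 'SetPolicyDrivenUpdateSourceForQualityUpdates=1: quality updates scan against WSUS, not Windows Update.'
    }
} else {
    # Windows 10: with no WSUS URL everything comes from Windows Update.
    if ($wsusServer -and $useWsus -eq 1) {
        if ($dualScanOff -eq 1) {
            $findings += "WSUS ($wsusServer) is configured and DisableDualScan=1: quality updates never scan against Windows Update."
        } else {
            $findings += "WSUS ($wsusServer) is configured; scanning Windows Update depends on dual scan, so verify updates actually arrive from Windows Update."
        }
    }
}

$os = if ($isWin11) { 'Windows 11' } else { 'Windows 10' }
if ($findings.Count -eq 0) {
    "OK: quality updates on this $os device scan against Windows Update."
} else {
    $findings | ForEach-Object { "CHECK: $_" }
}
```

The script only reads the policy registry; it does not change anything. A device that reports OK here but still shows the "Not connected to Windows Update" alert is usually blocked at the network layer (proxy or firewall in front of the Windows Update endpoints) rather than by policy.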
Alert | Description
Device Registration Invalid Azure AD Device ID | Device is not able to register or authenticate properly with the Deployment Service due to having an invalid Azure AD Device ID.
You can also use Microsoft Graph to look the device up by its Azure AD device ID and confirm that the device object exists and that the device is Azure AD joined or hybrid Azure AD joined rather than only registered.
Alert | Description
Workplace joined devices not supported | Workplace joined devices are not supported.
Join the device to Azure AD (Azure AD joined or hybrid Azure AD joined) to update this device; a workplace join (Azure AD registered) is not enough.
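As an added example (not code from the original post) covering both the invalid device ID and the workplace joined alerts above, the following PowerShell script classifies a device's join state in two independent ways: locally by parsing dsregcmd /status, and in the tenant by reading the device object's trustType from Microsoft Graph. The Graph part assumes the Microsoft.Graph PowerShell SDK and an Azure AD device ID that you supply; the mapping of trustType values to join types is stated as my understanding of the Graph device resource.

```powershell
# Added example: classify Azure AD join state locally and in the tenant.

function Get-LocalJoinState {
    # dsregcmd prints "Key : Value" lines; pull the three that matter.
    $status = dsregcmd /status
    function Read-Field([string]$key) {
        $line = $status | Where-Object { $_ -match "^\s*$key\s*:" } | Select-Object -First 1
        if ($line -and $line -match ':\s*(\S+)') { $Matches[1] }
    }
    $azureAd   = Read-Field 'AzureAdJoined'
    $domain    = Read-Field 'DomainJoined'
    $workplace = Read-Field 'WorkplaceJoined'

    if ($azureAd -eq 'YES' -and $domain -eq 'YES') { 'Hybrid Azure AD joined (supported for expedite)' }
    elseif ($azureAd -eq 'YES')                    { 'Azure AD joined (supported for expedite)' }
    elseif ($workplace -eq 'YES')                  { 'Workplace joined / Azure AD registered (NOT supported for expedite)' }
    else                                           { 'Not joined to Azure AD (NOT supported for expedite)' }
}

function Get-TenantJoinState {
    # $AzureAdDeviceId is the device's Azure AD device ID (GUID), supplied by you.
    param([Parameter(Mandatory)][string]$AzureAdDeviceId)

    Connect-MgGraph -Scopes 'Device.Read.All'
    $device = Get-MgDevice -Filter "deviceId eq '$AzureAdDeviceId'"
    if (-not $device) {
        # No device object at all: this is the "Invalid Azure AD Device ID" case.
        return "No Azure AD device object found for deviceId $AzureAdDeviceId; the device registration is invalid."
    }
    # Assumed trustType mapping: AzureAd = joined, ServerAd = hybrid joined, Workplace = registered only.
    switch ($device.TrustType) {
        'AzureAd'   { 'Azure AD joined (supported for expedite)' }
        'ServerAd'  { 'Hybrid Azure AD joined (supported for expedite)' }
        'Workplace' { 'Azure AD registered (NOT supported for expedite)' }
        default     { "Unrecognized trustType '$($device.TrustType)'; check the device object manually." }
    }
}

# Local check (run on the device itself):
Get-LocalJoinState
# Tenant check (run from any admin workstation; replace the GUID):
# Get-TenantJoinState -AzureAdDeviceId '00000000-0000-0000-0000-000000000000'
```

Running both is useful when the two disagree: a device that says Azure AD joined locally but has no object in the tenant has usually been deleted from Azure AD and needs to be re-joined, which also regenerates the device ID the Deployment Service authenticates with.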
Alert | Description
In multiple Expedite profiles | A device should only be in one expedite policy at once. When a device is in more than one expedite policy with different settings, it can lead to conflicts that the service can't resolve automatically. As a result, the device will not be expedited.
Review the policies that the device is assigned to and remove the device from all but the desired policy; alternatively, change the policy settings so that they match. You can review the policies created in Intune under Devices > Windows > Quality updates for Windows 10 and later.
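As an added example (not code from the original post), the following PowerShell script finds every expedite profile whose group assignment reaches a given device, so that a device in more than one profile can be identified without clicking through each policy. It assumes the Microsoft.Graph PowerShell SDK; the beta endpoint for quality update profiles, the shape of its assignments, and the expeditedUpdateSettings property are assumptions to confirm against the current Graph reference before use.

```powershell
# Added example: list the expedite profiles assigned to groups that contain a device.

function Get-ExpediteProfilesForDevice {
    # $AzureAdDeviceId is the device's Azure AD device ID (GUID), supplied by you.
    param([Parameter(Mandatory)][string]$AzureAdDeviceId)

    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'Device.Read.All', 'GroupMember.Read.All'

    # Resolve the device object, then the ids of the groups it belongs to.
    $device = Get-MgDevice -Filter "deviceId eq '$AzureAdDeviceId'"
    if (-not $device) { throw "No Azure AD device with deviceId $AzureAdDeviceId" }
    $groupIds = @(Get-MgDeviceMemberOf -DeviceId $device.Id | ForEach-Object { $_.Id })

    # Fetch all expedite profiles with their assignments, following paging.
    # Assumed beta endpoint and $expand support.
    $uri = 'https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdateProfiles?$expand=assignments'
    $profiles = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $profiles += $page.value
        $uri = $page.'@odata.nextLink'
    }

    $found = foreach ($p in $profiles) {
        foreach ($a in $p.assignments) {
            # Assumed assignment shape: target.groupId for an include assignment.
            # Exclusion targets are not evaluated here; review those manually.
            $targetGroup = $a.target.groupId
            if ($targetGroup -and ($groupIds -contains $targetGroup)) {
                [pscustomobject]@{
                    ProfileName   = $p.displayName
                    ProfileId     = $p.id
                    AssignedGroup = $targetGroup
                    ExpeditedKb   = $p.expeditedUpdateSettings.qualityUpdateRelease   # assumed property name
                }
            }
        }
    }

    $found = @($found)
    if ($found.Count -gt 1) {
        Write-Warning "Device $AzureAdDeviceId is reached by $($found.Count) expedite profiles; remove it from all but one."
    }
    $found
}

# Usage (replace the GUID with the device's Azure AD device ID):
# Get-ExpediteProfilesForDevice -AzureAdDeviceId '00000000-0000-0000-0000-000000000000' | Format-Table -AutoSize
```

Two rows with the same ProfileName are harmless (one profile assigned through two groups the device is in); two rows with different ProfileName values are the conflict the alert describes.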
Alert | Description
Past end of servicing (Applying latest update) | This device is on a Windows 10 or later build that is past its End of Servicing date. As a result, the specified update is not available for this device. Because the device does not have the latest update available for that build, that latest available update is being expedited instead. This is a security measure to ensure that the device is as secure as possible.
Update the device to a supported version of Windows to ensure the highest security of the device and your organization.
If you are not yet familiar with the Expedite feature of Windows quality updates in Intune, consider trying it out! Create and configure an Expedite policy in Microsoft Intune admin center.
If you select the August 2022 security updates for Windows in the policy, devices without the corresponding August quality update will get an expedited update. If a newer update is available, then that update gets installed on your device with all the added benefits of the intended update. To fully understand the behavior, please review Example of installing an expedited update.
To receive the best experience when expediting quality updates, we have these recommendations:
In summary, most issues that might prevent you from enjoying the expedite capability arise from unmet prerequisites. Thankfully, our reporting tools are here to help!
While this feature is focused on security updates, we are also working on future functionality to expedite non-security quality updates and will soon be releasing that capability through both Graph APIs and Intune. Keep an eye on the Windows IT Pro Blog for updates! In the meantime, check out Expediting updates in the real world to learn how the expedite capability is used in general IT services, education, and banking, as well as ways to get informed and engaged.
To learn about how to use expedite capability, please review Expedite Windows quality updates and Deploy an expedited security update using the Windows Update for Business deployment service.
Continue the conversation. Find best practices. Visit the Windows Tech Community.
Stay informed. For the latest updates on new releases, tools, and resources, stay tuned to this blog and follow us @MSWindowsITPro on Twitter.