As we work through the Public Preview of expedited updates in Microsoft Endpoint Manager, we wanted to share troubleshooting tips based on the feedback we've received to date.
We are continuing to build and enhance the expedited update capabilities currently available in public preview. We investigate issues and feedback. We update documentation. We make improvements. For those eager to utilize this feature, but who may be experiencing issues, we wanted to share some information to help efficiently troubleshoot your devices independently. Most of the tips included in this post are based on the assumption that you are using Microsoft Intune to create and manage an expedited update policy, if you are using the expedited updates feature through the Microsoft Graph APIs or PowerShell, most of the steps remain the same, but you'll be able to see reporting in Update Compliance if you are a current Update Compliance customer.
The two most common errors we've seen are related to not meeting the prerequisites or not having diagnostic data turned on. Our reporting and logs don't currently distinguish between some causes; however, we have heard this feedback and are working on reporting improvements for these cases.
Issue |
Error in Intune |
Error in client logs (see advanced troubleshooting techniques) |
The licensing for your tenant must include the expedited updates feature, which means that you need one of the following: Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5) Windows 10 Virtual Desktop Access (VDA) per user Microsoft 365 Business Premium See prerequisites for more detail. |
Not Registered |
UpdateHealthToolsServiceBlockedByNoDSSJoin |
Windows Update must be configured as the scan source for quality updates You must be enrolled in Intune MDM or utilizing co-management with the Windows Update policies workload set to Intune or Pilot Intune. |
Not Registered |
UpdateHealthToolsServiceBlockedByNoDSSJoin |
The system must be Azure AD joined or Hybrid Azure AD joined. Workplace Join machines are not supported. |
Not Registered |
UpdateHealthToolsServiceBlockedByNoDSSJoin |
Update Health Tools (KB4023057 and its successors) are installed. See below on how to check for this. |
Not Registered |
Client isn't installed, so there are no client logs to look at. See the section below about how to check whether the client is installed. |
You much turn on Windows Health Monitoring to see reporting. See below for instructions. |
Won't see Update State and Substate in the Intune reports. |
Client logs will look normal, but won't upload the client telemetry to Intune, so the client data won't show up in the reports. |
Here is a subset of Update States within the expedited updates workflow as the policy progresses, with a focus on what you'll see in the common error cases noted above. For more information, see the Update states section of the documentation on Expedite Windows 10 quality updates in Microsoft Intune.
Update State |
Update Substate |
Comments |
Pending |
Validation |
The device has been added to the expedited updates policy and is being validated. Note: You might see devices stuck in this state if any of the prerequisites mentioned above are not met. So please double-check the requirements. |
Pending |
Scheduled |
The device has passed validation and will be expedited soon. |
Offering |
OfferReady |
The expedite instructions have been sent to the device. Device should start scan of Windows Update shortly. |
Installed |
UpdateInstalled |
Update has successfully been expedited. This is the final state in the workflow. |
If you meet the prerequisites, one other possibility for a Not Registered error is that the Update Health Tools client is not running on the device.
Normally, these are installed automatically when the device is eligible, so no action is required. This client is deployed through Windows Update as a small, separate KB. However, if the device isn't receiving quality updates from Windows Update (or it just switched it over recently to scan Windows Update), it may not have the client. Also, if your device isn't regularly receiving quality updates, whatever is causing that (for example, low disk space or not enough time active and connected to the internet) may have also prevented the device from installing the Update Health Tools.
If you currently don't have the client installed, you can then try forcing a normal Windows Update scan on an example device to see if there are any problems. Alternatively, you can manually download and install Update Health Tools from the Microsoft Download Center.
To verify that Update Health Tools are running on the device correctly:
The client saves useful information about the execution of that policy at that location.
Make sure the Windows Health Monitoring policy is enabled in Intune. Windows Health Monitoring is an important prerequisite for Windows diagnostic data events to flow through and show in Intune. Without it being set, you will get status from the cloud service, but not client status. If there are existing policies, make sure that Windows Health Monitoring is enabled and targeted to the Intune group being used to create the expediated update policy.
For detailed documentation explaining the steps, see Create a Windows Health Monitoring profile in Microsoft Intune .
Here is a summary:
This is advanced troubleshooting for what's happening to a particular client. Should you require use of these steps to determine what is happening, and it is not one of the common errors above, please let us know because we'd like to improve future reporting.
The ETL files for Microsoft Update Health Tools are in the following folder:
C:\Program Files\Microsoft Update Health Tools\Logs (reference your device program files folder using %ProgramFiles% if your system drive is not C:)
In order to read the ETL files, you can use the Microsoft application Perfview.
We'd love to hear your feedback on how expedited updates are working for you, including challenges and opportunities. Should you find an issue that you'd like us to investigate, or if you encounter any of the issues documented here, please reach out directly to our team at askwufb@microsoft.com. Please include your tenant ID, your policy ID, and the Azure AD IDs of any devices you'd like us to look at.
Microsoft formal customer support channels also work, but we welcome your emails during this public preview period if you'd like to discuss your ideas with us directly.
If more troubleshooting is required on a specific client, one of the best ways is to submit feedback using the Feedback Hub. If you're on a commercial device, you may have to install Feedback Hub from the Microsoft Store if it's not already present on the device. Once you have feedback hub installed, navigate to: Start > Feedback Hub > Report a problem and select category for Downloading, installing, and configuring Windows Updates.
In the summary text, please use the word “Expedite” along with a few words about what is going wrong. This makes it easier and faster to get the issue to the right part of the team. For example, you could type “Expedite: Device not registered even though it has the Update Health Tools running” and provide some basic information about your issues.
After you submit your feedback, you will see a Share my feedback link. If you are also contacting Microsoft Support or sending us an email about the same issue, please select that option so that you can copy and include a link to your Feedback Hub entry in your communications.
To learn more about expediting updates, please see Expedite Windows 10 quality updates in Microsoft Intune. While the documentation for Use Update Compliance reports for Windows Updates in Microsoft Intune doesn't specifically discuss expedited updates, much of the information around Windows 10 feature updates reporting applies to this scenario. For example, there is good information concerning data latency from cloud service components and client components.
Thank you for trying our feature – we're really excited about this feature and your feedback during this Public Preview is critical to making it even better!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.