Expedite built from Windows Update for Business (WUfB)
I first want to provide some background to this blog topic. If you're familiar with the Windows Update for Business (WUfB) service you'll know this is the main channel for updating your Windows 10 or later devices with the latest security defenses, bug fixes and Windows features. Once you switch the workloads from Configuration Manager to WUfB, your devices can be updated with policies defined through cloud-based management using Intune. There are four key management policies provided by WUfB:
- Feature Updates
- Quality Updates
- Driver Updates
- Microsoft product updates
Microsoft have continuously updated the capability of WUfB, and in this post I will concentrate on the changes introduced with Quality updates using the Expedite option. Quality updates are traditionally released on the second Tuesday of each month and include security, critical and driver updates. Windows Update for Business also treats non-Windows updates (such as updates for Microsoft Office or Visual Studio) as quality updates. These non-Windows updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates.
So what is Expedite for Quality updates?
Expedite for quality updates was introduced to quickly maintain the productivity of devices. Originally released in May 2021, this option is still in preview at the time of writing, so please be aware of this when deploying on your production platform.
PLEASE NOTE: It's important to know also that Expedite only includes security updates right now, but I could see this being expanded in the future.
The main power behind Expedite comes from its ability to deploy and install the most recent Windows 10/11 security updates as quickly as possible on the devices you manage with Microsoft Intune. Deployment of expedited updates is done without the need to pause or edit your existing monthly servicing policies. For example, you might expedite a specific update to mitigate a recent security threat, especially when your normal scheduled update isn't due to deploy that update for some time.
The regular way to manage updates is through an update ring for Windows 10 and later defined within MEM. Expedite should ideally be used for special cases and is not the recommended approach for your normal monthly quality updates. It makes use of available services like WNS and push notification channels to make devices aware that an expedited update can be installed. The notification then allows the device to act by first downloading and then installing the update as soon as possible, meaning there is no need to wait for the device's next scheduled check-in for updates. Be aware that there could still be a delay, which will depend on the time taken for the device to carry out a scan and relies on the device being online and having open communication channels.
From personal experience, I found while working through the configuration for Expedite that the policy setup is the simple step. The real time needed to ensure a successful deployment comes in understanding the prerequisites, making sure they are in place and checking them through.
Prerequisites
It's worth noting that there are some fairly strict requirements needed to qualify for installing expedited quality updates using Intune, which are:
Intune Licensing and one of the below:
- Windows 10/11 Enterprise E3 or E5
- Windows 10/11 Education A3 or A5
- Windows 10/11 Virtual Desktop Access (VDA) per user
- Microsoft 365 Business Premium
Supported Windows 10/11 versions:
Windows 10/11 versions that remain in support for servicing, on x86 or x64 architecture. Only update builds that are generally available are supported. Preview builds, including the Beta and Dev channels, are not supported with expedited updates.
Expedite is supported on Windows 10/11 Professional, Enterprise, Pro Education and Education editions.
Devices must be:
- Enrolled in Intune / Co-managed
- Azure AD Joined or Hybrid Azure AD Joined
Devices have access / Enabled for:
- Windows Update
- Windows Update for Business – DS
- Windows push notification services
- Be configured to receive quality updates from Windows Update services using an update ring
- Have the Update Health Tools installed
(See more detail on the Microsoft web page: https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-expedite-updates#prerequisites)
Stages to Deployment
- Check through and verify the pre-requisites
- Select a single update to deploy for each expedite update policy
- Applicable devices are notified of the update
- The device scans to evaluate its build and architecture and is assigned the appropriate update version
- Updates only proceed for those devices that need the update
- Existing quality update deferral periods are ignored and overridden (in some cases a later update will still take place)
- Expedite policy will manage the device restart
Device Settings: To help avoid conflicts or configurations that can block installation of expedited updates, configure devices with the suggested settings as per the Microsoft website (https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-expedite-updates#prerequisites). These are configured using Intune Update rings for Windows 10 and later policies.
PLEASE NOTE: Group Policy settings will override MDM policies, and the following Group Policy settings can interfere with Expedite policies. The Microsoft recommended approach for devices in this state is to restore them to their device defaults (Not configured):
- CorpWuURL – Specify intranet Microsoft update service location.
- AutoUpdateCfg – Configure Automatic Updates.
- DeferFeatureUpdates – Select when Preview Builds and Feature Updates are received.
- Disable Dual Scan – Don’t allow update deferral policies to cause scans against Windows Update
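To check a device for these conflicting Group Policy settings and for the Update Health Tools prerequisite before assigning it to an Expedite policy, here is a read-only PowerShell script I have added (it is not from the Microsoft documentation). It maps each Group Policy name above to the registry value that policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; those value names are the standard backing values for the policies, and the "Microsoft Update Health Tools" display name is assumed to be how the tools appear in the installed programs list.

```powershell
# Added example (not from the original post): read-only check of the Windows Update
# Group Policy values and Update Health Tools presence that the Expedite prerequisites
# call out. Run elevated on the device; nothing here changes any setting.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # value absent = "Not configured", which is what Expedite wants
}

# Map each Group Policy listed in the post to the registry value it writes.
$checks = @(
    @{ Policy = 'CorpWuURL (intranet update service location)'; Path = $wuPolicy; Name = 'WUServer' }
    @{ Policy = 'AutoUpdateCfg (Configure Automatic Updates)';   Path = $auPolicy; Name = 'NoAutoUpdate' }
    @{ Policy = 'AutoUpdateCfg (Configure Automatic Updates)';   Path = $auPolicy; Name = 'AUOptions' }
    @{ Policy = 'DeferFeatureUpdates';                           Path = $wuPolicy; Name = 'DeferFeatureUpdates' }
    @{ Policy = 'Disable Dual Scan';                             Path = $wuPolicy; Name = 'DisableDualScan' }
)

$findings = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Policy   = $c.Policy
        Value    = $c.Name
        Current  = if ($null -eq $value) { 'Not configured' } else { $value }
        Conflict = ($null -ne $value)   # any configured value can interfere with Expedite
    }
}
$findings | Format-Table -AutoSize

# Update Health Tools is listed as an installed program; look it up in the Uninstall keys.
# The display name match is an assumption about how the package registers itself.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$healthTools = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Update Health Tools*' }
if ($healthTools) {
    "Update Health Tools installed: version $($healthTools[0].DisplayVersion)"
} else {
    'Update Health Tools NOT found - device will not qualify for expedited updates'
}
```

Any row reporting Conflict = True is a setting to return to Not configured (or remove from the GPO) before expecting the Expedite policy to take effect on that device.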
Phew, with these considerations addressed you can start configuring for deployment within Intune, so let's get started…
The first thing we will do is check that a Windows Update for Business update ring exists for the devices we want to expedite to. Selecting the settings highlighted will help avoid any conflicts or update blocks.
Before we actually set up and deploy a Quality update we need to ensure the devices concerned have been set up for Windows Health monitoring. Windows Health monitoring collects event data, provides recommendations for improving performance and, where necessary, can fix common support issues. While Microsoft specify this should be set up in order to enable the monitoring and reporting of the devices, I performed this step before deploying the Quality update to ensure the devices were already set up to transmit the telemetry data. Obviously, depending on the urgency, you can configure this after deploying the Expedite quality update.
MEM Home > Devices > Configuration profiles > Create profile > Windows 10 and later > Templates > Windows Health monitoring
Once created, make sure that you select the 'Windows Updates' scope. Then move on to configuring a new Quality update policy.
MEM Home > Devices > Quality updates for Windows 10 and later (preview)
As highlighted this configuration option is still in preview at the time of writing. Complete the fields as required:
Name: Name of your policy
Description: Add a description which meets your policy creation standards
Expedite installation of quality updates if device OS version less than: Within the drop-down box select the version you want to expedite. It is recommended to use the latest option where possible.
Number of days to wait before restart is enforced: For this setting, select how soon after installing the update a device will automatically restart to complete the update installation. A restart will only occur where the specific update requires one.
Complete the group assignment, review and create the policy.
End User / Admin Experience
So to set the scene with the scenario I'm testing here, these are the details of my personal test. I used a Windows virtual machine which hadn't been turned on for a little while and was therefore in need of a check-in with Intune. In some ways this is a good check as there would be a few updates to apply and I can see where and when the Quality update kicks in. This was my starting point for my virtual machine:
You can see the device was enrolled and managed by Intune below, albeit it was non-compliant. We won't worry about this for now though.
I can also see that the Microsoft Update Health Tools had already been deployed to it. Check out:
MEM Home > Devices > Windows > Select the device > Discovered Apps
And by checking the assigned licenses for the end user account I'm testing with, I see Megan has a Windows and Intune license.
MEM Home > Users > Megan Bowen > Licenses
The device I log on to my VM with has been assigned to the Expedite device group, so now I just wait and monitor the progress. I initially see that the device is checking for updates and goes through some updates, which seem to be those prior to the expedited update I have assigned.
Upon completion Windows has updated, so at this point I still haven't seen my expedited update come through, which, if I'm honest, surprised me.
But after about 15 minutes I can see that the Quality update I expedited is now being registered. When researching this topic I did see from other blog posts that the initial communication necessary to allow quality updates can take a little time, so I'm not concerned about this, but it is worth noting when doing this for yourself.
I see the update come through in two ways. Firstly, on the device I am notified that KB5016616 needs to be installed and I have 1 day to restart the device. If you remember, above I set the restart to 1 day and not 0 or 2 days.
When I check the Intune reports for the quality update I also see that progress is being made. Navigate to:
MEM Home > Reports > Windows Updates (preview) > Refresh the Windows Expedited Quality updates
You will see the report below shows the update is in progress and is offering this to my device.
There are a number of states the update can go through which may be reported back, but you will have to watch these closely to notice the changes. These include:
Report states above taken from the Microsoft website: docs.microsoft.com/en-us/mem/intune/protect/windows-10-expedite-updates#update-states. At the top of the same Intune page select 'Reports' then 'Windows 10 and later Expedited updates' and you will see something like the report below.
At this point I need to restart my machine and allow the update to be installed, and the results are below. Windows shows as being updated and the device is up to date. As I picked the latest update there are no other updates to discover and apply.
On the machine I can also check through the update history to confirm the update I added to the Expedite quality update policy.
To finish up, if you look back on the Intune portal within Reports you should see the updates. Now, to be honest, this wasn't immediate as you might expect, but the important thing is the update is installed.
Thanks for reading through the post, and obviously reach out to me if there are any questions and I will attempt to answer them in the best way I can.