Use Intune to expedite Windows quality updates (2023)

With Quality updates for Windows 10 and Later policy, you can expedite the install of the most recent Windows 10/11 security updates as quickly as possible on devices you manage with Microsoft Intune. Deployment of expedited updates is done without the need to pause or edit your existing monthly servicing policies. For example, you might expedite a specific update to mitigate a security threat when your normal update process wouldn’t deploy the update for some time.

Not all updates can be expedited. Currently, only Windows 10/11 security updates that can be expedited are available to deploy with Quality updates policy. To manage regular monthly quality updates, use Update rings for Windows 10 and later policies.

How expedited updates work

With expedited updates, you can speed installation of quality updates like the most recent patch Tuesday release or an out-of-band security update for a zero-day flaw.

To speed installation, expedite updates uses available services, like WNS and push notification channels, to deliver the message to devices that there's an expedited update to install. This process enables devices to start the download and install of an expedited update as soon as possible, without having to wait for the device to check in for updates.

The actual time that a device starts to update depends on the device being online, its scan timing, whether communication channels to the device are functioning, and other factors like cloud-processing time.

  • For each expedite update policy you select a single update to deploy based on its release date. By using the release date, you don’t have to create separate policies to deploy different instances of that update to devices that have different versions of Windows, like Windows 10 version 1809, 1909, and so on.

  • Windows Update evaluates the build and architecture of each device, and then delivers the version of the update that applies.

  • Only devices that need the update receive the expedited update:

    • Windows Update doesn’t try to expedite the update for devices that already have a revision that’s equal to or greater than the update version.
    • For devices with a lower build version than the update, Windows Update confirms that the device still requires the update before installing it.

    Important

    In some scenarios, Windows Update can install an update that is more recent than the update you specify in expedite update policy. For more information about this scenario, see About installing the latest applicable update, later in this article.

  • Expedite update policies ignore and override any quality update deferral periods for the update version you deploy. You can configure quality updates deferrals by using Intune Windows update rings and the setting for Quality update deferral period.

  • When a restart is required to complete installation of the update, the policy helps to manage the restart. In the policy, you can configure a period that users have to restart a device before the policy forces an automatic restart. Users can also choose to schedule the restart or let the device try to find the best time outside of the device's Active Hours. Before reaching the restart deadline, the device displays notifications to alert device users about the deadline and includes options to schedule the restart.

    If a device doesn’t restart before the deadline, the restart can happen in the middle of the working day. For more information on restart behavior, see Enforcing compliance deadlines for updates.

  • Expedite is not recommended for normal monthly quality update servicing. Instead, consider using the deadline settings from an Update ring for Windows 10 and later policy. For information, see Use deadline settings under the user experience settings in Windows update settings.

Prerequisites

Important

This feature is not supported on GCC and GCC High/DoD cloud environments.

The following are requirements to qualify for installing expedited quality updates with Intune:

Licensing:

In addition to a license for Intune, your organization must have one of the following subscriptions that include a license for Windows Update for Business deployment service:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium

Beginning in November of 2022, the Windows Update for Business deployment service (WUfB DS) license will be checked and enforced.

If you’re blocked when creating new policies for capabilities that require WUfB DS and you get your licenses to use WUfB through an Enterprise Agreement (EA), contact the source of your licenses, such as your Microsoft account team or the partner who sold you the licenses. The account team or partner can confirm that your tenant's licenses meet the WUfB DS license requirements. See Enable subscription activation with an existing EA.

Supported Windows 10/11 versions:

  • Windows 10/11 versions that remain in support for Servicing, on x86 or x64 architecture

Only update builds that are generally available are supported. Preview builds, including the Beta and Dev channels, are not supported with expedited updates.

Supported Windows 10/11 editions:

  • Professional
  • Enterprise
  • Education
  • Pro Education
  • Pro for Workstations

Devices must:

  • Be enrolled in Intune MDM, or be co-managed with the Windows Update policies workload set to Intune or Pilot Intune.

  • Be Azure Active Directory (AD) Joined, or Hybrid Azure AD Joined. Workplace Join isn't supported.

  • Have access to the following endpoints:

    • Windows Update

      • *.prod.do.dsp.mp.microsoft.com
      • *.windowsupdate.com
      • *.dl.delivery.mp.microsoft.com
      • *.update.microsoft.com
      • *.delivery.mp.microsoft.com
      • tsfe.trafficshaping.dsp.mp.microsoft.com
    • WUfB-DS

      • devicelistenerprod.microsoft.com
      • login.windows.net
      • payloadprod*.blob.core.windows.net
    • Windows Push Notification Services: (Recommended, but not required. Without this access, devices might not expedite updates until their next daily check for updates.)

      • *.notify.windows.com
  • Be configured to get Quality Updates directly from the Windows Update service.

  • Have the Update Health Tools installed, which are installed with KB 4023057 - Update for Windows 10 Update Service components. To confirm the presence of the Update Health Tools on a device:

    • Look for the folder C:\Program Files\Microsoft Update Health Tools or review Add Remove Programs for Microsoft Update Health Tools.
    • As an Admin, run the following PowerShell script:
    # Query the Windows Update Agent history through its COM interface.
    $Session = New-Object -ComObject Microsoft.Update.Session
    $Searcher = $Session.CreateUpdateSearcher()
    $historyCount = $Searcher.GetTotalHistoryCount()
    $list = $Searcher.QueryHistory(0, $historyCount) | Select-Object -Property "Title"

    # Return 1 as soon as any history entry mentions KB 4023057, otherwise 0.
    foreach ($update in $list)
    {
        if ($update.Title.Contains("4023057"))
        {
            return 1
        }
    }
    return 0

    If the script returns a 1, the device has UHS client. If the script returns a 0, the device doesn’t have UHS client.
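To check egress filtering against the endpoint list above, the following added example (not part of the original article or any Microsoft tooling) matches denied hosts from a proxy or firewall log against the page's patterns, including the mid-label wildcard in payloadprod*.blob.core.windows.net. The log layout and every hostname in the sample are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Host patterns copied from the endpoint list on this page, in the page's groups.
# The boolean marks groups the page lists as required; Windows Push Notification
# Services is "recommended, but not required".
ENDPOINT_GROUPS = {
    "Windows Update": (True, [
        "*.prod.do.dsp.mp.microsoft.com",
        "*.windowsupdate.com",
        "*.dl.delivery.mp.microsoft.com",
        "*.update.microsoft.com",
        "*.delivery.mp.microsoft.com",
        "tsfe.trafficshaping.dsp.mp.microsoft.com",
    ]),
    "WUfB-DS": (True, [
        "devicelistenerprod.microsoft.com",
        "login.windows.net",
        "payloadprod*.blob.core.windows.net",
    ]),
    "Windows Push Notification Services": (False, ["*.notify.windows.com"]),
}

# Constructed sample. "<timestamp> <ALLOW|DENY> <host>" is an assumed log layout,
# and the hostnames are made up to exercise the patterns.
SAMPLE_LOG = """\
2023-01-10T09:00:01Z ALLOW cdn01.dl.delivery.mp.microsoft.com
2023-01-10T09:00:02Z DENY payloadprod07.blob.core.windows.net
2023-01-10T09:00:03Z DENY host1.notify.windows.com
2023-01-10T09:00:04Z DENY ads.example.net
2023-01-10T09:00:05Z DENY DeviceListenerProd.Microsoft.com
2023-01-10T09:00:06Z DENY payloadprod07.blob.core.windows.net
2023-01-10T09:00:07Z ALLOW login.windows.net
"""


def classify(host):
    """Return (group, required) if the host is covered by the page's list, else None."""
    name = host.strip().rstrip(".").lower()  # DNS names are case-insensitive
    for group, (required, patterns) in ENDPOINT_GROUPS.items():
        # fnmatchcase anchors the whole name, so look-alike domains do not match.
        if any(fnmatchcase(name, pattern) for pattern in patterns):
            return group, required
    return None


def denied_endpoints(log_text):
    """Collect denied hosts that the expedite policy depends on, without duplicates."""
    report = {"required_denied": [], "recommended_denied": []}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1].upper() != "DENY":
            continue
        hit = classify(fields[2])
        if hit is None:
            continue  # denied, but not an endpoint from the page's list
        group, required = hit
        key = "required_denied" if required else "recommended_denied"
        entry = (fields[2].lower(), group)
        if entry not in report[key]:
            report[key].append(entry)
    return report


if __name__ == "__main__":
    result = denied_endpoints(SAMPLE_LOG)
    for host, group in result["required_denied"]:
        print(f"required endpoint denied: {host} ({group})")
    for host, group in result["recommended_denied"]:
        print(f"recommended endpoint denied: {host} ({group})")
```

A host under recommended_denied corresponds to the page's note that devices might not expedite updates until their next daily check for updates.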

Device settings:

To help avoid conflicts or configurations that can block installation of expedited updates, configure devices as follows. You can use Intune Update rings for Windows 10 and later policies to manage these settings.

| Update ring setting | Recommended value |
| --- | --- |
| Enable pre-release builds | This setting should be set to Not configured. Preview builds, including the Beta and Dev channels, are not supported with expedited updates. |
| Automatic update behavior | Reset to default. Other values might cause a poor user experience and slow the process to expedite updates. |
| Change notification update level | Use any value other than Turn off all notifications, including restart warnings |

For more information about these settings, see Policy CSP – Update.

Group Policy settings override mobile device management policies, and the following list of Group Policy settings can interfere with Expedited policy. On devices where these settings were managed by Group Policy, restore them to their device defaults (Not configured):

  • CorpWuURL - Specify intranet Microsoft update service location.
  • AutoUpdateCfg - Configure Automatic Updates.
  • DeferFeatureUpdates - Select when Preview Builds and Feature Updates are received.
  • Disable Dual Scan - Don't allow update deferral policies to cause scans against Windows Update.

Enable Windows Health Monitoring:

Before you can monitor results and update status for expedited updates, your Intune tenant must enable Windows Health Monitoring. While configuring Windows Health Monitoring, be sure to set the Scope to Windows updates.

Create and assign an expedited quality update

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Quality updates for Windows 10 and later > Create profile.

  3. In Settings, enter the following properties to identify this profile:

    • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later.

    • Description: Enter a description for the profile. This setting is optional but recommended.

  4. In Settings, configure Expedite installation of quality updates if device OS version less than. Select the update that you want to expedite from the drop-down list. The list includes only the updates you can expedite.

    Tip

    Optional Windows quality updates can’t be expedited and won’t be available to select.

    When selecting an update:

    • Updates are identified by their release date, and you can select only one update per policy.

    • Updates that include the letter B in their name identify updates that released as part of a patch Tuesday event. The letter B identifies that the update released on the second Tuesday of the month.

    • Security updates for Windows 10/11 that release out of band from a patch Tuesday can be expedited. Instead of the letter B, out-of-band patch releases have different identifiers.

    • When the update deploys, Windows Update ensures that each device that receives the policy installs a version of the update that applies to that device's architecture and its current Windows version, like version 1809, 2004, and so on.

    Tip

    For more information, see the blog Windows 10 update servicing cadence - Microsoft Tech Community.

  5. In Settings, configure Number of days to wait before forced reboot. For this setting, select how soon after installing the update a device will automatically restart to complete the update installation. You can select from zero to two days. The automatic restart is canceled if a device manually restarts before the deadline. If an update doesn’t require a restart, this setting isn’t enforced.

    • A setting of 0 days means that as soon as the device installs the update, the user is notified about the restart and has limited time to save their work.

    Important

    This experience can impact user productivity. Consider using it for those devices or updates that must complete and restart the device as soon as possible.

    • A setting of 1 day or 2 days provides device users flexibility to manage a restart before it’s forced. These settings correspond to an automatic restart delay of 24 or 48 hours after the update installs on the device.

  6. In Assignments, select Add groups and then select device or user groups to assign the policy.

  7. In Review + create, select Create. After the policy is created, it deploys to assigned groups.

Identify the latest applicable update

There are some scenarios when your policy to expedite an update results in the installation of a more recent update than specified in policy. This result occurs when the newer update includes and surpasses the specified update, and that newer update is available before a device checks in to install the update that's specified in the expedite update policy. A detailed example of this scenario is provided later in this article.

Installing the most recent quality update reduces disruptions to the device and user while applying the benefits of the intended update. This avoids having to install multiple updates, which each might require separate reboots.

A more recent update is deployed when the following conditions are met:

  • The device isn't targeted with a deferral policy that blocks installation of a more recent update. In this case, the most recently available update that isn't deferred is the update that might install.

  • During the process to expedite an update, the device runs a new scan that detects the newer update. This can occur due to the timing of:

    • When the device restarts to complete installation
    • When the device runs its daily scan
    • When a new update becomes available

    When a scan identifies a newer update, Windows Update attempts to stop installation of the original update, cancel the restart, and then starts the download and installation of the more recent update.

While expedite update policies will override an update deferral for the update version that’s specified in the policy, they don’t override deferrals that are in place for any other update version.

Example of installing an expedited update

The following sequence of events provides an example of how two devices, named Test-1 and Test-2, install an update based on a Quality updates for Windows 10 and Later policy that's assigned to the devices.

  1. Each month, Intune administrators deploy the most recent Windows 10 quality updates on the fourth Tuesday of the month. This period gives them two weeks after the patch Tuesday event to validate the updates in their environment before they force installation of the update.

  2. On January 19, 2021, device Test-1 and Test-2 install the latest quality update from the patch Tuesday release on January 12. The next day, both devices are turned off by their users who are each leaving on vacation.

  3. On February 9, the Intune admin creates a policy to expedite installation of the patch Tuesday release 02/09/2021 – 2021.02 B Security Updates for Windows 10 to help secure company devices against a critical threat that the update resolves. The expedite policy is assigned to a group of devices that includes both Test-1 and Test-2. All devices in that group that are active receive and install the expedited update policy.

  4. On the March 9 patch Tuesday event, a new quality update releases as 03/09/2021 – 2021.03 B Security Updates for Windows 10. There are no critical issues that require an expedited deployment of this update, but admins do find a possible conflict. To provide time to review the possible issue, admins use a Windows update ring policy to create a seven-day deferral policy. All managed devices are prevented from installing this update until March 14.

  5. Now consider the following results for Test-1 and Test-2, based on when each is turned back on:

    • Test-1 - On March 12, Test-1 is powered back on, connects to the network, and receives expedited update notifications:

      1. Windows Update determines that Test-1 still needs to expedite the update installation, per policy.
      2. Because the March 9 update supersedes the February update, Windows Update could install the March 9 update.
      3. There's an active deferral for the March update that won't expire until March 14.

      Result: With the deferral policy for the March update still active and blocking installation of that update, Test-1 installs the February update as configured in policy.

    • Test-2 - On March 20, Test-2 is powered back on, connects to the network, and receives expedited update notifications:

      1. Windows Update determines that Test-2 still needs to expedite the update installation, per policy.
      2. Because the March 9 update supersedes the February update, Windows Update could install the March 9 update.
      3. There's no longer an active deferral for the March update.

      Result: With the deferral policy for the March update having expired, Test-2 installs the more recent March update, skipping over the February update and installing a later update than was specified in policy.
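The selection rules from "Identify the latest applicable update" and the Test-1/Test-2 walkthrough can be traced with a small model. This is an added example, not Windows Update's actual algorithm or code from the original article; it assumes a device's level is represented by the release date of its last installed quality update, and that a deferral "until" a date blocks scans on earlier days only.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class QualityUpdate:
    name: str
    released: date
    deferred_until: Optional[date] = None  # end of an update ring deferral, if any


def select_update(installed_release: date, expedited: QualityUpdate,
                  catalog: List[QualityUpdate], scan_day: date) -> Optional[QualityUpdate]:
    """Return the update this model installs when the device scans on scan_day."""
    # Devices already at or above the expedited revision are not expedited.
    if installed_release >= expedited.released:
        return None
    # The expedite policy overrides any deferral, but only for the update it names.
    candidates = [expedited]
    for update in catalog:
        supersedes = update.released > expedited.released
        available = update.released <= scan_day
        deferred = update.deferred_until is not None and scan_day < update.deferred_until
        # Deferrals on other update versions are still honored.
        if supersedes and available and not deferred:
            candidates.append(update)
    # The most recent update that is not blocked is the one that installs.
    return max(candidates, key=lambda u: u.released)


# Dates and update names taken from the example in this article.
JAN_RELEASE = date(2021, 1, 12)
FEB = QualityUpdate("2021.02 B Security Updates for Windows 10", date(2021, 2, 9))
MAR = QualityUpdate("2021.03 B Security Updates for Windows 10", date(2021, 3, 9),
                    deferred_until=date(2021, 3, 14))
CATALOG = [FEB, MAR]


def scenario() -> dict:
    """Replay the article's two devices, both last updated from the January release."""
    power_on = {"Test-1": date(2021, 3, 12), "Test-2": date(2021, 3, 20)}
    return {device: select_update(JAN_RELEASE, FEB, CATALOG, day).name
            for device, day in power_on.items()}


if __name__ == "__main__":
    for device, installed in scenario().items():
        print(f"{device}: installs {installed}")
```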

Manage policies to expedite quality updates

In the admin center, go to Devices > Windows > Quality updates for Windows 10 and later and select the policy that you want to manage. The policy opens to its Overview pane.

From this pane, you can:

  • Select Delete to delete the policy from Intune. Deleting a policy removes it from Intune but won’t result in the update uninstalling if it has already completed installation. Windows Update will attempt to cancel any in-progress installations, but a successful cancellation of an in-progress install can’t be guaranteed.

  • Select Properties to modify the deployment. On the Properties pane, select Edit to open the Settings, Scope tags, or Assignments, where you can then modify the deployment.

Monitoring and reporting

Before you can monitor results and update status for expedited updates, your Intune tenant must enable Windows Health Monitoring.

Important

When you configure the Windows Health Monitoring profile, during step seven you must set the Scope to Windows updates.

After a policy has been created you can monitor results, update status, and errors from the following reports.

Summary report

This report shows the current state of all devices in the profile and provides an overview of how many devices are in progress of installing an update, have completed the installation, or have an error.

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Reports > Windows updates. On the Summary tab you can view the Windows Expedited Quality updates table.

  3. To drill in for more information, select the Reports tab, and then Windows Expedited Update Report.

  4. Click the link Select an expedited update profile.

  5. From the list of profiles that is shown on the right side of the page, select a profile to see results.

  6. Select the Generate report button.

Device report

This report can help you find devices with alerts or errors and can help you troubleshoot update issues.

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Monitor.

  3. In the list of monitoring reports, scroll to the Software updates section and select Windows Expedited update failures.

  4. From the list of profiles that is shown on the right side of the page, select a profile to see results.

Update states

| Update State | Update SubState | Definition |
| --- | --- | --- |
| Pending | Validating | The device has been added to the policy in the service and validation that the device can be expedited has begun. |
| Pending | Scheduled | Device has passed validation and will be expedited. |
| Offering | OfferReady | The expedite instructions have been sent to the device. |
| Installing | OfferReceived | Device scanned against Windows Update and the update is applicable but hasn't yet begun to download. |
| Installing | DownloadStart | The device has begun to download the update. |
| Installing | DownloadComplete | The device has downloaded the update. |
| Installing | InstallStart | The device has begun to install the update. |
| Installing | InstallComplete | The device has completed installing the update. Unless the update has an update error, the device should move quickly to RestartRequired or UpdateInstalled. |
| Installing | RestartRequired | The installation is complete and requires a restart. |
| Installing | RestartInitiated | The device has begun a restart. |
| Installing | RestartComplete | The device has completed the restart. |
| Installed | UpdateInstalled | Update has successfully completed. |

Next steps

  • Configure Update rings for Windows 10 and later
  • Configure Feature updates for Windows 10 and later
  • Use Windows update compatibility reports
  • View Windows release information

Article information

Author: Rev. Leonie Wyman

Last Updated: 01/03/2023
