During Microsoft Ignite, Microsoft announced the option to bypass pre-configured Windows Update for Business policies and immediately deploy a security update across your organization when an emergency arises, as part of the Windows Update for Business deployment service.
Today, Microsoft has made available a preview of the possibility to expedite the installation of security patches as part of Windows 10 Quality Updates, as announced in the What’s new for the week of May 10, 2021. Expedite, which means “make (an action or process) happen sooner or be accomplished more quickly”, allows us to speed up the installation of a specific quality update on your Microsoft Endpoint Manager managed Windows 10 machines. The update is currently rolling out across tenants and might not be available in your tenant yet.
Within the Workplace Ninja User Group Netherlands we recently interviewed David Guyer (Principal Program Manager at Microsoft) about this functionality; you can re-watch the recording here: WPNinjasNL Live Ask us Anything about expedite Windows 10 Updates.
The use case is that you can use this functionality to install a specific update in order to mitigate a security threat when the normal update process (Windows 10 Update Rings) wouldn’t deploy the update for some time due to its settings. Not all updates can be expedited; you can only expedite security updates that support this functionality. So you could speed up the installation of quality updates or of an out-of-band security update for a zero-day flaw.
As mentioned in my article “Configuring Windows Update for Business settings for your Microsoft Endpoint Manager managed Modern Workplace”, a client by default checks every 22 hours for available updates, and modifying this to a more frequent interval is not supported. For expediting the installation, services like Windows Push Notification Services (WNS) are used to notify the client that an update which must be installed is available. The actual time at which a device starts to update depends on the device being online, its scan timing, whether communication channels to the device are functioning, and other factors like cloud-processing time.
Based on the documentation your organization must have a Windows 10 Enterprise/Education or WVD Access subscription, while the Windows 10 editions supported are Enterprise, Education and also Professional. You must also have the Microsoft Update Health Tools installed as described in the following article: KB4023057: Update for Windows 10 Update Service components. There are some other network requirements and recommended settings for Windows 10 update rings as well.
Configuration of expediting Windows 10 Quality Updates is available in the Microsoft Endpoint Manager Admin Center under Devices -> Policy -> Windows 10 quality updates (Preview). You can create a new quality update profile by clicking on + Create Profile.
Besides providing a name and description for the quality update profile, you can configure the following settings:
- Expedite installation of quality updates if device OS version less than
- Number of days to wait before restart is enforced
The Expedite installation of quality updates if device OS version less than option provides a drop-down list with several options; at the time of writing 3 options are available:
So, if you configure the 05/11/2021 – 2021.05 B Security Updates for Windows 10 setting in the policy and deploy it to your (subset of) users/devices, devices which don’t have the quality update released on May 11th (Patch Tuesday, May 2021) installed will use the expedite functionality.
If the client checks in and a newer update that includes and supersedes the specified update is available, that update gets installed. To fully understand the behavior I recommend reading the following example of a possible scenario: Example of installing an expedited update
The other setting, “Number of days to wait before restart is enforced”, allows you to specify whether a restart is enforced on the day of installation (0 days) or after 1 (default) or 2 days.
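To see what the prerequisites and the “OS version less than” rule mean for an individual device before you deploy the profile, the following PowerShell script (an added example, not code from the original post or from Microsoft) reads the local Windows version, checks whether the edition is one the text lists as supported, looks for the Microsoft Update Health Tools installed by KB4023057, and reports whether the installed build.UBR is below the build of the update you would expedite. The build-to-UBR table holds placeholder numbers that you replace with the values from the KB article of the update you select; the registry paths are the standard Windows version and uninstall keys, and the edition pattern is an assumption based on the edition names the post mentions.

```powershell
<#
  Added example, not from the original post or from Microsoft.
  Reports, for the local device, the items that matter for expediting:
  supported edition, Microsoft Update Health Tools present, and whether the
  installed build is below the build of the expedited quality update.
#>

# PLACEHOLDER values: map CurrentBuild (feature release) to the UBR of the
# expedited quality update for that release; replace with the numbers from the KB.
$TargetUbrByBuild = @{
    '19041' = 985   # Windows 10 2004  (placeholder)
    '19042' = 985   # Windows 10 20H2  (placeholder)
    '19043' = 985   # Windows 10 21H1  (placeholder)
}

function Get-ExpediteReadiness {
    param([hashtable]$TargetUbrByBuild)

    # Standard Windows version key: CurrentBuild, UBR (patch level) and EditionID.
    $nt    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$nt.CurrentBuild
    $ubr   = [int]$nt.UBR

    # Editions the post lists as supported for expedite (assumed name pattern;
    # variants such as EnterpriseS or ProfessionalEducation also match).
    $editionOk = $nt.EditionID -match '^(Enterprise|Education|Professional)'

    # KB4023057 installs "Microsoft Update Health Tools", listed under the uninstall keys.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $healthTools = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Update Health Tools*' }

    # "OS version less than": the device qualifies when its UBR is below the
    # UBR of the expedited update for the same feature release.
    $targetUbr = $TargetUbrByBuild[$build]
    if ($null -eq $targetUbr) {
        $versionStatus = "no target defined for build $build; add it from the KB article"
        $wouldExpedite = $null
    } elseif ($ubr -lt $targetUbr) {
        $versionStatus = "$build.$ubr is below $build.$targetUbr"
        $wouldExpedite = $true
    } else {
        $versionStatus = "$build.$ubr is already at or above $build.$targetUbr"
        $wouldExpedite = $false
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Edition            = $nt.EditionID
        EditionSupported   = $editionOk
        HealthToolsPresent = [bool]$healthTools
        HealthToolsVersion = ($healthTools | Select-Object -First 1).DisplayVersion
        InstalledVersion   = "$build.$ubr"
        WouldBeExpedited   = $wouldExpedite
        VersionStatus      = $versionStatus
    }
}

Get-ExpediteReadiness -TargetUbrByBuild $TargetUbrByBuild | Format-List
```

The script only reads HKLM, so it runs as a standard user; a device reporting HealthToolsPresent as False will not be reachable through the expedite path until KB4023057 is installed, and one reporting WouldBeExpedited as False already has (or exceeds) the selected update and is left to the normal update ring. Scan timing and the WNS notification path described above are not modelled here, so a True result says the device is eligible, not when it will start installing.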
To monitor the policy you must have enabled the Windows Updates option as part of your Windows Health Monitoring configuration profile.
After enabling this option you should receive data in the Windows 10 quality updates report, available under Reports -> Windows Updates.
Expediting Windows 10 Quality updates is a welcome addition to the configuration options we have for leveraging Windows Update for Business (WUfB). With the addition of the quality update profile as part of the Windows 10 Quality Updates policy we can act faster when Microsoft releases a security update for a zero-day which must be installed directly and can’t wait for the normal update configuration you created using your Windows 10 update rings.