Tuesday, January 25, 2022

A first look at expediting Windows 10 Quality Updates when using Windows Update for Business and Microsoft Endpoint Manager


Kenneth van Surksum
https://www.vansurksum.com/
I started my career in 1995 as a System Engineer in the broadcast industry, building and maintaining video editing suites and television studios and later specializing in Telecine equipment. In 1998 I switched to a first line support function within Information Technology at the dealing room of a large bank, working my way up to a 3rd line support engineer. From this position I started to work on projects, which eventually resulted in projects where I worked across the border. In this period I implemented and designed several deployment solutions for mass rollout of workstations, laptops and servers. In 2009 I switched to a consultancy function mainly focusing on, but not limited to, System Center design and implementation projects; besides that I became a Microsoft Certified Trainer (MCT) and currently teach System Center related classes (SCCM, SCOM and SCSM). In January 2010 I received the Microsoft MVP award with the expertise Setup & Deployment, which was extended in 2011 and 2012. In 2013 and 2014 I was awarded the VMware vExpert award. In October 2014 I received the Microsoft MVP award with the expertise System Center Cloud and Datacenter Management (SCCDM).

During Microsoft Ignite, Microsoft announced the option to bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise as part of their Windows Update for Business deployment service.

Today, Microsoft has made available a preview of the possibility to expedite the installation of security patches as part of Windows 10 Quality Updates, as announced in the What’s new for the week of May 10, 2021. Expedite, which means “make (an action or process) happen sooner or be accomplished more quickly”, allows us to speed up the installation of a specific quality update on your Microsoft Endpoint Manager managed Windows 10 machines. The update is currently rolling out across tenants and might not be available in your tenant yet.

Within the Workplace Ninja User Group Netherlands we recently interviewed David Guyer (Principal Program Manager at Microsoft) about this functionality; you can re-watch the recording here: WPNinjasNL Live Ask us Anything about expedite Windows 10 Updates.

The use case is that you can use this functionality to install a specific update in order to mitigate a security threat when the normal update process (Windows 10 Update Rings) wouldn’t deploy the update for some time due to its settings. Not all updates can be expedited: you can only expedite security updates that support this functionality. So you could speed up the installation of quality updates or of an out-of-band security update for a zero-day flaw.

As mentioned in my article “Configuring Windows Update for Business settings for your Microsoft Endpoint Manager managed Modern Workplace”, a client by default checks every 22 hours for available updates, and it’s not supported to modify this to a more frequent interval. For expediting the installation, services like Windows Push Notification Services (WNS) are used to notify the client that an update which must be installed is available. The actual time at which a device starts to update depends on the device being online, its scan timing, whether communication channels to the device are functioning, and other factors like cloud-processing time.

Based on the documentation your organization must have a Windows 10 Enterprise/Education or WVD Access subscription, while the supported Windows 10 editions are Enterprise and Education, but also Professional. You must also have the Microsoft Update Health Tools installed as described in the following article: KB4023057: Update for Windows 10 Update Service components. There are some other network requirements and recommended settings for Windows 10 update rings as well.
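Before deploying an expedite profile it pays to know which devices actually meet the client-side prerequisites above. The following script is an added example written for this article, not code from the original post or from Microsoft: it reports the edition, the installed quality-update level, whether the Microsoft Update Health Tools are present and whether the services the flow depends on exist. The registry display name “Microsoft Update Health Tools” and the service name uhssvc for the Update Health Service are assumptions to verify in your own environment; wuauserv (Windows Update) and WpnService (the push notification client) are the standard Windows service names.

```powershell
# Added example, not code from the original article: checks a Windows 10 device against the
# client-side prerequisites the article names for expedited quality updates.
# Assumptions to verify in your environment: the Microsoft Update Health Tools (KB4023057)
# register an uninstall entry whose DisplayName begins with "Microsoft Update Health Tools"
# and install the "uhssvc" service.
function Get-ExpediteReadiness {
    [CmdletBinding()]
    param()

    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Editions the article lists as supported, matched exactly on EditionID so that
    # LTSC ("EnterpriseS") is not silently accepted.
    $supportedEditions = @('Enterprise', 'Education', 'Professional')
    $editionOk = $supportedEditions -contains $cv.EditionID

    # Update Health Tools: look for the uninstall entry in both the 64-bit and 32-bit views.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $healthTools = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Update Health Tools*' } |
        Select-Object -First 1

    # Services the expedite flow depends on: Windows Update itself, the Update Health
    # Service (assumed name uhssvc) and the push notification client (WpnService).
    $services = foreach ($name in 'wuauserv', 'uhssvc', 'WpnService') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name    = $name
            Present = [bool]$svc
            Status  = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
        }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Edition           = $cv.EditionID
        EditionSupported  = $editionOk
        # Full quality-update level as 10.0.<build>.<UBR>; this is what the
        # "device OS version less than" comparison in the profile works on.
        OsVersion         = [version]"10.0.$($cv.CurrentBuild).$($cv.UBR)"
        UpdateHealthTools = if ($healthTools) { $healthTools.DisplayVersion } else { $null }
        Services          = $services
        # Ready only when the edition is supported, the health tools are installed and
        # none of the required services is missing.
        Ready             = $editionOk -and [bool]$healthTools -and
                            -not ($services | Where-Object { -not $_.Present })
    }
}

# Usage: run in an elevated PowerShell session on the device, or deploy it as a
# PowerShell script through Intune and collect the output with your own logging.
Get-ExpediteReadiness | Format-List
```

Devices that report Ready = False will never receive the push notification or act on it, so they keep following the regular update ring cadence regardless of the expedite profile.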

Configuration of expediting Windows 10 Quality Updates is available in the Microsoft Endpoint Manager Admin Center under Devices -> Policy -> Windows 10 quality updates (Preview). You can create a new quality update profile by clicking on + Create Profile.

Quality update profile

Besides providing a name and description for the quality update profile you can configure the following settings:

  • Expedite installation of quality updates if device OS version less than
  • Number of days to wait before restart is enforced

The Expedite installation of quality updates if device OS version less than option provides a drop-down list with several options; at the time of writing three options are available:

Expedite options

So, if you configure the 05/11/2021 – 2021.05 B Security Updates for Windows 10 setting in the policy and deploy it to (a subset of) your users/devices, devices which don’t have the Quality Update released on May 11th (Patch Tuesday, May 2021) installed will use the expedite functionality.

If the client checks in and a newer update is available that includes and surpasses the specified update, that newer update gets installed. To fully understand the behavior I recommend reading the following example of a possible scenario: Example of installing an expedited update
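The two preceding paragraphs describe a simple rule: compare the device’s installed quality-update level with the target chosen in the profile, and if it is lower, install the newest cumulative update that includes the target. The script below is an added example for this article, not code from the original post or from the Intune service, that models this evaluation so you can reason about what a given device will do. The build numbers in it are constructed sample values for the illustration; map a real update to its build using Microsoft’s Windows release information before relying on them.

```powershell
# Added example, not code from the original article: models how the profile setting
# "Expedite installation of quality updates if device OS version less than" is evaluated and
# why a newer superseding update may be the one that actually lands on the device.
# All build numbers used below are constructed sample values.
function Get-InstalledOsVersion {
    # Installed quality-update level as 10.0.<build>.<UBR>, read from the registry.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]"10.0.$($cv.CurrentBuild).$($cv.UBR)"
}

function Resolve-ExpediteAction {
    param(
        [Parameter(Mandatory)][version]$InstalledVersion,
        # The "less than" threshold chosen in the quality update profile.
        [Parameter(Mandatory)][version]$TargetVersion,
        # Cumulative updates the service can currently offer this device.
        [Parameter(Mandatory)][version[]]$OfferedVersions
    )

    # Devices already at or above the target are out of scope for expedite.
    if ($InstalledVersion -ge $TargetVersion) {
        return [pscustomobject]@{
            Action  = 'None'
            Install = $null
            Reason  = "Installed $InstalledVersion is not less than target $TargetVersion"
        }
    }

    # Cumulative updates supersede earlier ones, so the client installs the newest offered
    # update that includes the target rather than the target itself.
    $candidate = $OfferedVersions |
        Where-Object { $_ -ge $TargetVersion } |
        Sort-Object -Descending |
        Select-Object -First 1

    if (-not $candidate) {
        return [pscustomobject]@{
            Action  = 'Wait'
            Install = $null
            Reason  = "No offered update at or above $TargetVersion yet"
        }
    }

    [pscustomobject]@{
        Action  = 'Expedite'
        Install = $candidate
        Reason  = if ($candidate -gt $TargetVersion) {
                      "Newer update $candidate supersedes target $TargetVersion"
                  } else {
                      "Installing the expedited update $TargetVersion"
                  }
    }
}

# Constructed scenario (sample numbers, not taken from the article): the profile targets
# one monthly release, the device is one cumulative update behind it, and a newer
# release has been published since.
$target  = [version]'10.0.19042.985'
$offered = [version]'10.0.19042.964', [version]'10.0.19042.985', [version]'10.0.19042.1052'

# Device behind the target: expedite, and the newest superseding update is selected.
Resolve-ExpediteAction -InstalledVersion ([version]'10.0.19042.928') `
    -TargetVersion $target -OfferedVersions $offered

# Device already past the target: nothing to expedite.
Resolve-ExpediteAction -InstalledVersion ([version]'10.0.19042.1052') `
    -TargetVersion $target -OfferedVersions $offered

# On a real device, pass (Get-InstalledOsVersion) as -InstalledVersion instead.
```

The comparison is deliberately done on the full four-part version including the UBR, because two devices on the same feature update build differ only in that last number once monthly updates are applied.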

The other setting “Number of days to wait before restart is enforced” allows you to specify if a restart is enforced on the day of installation (0 days) or after 1 (default) or 2 days.

To monitor the policy you must have enabled the Windows Updates option as part of your Windows Health Monitoring configuration profile.

Windows health monitoring configuration profile

After enabling this option you should receive data in the Windows 10 quality updates report available under Reports -> Windows Updates.

Still empty Windows 10 quality updates report

Expediting Windows 10 Quality updates is a welcome addition to the configuration options we have for leveraging Windows Update for Business (WUfB). With the addition of the Quality update profile functionality as part of the Windows 10 Quality Updates policy we can act faster in case Microsoft releases a security update for a zero-day which must be installed directly and can’t wait for the normal update configuration you created using your Windows 10 update rings.

  • Configuring Windows Update for Business settings for your Microsoft Endpoint Manager managed Modern Workplace
  • Expedite Windows 10 quality updates in Microsoft Intune
  • WPNinjasNL Live Ask us Anything about expedite Windows 10 Updates
  • Announcing the Windows Update for Business deployment service
