Today’s topic is Zero Day Out Of Band Patch Deployment using Intune. Let’s check how quickly you can deploy patches with Intune. One of the OOB patches examples is shared in the post Fix Windows Print Spooler service Issue Out of Band Update Options. You can expedite installing the most recent Windows 10 and Windows 11 OOBE security updates as quickly as possible on devices you manage with Microsoft Intune using the following method.
I’m still not sure whether this OOB patch/hotfix resolves the issue of print spooler vulnerability or not. There are some reports in public forums that the issue still exists even after installing the OOBE hotfix. I will wait for Microsoft’s confirmation on this point. In this post, you will see more details about Windows 10 quality updates policies.
I thought of quickly sharing Windows 10 quality updates policies because of the HTMD Forum question. There are two ways to deploy out of band patches immediately to Intune managed devices. The end-user can be a seeker, and then the user will get the out of band hotfix immediately. Let’s understand how a user can be a seeker.
NOTE! – Expedite Update is part of the Windows update for business(WUfB) deployment service. This Expedite feature is an Azure service that sits in between the Management application and Windows update for business.
End-User can be a seeker
Let’s understand how to be an update seeker. The update seeker’s device will get into a priority queue within the Microsoft update mechanism. Hence the new Microsoft updates will get delivered to the seeker’s device on high priority if applicable.
- Launch Settings application from Start menu.
- Click on Update and Security tab.
- Click on Windows Update tab.
- Click on Check for Updates button to seek the updates.
Zero Day Out Of Band Patch Deployment using Intune
Let’s understand zero day and out of band patch deployment using Intune. You can create a software update policy to deploy Zero Day/Out Of Band Patches using Intune. You can speed up the installation of quality updates like the most recent patch Tuesday release or an out-of-band security update for a zero-day flaw using the following expedite policy.
- Open https://endpoint.microsoft.com/
- Navigate Device -> Windows 10 quality Updates (preview).
- Click on + Create Profile
- You can go to Settings.
- Enter the Name – Zero-Day Out Of Band Patch Software Update.
- Enter Description if needed.
NOTE! – While expediting software updates can help decrease the time to get to compliance when necessary, it has a larger impact on end-user productivity. The chances that they will experience a restart during business hours are significantly increased.
NOTE! – The only dedicated quality update control currently available other than the existing Windows 10 Update Rings policy is the ability to expedite quality updates for devices that fall behind a specified patch level. Additional controls will be available in the future.
Select the following option – Expedite installation of quality updates if device OS version less than: 07/06/2021 – 2021.07 OOB Security Updates for Windows 10 to deploy Zero Day Out Of Band Patch using Intune.
You can have an options to select Number of days to wait before the restart is enforced:
- 0 days
- 1 day
- 2 days
NOTE! – The default value is 1 day.
You have an option to select scope and assignment options. You can complete the WUfB policy by going through Next, Next, Next, & close.
You can wait for Intune MDM policy sync to happen on Windows client side. You can see the results in the below.
- Difference Between Windows Patch Management Using Intune Vs ConfigMgr | SCCM | Software Updates
- Expedite Windows 10 quality updates in Microsoft Intune