Let’s learn more about expedite Windows security patch deployment and Intune reporting issues related to that. I have a post that talks about how to expedite Windows out of band security patch deployment. The option to expedite the deployment of Windows out of band updates using Intune policy is beneficial.
I have seen many discussions around reporting delays and errors concerning expedite Windows security patch deployment using Intune. The latest one I have seen is from the HTMD Forum thread. Hence I thought of putting a quick note across to clarify and document some of this information.
Microsoft Engineering Manager Gabe Frost explains the details about Intune reporting related to expedite Windows security patch deployment feature. He also explains the processing pipeline details of this reporting. Let’s dive into the details below.
Intune Reporting Issue
You have deployed the out-of-band/zero-day update using Intune Windows Expedited updates policy/feature. The expedite policy is getting applied on the devices. However, the report shows as an error or pending. You can check the reports with the following steps:
- Login to endpoint.microsoft.com portal.
- Navigate to Reports node.
- Click on Windows Updates node from reports.
Click on Windows 10 Expedited updates option to generate a report for Windows quality update status. As explained in the above section, the actual results are not reflecting in the report. Why? What is the reason?
Expedite Windows Security Patch Deployment Reporting Issue
The reason for variations in Windows 10 Expedited updates is the “some” complex pipeline process on Intune reporting (server-side). The Intune server-side troubleshooting is only available to the Microsoft support team.
As I mentioned above, Microsoft Engineering Manager Gabe Frost kindly explained the reporting process, particularly for Windows 10 Expedited updates reports in the Twitter thread (and this), how the reporting pipeline works in the background!
The basics:
- The devices need to be configured to connect to WU (Windows Update) and getting QU (Quality Updates). Active & Connected. Otherwise, they won’t scan WU, learn that an Expedite policy is configured, auto-install the Health Tools.
- Most often that a device is added to an Expedite policy, but it’s not configured to scan WU. Or, it’s configured to scan WU, but it’s in a drawer somewhere.
Details about Expedite Pipeline:
- The very first time a device is enrolled in a Feature Update deployment or Expedite policy, it can take 24hrs to connect all the pipes between all back end services. This is a good learning for us to update docs to show how to enroll devices even without assigning to a policy.
- Pre-enrollment postures you to respond quickly in emergency.
- Once successfully enrolled, and policy conditions are true, you should be seeing 90% configured, active and connected devices install the update and pending reboot within 2 business days. It’s not 100% because the #1 reason expedite isn’t successful is a low-active device.
Thoughts?
NOTE! – So, the recommendation is to enroll the devices to feature or expedite updates pipeline well before so that you don’t need to wait for 24 hours in an emergency.
Bigger Question? – This device enrollment to updates pipeline can be done just by configuring a feature update policy with Windows 10 old version? I don’t know! Let me know in the comments, what you think? The devices have to configure to scan against Windows Update (not against WSUS).
Question on the expedited updates, how do you get the Update Health Tools installed on your endpoints so that you can use the functionality of the expedited updates? We have the expedited update policy configured, but our devices are failing as it comes back saying it needs the Update Health Tools installed. Great blog as always!
Same question as Eugene – We have KB4023057 but the Microsoft Update Health Tools is missing…
You can manually install the same from the update catalog as well. If you like.