Expedite Windows Update with Intune - Behind the Scenes Secret (2023)

In my last blog post, we talked about how you can expedite the current July 6 out-of-band security update as released by MS to address PrintNightmare (CVE-2021-34527) security bug.

Today let’s get to see how the expediting process actually works. Also, we will talk about the possible reporting issue that you may encounter. So let’s get started.

Expedite Windows Update with Intune – How it works

  1. Microsoft releases the monthly B update or an Out-Of-Band security patch via the Windows Update.
  2. Admin creates Windows 10 quality update profile in Intune to expedite the deployment of the patch.
  3. The expedite policy is processed by the Windows Update for Business Deployment service.
  4. The client (Microsoft Update Health Tools) receives the expedite policy.
  5. The client sets the expedite restart deadline and triggers Windows Update client to perform a scan.
  6. Windows Update client on the endpoint performs the scan to discover Updates for the endpoint.
  7. The “Applicable Update” is downloaded and installed. [The MS docs have explained this nicely already.]
  8. Windows Update client restarts the system to commit update action respecting the restart deadline as in the expedite policy. Windows Update settings are reverted back to the original settings as configured via Update Ring policy.
  9. The Microsoft Update Health Tools (expedite client) monitors the expedite update process and sends the actual status back via telemetry. [Requires Windows Health Monitoring to have Windows updates added in its scope!]
  10. The admin gets to view the Expedite update report from Intune.

Optional: A push notification is triggered to notify the Microsoft Update Health Tools (which acts as the dedicated client for the expedite update process) present on the endpoint about the new expedite policy.

If WNS channels are blocked due to network configuration, the device has to wait for the normal device sync cycle to get the expedite policy.

The Microsoft Update Health Tools (UHSSVC - Update Health Services) is installed by update KB4023057 via Windows Update on all eligible Windows 10 builds within the support lifecycle.

To confirm if the Update Health Tools is installed on your system, check for its folder inside the program files folder as shown below.

What to do if Update Health Tools is missing?

If systems are configured to get updates from Windows Update, your device should already have received update KB4023057. However, if for any reason the update is missing, or the Update Health Tools got uninstalled, you can try the manual way.

But note that if you search for the update on the Microsoft Update Catalog site, you will see that it is available only up to Windows 10 version 1803.

Considering you are running Windows 10 version 1909 or above (which you should be currently), how do you get the update manually?

If your Update Ring policy allows, you can check for updates manually from the Settings.

But is it viable to ask users to check for updates manually?

Further, users may not be able to check for updates manually if the Windows 10 Update Ring policy restricts manual update checks.

Hence, the remaining option is to use PowerShell to trigger the Health Tools installation on the endpoint.

You can use the Install-UpdateHealthTools.ps1 script and deploy it from Intune. The devices should have the Update Health Tools installed after the script runs. (If not, check the log file for the local error encountered at runtime.)

Expedite Windows Update with Intune – Basic Checks

First and foremost, confirm that the device(s) targeted with the expedite update policy is/are

  • Intune managed, exhibiting either AAD Join or Hybrid AAD Join state. WPJ (AAD registered/BYOD) devices are not supported. Further, if the devices are co-managed, the Update workload needs to be set to Intune or Pilot Intune.
  • Configured to scan Windows Update services for getting updates (and not pointing to WSUS!). This is especially important for co-managed devices: check that after switching the Update workload to Intune (or Pilot Intune), the previous settings managed via Group Policy are restored to defaults (Not configured state) so that they do not interfere.
  • In ACTIVE state for the Windows Update client on the device to function. The device needs to be actively used and connected to the Internet for the Windows Update agent to scan and download the update properly. Further, there should be enough free disk space (at least 2 GB for quality updates) on the device for Windows Update to work.

Further, you need to ensure that

  • Windows Health Monitoring includes Windows Updates in scope on the device.
  • The notification update level is not set to “Turn off all notifications, including restart warnings” in the effective Update Ring policy for the device.
  • Devices are configured with the correct telemetry settings. Allow Telemetry values: 1 = Required (Basic), 2 = Enhanced (not used post 1903), 3 = Full (Optional).
  • Required services (Windows Update and Update Health Services) are not in a DISABLED state on the endpoint. You can check with:

Get-Service | Where-Object { $_.Name -eq "wuauserv" -or $_.Name -eq "uhssvc" } | Format-List
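The checks above can be run locally in one go. The following script is an added example, not code from the original post or from Microsoft: it reports the Update Health Tools folder, the two services, the telemetry level, whether scans are pointed at WSUS, free disk space and the join state, and then lists anything that would stop an expedite policy from working. The registry paths (group policy and MDM PolicyManager keys for AllowTelemetry, the AU key for UseWUServer) and the use of dsregcmd output are this example's assumptions; verify them on your own build.

```powershell
# Added example (not from the original post): local pre-flight check for an endpoint that is
# targeted by an Intune expedite policy. Registry locations are assumptions of this example.
function Get-DsregValue {
    param([string[]]$DsregOutput, [string]$Field)
    # dsregcmd /status prints lines such as "AzureAdJoined : YES"
    $m = $DsregOutput | Select-String -Pattern ("{0}\s*:\s*(\w+)" -f $Field) | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
}

$result = [ordered]@{}

# 1. Update Health Tools present (installed by KB4023057)
$result['UpdateHealthToolsInstalled'] = Test-Path 'C:\Program Files\Microsoft Update Health Tools'

# 2. Required services (wuauserv = Windows Update, uhssvc = Update Health Services) not Disabled
foreach ($name in 'wuauserv', 'uhssvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $result["$name StartType"] = if ($svc) { $svc.StartType.ToString() } else { 'missing' }
    $result["$name Status"]    = if ($svc) { $svc.Status.ToString() }    else { 'missing' }
}

# 3. Telemetry: 1 = Required (Basic), 3 = Full; a value of 0 stops the expedite status reports.
#    Group Policy writes the first key, an Intune MDM policy the second (assumed locations).
$telemetry = $null
foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
                 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System') {
    $v = (Get-ItemProperty -Path $key -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    if ($null -ne $v) { $telemetry = $v; break }
}
$result['AllowTelemetry'] = if ($null -ne $telemetry) { $telemetry } else { 'not set by policy' }

# 4. Not pointing at WSUS: UseWUServer = 1 sends scans to a WSUS server instead of Windows Update
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                       -Name UseWUServer -ErrorAction SilentlyContinue
$result['UseWUServer'] = if ($au) { $au.UseWUServer } else { 0 }

# 5. Free space on the system drive (at least 2 GB is needed for a quality update)
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$result['FreeSpaceGB'] = [math]::Round($disk.FreeSpace / 1GB, 2)

# 6. Join state: expedite needs AAD joined or hybrid AAD joined, not merely AAD registered
$dsreg = dsregcmd /status
$result['AzureAdJoined'] = Get-DsregValue -DsregOutput $dsreg -Field 'AzureAdJoined'
$result['DomainJoined']  = Get-DsregValue -DsregOutput $dsreg -Field 'DomainJoined'

# Summarise the conditions that would stop the expedite policy from working on this device
$problems = @()
if (-not $result['UpdateHealthToolsInstalled']) { $problems += 'Update Health Tools missing' }
if ($result['wuauserv StartType'] -eq 'Disabled' -or $result['uhssvc StartType'] -eq 'Disabled') {
    $problems += 'required service disabled'
}
if ($result['AllowTelemetry'] -eq 0)  { $problems += 'telemetry level 0' }
if ($result['UseWUServer'] -eq 1)     { $problems += 'device scans WSUS, not Windows Update' }
if ($result['FreeSpaceGB'] -lt 2)     { $problems += 'less than 2 GB free' }
if ($result['AzureAdJoined'] -ne 'YES') { $problems += 'not AAD joined' }
$result['Problems'] = if ($problems) { $problems -join '; ' } else { 'none' }

[pscustomobject]$result | Format-List
```

Run it in an elevated PowerShell session on the endpoint. It only reads state and changes nothing, so it is safe to push through Intune as a script and compare its output against the expedite report.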

Expedite Windows Update with Intune – Check Update Health Services log

You can find the logs (ETL trace files) generated by the Microsoft Update Health Tools here at C:\Program Files\Microsoft Update Health Tools\Logs

How to read the ETL files?

One way is to open the trace file with the Windows Event Viewer.

The other way is a quick hack using the Get-WindowsUpdateLog cmdlet that merges and converts Windows Update ETL log files into a single readable WindowsUpdate.log (clear text) file.

But if you try to use the Get-WindowsUpdateLog cmdlet using the -ETLPath switch to point to the Logs directory of the Microsoft Update Health Tools generated ETL files instead, you will get the error as below.

The Get-WindowsUpdateLog cmdlet is hardcoded to detect Windows Update ETL files (filename “WindowsUpdate*.etl”), but the ETL files generated by the Update Health Tools use a different naming.

You can rename all the Update Health Tools generated ETL files to mimic the Windows Update ETL files.

This rename hack actually makes the Get-WindowsUpdateLog command work and you get the readable clear text log file.

However, reading the Update Health log file as generated, I could not find anything useful other than this particular entry, which occurs repeatedly.

2021-07-07 20:15:36.1099391 892 14172 UpdateHealthToolsServiceBlockedByNoDSSJoin 2147483648
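The rename hack and the search for the entry above can be scripted. The following is an added example, not code from the original post: it copies the Update Health Tools traces into a working folder under the WindowsUpdate*.etl name that Get-WindowsUpdateLog looks for (copying rather than renaming in place keeps the original traces intact), converts them, and then tallies the event names in the resulting log, including the UpdateHealthToolsServiceBlockedByNoDSSJoin entry. The log folder is the one given in the post; the working folder, the numbered file names and the column layout of the converted log (date, time, PID, TID, event name) are this example's assumptions.

```powershell
# Added example (not from the original post): convert Update Health Tools ETL traces with
# Get-WindowsUpdateLog and summarise the event names found in the clear-text output.
$source = 'C:\Program Files\Microsoft Update Health Tools\Logs'   # folder named in the post
$work   = Join-Path $env:TEMP 'UHTLogs'                            # assumed working folder
$outLog = Join-Path $work 'UpdateHealthTools.log'                  # assumed output name

New-Item -ItemType Directory -Path $work -Force | Out-Null
Get-ChildItem -Path $work -Filter 'WindowsUpdate*.etl' -ErrorAction SilentlyContinue | Remove-Item -Force

# Copy each trace under the file name pattern the cmdlet is hardcoded to accept;
# the originals are left untouched so they remain usable as evidence later.
$i = 0
Get-ChildItem -Path $source -Filter '*.etl' | Sort-Object LastWriteTime | ForEach-Object {
    $i++
    Copy-Item -Path $_.FullName -Destination (Join-Path $work ('WindowsUpdate.{0:D4}.etl' -f $i))
}
if ($i -eq 0) { throw "No ETL files found under $source" }

# Merge and decode the copied traces into one readable log file
Get-WindowsUpdateLog -ETLPath $work -LogPath $outLog

# Each decoded line starts "yyyy-MM-dd HH:mm:ss.fffffff PID TID EventName ..."; group by event name
$events = Get-Content -Path $outLog |
    Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |
    ForEach-Object { ($_ -split '\s+')[4] } |
    Group-Object | Sort-Object Count -Descending
$events | Select-Object Count, Name | Format-Table -AutoSize

# How many times the "blocked by no DSS join" marker from the post appears
$blocked = (Select-String -Path $outLog -Pattern 'UpdateHealthToolsServiceBlockedByNoDSSJoin' |
            Measure-Object).Count
"UpdateHealthToolsServiceBlockedByNoDSSJoin occurrences: $blocked"
```

A high count of that marker on a device that is supposedly AAD joined is worth following up with dsregcmd /status and the join-state checks earlier in this post, because the Update Health Tools will not act on an expedite policy while it considers the device not joined to the deployment service.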

But the most effective way of reading the Windows Update Health Tools log has to be via the Microsoft PerfView tool. This gives you way more information than any of the above methods.

Expedite Windows Update Intune Reporting Issue?

If you have not used Expedite Update feature previously and this is the very first time you have used it to expedite an update, you may see all your devices reporting in Error state, like what I have in my tenant.

However, if the targeted devices are ACTIVE, configured to get updates from Windows Update and meet the other checks mentioned above, the devices may actually get patched by the expedited update policy even if the report states otherwise.

This is due to some complex pipeline process for Intune reporting. If you haven’t used the feature update policy or the expedite policy before, then it can take up to 24 hours for all the “pipes and services” to get connected.

Gabe Frost, Program Manager at Microsoft, has explained this in the Twitter thread here. As per this Twitter thread, because of the 24-hour time requirement at the service end for everything to fall into place, pre-enrollment can help.

What this means is that if you have created an expedite update policy for the first time in your tenant and targeted it at devices (which are properly configured and ACTIVE), on this first attempt you are likely to encounter this Intune reporting issue. However, say another OOB security fix gets released sometime after this and you create another expedite policy for the devices; this time you should not face the reporting issue.

For me, though the Intune Windows 10 Quality Update report shows the device update state as Error for KB5004945 (the July 6 OOB update to fix PrintNightmare), the above check locally on the endpoint reveals that the system actually has the hotfix installed.

Note that this may not always be the case at your end and as such, you can check this excellent blog post from Rudy Ooms showing how you can use Proactive Remediation for this purpose.
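As an added example of that idea (this is not Rudy Ooms' script nor code from the original post), the following Proactive Remediation detection script checks locally whether the expedited KB is installed, independently of what the Intune report says. It uses KB5004945 from this post as the default; the two lookup sources (Get-HotFix and the Windows Update agent history via the Microsoft.Update.Session COM object) and the pending-reboot registry key are this example's assumptions. Exit code 0 means compliant, 1 means the update is not yet installed, which is the convention Proactive Remediation detection scripts use.

```powershell
# Added example (not from the original post): Proactive Remediation detection script that
# verifies a KB locally. $KB defaults to the OOB update discussed in the post.
$KB = 'KB5004945'

function Test-KBInstalled {
    param([string]$KBNumber)

    # Source 1: Win32_QuickFixEngineering, as surfaced by Get-HotFix
    if (Get-HotFix -Id $KBNumber -ErrorAction SilentlyContinue) { return 'Get-HotFix' }

    # Source 2: Windows Update agent history (ResultCode 2 = Succeeded), for cases where
    # the QFE view does not list the package
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        $hit = $searcher.QueryHistory(0, $count) |
            Where-Object { $_.Title -match $KBNumber -and $_.ResultCode -eq 2 } |
            Select-Object -First 1
        if ($hit) { return 'UpdateHistory' }
    }
    return $null
}

# Step 8 of the flow commits the update at restart, so a pending reboot explains a
# "downloaded but not yet installed" state (assumed registry marker)
$pendingReboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

$via = Test-KBInstalled -KBNumber $KB
if ($via) {
    Write-Output "$KB installed (detected via $via); pending reboot: $pendingReboot"
    exit 0
} else {
    Write-Output "$KB not installed; pending reboot: $pendingReboot"
    exit 1
}
```

Deploy it as the detection script of a Proactive Remediation package targeted at the same devices as the expedite policy; the script output column in the Intune report then gives you a ground-truth view while the expedite report catches up.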

Wrap Up

The reporting issue as noticed for expediting Windows Update with Intune is mostly because of the complex reporting architecture at the service end.

However, since this is at the MS end, any issues you face with expedited update reporting may need to be worked out with MS support to get things sorted.

Note that this expedite Windows update feature is still in preview, and Microsoft is actively working to make it better and fix any niggling issues that the feature might have, as reported during the preview period!

That was all for today. Thanks for reading…

Joymalya Basu Roy( Senior Consultant - Architect )

Joymalya Basu Roy is an Indian IT professional with around 6.5 years of work experience in IT Software Support and Services. Having completed his B.Tech in Computer Science and Engineering back in 2015, he is 30 years old as of 2022, ethnolinguistically a Bengali, and hails from the Indian city of Kolkata, West Bengal. Presently associated with Atos as a Senior Consultant – Architect, he works in Digital Workplace T&T projects leading the build & deployment, adoption, and support of Microsoft Intune across greenfield/brownfield environments for Android/iOS/Windows. He is also honored to be recognized as a Microsoft MVP for Enterprise Mobility – 2021 and 2022-23.

Article information

Author: Zonia Mosciski DO

Last Updated: 01/27/2023

Views: 6673

Rating: 4 / 5 (71 voted)

Reviews: 94% of readers found this page helpful
