
Windows Updates in the Fast Lane: Expedite Windows 10 Quality Updates with Microsoft Endpoint Manager


The past years have underscored the critical importance of keeping your systems up to date. As we are working from home, and thus more often outside corporate boundaries, updates are more essential than ever to protect us from bad actors and vulnerabilities and to keep us productive. In addition to Windows Update rings and Feature Update rings, we now also have the ability to expedite Windows 10 Quality Updates.

Create a quality update policy via Microsoft Endpoint Manager Admin Center.

Expediting quality updates is a great feature which ideally suits the infinite game of staying current. Expedite provides a fast lane to get Windows 10 quality updates (Patch Tuesday or out-of-band security updates) out much faster while respecting your regular update deployments.

Expanding the Windows Update for Business gear

Earlier this year at Microsoft Ignite (21H1), the Windows Update for Business (WUfB) gear was expanded with some great enhancements, including but not limited to Deployment Services, Drivers & Firmware, Known Issue Rollback (KIR) and Expediting Windows Quality Updates. For completeness, check out the complete lineup of announcements made at Ignite regarding Windows & Devices here.

So what does expedite entail?

With Windows 10 quality updates policy you can expedite the install of the most recent Windows 10 security updates (also known as “B” release) as quickly as possible on devices you manage with Microsoft Endpoint Manager (Configuration Manager). Deployment of expedited updates is done without the need to pause or edit your existing monthly servicing policies. For example, you might expedite a specific update to mitigate a security threat when your normal update process wouldn’t deploy the update for some time.

A great benefit of expediting quality updates is that you won’t need to modify existing configuration of your Windows 10 update rings. An expedite profile will temporarily override the necessary (update ring) settings to ensure the expedited quality update is installed as quickly as possible. The settings will be automatically restored to their original state after the update successfully installs. In addition, expedited updates can be targeted to your whole organization or limited to a specific subset of users or devices. Once you create an expedite policy, the deployment service will contact devices to start the update deployment without waiting for the next scan for updates.

Creating a quality update policy is a straightforward process which is well described here on Microsoft Docs. How expediting relates to regular update rings, including its behavior, is described here.

Good to know: expedite update policies ignore and override any quality update deferral periods that regular update rings configure for the update version.

How does expedite work?

When you expedite a quality update, devices can start the download and install of the update as soon as possible, without having to wait for the device to check in for updates by the regular Windows Update scan. Other than expediting the install of the update, expedite leaves your existing update deployment (aka update rings) and processes untouched.

As mentioned before, expedite works alongside the Windows Update process and requires a dedicated agent which is automatically deployed to your Windows 10 endpoints via Windows Update. For a better understanding, please find below a brief description of how expedite works.

Overview of the expedite quality update workflow.
  1. Create a Windows Quality update policy in Microsoft Endpoint Manager Admin center.
  2. The policy will be processed by the Windows Update for Business deployment service.
  3. A notification will be picked up by the Update Health Service (Windows Update for Business deployment service client).
  4. The Update Health Service processes the expedite policy, sets a deadline policy and triggers the Windows Update client to perform a regular scan.
  5. A regular Windows Update scan is performed.
  6. After the update scan is completed, applicable update(s) will be installed.
  7. The installation is followed by a restart which respects your restart deadline configured in the Windows Quality update expedite policy.
  8. The Update Health Service monitors the expedite process and sends the actual status back via telemetry. This includes the various stages of pending, in progress, completed or failure.
  9. Once the expedite process is completed, the original Windows Update settings on the endpoint are restored.

Under the hood

The expedite process uses a dedicated client (Microsoft Update Health service) which is installed by update KB4023057 “Update for Windows 10 Update Service components” via Windows Update on all eligible Windows 10 builds which are within the support lifecycle. The Update Health Service is a dedicated client (service) which works alongside the Windows Update client service.

Microsoft Update Health Service and Windows Update service operate side by side.

For completeness, the Update Health Tool binaries can be found in “C:\Program Files\Microsoft Update Health Tools“.

Microsoft Update Health binaries at the Windows 10 client side.

Keep an eye on it with ‘new style’ reports

Windows Quality Updates come with a set of new reports which provide detailed information on the various stages of expediting quality updates.

  • Reports | Windows quality update status (deployment, progress)
  • Monitor | Windows expedited update failures (troubleshooting)

Windows quality update status. This report (located in the report section) is the way to keep track of the deployment of expedite policies, since these are not processed via the OMA-DM client. As mentioned, expedite uses its own agent (Microsoft Update Health service). Therefore the deployment of expedite policies cannot be tracked or monitored (e.g. user- or device-based policy targeting) the way we are used to with regular configuration policies.

The Update State and Update SubState columns show the devices received by the service, the states they pass through during validation and while the offer is prepared, and then the transition to client-side states for download and install. The service-side states Pending Validation and Offering OfferReady are the indicators that the policy was successfully submitted. Installing DownloadStart then shows that the offer has made it to the client.

The complete list of expedite update states can be found here.

The expedite quality update report provides a detailed overview of the various states.

Important! Before you can monitor results and update status for expedited updates, please make sure you have enabled Windows Health Monitoring (at least select the Windows Update scope) in your tenant. If not, no data or update status will show up in the reports.

Make sure Windows Health Monitoring is enabled in your tenant.

Windows expedited update failures. This report (located in Devices\Monitor section) is used for troubleshooting expedite deployments with a broad variety of alerts (52) and detailed explanation.

The monitoring section provides a broad variety of possible alerts (52).

By selecting the alert message you are able to drill down to the full details of the error, which provides a good starting point for taking the necessary actions to mitigate the reported issue(s).

Drilling down on an alert gives you a detailed explanation of the alert, its severity and a recommendation to mitigate.

In case you need more detailed information than the default reports provide, you can go a step further and find detailed configuration and logging on the client side. The log directory contains ETL log files which can be opened with PerfView or any other ETL reader of choice.

Log file of the Microsoft Update Health Services opened with PerfView.

Informational: the ETL logs include the configuration of Windows Quality Updates, which can be found in the following registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate\uhs\settings
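The client-side pieces described above (binaries folder, service, ETL logs and registry settings) can be checked in one read-only pass on an endpoint. This is an added example, not part of the original post or of any Microsoft tooling; the function name Test-ExpediteClient is hypothetical, and searching for ETL files below the tools folder is an assumption, since the post does not give the exact log path.

```powershell
# Added example: read-only inventory of the expedite client on the local device.
# The folder and registry key are the ones named in this article; nothing is changed.
function Test-ExpediteClient {
    [CmdletBinding()]
    param(
        [string]$ToolsPath   = (Join-Path $env:ProgramFiles 'Microsoft Update Health Tools'),
        [string]$SettingsKey = 'HKLM:\SOFTWARE\Microsoft\CloudManagedUpdate\uhs\settings'
    )

    # Look the service up by display name, as the article names it.
    $service = Get-Service -DisplayName 'Microsoft Update Health Service' -ErrorAction SilentlyContinue |
        Select-Object -First 1

    # Assumption: the ETL traces live somewhere below the tools folder.
    $etl = @()
    if (Test-Path -LiteralPath $ToolsPath) {
        $etl = @(Get-ChildItem -LiteralPath $ToolsPath -Filter '*.etl' -Recurse -File -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending)
    }

    # Collect the value names the service stored, skipping PowerShell's own PS* properties.
    $settingNames = @()
    if (Test-Path -LiteralPath $SettingsKey) {
        $settingNames = @((Get-ItemProperty -LiteralPath $SettingsKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $_.Name })
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ToolsInstalled = Test-Path -LiteralPath $ToolsPath
        ServiceStatus  = if ($service) { "$($service.Status)" } else { 'NotFound' }
        EtlLogCount    = $etl.Count
        NewestEtlLog   = if ($etl.Count -gt 0) { $etl[0].FullName } else { $null }
        SettingsKeySet = $settingNames.Count -gt 0
        SettingNames   = $settingNames -join ', '
    }
}

# Run from an elevated prompt so the Program Files logs and HKLM key are readable.
Test-ExpediteClient | Format-List
```

A device that reports ToolsInstalled as False or ServiceStatus as NotFound has not received the Update Health Tools yet, so an expedite policy targeted at it has no client to act on.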

Recap

For these faster-than-normal scenarios, especially quality updates or out-of-band updates, expedite will help you step on the gas and go faster than your steady-state configuration. It helps organizations in the ongoing effort to manage security risks and helps to keep systems protected at a glance.

At the time of writing, expediting is available for security updates, also known as the quality “B” release. For more details on the monthly quality update release cadence managed by Windows Update for Business, read this post.

  • Make sure you meet the prerequisites to qualify for installing expedited quality updates with Microsoft Endpoint Manager
  • Make sure Windows update KB4023057 is installed on your endpoints
  • Make sure Windows Health Monitoring is enabled for your tenant

Please do understand expedite is not recommended for normal monthly quality update servicing. Instead, consider using the deadline settings from a Windows 10 update rings policy. For information, see Use deadline settings under the user experience settings in Windows update settings.

In this recording David Guyer (Program Manager at Microsoft) explains how expedite works.
