Deploying emergency zero-day patches is crucial for securing your organization’s devices and networks against cyber threats. Given the rising frequency and complexity of cyber attacks, swift action is essential to address zero-day vulnerabilities and reduce the chances of data breaches and system outages.
In the Intune admin center, you can create a Quality update profile to speed up the deployment of updates on Windows devices managed by Intune. After the expedited process finishes, the update process returns to the regular cycle configured in the Update ring profile.
Key Aspects of Quality Update Profile
- When you expedite the Quality Update installation for Windows 10/11 devices, the update will be quickly downloaded, bypassing the usual wait time for them to check for updates.
- Only one Quality Update profile is required for all Windows versions. Windows Update will assess update eligibility and initiate patch downloads accordingly.
- Devices with up-to-date quality updates won’t be able to redownload or reinstall the updates.
- Creating a Quality update profile to expedite the deployment of the latest patches will override any deferral periods you’ve defined in Update ring policies for regular patch deployment cycles.
- Quality update profile requires one of the following licenses:
  - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  - Windows Virtual Desktop Access E3 or E5
  - Microsoft 365 Business Premium
Step 1: Create a Quality Update Profile
Here are the steps to create a Quality update profile:
- Sign in to the Intune admin center > Devices > Windows updates > Quality updates.
Settings tab
In the Settings tab, provide the following details:
- Name: Provide a Name of the Profile.
- Description: Provide a useful description.
- Expedite installation of quality update if device OS version less than: Choose the most recent release date for the current patches. For example, selecting 02/14/2023 – 2023.02 B Security Updates for Windows 10 and later expedites the installation of the February 2023 security patches [refer to the screenshot].
Updates with the letter B in their name were released as part of a Patch Tuesday event (usually the second Tuesday of the month).
Security updates for Windows 10/11 released outside the regular Patch Tuesday schedule can also be expedited; unlike the B updates, out-of-band releases carry different identifiers.
- Number of days to wait before restart is enforced: Choose how many days the device may wait before it is automatically restarted. If you select 0, the device restarts as soon as the patches are installed. Users are notified, but an immediate restart can disrupt active work and leaves them less time to save it.
- Assignments tab: Click on Add group to add an Entra security group containing Windows 10/11 devices.
- Review and create: Review the deployment and click on Create.
Step 2: Monitor Expedited Quality Updates Deployment
Now that you’ve created a Quality update profile and assigned it to the devices, it’s important to monitor its progress regularly to ensure that the expedited updates are successfully downloaded and installed. There are two options:
Option 1: Windows Expedited Update Report
- Sign in to the Intune admin center > Reports > Windows updates > Reports tab.
- Click on Windows Expedited Update Report.
- Click on Select an expedited update profile and then select the Quality update profile, for example, Feb Quality Updates Expedited. Then, click on Generate report to generate a report on the deployment progress.
Option 2: Using Microsoft Apps admin center
The Microsoft 365 Apps admin center can provide useful information about the devices, including the security and feature update version. You first have to onboard devices to the Microsoft 365 Apps admin center before you can view the device inventory. Refer to the link for Onboarding devices to M365 Apps admin center.
The inventory report in the Microsoft 365 Apps admin center includes the OS build number. This information lets you determine the current patch level of your Windows 10/11 devices. You can then use VLOOKUP in Excel to match the targeted devices against their patch level.
You’ll need to wait for the data to refresh, which also depends on the Number of days to wait before restart is enforced setting in the Quality update profile.
- Sign in to the Microsoft 365 apps admin center.
- Click on Inventory and then click on Show all devices.
- Click on any device to open a pane on the right-hand side. This pane displays details about that device, including the OS build, shown as 10.0.19044.2604 (x64), which represents the patch level for February 2023.
- You can also export the list of devices using the Export button on the Devices page.
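To perform the patch-level check described above without Excel, here is an added Python example (not from the original post): it parses the OS build column of an exported inventory, compares each device's update build revision against the expected build for its Windows release line, and lists the devices still behind. The 19044.2604 value comes from the post; the other target builds and the inventory rows are constructed placeholders.

```python
import csv
import io
import re

# Expected OS build after the February 2023 (2023.02 B) security update, keyed by
# release line. 10.0.19044 -> 2604 is taken from the post; the other two entries are
# constructed placeholders and must be replaced with the values from the release notes.
TARGET_BUILDS = {
    "10.0.19044": 2604,   # Windows 10 21H2 (from the post)
    "10.0.19045": 2604,   # Windows 10 22H2 (placeholder)
    "10.0.22621": 1265,   # Windows 11 22H2 (placeholder)
}

# Constructed sample of an inventory export, using the OS build format shown in the admin center.
SAMPLE_EXPORT = """\
Device name,OS build
DESKTOP-01,10.0.19044.2604 (x64)
DESKTOP-02,10.0.19044.2486 (x64)
LAPTOP-03,10.0.19045.2604 (x64)
LAPTOP-04,10.0.22621.1105 (x64)
SERVER-05,10.0.17763.4010 (x64)
"""

BUILD_RE = re.compile(r"^(\d+\.\d+\.\d+)\.(\d+)")


def parse_build(text):
    """Split '10.0.19044.2604 (x64)' into ('10.0.19044', 2604); return None if unparseable."""
    m = BUILD_RE.match(text.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2))


def classify(export_csv):
    """Map each device to 'current', 'behind', or 'unknown' (release line not in TARGET_BUILDS)."""
    result = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        parsed = parse_build(row["OS build"])
        if parsed is None or parsed[0] not in TARGET_BUILDS:
            result[row["Device name"]] = "unknown"
            continue
        line, revision = parsed
        result[row["Device name"]] = "current" if revision >= TARGET_BUILDS[line] else "behind"
    return result


def devices_behind(export_csv):
    """Sorted list of devices whose build revision is below the target for their release line."""
    return sorted(d for d, s in classify(export_csv).items() if s == "behind")


if __name__ == "__main__":
    for device, status in classify(SAMPLE_EXPORT).items():
        print(f"{device}: {status}")
```

Devices reported as unknown run a release line not present in the target table and need a manual look at the release notes before being judged.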
Conclusion
In this blog post, we’ve explored how to expedite the deployment of security patches on Windows 10/11 devices by creating a Quality update profile. This lets you swiftly address zero-day threats by installing Microsoft’s latest Windows patches.
Microsoft may also release a single out-of-band patch, which will be visible when creating a Quality update profile. Instead of B Security Update, it may have a different letter, such as A Security Update.