Deploying emergency zero-day patches is critical to securing your organization’s devices and networks from cyber threats. With the increase in frequency and sophistication of cyber attacks, organizations need to respond quickly to zero-day vulnerabilities to minimize the risk of data breaches and system downtime.
Microsoft Intune, a cloud-based mobile device management and endpoint protection solution, provides a centralized platform for deploying emergency patches to devices running Windows 10, iOS, Android, and macOS operating systems.
This article will explore how to use Microsoft Intune to deploy emergency zero-day patches, ensuring that your organization stays protected against cyber threats.
Microsoft recently released security patches fixing 75 vulnerabilities, 66 of them rated Important, including the three zero-day vulnerabilities listed below.
- CVE-2023-21715 (CVSS score: 7.3) – Microsoft Office Security Feature Bypass Vulnerability
- CVE-2023-21823 (CVSS score: 7.8) – Windows Graphics Component Elevation of Privilege Vulnerability
- CVE-2023-23376 (CVSS score: 7.8) – Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability
As an Intune Administrator, your job is to protect the organization from these zero-day threats as well as from other critical threats. On researching this further, I found that Microsoft has fixed all of these vulnerabilities, including the zero-day threats, in the February quality updates.
Microsoft releases quality updates on the second Tuesday of every month. For example, the February quality update patches were released on 14th Feb 2023.
You may already have configured Update rings, which deploy patches to all devices using deferral settings that define when patches reach production devices after they have been tested on test devices. This process can take some time, up to 2 weeks after the patches are released.
We want to make sure that the February security / quality updates are pushed to end users' devices as soon as possible to mitigate the zero-day threats. Let's look at the steps to expedite the patching cycle (out-of-band patches) using Intune for Windows 10/11 devices.
Create a Quality Update profile to Expedite Installation of Security Patches
You will need to create a quality update profile from the Microsoft Endpoint Manager admin center to expedite the installation of the most recent Windows 10/11 security updates.
When you expedite a quality update installation for Windows 10/11 devices, the devices start downloading the patches as soon as possible, without waiting for the next scheduled check-in for updates.
- You can create a single profile / policy covering different versions of Windows, for example Windows 10 1809, 1909 etc. Windows Update evaluates whether the update is applicable and then starts downloading the patches.
- If a device already has the newer security patches installed, it will not try to download / install the update again.
- When you create a quality update profile to expedite the most recent patches, it ignores / overrides any deferral period you have set in Update ring policies for the normal patch deployment cycle.
Steps to Create a Quality Update Profile
Please follow below steps to create a Quality update profile.
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Devices > Quality updates for Windows 10 and later > Create profile.
In the Settings tab, provide below details:
- Name – Provide a Name of the Profile. For example: Feb Quality Updates Expedited
- Description – This Profile will expedite the installation of February Quality Updates to all assigned Devices.
- Expedite installation of quality update if device OS version less than – Select the most recent date, which corresponds to the most recent patches. For example, I have selected 02/14/2023 – 2023.02 B Security Updates for Windows 10 and later, which will expedite the installation of the February security patches.
Updates that include the letter B in their name are updates released as part of a Patch Tuesday event. The letter B identifies that the update was released on the second Tuesday of the month.
Security updates for Windows 10/11 that are released out of band from a Patch Tuesday can also be expedited. Instead of the letter B, out-of-band releases have different identifiers.
- Number of days to wait before restart is enforced – Choose the number of days after which the device will be restarted automatically. If you select 0, devices are restarted as soon as the patches are installed. If users are actively working on the devices, the restart can disrupt their work: the user is notified, but has less time to save their work.
On the Assignments tab, add an Azure AD security group containing users or devices. Patch deployment will be expedited on the devices of the members of that group.
If you assign this quality update profile to an Azure AD security group containing users, the patches are deployed on all devices belonging to those users. If you want to control the patch deployment at the device level, add an Azure AD security group that targets only devices. Click Next to proceed to the Review + Create page.
For example: I have added an Azure AD security group which contains 486 devices.
Review and Create
Review the configuration and then create the profile along with its assignment. As soon as the policy is in place, the devices start downloading and installing the updates. Depending on the time limit specified for device restart, the devices are then restarted automatically.
How to monitor Expedited Quality Updates on devices
Now that you have created a quality update profile and assigned it to the devices, you should monitor it regularly to confirm that the expedited updates are being downloaded and installed successfully.
There are various ways to check the update status on the targeted Windows devices. Let's look at them:
Option 1 – Check Windows Expedited Update Report
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Reports > Windows updates> Reports tab.
- Click on Windows Expedited Update Report (Preview).
- Click on Select an expedited update profile, select the quality update profile (for example: Feb Quality Updates Expedited), and then click Generate Report to generate a report of the deployment progress.
Option 2 – Check Windows OS build version from Microsoft 365 apps admin center
You can also download an inventory report from the Microsoft 365 Apps admin center. This report includes the OS build number, which indicates the current patch level of each Windows 10/11 device.
You can then use VLOOKUP in Excel to find the targeted devices and their patch level. For example, I have pushed this quality update profile to expedite the February security updates to an Azure AD security group containing devices.
I have verified from the Microsoft 365 Apps admin center whether the patch has been successfully installed or not. You will not see the OS build update immediately after assigning the quality update profile to end user devices.
You need to wait for the data to be refreshed. This also depends on the Number of days to wait before a restart is enforced setting in the quality update profile, as the security patch installation only completes after a device has been restarted.
- Log in to the Microsoft 365 Apps admin center.
- Click on Inventory and then click on Show all devices.
- Click on any device to open a pane on the right-hand side. This pane shows details about that device, including the OS build, which is showing as 10.0.19044.2604 (x64) – this is the February 2023 patch level.
- You can also export the list of devices by using Export button on Devices page.
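Instead of a VLOOKUP, the exported inventory can be cross-checked with a script. The following is an added example, not part of the original post or of any Microsoft tooling: it reads a constructed inventory CSV (column names are assumed; adjust them to the real export), compares each targeted device's OS build against the 10.0.19044.2604 February 2023 level quoted above, and flags devices that are pending, on a different Windows version (whose expected build differs), or missing from the inventory altogether.

```python
import csv
import io

# Constructed sample resembling the Microsoft 365 Apps admin center inventory
# export. Column names are an assumption; use the real header from your export.
INVENTORY_CSV = """Device name,OS,OS build
PC-001,Windows 10,10.0.19044.2604 (x64)
PC-002,Windows 10,10.0.19044.2486 (x64)
PC-003,Windows 10,10.0.19045.2604 (x64)
PC-004,Windows 11,10.0.22621.1265 (x64)
"""

# Constructed member list of the Azure AD device group assigned to the profile.
TARGET_DEVICES = {"PC-001", "PC-002", "PC-003", "PC-999"}

# February 2023 (2023.02 B) patch level for Windows 10 21H2 as quoted in the post.
EXPECTED_BUILD = 19044
EXPECTED_UBR = 2604


def parse_build(text):
    """Turn '10.0.19044.2604 (x64)' into (19044, 2604); None if unparsable."""
    parts = text.split()[0].split(".")
    if len(parts) != 4:
        return None
    try:
        return int(parts[2]), int(parts[3])
    except ValueError:
        return None


def classify(build_text, expected_build=EXPECTED_BUILD, expected_ubr=EXPECTED_UBR):
    """Patched if the device is on the expected build with a UBR at or above target."""
    parsed = parse_build(build_text)
    if parsed is None:
        return "unknown"
    build, ubr = parsed
    if build != expected_build:
        return "other-version"  # a different Windows release has its own target UBR
    return "patched" if ubr >= expected_ubr else "pending"


def check_inventory(csv_text, targets):
    """Map every targeted device name to its patch status from the inventory export."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Device name"]
        if name in targets:
            result[name] = classify(row["OS build"])
    for name in targets - result.keys():
        result[name] = "not-in-inventory"  # never reported in, worth a manual look
    return result
```

Devices reported as "pending" after the restart deadline has passed are the ones to investigate in the Windows Expedited Update Report.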
In this blog post, we have seen how to expedite the deployment of security patches on Windows 10/11 devices by creating a quality update profile. This way you can fix any zero-day threats by installing the latest Windows patches provided by Microsoft.
Microsoft may also release a single out-of-band patch, which will appear while creating a quality update profile. Instead of B Security Update…, it may have a different letter, for example A Security Update….