Expedite Windows Quality Updates deployment using Intune

Deploying emergency zero-day patches is crucial for securing your organization’s devices and networks against cyber threats. Given the rising frequency and complexity of cyber attacks, swift action is essential to address zero-day vulnerabilities and reduce the chances of data breaches and system outages.

Even if you already have a regular patching cycle built with update rings, you need a way to expedite a quality update when a vulnerability must be fixed immediately rather than after the ring's deferral period.

In the Intune admin center, you can create a Quality update profile (an expedite policy) to speed up the installation of a specific security update on Windows devices managed by Intune. Once the expedited update is installed, the device returns to the regular cycle configured in its Update ring profile.

Key Aspects of Quality Update Profile

  • When you expedite a quality update for Windows 10/11 devices, Windows Update tells them to scan for and download the update right away, instead of waiting for their next scheduled update scan.
  • Only one Quality update profile is needed for all Windows versions. Windows Update evaluates which update applies to each device's version and downloads the right one.
  • Devices that already have the expedited update (or a newer one) installed are not made to download or reinstall it.
  • A Quality update profile overrides any deferral period you have defined in Update ring policies for the regular patch cycle; the expedited update is offered regardless of the ring's quality update deferral.

Step 1 – Create a Quality Update Profile

Here are the steps to create a Quality update profile:

  • Sign in to the Intune admin center.
  • Select Devices > Quality updates for Windows 10 and later > Create profile.
Create a Quality Update Profile

Settings tab

In the Settings tab, provide the following details:

  • Name – Provide a name for the profile.
  • Description – Provide a useful description.
  • Expedite installation of quality update if device OS version less than – Choose the release you want to expedite. Any device whose OS build is older than that release installs it. For example, selecting “02/14/2023 – 2023.02 B Security Updates for Windows 10 and later” expedites the February 2023 security update [refer to the screenshot].

Updates with the letter “B” in their name were released as part of a “Patch Tuesday” event (usually the second Tuesday of the month).

Security updates for Windows 10/11 released outside the regular “Patch Tuesday” schedule can also be expedited. Unlike the “B” releases, out-of-band releases carry different identifiers in the list.

  • Number of days to wait before restart is enforced – The number of days a user can postpone the restart that completes the installation. If you select 0, the device restarts as soon as the update is installed. The user is still notified, but has little time to save their work, so an immediate restart can interrupt active sessions.
Create a Quality Update Profile

Assignments tab

Click Add group and select the Entra ID security group that contains the devices to target.

Create a Quality Update Profile

Review and Create

Review the settings and assignments, then click Create to start the deployment.
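The same profile can be created and assigned from PowerShell through the Microsoft Graph beta API, which is useful when you need to push an emergency patch to several tenants or script the response to a zero-day. The following is an added example and is not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, that the `windowsQualityUpdateProfiles` beta resource and its `expeditedUpdateSettings` properties are as documented in the Graph beta reference (check them against the current docs before relying on this), and that the release date, restart grace period and group ID are placeholders you replace with your own values.

```powershell
# Added example (not from the original post): create and assign an expedite
# (Quality update) profile through the Microsoft Graph beta API instead of the
# admin center UI. Requires the Microsoft.Graph PowerShell SDK and an account
# holding DeviceManagementConfiguration.ReadWrite.All.
# ASSUMPTIONS: the beta resource/property names below are taken from the Graph
# beta reference; the release date, restart days and group ID are placeholders.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdateProfiles'

# Release to expedite: devices on an OS build older than this release install it.
# Use the same Patch Tuesday date the admin center picker shows.
$releaseDate           = '2023-02-14T00:00:00Z'    # assumed: February 2023 "B" release
$daysUntilForcedReboot = 2                         # 0 = restart as soon as the install finishes
$targetGroupId         = '00000000-0000-0000-0000-000000000000'  # placeholder Entra device group

$profileBody = @{
    '@odata.type'           = '#microsoft.graph.windowsQualityUpdateProfile'
    displayName             = 'Feb Quality Updates Expedited'
    description             = 'Expedite the 2023.02 B security update'
    expeditedUpdateSettings = @{
        '@odata.type'         = '#microsoft.graph.expeditedWindowsQualityUpdateSettings'
        qualityUpdateRelease  = $releaseDate
        daysUntilForcedReboot = $daysUntilForcedReboot
    }
}

# Step 1 equivalent of the Settings tab: create the profile.
$profile = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'
Write-Host "Created expedite profile $($profile.id)"

# Equivalent of the Assignments tab: target the Entra security group.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $targetGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($profile.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Verify what was created: the profile, the release it targets and its assignments.
$created = Invoke-MgGraphRequest -Method GET -Uri "$base/$($profile.id)?`$expand=assignments"
[pscustomobject]@{
    Id          = $created.id
    DisplayName = $created.displayName
    Release     = $created.expeditedUpdateSettings.qualityUpdateRelease
    RestartDays = $created.expeditedUpdateSettings.daysUntilForcedReboot
    Groups      = ($created.assignments | ForEach-Object { $_.target.groupId }) -join ','
}
```

Because the expedite policy bypasses the ring's deferral, keep the group tightly scoped (a pilot device group first, then the production group) and confirm the `Release` value in the verification output matches the Patch Tuesday you intended before widening the assignment.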

Step 2 – Monitor Expedited Quality Updates Deployment

Now that you have created a Quality update profile and assigned it to devices, monitor it regularly to confirm that the expedited update is actually downloaded and installed. There are two ways to do this:

Option 1 – Windows Expedited Update Report

  • Sign in to the Intune admin center
  • Select Reports > Windows updates > Reports tab.
  • Click on Windows Expedited Update Report (Preview).
Monitor Expedited Quality Updates on devices
  • Click Select an expedited update profile and choose the Quality update profile, for example Feb Quality Updates Expedited. Then click Generate report to see the deployment progress per device (update state, whether the device has restarted, and any error).
Monitor Expedited Quality Updates on devices

Option 2 – Using the Microsoft 365 Apps admin center

If you have not done so already, set up the Microsoft 365 Apps admin center. Here is a step-by-step guide you can follow: Onboarding devices to Microsoft 365 Apps admin center

You can also download an inventory report from the Microsoft 365 Apps admin center, which includes each device's OS build number. This tells you the current patch level of your Windows 10/11 devices. You can then use VLOOKUP in Excel to match the targeted devices against the export and read off their patch level.

The build number in the inventory only changes after the device has installed the update and restarted, so allow for the inventory refresh interval plus the “Number of days to wait before a restart is enforced” value you set in the Quality update profile before judging the deployment.

Using Microsoft 365 Apps admin center
  • Click any device to open a pane on the right-hand side with details about that device, including the OS build. In the screenshot it is shown as 10.0.19044.2604 (x64), which corresponds to the February 2023 security update for Windows 10 21H2 (build 19044).
Using Microsoft 365 Apps admin center
  • You can also export the full list of devices using the Export button on the Devices page.
Using Microsoft 365 Apps admin center
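The VLOOKUP step above can be replaced by a short script that reads the exported device list and checks each targeted device's build against the minimum build of the expedited release, which makes the check repeatable and avoids mistakes when the export has thousands of rows. The following is an added example and is not code from the original post. It assumes the export has `Device name` and `OS build` columns (adjust to your file), uses a constructed sample instead of a real export, and treats the Windows 10 21H2 build 19044.2604 from the post as the February 2023 threshold; the Windows 11 22H2 threshold (22621.1265) is an assumption and should be taken from the release notes of the update you expedited.

```powershell
# Added example (not from the original post): check exported device builds
# against the minimum build of the expedited update, replacing the Excel VLOOKUP.
# ASSUMPTIONS: column names match your export; the sample data is constructed;
# the 22621 threshold is assumed, the 19044 threshold is the one shown in the post.

# Constructed sample of a Microsoft 365 Apps admin center export.
# In practice: $export = Import-Csv .\devices.csv
$export = @'
Device name,OS version,OS build
PC-001,Windows 10,10.0.19044.2604 (x64)
PC-002,Windows 10,10.0.19044.2546 (x64)
PC-003,Windows 11,10.0.22621.1265 (x64)
PC-004,Windows 11,10.0.22621.1194 (x64)
PC-005,Windows 10,10.0.19045.2604 (x64)
'@ | ConvertFrom-Csv

# Devices in the Entra group the expedite profile was assigned to (placeholder list;
# in practice pull the group members from Entra ID or the Intune device list).
$targeted = 'PC-001', 'PC-002', 'PC-004', 'PC-005'

# Minimum UBR (the last build component) per Windows build for the expedited release.
# Windows Update installs a different package per OS version, so the threshold is per build.
$minimumUbr = @{
    '19044' = 2604   # Windows 10 21H2, February 2023 security update (from the post)
    '22621' = 1265   # Windows 11 22H2, February 2023 security update (assumed)
}

function Get-PatchStatus {
    param([string]$OsBuild)
    # Extract "major.minor.build.ubr" from strings like "10.0.19044.2604 (x64)".
    if ($OsBuild -notmatch '(\d+)\.(\d+)\.(\d+)\.(\d+)') { return 'Unknown build format' }
    $build = $Matches[3]
    $ubr   = [int]$Matches[4]
    if (-not $minimumUbr.ContainsKey($build)) { return "No threshold defined for build $build" }
    if ($ubr -ge $minimumUbr[$build]) { 'Patched' } else { 'Missing update' }
}

$results = $export |
    Where-Object { $targeted -contains $_.'Device name' } |
    ForEach-Object {
        [pscustomobject]@{
            Device  = $_.'Device name'
            OsBuild = $_.'OS build'
            Status  = Get-PatchStatus $_.'OS build'
        }
    }

$results | Sort-Object Status, Device | Format-Table -AutoSize

# Devices still missing the update are the ones to follow up on in the
# Windows Expedited Update Report (restart pending, offline, or error).
$results | Where-Object Status -ne 'Patched'
```

A device that reports an older build after the restart grace period has passed is worth checking in the expedited update report: typical causes are the device being offline, a pending restart that the user keeps deferring, or the device sitting in a group the profile was not assigned to.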

Conclusion

In this blog post, we have explored how to expedite the deployment of security patches on Windows 10/11 devices by creating a Quality update profile. This lets you respond to zero-day threats quickly by installing the latest Windows security update ahead of the regular ring schedule.

Microsoft may also release a single out-of-band update, which will be visible in the list when creating a Quality update profile. Instead of “B Security Update,” it may carry a different label, for example a different letter such as “A Security Update.”
