Microsoft Portals
      Back to home
      1. Help Center
      2. Microsoft Portals

      How to deploy Quality updates in Microsoft Intune?

      Overview

      This knowledge base will demonstrate how to create and monitor Quality updates for Windows 10 and later in Intune. 

      With Quality updates for Windows 10 and Later policy, you can expedite the installation of the most recent Windows 10/11 security updates on devices you manage with Microsoft Intune. Deployment of expedited updates is done without the need to pause or edit your existing monthly update policies

      Prerequisites

      You must have the following licenses, subscriptions and network configurations.

      • Intune: Your tenant requires the Microsoft Intune Plan 1 subscription.
      • Microsoft Entra ID: Microsoft Entra ID Free (or greater) subscription.
      • Windows Editions:
        • Pro
        • Enterprise
        • Education
        • Pro for Workstations
      • Windows subscription and licenses:
        • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
        • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
        • Windows Virtual Desktop Access E3 or E5
        • Microsoft 365 Business Premium
        • Unsupported: Windows 10/11 Enterprise LTSC
      • The device is running a version of Windows 10/11 that is still in support.
      • The device is enrolled in Microsoft Intune and (hybrid) Entra joined.
      • The telemetry is enabled, on the device, with a minimum level of Required.
      • The Microsoft Account Sign-In Assistant (wlidsvc) service, on the device, is not Disabled.
      • The device has access to the network endpoints required for Intune managed devices.
      • The Intune setting Windows drivers, in an update ring, is set to Allow.
      • The Intune setting Enable features that require Windows diagnostic data in processor configuration in turned On.

      Create Quality update policies

      1. Navigate to Microsoft Intune portal, then select Windows 10 and later updates.

      2. Select Quality Updates then select Create profile.

      3. Under Deployment settings, enter and configure the following:
      Name: Windows Quality Update Policy - Pilot
      Description: Windows Quality Update Policy - Pilot
      Expedite installation of quality updates if device OS version less than: Select from the dropdown

      When selecting a quality update:

      • Updates are identified by their release date, and you can select only one update per policy.
      • Updates that include the letter B in their name identify updates that released as part of a patch Tuesday event. The letter B identifies that the update released on the second Tuesday of the month.
      • Security updates for Windows 10/11 that release out of band from a patch Tuesday can be expedited. Instead of the letter B, out-of-band patch releases have different identifiers.
      • When the update deploys, Windows Update ensures that each device that receives the policy installs a version of the update that applies to that devices architecture and its current Windows version, like version 1809, 2004, and so on.

      For Non-Security Expedite Updates it includes quality fixes after the previous B or Security release. Admins can expedite installation of the latest applicable qualify update on device without waiting for the deferral period.

      • Updates without the word SecurityUpdate indicate that it is not a security update. Updates that include the letter D in their name identify updates that are released since the latest patch Tuesday security week. You might also see 2024.01 OOB Update (out-of-band patch releases). Windows monthly update explained
      • Non-security updates are only shown when it is the most recent release. The drop-down list is updated to display the most recent two security updates, including if one is an out-of-band update. If the most recent non-security update is newer than the newest security update, then the non-security update is also included in the drop-down list. As a result, sometimes two updates are shown, and at other times, three updates are shown.
      • The non-security expedite updates apply to Windows 11 devices.

       

      Number of days to wait before restart is enforced

      • 0: A setting of 0 days means that as soon as the device installs the update, the user is notified about the restart and has limited time to save their work.
      • 1: A setting of 1 day or 2 days provides device users flexibility to manage a restart before it's forced. These settings correspond to an automatic restart delay of 24 or 48 hours after the update installs on the device.
      • 2: A setting of 1 day or 2 days provides device users flexibility to manage a restart before it's forced. These settings correspond to an automatic restart delay of 24 or 48 hours after the update installs on the device.

      Then select Next.


      4. Under Assignments, select the required pilot group. Then select Next.
      5. Under Review + create, review the settings then select Create.



      6. You can follow steps 3 to 5 to create the 'Windows Quality Update Policy - Production' where you assign it to 'All Devices' once pilot deployment has been satisfied.
      7. To monitor the Feature update policies, navigate to Monitor tab and click on 'Expedited quality update policies with alerts'