How to Expedite Windows Quality Updates Using Microsoft Intune

Start by logging into the Microsoft Intune admin center where you'll configure the expedite policy. This is where all Windows update management happens in modern enterprise environments.

Open your browser and navigate to the Intune admin center:

https://intune.microsoft.com

Once logged in, navigate through the menu structure:

1. Click Devices in the left navigation
2. Select Windows from the submenu
3. Click Windows updates
4. Select the Quality updates tab

You'll see the quality updates dashboard showing any existing policies and available updates. The interface displays current deployment status and available security updates that can be expedited.

Now you'll create the expedite policy that will override normal update deferrals. This policy type specifically targets critical security updates that need immediate deployment.

Click the Create button and select Expedite policy from the dropdown menu. This opens the expedite policy wizard.

Configure the basic policy settings:

Name: Expedite - 2026-03 Security Update - CVE-2026-XXXX
Description: Emergency deployment for critical vulnerability - March 2026 Cumulative Update
Platform: Windows 10 and later

The naming convention is crucial for tracking during security incidents. Include the month, year, and CVE number if known. This helps with audit trails and policy management.

In the Select quality update dropdown, you'll see available updates. For March 2026, you might see:

• 2026-03 Cumulative Update for Windows 11 version 25H2
• 2026-03 Cumulative Update for Windows 10 version 22H2
• Any available out-of-band (OOB) security updates

The deployment settings control how aggressively the update pushes to devices. For security updates, you'll want to balance speed with stability.

Configure these critical deployment settings:

Rollout settings:
├── Start rollout: Immediately
├── Rollout percentage: 10% (pilot group)
├── Deployment priority: High
├── Override existing deferrals: Automatic (enabled by default)
└── Restart deadline: 2-7 days (based on urgency)

The restart deadline is particularly important. For critical vulnerabilities, set it to 2-3 days maximum. For standard security updates, 7 days provides better user experience:

Critical CVE (CVSS 9.0+): 2 days
High severity (CVSS 7.0-8.9): 3-5 days
Medium severity: 7 days

The expedite policy automatically overrides any existing update deferrals configured in your Windows Update rings. This means devices that normally defer updates for 30 days will receive this specific update immediately.

Configure notification settings:

User notifications:
├── Show notifications: Enabled
├── Restart reminder frequency: Every 4 hours
├── Allow user to postpone: Until deadline
└── Auto-restart outside active hours: Enabled

Proper group assignment ensures the expedite policy reaches the right devices without affecting excluded systems like test environments or critical servers.

Click the Assignments tab and configure your target groups:

Include groups:
├── "Expedited Updates - Pilot" (10% of production devices)
├── "Critical Workstations" (high-priority user devices)
└── "Security Team Devices" (always first to receive updates)

Exclude groups:
├── "Test Environment Devices"
├── "Kiosk Devices"
├── "Legacy Application Servers"
└── "Update Exclusions - Temporary"

Create these Azure AD groups if they don't exist. Use dynamic membership rules for automatic population:

Dynamic rule for pilot group (10% sample):
(device.deviceId -contains "1") or (device.deviceId -contains "2")

Dynamic rule for critical workstations:
(device.deviceCategory -eq "Executive") or (device.department -eq "Finance")

The assignment logic processes in this order: Include groups first, then exclude groups override any inclusions. A device in both an included and excluded group will NOT receive the update.

Review the assignment summary before saving:

• Estimated device count should match your expectations
• Excluded devices should show in the summary
• No conflicting group memberships

After creating the policy, you need to ensure devices receive it quickly. By default, devices check in with Intune every 8 hours, but for security updates, you want immediate action.

Save and deploy the policy by clicking Create. The policy status will change to "Deploying" and then "Active" within a few minutes.

To accelerate deployment, force device synchronization using these methods:

Method 1: Intune Admin Center (Recommended)

1. Navigate to Devices > All devices
2. Select target devices (use filters for your pilot group)
3. Click Sync from the top menu
4. Confirm the sync action

Method 2: PowerShell on Target Devices

# Run as Administrator on target devices
Get-ScheduledTask -TaskName "PushLaunch" | Start-ScheduledTask

# Alternative method
Start-Process "ms-settings:windowsupdate" -Wait

# Force immediate update check
wuauclt.exe /detectnow /updatenow

Method 3: Group Policy (Hybrid environments)

REM Run on domain-joined devices
gpupdate /force
wuauclt /detectnow

Monitor the deployment progress:

1. Return to Devices > Windows updates > Quality updates
2. Click your expedite policy name
3. Review the Device status tab
4. Watch for status changes: "Pending" → "Installing" → "Installed"

Active monitoring during expedite deployments is crucial for catching issues early and ensuring successful security patch deployment across your environment.

Access the deployment dashboard:

1. Navigate to your expedite policy in Quality updates
2. Click the Device status tab
3. Review deployment metrics and device-level status

Key metrics to monitor:

Deployment Status Overview:
├── Total targeted devices: XXX
├── Successfully installed: XXX (target: >95%)
├── Installation in progress: XXX
├── Failed installations: XXX (investigate if >5%)
├── Pending restart: XXX
└── Not applicable: XXX (offline devices)

Common status codes and their meanings:

For failed installations, gather diagnostic information:

# Run on affected devices to check Windows Update logs
Get-WinEvent -LogName "Microsoft-Windows-WindowsUpdateClient/Operational" | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-24)} | Select-Object TimeCreated, Id, LevelDisplayName, Message

# Check update history
Get-WUHistory | Where-Object {$_.Date -gt (Get-Date).AddDays(-1)} | Select-Object Title, Date, Result, Description

Handle common deployment issues:

• Devices stuck in "Installing": Check available disk space (need 8-10GB free)
• "Access denied" errors: Verify devices are properly enrolled in Intune
• "Update not applicable": Device may already have the update or be on unsupported version

Once your pilot deployment succeeds, verify the updates are properly installed and expand to your full environment. This final step ensures complete security coverage.

Verify installation on pilot devices using multiple methods:

Method 1: PowerShell Verification

# Check installed updates (run as admin)
Get-HotFix | Where-Object {$_.InstalledOn -gt (Get-Date).AddDays(-7)} | Sort-Object InstalledOn -Descending

# Verify specific KB (replace with your update KB)
Get-HotFix -Id "KB5034763" -ErrorAction SilentlyContinue

# Check Windows version and build
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, WindowsBuildLabEx

Method 2: Windows Update History

# Detailed update history
Get-WUHistory | Where-Object {$_.Title -like "*2026-03*"} | Select-Object Title, Date, Result, Size

Method 3: Registry Verification

# Check update installation registry
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" | Where-Object {$_.PSChildName -like "*KB5034763*"}

After confirming successful pilot deployment (>95% success rate), expand the rollout:

1. Return to your expedite policy in Intune
2. Click Properties > Assignments
3. Add additional groups in phases:

Phase 2 (Day 2): Add "Standard Workstations - Group A" (25% of remaining)
Phase 3 (Day 3): Add "Standard Workstations - Group B" (50% of remaining)
Phase 4 (Day 4): Add "All Production Devices" (remaining devices)

Monitor restart compliance and enforce deadlines:

# Check pending restart status across devices
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" -ErrorAction SilentlyContinue

For devices approaching restart deadlines, send user notifications:

1. Navigate to Devices > All devices
2. Filter devices with "Pending restart" status
3. Select devices and use Remote actions > Send custom notification

Final verification steps:

• Confirm 100% of targeted devices show "Installed" status
• Verify no security vulnerabilities remain using vulnerability scanners
• Document deployment metrics for compliance reporting
• Update change management records with completion status