Quality Updates: International Preview of Mystery

This huge blog will be about deploying Quality Updates, the Update Health Tools, and an alternative method to deploy the Quality Updates with Proactive Remediations within an hour!

Of course, with the latest Printer Nightmare issue, we needed to update some devices quickly. Even with the update installed you are still vulnerable, and this update also gives you some issues with label printers. But that's not what this blog will be about.

I am going to divide this blog into a lot of parts:

  1. Introduction of the Intune Quality Updates
  2. Configuring the Quality Updates
  3. Monitoring the Quality Updates
  4. What are the Update Health Tools
  5. How to detect the Update Health Tools installation
  6. Installing the Update Health Tools manually
  7. Installing the Update Health tools Automatically
  8. Waiting for the Quality Update status
  9. Troubleshooting the Quality updates
  10. What to do now? Pushing the Update with Proactive Remediations!
  11. Results of the Proactive Remediations
  12. Reset the Whole device and try it again with Quality updates
  13. Reset the Whole device and start expediting on your own!
  14. Summary to get Quality updates working
  15. Conclusion

1. Introduction

By creating a Windows 10 quality update preview policy, you can expedite the install of the most recent Windows 10 security updates as quickly as possible on devices you manage with Microsoft Intune.

Deployment of expedited updates is done without the need to pause or edit your existing monthly servicing policies. With expedited updates, you can speed installation of quality updates like the most recent Printer Nightmare Update or another out-of-band security update for a zero-day flaw.

To speed up installation, expedite updates uses available services, like Windows Notification Services (WNS) and push notification channels, to deliver the message to devices that there's an expedited update to install. This process enables devices to start the download and install of an expedited update as soon as possible, without having to wait for the device to check in for updates.

So how does it work? I will try to explain it step by step.

  1. We will start by creating a Windows 10 quality update (expedite) policy profile in Intune to start deploying/expediting the Windows Quality Update.
  2. When the expedite policy is created, it will be processed by the Windows Update for Business Deployment Service (WUfB-DS).
  3. After the policy has been processed by the WUfB-DS, WNS will make sure that the Microsoft Update Health Tools (MUHT) receive the expedite policy. (More on the MUHT later.)
  4. In the policy you created earlier, you configured the expedite restart deadline and triggers. Windows Update will honour these settings and will configure them on the device.
  5. The policy will also trigger Windows Update on the endpoint to discover updates for the endpoint.
  6. After scanning for updates, the update you specified in the expedite policy will be downloaded and installed.
  7. On the device, Windows Update will prompt the user to restart their device exactly as you configured in the deadline settings earlier.
  8. The Microsoft Update Health Tools will monitor the update progress and report the status back with the use of telemetry. (More on telemetry later.)
  9. When the status is reported back, you can monitor it in Intune. The Windows Update settings on the device itself are changed back to the settings that were previously configured in the WUfB update ring. Isn't that nice?

2. Configuring the Quality updates

Before I am going to configure the quality updates, we first need to make sure the Windows update rings are set to the Semi-Annual Channel, because expedite simply doesn't support other channels (at this time).

Now that I am sure the quality updates are going to be deployed to the devices, I started with creating a quality update profile. It's very easy to do… just create a quality update profile, select the update you want to deploy and target the correct group.

With this setting, you could select how soon after installing the update a device will automatically restart to complete the update installation. You can select from zero to two days. The automatic restart is cancelled if a device manually restarts before the deadline. If an update doesn’t require a restart, this setting isn’t enforced.

3. Monitoring the Expedited updates

As mentioned in the Expedite Update flow, we can monitor the progress of the Quality updates we have configured by opening Intune –> Devices –> Monitor.

Select the Windows Expedited updates option and select the profile you created earlier.

Click on "Generate report" to get the Windows Expedited update report.

Let's take a look at why it's failing. You can do so by clicking on the "Not Registered" alert message.

As shown above, it’s missing the Update Health Tools. These are necessary to deploy quality updates.

You could also check the same report by opening the Reports option and selecting Windows Updates –> Reports.

4. What are the Update Health Tools

Now that we are pretty sure these are missing, we need to know what they are. The Update Health Tools are a prerequisite when you want to start deploying Quality Updates in Intune. So we need to make sure this update is already installed before the expedited updates can work.

This update includes files and resources that address issues that affect the update processes in Windows 10 that may prevent important Windows updates from being installed.

These improvements help make sure that updates are installed seamlessly on your device, and they help improve the reliability and security of devices that are running Windows 10.

If you want to read some more about the Update Health Tools, you could visit this Microsoft page:

KB4023057: Update for Windows 10 Update Service components (microsoft.com)

5. How to detect if the Update Health Tools are installed

There are many different methods to determine if the Health Tools are installed; I am going to mention a few of them:

Update Health Tools Folder

When the Microsoft update health tools are correctly installed there must be a folder inside the program files folder as shown below.

Apps and Features

Another possibility would be to open “app and features” and search for health. As shown below, because it wasn’t installed, there were no results

PowerShell

PowerShell is also a very good option to determine if it is installed. Just launch PowerShell and copy-paste this command:

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}

The results will let you know if it is installed or not. In the example above, it was installed!
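As an added example (not code from the original post), here is a script that combines the three checks above into one detection routine that you can also drop into a Proactive Remediations detection script. It reads the "Apps and Features" entry from the uninstall registry keys instead of Win32_Product, because enumerating Win32_Product is slow and makes Windows Installer run a consistency check on every installed MSI. The service name uhssvc is an assumption not mentioned on the page; verify it with Get-Service on a device that has the tools installed.

```powershell
# Added example: report whether the Microsoft Update Health Tools are present,
# using the folder, the Apps and Features entry and the service.
function Get-UpdateHealthToolsState {
    $folder = Join-Path $env:ProgramFiles 'Microsoft Update Health Tools'

    # Apps and Features lives in these uninstall keys (64-bit and 32-bit views).
    # Avoids Win32_Product, which triggers an MSI repair/consistency check.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $app = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Microsoft Update Health Tools' } |
        Select-Object -First 1

    # Assumption: the service installed with the tools is named uhssvc.
    $service = Get-Service -Name 'uhssvc' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        FolderPresent = Test-Path -Path $folder
        AppVersion    = if ($app) { $app.DisplayVersion } else { $null }
        ServiceStatus = if ($service) { $service.Status.ToString() } else { 'NotFound' }
    }
}

$state = Get-UpdateHealthToolsState
$state | Format-List

# Proactive Remediations style exit code: 0 = installed, 1 = missing/incomplete.
if ($state.FolderPresent -and $state.AppVersion -and $state.ServiceStatus -ne 'NotFound') {
    Write-Output "Update Health Tools $($state.AppVersion) installed, service $($state.ServiceStatus)"
    exit 0
}
Write-Output 'Update Health Tools missing or incomplete'
exit 1
```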

6. Installing the Update Health Tools manually?

When you have some time to spare and you need to install the Health tools because you need them and they are missing for some reason, you could open edge and browse to:

Catalog.update.microsoft.com

On this website start searching for KB4023057

But where is my 21H1 version? I tried to download the latest one just to see what happens…

Instead of the Health update folder a rempl folder is created?

When it’s not working, it’s always a matter of RTFM. You know what it stands for…. So I did….

Okay…. So downloading the update from the catalog isn't going to work. Are we going to ask all employees to check for updates manually?

As shown above, when the "Check for Windows updates" function has not been removed (as I have shown below), this could be an option. Not for me.

7. Installing the Health Tools automatically

UPDATE 22-07-2021

You can now download the Health Tools manually!!

Download Unified Health Tools from Official Microsoft Download Center

It contains a simple MSI which you could select and upload to Intune… It's much easier now!

But if you are still interested in how you could do the same with a PowerShell script keep reading!

With my first attempt trying to install the update with the PSWindowsUpdate module, I forgot the most important thing… test it before you deploy it!!

This was my first PowerShell script:

Install-PackageProvider NuGet -Force
install-module pswindowsupdate -force
install-windowsupdate -kbarticleid KB4023057 -force

But of course, this failed. So I needed to test the script execution without Intune. To do so I downloaded the PsExec tool first and ran the script in the SYSTEM context.

I totally forgot to check if the PSWindowsUpdate module was accepting the -Force argument… Shame on me…

So I changed it a little bit, added some logging to it and deployed the PowerShell script with Intune:


# Make sure the log folder exists, otherwise the Catch block cannot write to it
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
Try {
    # The NuGet provider is required before modules can be installed from the PowerShell Gallery
    Install-PackageProvider NuGet -Force
    Install-Module PSWindowsUpdate -Force
    # -AcceptAll instead of -Force: Install-WindowsUpdate does not accept -Force
    Install-WindowsUpdate -KBArticleID KB4023057 -AcceptAll
}
Catch {
    $_ | Out-File C:\temp\errors.txt -Append
}

And after a manual sync, the PowerShell script executed without any problem and the Update Health Tools were installed perfectly!

8. Waiting for the Quality Update status

Now everything was good, and after some waiting, waiting and coffee… the update status changed to "Pending" and "Validating".

When looking at the official Microsoft documentation, this is what they tell us:

So… it begins?


But after a night's sleep, it still said the same thing, and looking at the device, the update still hadn't been installed; it was still pending/waiting to be installed.

I was expecting a nice toast notification, as shown below, telling me I need to restart my device!

9. Troubleshooting

But for now… nothing. What to do next? We are going to take a look at some requirements and at how we can get some more information about what's happening.

Licensing Check:

When you want to make use of this service, you will need to have the proper license.

As I mention in the summary, you will need to be licensed for: Windows 10 Enterprise E3 or E5 / Windows 10 Education A3 or A5 / Windows 10 Virtual Desktop Access.

The best way to check if you are licensed? Graph! Open Graph Explorer, enter this URL: https://graph.microsoft.com/v1.0/subscribedSkus?$select=servicePlans and click on "Run Query".

As shown below: when you are licensed, the windowsupdateforbusiness_deploymentservice service plan needs to be in the list. If it's not there, your tenant does not have the correct license!
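The same license check scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It calls the same subscribedSkus URL as above (with skuPartNumber added to $select so the SKU can be named) and assumes the Microsoft.Graph module is installed and the signed-in account can consent to Organization.Read.All.

```powershell
# Added example: find the subscribed SKUs that carry the Windows Update for
# Business deployment service plan required for expedited updates.
Connect-MgGraph -Scopes 'Organization.Read.All' | Out-Null

# Same endpoint as the Graph Explorer query in the post, plus the SKU name.
$uri  = 'https://graph.microsoft.com/v1.0/subscribedSkus?$select=skuPartNumber,servicePlans'
$skus = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

$planName = 'WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE'
$licensed = foreach ($sku in $skus) {
    $plan = $sku.servicePlans | Where-Object { $_.servicePlanName -eq $planName }
    if ($plan) {
        [pscustomobject]@{
            Sku                = $sku.skuPartNumber
            ProvisioningStatus = $plan.provisioningStatus
        }
    }
}

if ($licensed) {
    $licensed | Format-Table -AutoSize
} else {
    Write-Warning "No subscribed SKU contains $planName; expedited updates will not work in this tenant."
}
```

A SKU that lists the plan with provisioningStatus other than Success is worth a second look before you spend time troubleshooting the device side.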

Notification Level:

To be sure I didn’t disable the notification update level I checked the Update ring again. As shown below… “use the default windows update notifications”

Again, making sure the notification update level is configured correctly is one of the requirements:

Telemetry settings

And of course, as I also mentioned in the expedite flow, telemetry is needed too, so we need to make sure it's configured. In the example below, telemetry is set to "Full", so that's not going to give us any problem.

Why does it take so long to push an update? I was expecting it to be delivered within an hour! Let's dig further.

The Update health tools and update service

The Microsoft update health tools are responsible for receiving the update, so I made sure the service which is created when you install the update health tools is started.

And while checking this service, please also make sure your Windows Update service isn't disabled.

Windows Health Monitoring

Before you can monitor results and update status for expedited updates, you must have configured Windows Health Monitoring. I can’t say it enough, it’s very important this is configured for some good reporting.

Of course, we were already using endpoint analytics so the Health monitoring policy was already configured for endpoint analytics. Maybe I forgot to also select the Update part?

As shown above, that also wasn’t the case and the problem was not the reporting part but the installing part.

LOGS:

Maybe you noticed in one of the pictures I showed you earlier that there is a Logs folder inside the Update Health Tools folder. Let's take a look at it: open the event log and open the log file.

That's not a lot of useful information, so we have got 2 options here.

  1. PowerShell
  2. PerfView

Option 1: PowerShell

With this option, we need to open File Explorer and open the Logs folder. We are going to convert the logs with the use of this command: Get-WindowsUpdateLog -ETLPath. But to do so we need to change the names of the logs first. Select all of them, click on Rename and type: WindowsUpdate

Open PowerShell and launch this command: Get-WindowsUpdateLog -ETLPath "C:\Program Files\Microsoft Update Health Tools\Logs"

The Get-WindowsUpdateLog cmdlet merges and converts Windows Update .etl files into a single readable WindowsUpdate.log file. If you want to read more about this command, please visit the Microsoft webpage: Get-WindowsUpdateLog (WindowsUpdate) | Microsoft Docs

All of the logs are now converted and readable, but unfortunately for me… there was nothing useful in it.
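The rename-and-convert steps above scripted end to end, as an added example that is not from the original post. It copies the .etl files to a scratch folder (so the originals stay untouched), gives the copies the WindowsUpdate* names the cmdlet looks for, merges them and prints the error-looking lines first. The log folder path is the one shown on the page; $work and $out are names chosen here, and the script expects an elevated PowerShell session.

```powershell
# Added example: convert the Update Health Tools .etl traces to one readable log.
$source = 'C:\Program Files\Microsoft Update Health Tools\Logs'
$work   = Join-Path $env:TEMP 'uhs-etl'
$out    = Join-Path $env:TEMP 'uhs-WindowsUpdate.log'

New-Item -ItemType Directory -Path $work -Force | Out-Null
Remove-Item -Path (Join-Path $work '*.etl') -ErrorAction SilentlyContinue

# Copy instead of renaming in place; number the copies so none overwrite each other.
$i = 0
Get-ChildItem -Path $source -Filter '*.etl' | Sort-Object LastWriteTime | ForEach-Object {
    $i++
    $dest = Join-Path $work ('WindowsUpdate.{0:D3}.etl' -f $i)
    Copy-Item -Path $_.FullName -Destination $dest
}
Write-Output "Copied $i .etl files to $work"

# Merge and decode all WindowsUpdate*.etl files in $work into a single text log.
Get-WindowsUpdateLog -ETLPath $work -LogPath $out

# Surface the lines worth reading first: failures and HRESULT-style codes.
Select-String -Path $out -Pattern 'error|fail|exception|0x8' |
    Select-Object -Last 40 |
    ForEach-Object { $_.Line }
```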

Option 2: PerfView

We are going to download Perfview first:

https://www.microsoft.com/en-us/download/confirmation.aspx?id=28567

After we have opened it, we can select the folder with all the .etl files in it that we noticed earlier.

As shown above, this is giving me more information than I expected, to be honest. Looking at the last line, it is giving us a registry key!

Registry:

Now we have seen the registry key within PerfView let’s check it out! Open regedit and open this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate\uhs\settings

Looking at the picture above, you will notice the UHS.SERVERNAME. It's the WUfB-DS I mentioned earlier.

So I guess all the settings that could be needed are configured. But still, it wasn’t working?

When looking at the exp policies/settings registry key, there is a policy created but why doesn’t it work as it should?

10. What to do now?

I truly love the idea of pushing these kinds of important updates with the Windows 10 Quality Updates preview feature, but I want the update to be installed within the hour! Not after waiting 24 hours or more. If you haven't used the Expedite Update feature previously and this is the very first time you have used the quality update preview to expedite an update, you may need to wait 24 hours before "all the pipes between all back end services" are connected.

So I created a detection and a remediation PowerShell script to use with Proactive Remediations!

I guess I love them. If you want to read more about them:

Proactive Remediations – Call4Cloud

So let's create one. Download these PowerShell scripts and select them when you are configuring the proactive remediation!

https://call4cloud.nl/wp-content/uploads/2021/07/updatewithproactive.zip

When taking a good look at the proactive remediation scripts you downloaded earlier, you will notice some things:

  1. I am using PSWindowsUpdate to install the required update.
  2. I am simply using the built-in Get-HotFix PowerShell command to determine if the update is installed or not. You could also use this command: Get-WmiObject -Class Win32_QuickFixEngineering
  3. If the update is not installed, the remediation script will kick off and will try to install the update with the PSWindowsUpdate tools.
  4. I am downloading serviceui.exe from my website to make sure I can show some messages from the SYSTEM context to the user context. If you want to read more about this: Company App: Unchained – Call4Cloud
  5. I will create a scheduled task. This task will notify the user with a toast message from the SYSTEM context to the user context and will install the update. After the update has been installed, it will kick off another notification to the user about the status (step 6).
  6. After trying to install the update, it will again check if it has been installed correctly by again using the Get-HotFix command. This output will be used for the proactive remediation status.
  7. You may notice that both PowerShell scripts are converted to a Base64 command. You can read more on this blog about how to do this: https://call4cloud.nl/2021/05/the-laps-reloaded/#third-part.
  8. I added the toast PowerShell scripts to the remediation script itself so you can change them to your liking.
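A detection/remediation pair in the shape points 1, 2, 3 and 6 describe, written here as an added example rather than the scripts from the zip above (the serviceui.exe download, scheduled task and toast parts are left out). Both files are shown in one block; split it at the Remediate.ps1 marker when you upload them. KB0000000 is a placeholder for the article id of the quality update you are expediting, and C:\temp\expedite.log is a log path chosen for this example.

```powershell
# Added example: Proactive Remediations detection and remediation for one KB.

# ---------- Detect.ps1 ----------
$KB = 'KB0000000'   # placeholder: the article id of the expedited update

function Test-HotFixInstalled {
    param([Parameter(Mandatory)][string]$Id)
    # Get-HotFix is the built-in check; Win32_QuickFixEngineering is the class behind it.
    if (Get-HotFix -Id $Id -ErrorAction SilentlyContinue) { return $true }
    $qfe = Get-CimInstance -ClassName Win32_QuickFixEngineering -Filter "HotFixID='$Id'"
    return [bool]$qfe
}

if (Test-HotFixInstalled -Id $KB) {
    Write-Output "$KB installed"
    exit 0          # compliant: Intune skips the remediation script
}
Write-Output "$KB missing"
exit 1              # non-compliant: Intune runs Remediate.ps1

# ---------- Remediate.ps1 ----------
$KB  = 'KB0000000'  # same placeholder as in Detect.ps1
$log = 'C:\temp\expedite.log'
New-Item -ItemType Directory -Path (Split-Path $log) -Force | Out-Null

try {
    Install-PackageProvider -Name NuGet -Force | Out-Null
    Install-Module -Name PSWindowsUpdate -Force
    Import-Module PSWindowsUpdate
    # -AcceptAll answers the prompts; -IgnoreReboot leaves the restart to the user,
    # which is where the post's toast notification comes in.
    Install-WindowsUpdate -KBArticleID $KB -AcceptAll -IgnoreReboot |
        Out-File -FilePath $log -Append
} catch {
    $_ | Out-File -FilePath $log -Append
    Write-Output "install of $KB failed: $_"
    exit 1
}

# Re-check with the same test the detection script uses; the output line
# becomes the remediation status shown in Intune.
if (Get-HotFix -Id $KB -ErrorAction SilentlyContinue) {
    Write-Output "$KB installed, restart pending"
    exit 0
}
Write-Output "$KB still missing after install attempt"
exit 1
```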

11. Proactive Remediations results:

During the installation:

After the proactive remediation kicks off, you will notice within a few seconds that the Windows Modules Installer Worker is launched, the update is going to be installed and you will be prompted with a nice balloon notification!

After the installation:

I created a toast notification to be shown to the end-user when the update was successful and they need to reboot their device!

Also, get-hotfix (manually) will tell us the update is installed!

After some time the status was also reported back to Intune and was visible inside the Proactive Remediations.

Also, exporting the Proactive Remediations to CSV showed me the same output.

If you look closely the Export button was gone again? I showed you in my last blog how you could do this with PowerShell if the export button was gone.

12. Reset the whole device and try it again with Quality Updates

Like Gabe Frost was mentioning, it can take some time before your tenant is ready to deliver those quality updates. So I reverted back to the Hyper-V snapshot I took before I started with this whole blog, but this time I just waited after I recreated the Quality Update policy.

And yes!!!! The update was scheduled and in progress. While watching the report in Intune I noticed some CPU load from the Windows Installer process on the device, and after a while I got notified to reboot the device!

Again I opened PerfView and the Registry to take a look at what's happening under the hood.

When looking at this registry key, I noticed the same 2 settings which we specified in the Quality Update preview. The update we want to install and the grace period!

But I am not done yet… when looking at the Update Health Tools, they are really necessary, so they must have a role to play? Yes, they do… After some playing around with the expediteupdater I noticed this:

It's very nice to see you could also "trigger" the process? You only need to open the registry, note down this key inside the Policies folder and request it like I did.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate\exp\Policies

Of course, the key only exists when you have configured/enabled a quality update policy.

13. Reset the whole device and trigger the quality updates on your own!

Now that I know how it works and what to request, I want to know if I could manually trigger it.

I again reverted back to my snapshot and opened the registry. I noticed 2 policies this time instead of

Okay? Let's request something!

After a minute it started scanning for updates.

And it launched the Windows Modules Installer! I guess to install the required update?

And again, after a minute or two, the expediteupdater was finished and now we need to wait until the update is done installing.

And there it is!

14. Summary to get Quality Update working:

  • Enable Health Monitoring in your tenant
  • Make sure the Update Health Tools are installed
  • Make sure telemetry is configured
  • Configure the update notification settings and make sure they are not disabled
  • Check the WUfB settings and make sure the servicing channel is set to the Semi-Annual Channel
  • Make sure you are licensed to use it: Windows 10 Enterprise E3 or E5 / Windows 10 Education A3 or A5 / Windows 10 Virtual Desktop Access
  • Make sure there are no legacy GPOs interfering (for example, make sure Windows Update is not pointing to WSUS)
  • Just wait… if this is the first time you configured it in that tenant
  • Make sure there is some activity on the device 🙂
  • Maybe trigger it on your own… ?

15. Conclusion

I really love the idea that you could update your Windows 10 devices immediately with the use of the Quality Updates preview, but for me it really took too long when enabling it for the first time.


Maybe it was because many people were using it to fix the Printer Nightmare bug with the 2021-07 update 🙂, or I still needed to wait 24 hours before everything was "connected".

I switched to my backup plan to deploy those kinds of updates to the devices that needed them! And those toast messages are just great. But I am 100% confident all of the first-time delay issues are going to be resolved!
