Quality Updates: International Preview of Mystery

Last Updated on October 18, 2022 by rudyooms

This huge blog will be about deploying Quality Updates, the Update Health Tools, and an alternative method to deploy the Quality Updates within an hour using Proactive Remediations!

Of course, with the latest Printer Nightmare (PrintNightmare) issue, we needed to update some devices quickly. Even with the update installed you are still vulnerable, and the update also causes issues with some label printers. But that's not what this blog is about.

I am going to divide this blog into a lot of parts

  1. Introduction of the Intune Quality Updates
  2. Configuring the Quality Updates
  3. Monitoring the Quality Updates
  4. What are the Update Health Tools
  5. How to detect the Update Health Tools installation
  6. Installing the Update Health Tools manually
  7. Installing the Update Health tools Automatically
  8. Waiting for the Quality Update status
  9. Troubleshooting the Quality updates
  10. What to do now? Pushing the Update with Proactive Remediations!
  11. Results of the Proactive Remediations
  12. Reset the Whole device and try it again with Quality updates
  13. Reset the Whole device and start expediting on your own!
  14. Summary to get Quality updates working
  15. Conclusion

1. Introduction

By creating a Windows quality update preview policy, you can expedite the installation of the most recent Windows security updates as quickly as possible on devices you manage with Microsoft Intune.

Deployment of expedited updates is done without the need to pause or edit your existing monthly servicing policies. With expedited updates, you can speed up the installation of quality updates like the most recent Printer Nightmare Update or another out-of-band (OOB) security update for a zero-day flaw.

To speed installation, expedite updates use available services, like Windows Notification Services (WNS)  and push notification channels. These services will deliver the message to devices that there’s an expedited update to install. This process enables devices to start the download and install of an expedited update as soon as possible, without having to wait for the device to check in for updates.

So how does it work, I will try to explain it step by step.

  1. We will start by creating a Windows Quality update (expedite) policy profile in Intune to start deploying/expediting the Windows Quality Update
  2. When the expedited policy is created it will be processed by the Windows Update for Business Deployment service (WUfB-DS).
  3. After the policy has been processed by the WUfB-DS, WNS will make sure that the Microsoft Update Health Tools will receive the expedite policy.
  4. In the policy you created earlier, you configured the expedite restart deadline and triggers. Windows Update will honor these settings and will configure them.
  5. The policy will also trigger Windows Update on the endpoint to discover Updates for the endpoint.
  6. After scanning for updates, the update you specified in the expedite policy will be downloaded and installed.
  7. On the device, Windows Update will prompt the client to restart their device exactly like you configured within the deadline settings earlier.
  8. The Microsoft Update Health Tools will monitor the update progress and will report back the status with the use of telemetry (More on telemetry later)
  9. When the status is reported back you can monitor the status in Intune. The Windows Update settings on the device itself are changed back to settings that were previously configured in the WuFB update ring. Isn’t that nice?

2. Configuring the Quality updates

Before I am going to configure the quality updates, first we need to make sure the Windows update rings are set to the Semi-Annual Channel, because expedite simply doesn't support additional channels (at this time).

Now that I am sure the quality updates are going to be deployed to the right devices, I started by creating a quality update profile. It's very easy to do… just create a quality update profile, select the update you want to deploy under "Expedite installation of quality updates if device OS version less than", and target the correct group.

With this setting, you could select how soon after installing the update a device will automatically restart to complete the update installation. You can select from zero to two days. The automatic restart is canceled if a device manually restarts before the deadline. If an update doesn’t require a restart, this setting isn’t enforced.

3. Monitoring the Expedited updates

As mentioned in the Expedite Update flow,  we could monitor the progress of the Quality updates we have configured by opening  Intune –> Devices –> Monitor.

After you have opened the Monitor section, please select the Windows Expedited updates option and select the profile you created earlier.

Click on "Generate report" to get the Windows Expedited updates report.

Let's take a look at why it's failing. You can do so by clicking on the "Not Registered" alert message.

As shown above, the device is missing the Update Health Tools, AKA the Expedite client. These are necessary to deploy quality updates.

You could also check the same report by opening the reports option and selecting Windows Updates –> Reports

4. The Update Health Tools

Now that we are pretty sure these are missing, we need to know what they are. The Update Health Tools (Expedite client) are a prerequisite when you want to start deploying Quality Updates in Intune, so we need to make sure this update is installed before expedited updates can work.

This update includes files and resources that address issues that affect the update processes in Windows that may prevent important Windows updates from being installed.

These improvements help make sure that updates are installed seamlessly on your device, and they help improve the reliability and security of devices that are running Windows 10.

If you want to read some more about the Update Health Tools, you could visit this Microsoft website. It has information about the KB4023057 update

KB4023057: Update for Windows 10 Update Service components (microsoft.com)

5. Detecting the update health tools

There are many different methods to determine if the Update Health Tools (Expedite client) are installed; I am going to mention a few of them.

1. Update Health Tools Folder

When the Microsoft Update Health Tools (Expedite client) are correctly installed there must be a "Microsoft Update Health Tools" folder inside the Program Files folder, as shown below.

2. Apps and Features

Another possibility to check if the Expedite client is installed would be to simply open "Apps and features" and search for "health". As shown below, because it wasn't installed, there were no results.

3. PowerShell

PowerShell is also a very good option to determine if it is installed. Just launch PowerShell and copy-paste this command:

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}

The results will let you know if it is installed or not. In the example above, it was installed! One caveat: querying Win32_Product is slow and triggers a consistency check (and possibly a repair) of every MSI package on the device, so on production devices prefer reading the Uninstall registry key or using Get-Package.
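As an added example (not code from the original post), the following function performs all three checks from this section in one go and avoids Win32_Product entirely: it tests the install folder, reads the MSI Uninstall registry entry in both the 64-bit and 32-bit views, and looks for the service. The install path is the one used later in this post; the service name uhssvc is my assumption from a default install and is flagged as such in the code.

```powershell
# Added example (not from the original post): detect the Microsoft Update Health Tools
# without Win32_Product. Checks the install folder, the MSI Uninstall registry entry and
# the service. The service name 'uhssvc' is an assumption taken from a default install;
# verify it with Get-Service on one device before relying on it.
function Test-UpdateHealthTools {
    [CmdletBinding()]
    param(
        [string]$InstallPath = "$env:ProgramFiles\Microsoft Update Health Tools",
        [string]$ServiceName = 'uhssvc'   # assumption: Microsoft Update Health Service
    )

    $result = [ordered]@{
        FolderPresent  = Test-Path -LiteralPath $InstallPath
        MsiRegistered  = $false
        DisplayVersion = $null
        ServicePresent = $false
        ServiceStatus  = $null
    }

    # Read the per-machine Uninstall keys (64-bit and 32-bit views) instead of Win32_Product,
    # which triggers an MSI consistency check of every installed package.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Update Health Tools*' } |
        Select-Object -First 1
    if ($entry) {
        $result.MsiRegistered  = $true
        $result.DisplayVersion = $entry.DisplayVersion
    }

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServicePresent = $true
        $result.ServiceStatus  = $svc.Status.ToString()
    }

    # "Installed" means the MSI is registered and the binaries are on disk.
    $result.Installed = $result.FolderPresent -and $result.MsiRegistered
    [pscustomobject]$result
}

# Usage: one object you can pipe to Format-List or use as a detection rule.
$status = Test-UpdateHealthTools
$status | Format-List
if (-not $status.Installed) { Write-Warning 'Update Health Tools (expedite client) missing' }
```

The function returns a single object, so the same code can serve as the detection half of a Proactive Remediation (exit 1 when Installed is false) or just be run interactively on a device that shows "Not Registered" in the report.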

6. Installing the Update Health Tools manually?

When you have some time to spare and you need to install the Health Tools because they are missing for some reason, you could open Edge and browse to: Catalog.update.microsoft.com

On this website start searching for KB4023057

But where is my 21H1 version? I tried to download the latest one, just to see what happens…

Instead of the Update Health Tools folder, a "rempl" folder is created?

When it's not working, it's always a matter of RTFM. You know what it stands for…. So I did….

Okay…. So downloading the update from the catalog isn't going to work. Are we going to ask all employees to check for updates manually?

As shown above, when the "Check for Windows updates" function has not been removed from your users (as I have shown below), this could be an option. Not for me.

7. Installing the Health Tools automatically

Update: you can now also download the Health Tools (Expedite client) as an installer from the Microsoft Download Center!

Download Unified Health Tools from Official Microsoft Download Center

It contains a simple MSI that you can upload to Intune as an app… It's much easier now!

But if you are still interested in how you could do the same with a PowerShell script keep reading!

With my first attempt at installing the update with the PSWindowsUpdate module, I forgot the most important thing… test it before you deploy it!!

This was my first PowerShell script

Install-PackageProvider NuGet -Force
Install-Module PSWindowsUpdate -Force
Install-WindowsUpdate -KBArticleID KB4023057 -Force

But of course, this failed. So I needed to test the script execution without Intune. To do so I downloaded the PsExec tool first and ran the script in the SYSTEM context (psexec -s -i powershell.exe), just like Intune does.

I totally forgot to check if the PSWindowsUpdate module accepted the -Force argument… Shame on me…

So I changed it a little bit, added some logging, and deployed the PowerShell script with Intune.


Try {
    # Runs as SYSTEM through Intune; -ErrorAction Stop turns non-terminating errors into exceptions the Catch block sees
    Install-PackageProvider -Name NuGet -Force -ErrorAction Stop | Out-Null
    Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers -ErrorAction Stop
    # -AcceptAll replaces the unsupported -Force; -IgnoreReboot leaves the restart to the user
    Install-WindowsUpdate -KBArticleID KB4023057 -AcceptAll -IgnoreReboot -ErrorAction Stop
}
Catch {
    # Create the log folder first, otherwise Out-File fails on a device without C:\temp
    New-Item -Path C:\temp -ItemType Directory -Force | Out-Null
    $_ | Out-File -FilePath C:\temp\errors.txt -Append
}

And after a manual sync, the PowerShell script was executed without any problem and the Update Health Tools were installed perfectly!

8. Waiting for the Quality Update status

Now everything was good, and after some waiting, more waiting and coffee… the update status changed to "Pending" and "Validating".

When looking at the official Microsoft documentation, it tells us this: "The device has been added to the policy in the service and validation that the device can be expedited has begun"

So… it begins?


But after a nice night of sleep it still said the same thing, and looking on the device the update still hadn't been installed; it was still pending.

I was expecting a nice toast notification, as shown below, telling me I need to restart my device!

9. Troubleshooting

But for now… nothing. What to do next? We are going to take a look at some requirements and how we can get more information about what's happening.

Licensing Check:

When you want to make use of this service, you will need to have the proper license.

As I mention in the summary, you need to be licensed for: Windows 10 Enterprise E3 or E5 / Windows 10 Education A3 or A5 / Windows 10 Virtual Desktop Access

The best way to check if you are licensed? Graph! Open Graph Explorer, enter this URL: https://graph.microsoft.com/v1.0/subscribedSkus?$select=servicePlans and click on "Run Query"

As shown below: when you are licensed, the service plan WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE needs to be in the list. If it's not there, your tenant does not have the correct license!
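As an added example (not part of the original post), here is the same check scripted with the Microsoft.Graph PowerShell SDK. Besides answering yes/no, it lists which SKU carries the plan and how many units are purchased and consumed, which is what you need when the plan is there but nobody is actually assigned a license. It assumes the SDK is installed and that you can consent to Organization.Read.All; the function and parameter names are mine.

```powershell
# Added example (not from the original post): check the tenant for the Windows Update for
# Business deployment service plan via Microsoft Graph. Requires the Microsoft.Graph
# PowerShell SDK and Organization.Read.All (delegated or application permission).
function Test-WufbDeploymentServiceLicense {
    [CmdletBinding()]
    param(
        [string]$PlanName = 'WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE'
    )

    Connect-MgGraph -Scopes 'Organization.Read.All' -NoWelcome

    # subscribedSkus is small enough not to page, but follow @odata.nextLink anyway.
    $uri  = 'https://graph.microsoft.com/v1.0/subscribedSkus?$select=skuPartNumber,servicePlans,prepaidUnits,consumedUnits'
    $skus = @()
    while ($uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $skus += $page.value
        $uri   = $page.'@odata.nextLink'
    }

    # Report every SKU that carries the plan and whether the plan is provisioned
    $licensedSkus = foreach ($sku in $skus) {
        $plan = $sku.servicePlans | Where-Object { $_.servicePlanName -eq $PlanName }
        if ($plan) {
            [pscustomobject]@{
                SkuPartNumber    = $sku.skuPartNumber
                PlanProvisioning = $plan.provisioningStatus
                PurchasedUnits   = $sku.prepaidUnits.enabled
                ConsumedUnits    = $sku.consumedUnits
            }
        }
    }

    if (-not $licensedSkus) {
        Write-Warning "No subscribed SKU in this tenant includes $PlanName; expedite will not work."
    }
    $licensedSkus
}

Test-WufbDeploymentServiceLicense | Format-Table -AutoSize
```

If the function returns nothing, the Graph Explorer query in the post will not show the plan either, and no amount of waiting on the device will help.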

Notification Level:

To be sure I didn't disable the update notification level, I checked the Update ring again. As shown below… "Use the default Windows Update notifications".

Again, making sure the update notification level is configured correctly is one of the requirements:

Telemetry settings

And of course, as I mentioned in the expedite flow, telemetry (diagnostic data) is also needed, so we need to make sure it's configured. In the example below, telemetry is configured to "Full", so that's not going to give us any problem. Please make sure telemetry is set at least to Basic (Required).

Why does it take so long to push an update? I was expecting it to be delivered within an hour! Let's dig further.

The Update health tools and update service

The Microsoft Update Health Tools (Expedite client) are responsible for receiving the expedite request, so I made sure the service that is created when you install the Update Health Tools was started.

And while checking out this service, please also make sure your Windows Update service (wuauserv) isn't disabled or something like that.

Windows Health Monitoring

Before you can monitor results and update the status for expedited updates, you must have configured Windows Health Monitoring. I can’t say it enough, it’s very important this is configured for some good reporting.

Of course, we were already using Endpoint analytics, so the Health monitoring policy was already configured for Endpoint analytics. Maybe I forgot to also select the Windows Updates part?

As shown above, that also wasn't the case, so the problem was not the reporting part but the installing part.

LOGS:

Maybe you noticed in one of the pictures I showed you earlier that there is a Logs folder inside the Update Health Tools folder. Let's take a look at it: open the folder and open one of the .etl log files with the Event Viewer.

That's not a lot of useful information, so we have got 2 options here.

  1. Powershell
  2. Perfview

Option 1 Powershell

With this option, we open File Explorer and browse to the Logs folder. We are going to convert the .etl files with this command: Get-WindowsUpdateLog -ETLPath. But to do so we need to rename the logs first: select all of them, click on rename and type: WindowsUpdate (Explorer numbers them for you). Better yet, copy them to a temp folder first so you don't touch the live log files.

Open PowerShell and launch this command: Get-WindowsUpdateLog -ETLPath "C:\Program Files\Microsoft Update Health Tools\Logs"

The Get-WindowsUpdateLog cmdlet merges and converts Windows Update .etl files into a single readable WindowsUpdate.log file.  If you want to read more about this command, please visit the Microsoft webpage : Get-WindowsUpdateLog (WindowsUpdate) | Microsoft Docs

All of the logs are now converted and readable, but unfortunately for me… there was nothing useful in them.
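As an added example (not code from the original post), this function does the conversion without renaming anything inside Program Files: it copies the .etl files to a scratch folder, gives them the WindowsUpdate prefix there, runs Get-WindowsUpdateLog with -LogPath so the output does not land on the desktop, and greps the result for HRESULT-looking values and failure keywords. The Logs path is the one from this post; the function name, output location and search pattern are mine.

```powershell
# Added example (not from the original post): convert the Update Health Tools ETL logs to text
# without renaming the live files under Program Files. The files are copied to a scratch folder
# and renamed there so Get-WindowsUpdateLog picks them up as WindowsUpdate*.etl; the merged
# log is then searched for obvious failure markers. Run elevated (the Logs folder is ACL'd).
function Convert-UpdateHealthToolsLog {
    [CmdletBinding()]
    param(
        [string]$LogFolder = "$env:ProgramFiles\Microsoft Update Health Tools\Logs",
        [string]$OutFile   = "$env:TEMP\UpdateHealthTools-WindowsUpdate.log"
    )

    $scratch = Join-Path $env:TEMP ('uhs-etl-' + [guid]::NewGuid().ToString('N'))
    New-Item -Path $scratch -ItemType Directory -Force | Out-Null

    $etls = Get-ChildItem -LiteralPath $LogFolder -Filter *.etl -File -ErrorAction Stop
    if (-not $etls) { throw "No .etl files found in $LogFolder" }

    # Copy and rename: WindowsUpdate.<n>.etl keeps the files distinct and matches the expected prefix
    $i = 0
    foreach ($etl in ($etls | Sort-Object LastWriteTime)) {
        Copy-Item -LiteralPath $etl.FullName -Destination (Join-Path $scratch ("WindowsUpdate.{0:D3}.etl" -f $i))
        $i++
    }

    # Merge and decode; -LogPath is the output file (the cmdlet otherwise writes to the Desktop)
    Get-WindowsUpdateLog -ETLPath $scratch -LogPath $OutFile

    # Quick triage: lines with HRESULT-looking values or 'fail'/'error' (Select-String is case-insensitive)
    $hits = Select-String -Path $OutFile -Pattern '0x8[0-9A-Fa-f]{7}|fail|error'

    Remove-Item -LiteralPath $scratch -Recurse -Force
    [pscustomobject]@{
        OutFile   = $OutFile
        LineCount = (Get-Content -LiteralPath $OutFile | Measure-Object -Line).Lines
        Hits      = @($hits).Count
        Sample    = @($hits | Select-Object -First 10 | ForEach-Object { $_.Line })
    }
}

Convert-UpdateHealthToolsLog | Format-List
```

The Hits count is only a first filter; as the post shows, the decoded text can be thin, and PerfView on the same .etl files (next option) is where the registry key actually turned up.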

Option 2: PerfView

We are going to download Perfview first:

https://www.microsoft.com/en-us/download/confirmation.aspx?id=28567

After we have opened PerfView, we can select the folder with all the .etl files we noticed earlier.

As shown above, this is giving me more information than I expected, to be honest. Looking at the last line, it is giving us a registry key!

Register:

Now we have seen the registry key within PerfView let’s check it out! Open Regedit and open this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate\uhs\settings

Looking at the picture above, you will notice UHS.SERVERNAME. It's the WUfB-DS I mentioned earlier.

So I guess all the settings that could be needed are configured. But still, it wasn't working.

When looking at the expedite policies registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate\exp\Policies, there is a policy created, but why doesn't it work as it should?

10. What to do now?

I truly love the idea of pushing these kinds of important updates with the Windows Quality Updates preview feature, but I want the update to be installed within the hour! Not after 24 hours or more. Because if you haven't used the Expedite Update feature previously, and this is the very first time you use the quality update preview to expedite an update, you may need to wait 24 hours before "all the pipes between all back end services" are connected.

So I created a detection and a remediation PowerShell script to use with Proactive Remediations!

I guess I love them. If you want to read more about them:

Proactive Remediations – Call4Cloud

So let’s create one.  Download these PowerShell scripts and select them when you are configuring the proactive remediation!

https://call4cloud.nl/wp-content/uploads/2021/07/updatewithproactive.zip

When taking a good look at the Proactive Remediations scripts you downloaded earlier, you will notice some things:

  1. I am using PSWindowsUpdate to install the required update.
  2. I am simply using the built-in Get-HotFix PowerShell command to determine if the update is installed or not. You could also use this command: Get-WmiObject -Class Win32_QuickFixEngineering
  3. If the update is not installed, the remediation script will kick off and will try to install the update with the PSWindowsUpdate module.
  4. I am downloading ServiceUI.exe from my website to make sure I can show some messages from the SYSTEM context to the user context. If you want to read more about this: Company App: Unchained – Call4Cloud
  5. I will create a scheduled task. This task will notify the user with a toast message from the SYSTEM context to the user context and will install the update; after the update has been installed it will kick off another notification to the user about the status (step 6).
  6. After trying to install the update, it will again check if it has been installed correctly, again using the Get-HotFix command. This output will be used for the Proactive Remediations status.
  7. You may notice that both of the PowerShell scripts are converted to a Base64 command. You can read more on how to do this in this blog: https://call4cloud.nl/2021/05/the-laps-reloaded/#third-part.
  8. I added the toast PowerShell scripts to the remediation script itself so you can change them to your liking.
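As an added example (not the scripts from the zip above, and without the ServiceUI/toast part), here is a detection/remediation pair for Proactive Remediations that follows the same contract as steps 2, 3 and 6: detection exits 0 when the KB is present and 1 when it is not, remediation installs it with PSWindowsUpdate and exits 0 only when Get-HotFix then lists it. It also covers the Update Health Tools install from section 7, since setting $KB to KB4023057 is all that changes. The KB number, the log path under C:\ProgramData\Expedite and the $Mode switch are my assumptions; save the file twice, once with each $Mode value, and upload both.

```powershell
# Added example (not from the original post or its zip): one file that serves as both the
# detection and the remediation script for Proactive Remediations.
# Contract: detection exit 0 = compliant, exit 1 = run remediation; remediation exit 0 = success.
# Both run as SYSTEM, so the module is installed machine-wide and nothing is interactive.
$Mode    = 'Detect'          # save once as 'Detect' and once as 'Remediate'
$KB      = 'KB5004945'       # assumption: example KB; replace with the LCU (or KB4023057 for the health tools)
$LogFile = 'C:\ProgramData\Expedite\expedite.log'   # assumption: log location

function Write-Log {
    param([Parameter(Mandatory)][string]$Message)
    New-Item -Path (Split-Path -Path $LogFile) -ItemType Directory -Force | Out-Null
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
    Write-Output $Message    # shows up in the Proactive Remediations output columns
}

function Test-KBInstalled {
    param([Parameter(Mandatory)][string]$KB)
    # Get-HotFix wraps Win32_QuickFixEngineering; LCUs are listed with the KB number as HotFixID
    if (Get-HotFix -Id $KB -ErrorAction SilentlyContinue) { return $true }
    # Same data via CIM as a fallback
    $null -ne (Get-CimInstance -ClassName Win32_QuickFixEngineering -Filter "HotFixID='$KB'" -ErrorAction SilentlyContinue)
}

function Install-KB {
    param([Parameter(Mandatory)][string]$KB)
    Install-PackageProvider -Name NuGet -Force -ErrorAction Stop | Out-Null
    if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
        Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers -ErrorAction Stop
    }
    Import-Module PSWindowsUpdate -ErrorAction Stop
    # -IgnoreReboot: let the user (or the expedite deadline) handle the restart
    $output = Get-WindowsUpdate -KBArticleID $KB -Install -AcceptAll -IgnoreReboot -ErrorAction Stop | Out-String
    Write-Log $output
}

try {
    if (Test-KBInstalled -KB $KB) { Write-Log "$KB already installed"; exit 0 }
    if ($Mode -eq 'Detect')      { Write-Log "$KB missing, remediation required"; exit 1 }

    Write-Log "Installing $KB"
    Install-KB -KB $KB
    if (Test-KBInstalled -KB $KB) { Write-Log "$KB installed, restart pending"; exit 0 }
    Write-Log "$KB still not listed after install attempt"; exit 1
}
catch {
    Write-Log "Error: $($_.Exception.Message)"
    exit 1
}
```

Because the remediation re-runs the same Test-KBInstalled check after installing, the Proactive Remediations status reflects the actual state of the device rather than whether the install command happened to return without error.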

11. Proactive remediations Results:

During the installation:

After the proactive remediation kicks off, you will notice within a few seconds that the Windows Modules Installer Worker (TiWorker.exe) is launched, the update is going to be installed, and you will be prompted with a nice balloon notification!

After the installation:

I created a toast notification to be shown to the end-user when the update was successful and they need to reboot their device!

Also, get-hotfix (manually) will tell us the update is installed!

After some time the status was also reported back to Intune and was visible inside the Proactive remediations

Also exporting the Proactive remediations to CSV showed me the same output

If you look closely, the Export button was gone again? I showed you in my last blog how you can do this with PowerShell if the Export button is gone.

12. Reset the whole device and try it again with Quality Updates

As Gabe Frost mentioned, it can take some time before your tenant is ready to deliver those quality updates. So I reverted to the Hyper-V snapshot I took before I started with this whole blog, but this time I just waited after I recreated the Quality Update policy.

And yes!!!! The update was scheduled and in progress. While watching the report in Intune I noticed some CPU load from the Windows Modules Installer process on the device, and after a while I got notified to reboot the device!

Again I opened PerfView and the Registry to take a look at what’s happening under the hood

When looking at this registry key, I noticed the same 2 settings which we specified in the Quality Update preview: the update we want to install and the grace period!

But I am not done yet… the Update Health Tools are really necessary, so they must have a role to play? Yes, they do… After some playing around with expediteupdater.exe I noticed this: /requestid

It's very nice to see you can also "trigger" the process? You only need to open the registry, note down the key (the request ID) inside the Policies folder and request it as I did.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate\exp\Policies

Of course, the key only exists when you configured/enabled a quality update policy
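As an added example (not code from the original post), the two functions below list what the client has received under exp\Policies together with the UHS.SERVERNAME from uhs\settings, and hand one request ID to expediteupdater.exe. Two things are my assumptions rather than facts from the post: that expediteupdater.exe lives in the Update Health Tools folder, and that the request ID is simply the policy subkey name passed as "/requestid <id>". That is why the trigger supports -WhatIf; run it that way first and confirm against the Logs folder afterwards.

```powershell
# Added example (not from the original post): list the expedite policies the client has received
# and, optionally, hand one request ID to expediteupdater.exe the way the post describes.
# Assumptions: expediteupdater.exe lives in the Update Health Tools folder, and the request ID is
# the name of the subkey under exp\Policies passed after /requestid. Run elevated.
function Get-ExpeditePolicy {
    [CmdletBinding()]
    param(
        [string]$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\CloudManagedUpdate\exp\Policies',
        [string]$SettingsKey = 'HKLM:\SOFTWARE\Microsoft\CloudManagedUpdate\uhs\settings'
    )
    if (-not (Test-Path -Path $PolicyKey)) {
        Write-Warning 'No expedite policy on this device yet (the key only exists once a quality update policy targets it)'
        return
    }
    # uhs\settings holds the WUfB-DS server name the client registered with
    $settings = Get-ItemProperty -Path $SettingsKey -ErrorAction SilentlyContinue
    foreach ($sub in Get-ChildItem -Path $PolicyKey) {
        $values = Get-ItemProperty -Path $sub.PSPath
        [pscustomobject]@{
            RequestId  = $sub.PSChildName
            ServerName = $settings.'UHS.SERVERNAME'
            # All values of the policy (the update to install, the grace period, ...) minus the PS* noise properties
            Settings   = ($values.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

function Invoke-ExpediteRequest {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$RequestId,
        [string]$ExePath = "$env:ProgramFiles\Microsoft Update Health Tools\expediteupdater.exe"  # assumption
    )
    if (-not (Test-Path -LiteralPath $ExePath)) { throw "expediteupdater.exe not found at $ExePath" }
    if ($PSCmdlet.ShouldProcess($RequestId, 'expediteupdater.exe /requestid')) {
        # Argument shape taken from the post's description; verify with -WhatIf and the Logs folder first
        $p = Start-Process -FilePath $ExePath -ArgumentList "/requestid $RequestId" -Wait -PassThru -NoNewWindow
        $p.ExitCode
    }
}

# Usage: show what the client received, then dry-run the trigger for the first policy
Get-ExpeditePolicy | Format-List
$first = Get-ExpeditePolicy | Select-Object -First 1
if ($first) { Invoke-ExpediteRequest -RequestId $first.RequestId -WhatIf }
```

Drop the -WhatIf once the request ID and argument shape match what you see on your own device; the Settings column should show the same two values (target update and grace period) that the post found in the registry.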

13. Reset the Whole device and trigger the quality updates on your own!

I guess now I know how it works and what to request, I want to know if I could manually trigger it? I again reverted to my snapshot and opened the registry. I noticed 2 policies this time instead of

Okay? Let’s request something!

After a minute it started scanning for updates and showed us "GetUpdatesInProgress".

And it launched the Windows Modules Installer! I guess to install the required update?

And again, after a minute or two, expediteupdater.exe was finished and now we need to wait until the update is done installing.

And there it is!!!! Isn’t that a wonderful message to spot?

14. Summary to get Quality Updates working:

  • Enable Windows Health Monitoring in your tenant
  • Make sure the Update Health Tools are installed
  • Make sure telemetry (diagnostic data) is configured, at least Basic/Required
  • Configure the update notification settings and make sure they are not disabled
  • Check the WUfB settings and make sure the servicing channel is configured to the Semi-Annual Channel
  • Make sure you are licensed to use it: Windows 10 Enterprise E3 or E5 / Windows 10 Education A3 or A5 / Windows 10 Virtual Desktop Access
  • Make sure there are no legacy GPOs interfering (for example, Windows Update still pointing to a WSUS server)
  • Just wait… if this is the first time you configured it in that tenant
  • Make sure there is some activity on the device 🙂
  • Maybe trigger it on your own… ?
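As an added example (not code from the original post), here is a read-only sweep over the device-side items in this summary: the diagnostic data policy, a lingering WSUS redirect, the update notification policy, the Windows Update and Update Health services, the Update Health Tools folder and the CloudManagedUpdate registration keys. The license and Health Monitoring items are tenant-side and are not checked here. Registry paths are the standard Windows Update and DataCollection policy locations; the uhssvc service name and the UpdateNotificationLevel value name are marked as assumptions in the code.

```powershell
# Added example (not from the original post): read-only prerequisite sweep for the summary above.
# Reads policy registry values and service states only; it changes nothing. Run elevated.
function Test-ExpeditePrerequisites {
    [CmdletBinding()]
    param([string]$HealthToolsPath = "$env:ProgramFiles\Microsoft Update Health Tools")

    function Get-RegValue($Path, $Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check($Name, $Pass, $Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail })
    }

    # 1. Diagnostic data: a policy value (GPO/MDM) wins over the Settings app. 0 = Security, too low.
    $telemetry = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
    if ($null -eq $telemetry) {
        $telemetry = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection' 'AllowTelemetry'
    }
    $telemetryDetail = if ($null -eq $telemetry) { 'no policy; verify Settings > Privacy > Diagnostics' } else { "AllowTelemetry=$telemetry" }
    Add-Check 'Telemetry at least Required (1)' ($null -eq $telemetry -or $telemetry -ge 1) $telemetryDetail

    # 2. Legacy WSUS policy pointing the client away from Windows Update
    $wuServer    = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' 'WUServer'
    $useWuServer = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'UseWUServer'
    Add-Check 'No WSUS redirection' (-not ($useWuServer -eq 1 -and $wuServer)) "UseWUServer=$useWuServer WUServer=$wuServer"

    # 3. Update notifications not disabled (assumption: UpdateNotificationLevel 2 = all notifications off)
    $notif = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' 'UpdateNotificationLevel'
    Add-Check 'Update notifications not disabled' ($null -eq $notif -or $notif -ne 2) "UpdateNotificationLevel=$notif"

    # 4. Services: wuauserv must not be disabled; the health service must exist
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    Add-Check 'Windows Update service enabled' ($wu -and $wu.StartType -ne 'Disabled') "StartType=$($wu.StartType) Status=$($wu.Status)"
    $uhs = Get-Service -Name uhssvc -ErrorAction SilentlyContinue   # assumption: service name
    Add-Check 'Update Health Service present' ($null -ne $uhs) "Status=$($uhs.Status)"

    # 5. Health tools binaries and the registration keys written once the device talks to WUfB-DS
    Add-Check 'Update Health Tools folder' (Test-Path -LiteralPath $HealthToolsPath) $HealthToolsPath
    $server = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\CloudManagedUpdate\uhs\settings' 'UHS.SERVERNAME'
    Add-Check 'Registered with WUfB-DS (UHS.SERVERNAME)' (-not [string]::IsNullOrEmpty($server)) "UHS.SERVERNAME=$server"
    $policies = @(Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\CloudManagedUpdate\exp\Policies' -ErrorAction SilentlyContinue)
    Add-Check 'Expedite policy received' ($policies.Count -gt 0) "Policies=$($policies.Count)"

    $checks
}

Test-ExpeditePrerequisites | Format-Table -AutoSize
```

A device that passes everything except "Expedite policy received" is the "just wait" case from the summary; a failed WSUS or telemetry check is something you can fix yourself instead of waiting.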

Conclusion

I really love the idea that you can update your Windows 10 devices immediately with the use of the Quality Updates preview, but for me it really took too long when you enable it for the first time.


Maybe it was because many people were using it to fix the Printer Nightmare bug with the 2021-07 update 🙂, or I still needed to wait 24 hours before everything was "connected".

I switched to my backup plan to deploy those kinds of updates to the devices that needed them! And those toast messages are just great. But I am 100% confident all of the first-time delay issues are going to be resolved!

7 thoughts on "Quality Updates: International Preview of Mystery"

  1. Outstanding work! I’ve been trying to figure this out for days now. I truly appreciate you sharing all this.

  2. Hola! thanks for a great article.
    Any clues on how to troubleshoot “in progress” QU?
    – Created new QU, targeted 2 devices, 5 days later they still show up as “In Progress”, no error.
    – Deleted QU, created new one, 24h later same report “In Progress”.
    – MUHS Logs confirm Tenant registered in WufB (seen this in other tenant, no Wufb Tenant registration), but I didn’t find QU profile getting ingested to registry. Didn’t find any policy in HKLM/Software….

    Thanks in advance for any feedback and/or comments.

    1. Hi,

      Thanx!
      Answering your question can be difficult as I don’t have my fingers on that device 🙂
      So to be sure, there are no settings configured inside this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate\uhs\settings or the exp\policies setting?
      If not, we can begin to look there… as the device still hasn't received the policies

      1. Still trying to fix the issue.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate\uhs\settings
        Had a few keys (don’t remember them), keys had blank values.
        – Waited.
        – Waited.
        – Got Feb Updates, still nada.
        – Stopped service, deleted “uhs” key, restarted service, Keys appeared again.
        – Decided to Uninstall Microsoft Update Health Tools via add/remove programs
        – Tried to make the service reappear via “Check for Updates”, nada!
        – PSWindowsUpdate, Install-WindowsUpdate…. It didn't work.

        So, this is a lab, solution, “next”. But nope, I’m still going just for the fun of self-inflicting pain.

        Thanks!

  3. any idea about max items in the reports of Windows Update Feature update?
    When I check my Win11 deployment, it shows the exact details etc. It only has 16 machines linked to it.

    The 21h2 deployment, for all other machines is not showing any data during Generate Report action.
