anyweb Posted yesterday at 03:10 PM

Introduction

In the previous post I showed you what happens when a user or admin resets Windows after the August 2025 cumulative update (KB5063875): basically the reset fails (rolls back). That problem can be fixed by applying an out-of-band update, which can be deployed manually or automatically to affected clients. In this post I've once again teamed up with my buddy Paul to automate fixing this reset problem using Windows Autopatch in Microsoft Intune, which has a feature to expedite updates. We've both tested this in our separate labs and are happy to share the results with you so that you too can fix this in an automated way using Windows Autopatch.

Expediting updates

As the name suggests, this allows us to expedite (rush) updates to an Entra ID group containing our target computers, and this method can be used to get quality updates, including out-of-band updates, to your devices via Windows Autopatch. There are some prerequisites, listed below:

- Devices meet the prerequisites for Windows Autopatch.
- Devices have installed the update described in KB4023057 – Update for Windows 10 Update Service components (or a newer version).

To verify that your devices meet the prerequisites for receiving an expedited update, use the Readiness test for expediting updates.

Let's create our Expedite updates policy. In Intune, browse to Devices, Windows Updates and select Quality Updates. In the Create + drop-down, select Expedite policy. Give the policy a suitable name and description. Under "Select the quality update you would like to expedite", select the 08/26/2025 D Update for Windows 10 and later option.

If you are wondering what the D Update and B Security Updates are, here's an explanation.

B updates: Released on the second Tuesday of each month (commonly called Patch Tuesday). These are the mandatory, cumulative updates that include security fixes and sometimes reliability improvements.

D updates: Released in the fourth week of the month (usually the preview releases). These are optional, non-security preview updates. They contain fixes and improvements that will roll into the next month's B update.

To summarize:
B = Security & required (Patch Tuesday)
D = Optional preview (late month, contains fixes but no new security fixes)

So, as we have already deployed the August cumulative update (the B update), we need the out-of-band fixes that came after it, and those are contained in the D update.

Finally, if a reboot is required (and it is required), decide how many days before it's enforced; we'll set it to 0 days. After clicking Next, select the group(s) you want to target with these out-of-band updates. Don't worry about the fact that there are no devices in that group yet; we'll add them as needed later. Click Next and the policy is created.

When you are ready to test this, add one or more devices to the target Entra ID groups. After the device gets the policy, and as long as there are no policy conflicts, your end users should be notified about the pending restart. After the restart is completed, you can verify Windows Update settings and view the update history. The latest OOB (out-of-band) update should be installed, and as it's also cumulative it will contain the fix that allows Windows reset to work again. Job done!

Summary

While this ability to expedite updates in Windows Autopatch is welcome, it's far from perfect. There are several problems, which we'll list here:

Speed of delivery. The blurb from Microsoft claims the following, highlighted below. But in several VMs where Paul and I tested, the expedited update arrived at anything but their claimed speed. In reality, the update took several hours to approximately one day, and numerous syncs on the clients and in the Intune console, before we saw the popup. On some VMs we are still waiting for the magic to happen even though all the prerequisites are in place.

Update: We got a reply from Peter Braune on Twitter, who stated the following; it may help you if you are going down this path.

"We actually had to create a policy via settings catalog 'Automatically receive optional updates' to get this update rolling out to clients. Once the policy was in place the update was installed immediately. Downside, preview updates being rolled out automatically too."

Lack of ability to target a specific hotfix. You can only choose between B or D updates and hope that they include the fix you need. What we really wanted was to be able to specifically install KB5066189, but that's not possible currently with this method via the console.

Lackluster reporting. If you want to see what's happening with your expedited update in real time, then you are out of luck. Of the several machines we targeted, the reporting suggested nothing was wrong, which in a way was true because nothing was happening. And that's the problem: how can you quickly determine whether your hotfix is applied to these target devices or not?

Policy conflicts. After enabling expedited updates, you might end up troubleshooting policy conflicts on your target devices if your tenant has had the following installed: Windows Autopatch – Office Update Configuration – Expedited (Expedited updates for CVE-2023-23397).

Hopefully Microsoft is listening and will improve this service going forward. That's it from us, see you in the next one.
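Since the Autopatch reporting did not tell us whether the out-of-band fix had actually landed, here is an added example (written for this page, not part of the original post and not a Microsoft script) of a PowerShell check that answers that question on the device itself. It looks the KB up in two places, the installed hotfix list (Get-HotFix) and the Windows Update Agent history (the Microsoft.Update.Session COM object), and also reports whether a reboot is still pending, because the fix only takes effect after the restart. The default KB is KB5066189, the OOB update named in the post; the Test-KBInstalled function name and the exit-code convention (0 = installed, 1 = not installed, as an Intune remediation detection script would use) are assumptions made for this example.

```powershell
# Added example: verify on a device whether a given KB (default: the OOB
# update from the post) is installed and effective. Not the post's own code.
param(
    [string]$KB = 'KB5066189'   # OOB update discussed in the post
)

function Test-KBInstalled {
    param([Parameter(Mandatory)][string]$KB)

    $result = [ordered]@{
        KB               = $KB
        FoundInHotFix    = $false
        FoundInWUHistory = $false
        HistoryTitle     = $null
        HistoryResult    = $null
        RebootPending    = $false
        Installed        = $false
    }

    # Source 1: installed hotfixes as reported by Win32_QuickFixEngineering.
    $hotfix = Get-HotFix -ErrorAction SilentlyContinue |
              Where-Object { $_.HotFixID -eq $KB }
    if ($hotfix) { $result.FoundInHotFix = $true }

    # Source 2: Windows Update Agent history (covers updates delivered via
    # Windows Update / Autopatch even before QFE catches up).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        $entry = $searcher.QueryHistory(0, $count) |
                 Where-Object { $_.Title -match [regex]::Escape($KB) } |
                 Sort-Object Date -Descending |
                 Select-Object -First 1
        if ($entry) {
            $result.FoundInWUHistory = $true
            $result.HistoryTitle     = $entry.Title
            # OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors,
            # 4 = Failed, 5 = Aborted
            $result.HistoryResult = switch ($entry.ResultCode) {
                2       { 'Succeeded' }
                3       { 'SucceededWithErrors' }
                4       { 'Failed' }
                5       { 'Aborted' }
                default { "Code $($entry.ResultCode)" }
            }
        }
    }

    # A pending reboot means the cumulative update is staged but not yet
    # effective, so the reset fix is not in force yet.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $result.RebootPending = @($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

    # Treat the KB as installed only if some source shows it and no reboot is
    # outstanding; a failed/aborted history entry alone does not count.
    $succeeded = $result.FoundInHotFix -or
                 ($result.FoundInWUHistory -and $result.HistoryResult -like 'Succeeded*')
    $result.Installed = $succeeded -and -not $result.RebootPending

    [pscustomobject]$result
}

$status = Test-KBInstalled -KB $KB
$status | Format-List

# Exit-code convention assumed for use as an Intune remediation detection
# script: 0 = compliant (fix installed), 1 = not compliant.
if ($status.Installed) { exit 0 } else { exit 1 }
```

Run it locally in an elevated PowerShell session to see all fields, or upload it as the detection script of an Intune remediation targeted at the same Entra ID group the expedite policy uses; the compliance counts then give you per-device confirmation that the Autopatch reports lack. Note that Get-HotFix alone can lag behind the Windows Update history on a freshly patched device, which is why both sources are checked.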