Wednesday, July 7, 2021

Fix PrintNightmare via Endpoint Manager using expedite updates

Introduction

With the expedited updates feature in Microsoft Endpoint Manager (Intune) you can deploy updates such as the most recent Patch Tuesday release or an out-of-band security update.

For example, we just saw a flaw in the Windows print spooler (PrintNightmare) where an attacker could execute arbitrary code with SYSTEM privileges on an unpatched system.

Not all updates can be expedited; the feature is currently only available for Windows 10 security updates.

So why use this feature instead of my configured Windows 10 ring rollout?

You use this feature to speed things up. Expedite updates uses the available services, such as the push notification channel, to download and install the update as soon as possible, without waiting for the device's next scheduled check-in for updates.


Requirements

- Use Intune to expedite Windows 10 quality updates - Azure | Microsoft Docs


Create expedite patch deployment

Go to endpoint.microsoft.com

Choose Devices

Choose Windows 10 quality updates (Preview)

Create profile

Give it a name that you can easily find

Add groups

I have grouped devices into waves, so that I can test on small groups before going global

Create

Done

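The same create-profile and add-groups steps can be scripted, which is handy when you roll the profile out wave by wave. The following is an added example with the Microsoft Graph PowerShell SDK, not code from the original post; it assumes the Microsoft.Graph module is installed, that the windowsQualityUpdateProfile resource, its expeditedUpdateSettings shape and the /assign action behave as in the Graph beta API (check current docs before relying on them), and the group IDs and release date are placeholders.

```powershell
# Added example (not from the post): create and assign an expedite profile via Graph.
# Assumptions: Microsoft.Graph module installed; the beta resource/property names below
# are taken from the Graph beta API and should be verified; IDs and date are placeholders.
param(
    [string]$ProfileName = "Expedite - Print spooler security update - Wave 1",
    [string]$ReleaseDate = "2021-07-06",   # placeholder: release date of the update to expedite
    [string[]]$WaveGroups = @("00000000-0000-0000-0000-000000000001"),  # placeholder group object IDs
    [int]$DaysUntilForcedReboot = 2
)

# Least-privilege scope for update profiles; admin consent is requested on first use.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" | Out-Null
$base = "https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdateProfiles"

# Step 1: create the profile (portal: Windows 10 quality updates > Create profile > name).
$profileBody = @{
    "@odata.type"           = "#microsoft.graph.windowsQualityUpdateProfile"
    displayName             = $ProfileName
    description             = "Expedited security update, created via Graph"
    expeditedUpdateSettings = @{
        "@odata.type"         = "#microsoft.graph.expeditedWindowsQualityUpdateSettings"
        qualityUpdateRelease  = $ReleaseDate
        daysUntilForcedReboot = $DaysUntilForcedReboot
    }
}
$newProfile = Invoke-MgGraphRequest -Method POST -Uri $base -Body $profileBody
Write-Host "Created profile '$($newProfile.displayName)' with id $($newProfile.id)"

# Step 2: assign it to the wave groups (portal: Add groups > Create).
$assignBody = @{
    assignments = @(
        foreach ($groupId in $WaveGroups) {
            @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($newProfile.id)/assign" -Body $assignBody | Out-Null

# Step 3: read the profile back with its assignments to confirm the wave targets before it goes out.
$check = Invoke-MgGraphRequest -Method GET -Uri "$base/$($newProfile.id)?`$expand=assignments"
$check.assignments | ForEach-Object { "Assigned to group $($_.target.groupId)" }
```
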
Patch report for your management

When something bad happens and your company is potentially at risk, management usually pushes for reports. This is how you can give them what they want.

Go to endpoint.microsoft.com

Windows updates (preview)

Choose reports

Windows Expedited Update report (Preview)

Select an expedited update profile

Select the expedited update we created earlier

Generate

Export the data and hand it to management.

Summary

I hope this post gave you some insight into how to handle zero-day patching with Endpoint Manager easily and quickly. The feature is there to ease your life as an admin in your daily job. Go try it out yourself!

Happy patching!

Sources:

Use Intune to expedite Windows 10 quality updates - Azure | Microsoft Docs

Windows message center | Microsoft Docs

4 comments:

  1. Is this actually working for you? I have set this up the exact same way but nothing gets pushed to the clients. Reporting looks weird. Displaying 13 random devices with errors but no info on the remaining 200 Windows machines...

    1. My environment was already patched because of my Windows 10 ring, so in this case my expedite policy didn't have to react.
      Make sure your prerequisites are in place, and if it is still not working, create an MS ticket.

      It is still a preview feature so you might see bugs, but MS will support and help.

  2. I am also seeing the same problem. Nothing is expedited... only the regular patch ring settings are working. Reporting is incorrect. I have opened an MS ticket and we have confirmed that the prerequisites are in place.

    1. Hi Peter, you can reach me on Twitter https://twitter.com/MMelkersen

      I am also having a case running with MS on this topic. I am lucky that I have access to some of the product team, so as soon as I have the knowledge I will gladly share it with you.
