Although you may delay installing certain Windows security updates, in most cases you'd be the only person at risk. The situation is considerably more complex in organizations, where IT and security admins are responsible for ensuring that all devices in their tenant follow recommended cybersecurity practices. Organizations are not only higher-value targets; a single "patient zero" device could end up infecting many other endpoints on the company network.
To tackle this problem, Microsoft recently implemented a process in Windows Update for Business (WUfB) that allows IT admins to expedite the rollout of security updates on Windows 10 and 11. This is especially important when safeguarding against 0-day vulnerabilities as this feature allows updates to be force-installed within a few days, depending upon your configuration.
Some of the prerequisites for leveraging expedited Windows updates through WUfB and Intune include:
- Licensing
  - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  - Windows 10/11 Virtual Desktop Access (VDA) per user
  - Microsoft 365 Business Premium
- Azure Active Directory (Azure AD)
  - Joined
  - Hybrid joined
- Windows Update services
  - Devices must be configured to scan the Windows Update service and be receiving updates from it.
- Update Health Tools Client
  - Update Health Tools KB4023057 must be installed on all relevant devices.
- Recommended: Client/device data processing in Intune
  - Devices are configured to send diagnostic data for a better experience.
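The device-side prerequisites above (Azure AD join state, Windows Update service, KB4023057, diagnostic data) can be checked on an endpoint before admins rely on expedited updates. The script below is an added example written for this article, not Microsoft's own tooling. It assumes the standard `dsregcmd /status` field names (`AzureAdJoined`, `DomainJoined`), the usual Windows Update and DataCollection policy registry paths, and that Update Health Tools appears either as hotfix KB4023057 or as an installed program named "Microsoft Update Health Tools"; licensing is a tenant-level check and cannot be verified on the device itself.

```powershell
# Added example (not from the article): check a Windows 10/11 device against the
# expedited-update prerequisites. Run from an elevated PowerShell session.

function Test-ExpeditePrereqs {
    $result = [ordered]@{}

    # 1. Azure AD joined or hybrid joined, read from dsregcmd /status.
    $ds = dsregcmd /status
    $aadJoined    = [bool]($ds | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
    $domainJoined = [bool]($ds | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES' -Quiet)
    $result.AzureAdJoined = $aadJoined
    $result.HybridJoined  = $aadJoined -and $domainJoined   # hybrid = AAD joined AND domain joined

    # 2. Windows Update service present and not disabled.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $result.WUServiceOk = ($null -ne $wu) -and ($wu.StartType -ne 'Disabled')

    # 3. Device scans the Windows Update service rather than an internal WSUS server.
    #    UseWUServer = 1 under the AU policy key redirects scans to WSUS.
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $result.ScansWindowsUpdate = -not ($au -and $au.UseWUServer -eq 1)

    # 4. Update Health Tools (KB4023057). Assumption: it may be listed as a hotfix
    #    or only as an installed program, so both locations are checked.
    $hotfix = Get-HotFix -Id KB4023057 -ErrorAction SilentlyContinue
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $app = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Microsoft Update Health Tools*' }
    $result.UpdateHealthTools = ($null -ne $hotfix) -or ($null -ne $app)

    # 5. Diagnostic data (recommended, not required). AllowTelemetry = 0 turns it off.
    $dc = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' -ErrorAction SilentlyContinue
    $result.DiagnosticDataEnabled = -not ($dc -and $dc.AllowTelemetry -eq 0)

    [pscustomobject]$result
}

$r = Test-ExpeditePrereqs
$r | Format-List

# Join state plus the three hard requirements must all pass; diagnostic data is advisory.
$required = 'WUServiceOk', 'ScansWindowsUpdate', 'UpdateHealthTools'
$joinOk   = $r.AzureAdJoined -or $r.HybridJoined
if ($joinOk -and (($required | ForEach-Object { $r.$_ }) -notcontains $false)) {
    'Device meets the expedite prerequisites.'
} else {
    'Device is missing one or more prerequisites; see the list above.'
}
```

Running this across a pilot group before enabling expedited updates surfaces the devices that would silently be skipped, which is also where to look first if an expedite report in Intune shows endpoints never receiving the release.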
In addition to configuring expedited updates, Microsoft also allows admins to view summaries of their organizational health status, see how many devices have been updated, and detect potential rollout issues through Intune. You can find more details on the dedicated webpage here.
In terms of best practices, Microsoft has recommended that IT admins first test expedited updates with older security updates. For example, this October they should test expedited security updates for July and see whether all devices get the update. After that, expedited updates should be configured to expedite to the latest security release with the "Days to Reboot" option set to 1 or 2 days instead of 0, so workflows are not hampered by immediate installations.
Expedited Windows updates for security releases are now in public preview and Microsoft is also working on a mechanism for non-security updates, such as monthly non-security quality roll-ups.