Introduction
Out-of-band (OOB) updates from Microsoft are critical patches released outside the regular “Patch Tuesday” cycle, often addressing high-impact vulnerabilities or bugs. As organisations increasingly adopt Microsoft Intune for modern endpoint management, understanding how to quickly deploy OOB updates across devices is vital for protecting enterprise environments.
In this blog post, we’ll guide you step-by-step through deploying OOB updates using Intune, including tips for compliance, reporting, and automation.
What Are Out-of-Band Updates?
Out-of-band updates are emergency patches released in response to critical security threats or significant product issues. Unlike cumulative updates, these are unplanned but essential.
Prerequisites
Before starting, verify that your devices and environment meet these Microsoft-supported requirements:
- Windows version: Devices must run Windows 10 version 1709 or later, or any version of Windows 11
- Intune management: Devices must be:
- Enrolled in Microsoft Intune
- Configured for Windows Update for Business
- Telemetry: Basic or higher telemetry level must be enabled
- No conflicting deferral policies
📚 Full prerequisites on Microsoft Learn
🧭 Step-by-Step: Deploy OOB Update Using Intune
Step 1: Open the MEM Admin Centre
- Go to Devices → Windows → Windows updates → Quality Updates
Step 2: Create a New Expedite Profile
- Click Create → Expedite police
Step 3: Configure Expedite Settings
- Name it clearly (e.g.,
OOB KB5061768 Deployment – May 2025) - Optionally provide a description
- Under Expedite installation of quality updates, select the latest Out-of-Band update
- For KB5061768, choose build 19045.5856
- Set the restart grace period to
0for immediate compliance (or up to 2 days, if needed)
Step 4: Assign the Expedite Policy
- Assign the profile to a device group or user group
- ⚠️ Do not mix group types for inclusion/exclusion—stick to one type
Step 5: Review and Create
- Click Next and then Create
- The profile will now begin expediting the update to targeted devices
📈 Expedite Out-of-Band Windows Security Update – Reporting in Intune
Once the Policy is active and telemetry is configured:
- Navigate to Reports → Windows updates
- Click on the Reports tab at the top
- Click on Windows Expedited Update Report
- Click on Select an expedited update profile
- Then, Click on Generate Report
You can also check the Expedited update failures through:
- Navigate to Devices → Windows → Monitor→ Windows Expedited update failures
- Select the OOB update
The report shows compliance status for each targeted device, including successes, failures, and pending updates. You can export the report to CSV for audit or security team reviews.
🔐 Why Expedite OOB Updates Using Intune?
Using Intune’s native expedite capability offers several benefits:
- No scripting or Win32 app conversion needed
- Immediate compliance for zero-day or critical patches
- Centralised reporting and audit tracking
- Scalable for thousands of devices
📝 Summary
Deploying Out-of-Band updates doesn’t have to be manual or slow. Microsoft Intune offers a streamlined, scalable way to enforce compliance with critical patches like KB5061768. Follow this guide to configure your environment and ensure rapid rollout, without the complexity of legacy methods.
