So, It's Autopatch Expedited Releases

I wanted to take a few minutes to talk about expedited releases in Windows Autopatch. This function flies a little under the radar because it's not something we use very often, but when we need it, WE NEED IT!

What is an Expedited Update:

Any time it is determined that a software update, in most cases a security update, can't wait for the traditional patching cycle, we expedite, or speed up, the release timeframe to address failures or security concerns that may exist. Within the Microsoft ecosystem, we refer to any update outside the traditional patching schedule as an OOB (Out of Band) update.

That doesn't mean that Expedite and OOB are the same thing or mutually exclusive. OOB (out-of-band) updates are released when Microsoft has determined that a security or reliability patch can't wait for the next patching cycle, or Patch Tuesday. Expedite is when we take any update, whether an OOB or any other update, from Microsoft or any other vendor, and deploy it right away or on an accelerated timeline.

How does Windows Autopatch address expedite:

Windows Autopatch aims to keep its customers up to date and takes action to ensure this is always the case. With Expedite, Autopatch has introduced a fixed expedite schedule that is applied to enrolled tenants: if an OOB update is released, Autopatch will set the expedite schedule to get that OOB to your devices as soon as possible. This schedule enforces a reboot after 24 hours.

Note: Under this deployment, your devices can be rebooted inside of Active hours or during the business day to ensure compliance, typically because these are critical health or security updates.

To learn more about OOB releases: https://learn.microsoft.com/en-us/windows/deployment/update/quality-updates#oob-releases

Not all organizations can adopt this; for that reason, Windows Autopatch added an "opt out" option for global service-led expedite, which I will talk about in just a bit.

To learn more on Windows Autopatch Expedite: https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview#expedited-releases

 

Windows Autopatch "Turn off Service-Driven expedited quality updates" or "opt Out"

As I said earlier, we know one size does not fit all, and that goes for many of the customers I have supported over the years, so there is an option to simply not participate in service-led expedite. What does this mean for your environment? Simply that if a critical OOB is released, it will not be applied until your predefined schedule is executed. This does put your end users at possible risk, so be aware. I always try to put this discussion at a higher level than myself to ensure we have some cover if the choice to opt out, or to follow an expedited schedule, has an unplanned negative impact.

Typically, if there is any flak for releasing an expedited update, I have seen it take the form of some higher-level employee getting rebooted at an inconvenient time. At many organizations this is a cultural issue, whereas others just understand that reboots are a necessary part of staying secure and protecting the company as well as the individuals. In any case, be sure you weigh the benefits against the consequences when deciding to "Turn off Service-Driven expedited quality updates".
