The one with the out-of-band update and Microsoft Intune

Introduction

Windows Update for Business is a free service that can be used to keep Windows 10 devices always up to date with the latest updates. You can configure WUfB with Microsoft Intune to control how and when Windows 10 devices are updated.

Currently, WUfB provides management policies for the following type of updates:

  • Feature updates: Contain not only security and quality revisions but also significant feature additions and changes. Feature updates are released semi-annually in the fall and the spring.
  • Quality updates: Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (commonly known as Patch Tuesday). These include security, critical, and driver updates.
  • Driver updates: Updates for non-Microsoft drivers that are relevant to your devices.
  • Microsoft product updates: Updates for other Microsoft products, such as Office.

You might think that all types of updates are covered, yet a very important type of update is missing. Out-of-band updates are updates that are released at some other time than the release time of the update types mentioned above. The usual reason for an out-of-band release is a vulnerability or zero-day exploit that carries very high risk and must be patched immediately. Although an out-of-band update is technically classified as a quality update, WUfB offers no option to deploy one very specific (out-of-band) update to Windows 10 devices in a timely manner.

The ability to expedite Windows 10 security updates within the Microsoft Endpoint Manager admin center is available as a public preview, but unfortunately only for customers that have a Windows 10 Enterprise E3/E5, Windows 10 Education E5/A5 or Microsoft 365 Business Premium license in their subscription.

Fortunately, we can rely on Win32 app management to deliver out-of-band updates to Windows 10. Win32 apps in Microsoft Intune are often legacy applications that are prepared with the Microsoft Win32 Content Prep Tool. This tool "converts" (legacy) application setup source files to the .intunewin format. Besides legacy applications, we can also use the tool to convert an out-of-band update. Once it is converted to a Win32 app, we can upload and add the Win32 app to Microsoft Intune.

In this blog post I'm going to cover an out-of-band update that Microsoft released a while ago to fix blue screens triggered by an earlier update when printing to various devices. Although the out-of-band update is already superseded by a more recent cumulative update, this blog will still come in handy when Microsoft releases a new out-of-band update that needs rapid deployment in your environment. PrintNightmare is unfortunately still a thing; the point is that after reading this blog it will hopefully be clear that there is also an alternative way to distribute an out-of-band update.

Requirements

  • Either the Microsoft Win32 Content Prep Tool or the IntuneWin32App PowerShell module.
  • The current and future Windows 10 build numbers (OS build and UBR) of the Windows 10 devices that require patching.
  • The out-of-band update we would like to deploy in .msu-format. (download manually from the Microsoft Update Catalog)

IntuneWin32App

With the IntuneWin32App PowerShell module, you can create a Win32 app, upload it to Microsoft Intune and create assignments. Since the module is published to the PowerShell Gallery, you can install it on your system by running the following command in an elevated PowerShell console:

Install-Module -Name "IntuneWin32App" -Force -Confirm:$false

If you prefer to use the Prep Tool, download the latest Microsoft Win32 Content Prep Tool from GitHub (version 1.8.3 at the time of writing) and extract the contents somewhere on your device (C:\IntuneWinAppUtil, for example). The -v parameter was made available in the 1.8.2 release, which means you can now check the version of the tool. Please note that with the Prep Tool you can only create a Win32 package; you will have to upload it manually to Microsoft Intune.

In this blog post, I will be using the PowerShell module to prepare and configure the Win32 app.

Determine builds that require patching

I strongly recommend that you read this page first, so you will understand how to determine the Windows 10 OS build(s) and UBR (Update Build Revision) being used in your environment. The latest build numbers for all Windows 10 versions can be found on the Windows 10 release information page.

Download the update

Assuming you are running Windows 10 20H2 in your environment, update KB5001649 is the one you are looking for. The OS Build for KB5001649 for Windows 10 20H2 is 19042.870. Hence, the CurrentBuildNumber equals 19042 and the Update Build Revision (UBR) equals 870. You can download the update manually from the Microsoft Update Catalog.

Create a new directory (I used Win32Apps as folder name) and save the .msu file in C:\Win32Apps\KB5001649\Source. We'll use the IntuneWin32App PowerShell module to convert the .msu file into the .intunewin format. Also, create a new PowerShell file with the following content and save it as DetectKB.ps1 in the C:\Win32Apps\KB5001649\Script\ folder. We'll use this script later as the detection script for the Win32 app in Microsoft Intune.

DetectKB.ps1
    # Look for the KB in the hotfix list printed by systeminfo.exe.
    # Intune treats a script-detected app as installed only when the script
    # exits with 0 AND writes something to STDOUT, hence the Write-Output.
    $result = systeminfo.exe | findstr KB5001649
    if ($result)
    {
        Write-Output "Found KB5001649"
        exit 0
    }
    else
    {
        exit 1
    }
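The systeminfo.exe lookup above only succeeds while KB5001649 itself is listed as an installed hotfix. Once a later cumulative update supersedes it, the device is patched but the KB disappears from that list, so the detection would report "not installed" and Intune would try to reinstall an update that is no longer applicable. The following detection script is an added example (not part of the original post or the IntuneWin32App module): it checks the KB via Get-HotFix and additionally accepts any device whose CurrentBuildNumber/UBR (the same registry values the requirement rules use) are at or above the level KB5001649 delivers. The build and UBR values 19042/870 are the ones from this post; adjust them per Windows 10 version.

```powershell
# Added example: detection script for the out-of-band update.
# Detected (exit 0 + output) when either the KB is listed as a hotfix, or the
# device is on the same OS build with a UBR at or above the one the KB ships.
# Target values below are for Windows 10 20H2 / KB5001649 as used in the post.
$TargetKB    = "KB5001649"
$TargetBuild = 19042
$TargetUBR   = 870

# Same keys the Intune requirement rules in the post compare against.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$currentBuild = [int]$cv.CurrentBuildNumber
$currentUBR   = [int]$cv.UBR

# 1. Direct check: is the KB present in the installed hotfix list?
#    Get-HotFix raises a non-terminating error when the KB is absent, so
#    silence it and test for a result instead.
$kbInstalled = $null -ne (Get-HotFix -Id $TargetKB -ErrorAction SilentlyContinue)

# 2. Build check: a later cumulative update supersedes the KB, in which case
#    the hotfix entry is gone but the UBR is >= the target.
$buildCovers = ($currentBuild -eq $TargetBuild) -and ($currentUBR -ge $TargetUBR)

if ($kbInstalled -or $buildCovers) {
    # STDOUT output is required for Intune to consider the app detected.
    Write-Output "Compliant: OS build $currentBuild.$currentUBR (KB listed: $kbInstalled)"
    exit 0
}
else {
    # No output and a non-zero exit code means "not detected".
    exit 1
}
```

Because the requirement rules already exclude devices on a different build, the build check here mostly matters for devices that were patched by a later cumulative update after the app was assigned; without it they would be flagged as failed installs in the admin center.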

Modify New-IntuneWin32AppRequirementRule.ps1

There is a chance you'll receive the following error when running the PowerShell code:

    New-IntuneWin32AppRequirementRule : Cannot validate argument on parameter 'MinimumSupportedOperatingSystem'. The argument "2H20" does not belong to the set "1607,1703,1709,1803,1809,1903" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.

The current version of the IntuneWin32App PowerShell module (v1.2.1) does not yet support the latest Windows 10 OS builds. Note that the accepted MinimumSupportedOperatingSystem value for Windows 10 20H2 is 2H20. I find it rather confusing that Microsoft uses 2H20 instead of 20H2, but perhaps there is a good reason for that.

Please make the following changes to the New-IntuneWin32AppRequirementRule.ps1 file (stored in your PowerShell Modules folder) and make sure that PowerShell is restarted after making these changes.

From:

New-IntuneWin32AppRequirementRule.ps1
    [ValidateSet("1607", "1703", "1709", "1803", "1809", "1903")]
    [string]$MinimumSupportedOperatingSystem,

    $OperatingSystemTable = @{
        "1607" = "v10_1607"
        "1703" = "v10_1703"
        "1709" = "v10_1709"
        "1803" = "v10_1803"
        "1809" = "v10_1809"
        "1903" = "v10_1903"
        "1909" = "v10_1909"
        "2004" = "v10_2004"
    }

To:

New-IntuneWin32AppRequirementRule.ps1
    [ValidateSet("1607", "1703", "1709", "1803", "1809", "1903", "1909", "2004", "2H20")]
    [string]$MinimumSupportedOperatingSystem,

    $OperatingSystemTable = @{
        "1607" = "v10_1607"
        "1703" = "v10_1703"
        "1709" = "v10_1709"
        "1803" = "v10_1803"
        "1809" = "v10_1809"
        "1903" = "v10_1903"
        "1909" = "v10_1909"
        "2004" = "v10_2004"
        "2H20" = "v10_2H20"
    }

We can now finally run the PowerShell code below to create and upload the Win32 app to Microsoft Intune.

Create and upload Win32App to Microsoft Intune

CreateAndUploadMSUWin32App.ps1
    # Package the .msu as an .intunewin file
    Import-Module -Name "IntuneWin32App"
    $WindowsUpdate = "KB5001649"
    $SourceFolder  = "C:\Win32Apps\$WindowsUpdate\Source"
    $SetupFile     = "windows10.0-kb5001649-x64_aca549448414a5ad559c742c39e9342468a23eb5.msu"
    $OutputFolder  = "C:\Win32Apps\$WindowsUpdate\Output"
    $IntuneWinFile = "$OutputFolder\windows10.0-kb5001649-x64_aca549448414a5ad559c742c39e9342468a23eb5.intunewin"
    $Win32AppPackage = New-IntuneWin32AppPackage -SourceFolder $SourceFolder -SetupFile $SetupFile -OutputFolder $OutputFolder -Verbose

    # Display name, publisher and description as shown in the admin center
    $DisplayName = "Windows 10 20H2 Out-of-band update KB5001649"
    $Publisher   = "Microsoft"
    $Description = "Windows 10 out-of-band update to fix BSOD triggered when printing to various devices"

    # Install and uninstall command lines, executed by the Intune Management Extension as SYSTEM.
    # wusa.exe only understands its own switches (/quiet, /norestart, /uninstall, /kb:<number>);
    # the /kb: switch expects the bare KB number without the "KB" prefix.
    $InstallCommandLine   = "wusa.exe .\windows10.0-kb5001649-x64_aca549448414a5ad559c742c39e9342468a23eb5.msu /quiet /norestart"
    $UninstallCommandLine = "wusa.exe /uninstall /kb:5001649 /quiet"

    # Requirement rules: x64 Windows 10 20H2 (2H20), OS build 19042, and a UBR below 870,
    # i.e. only devices that have not yet reached the level this update delivers.
    $RequirementRule = New-IntuneWin32AppRequirementRule -Architecture x64 -MinimumSupportedOperatingSystem 2H20
    $RequirementRuleRegistryCBR = New-IntuneWin32AppRequirementRuleRegistry -StringComparison -StringComparisonOperator 'equal' -StringComparisonValue '19042' -KeyPath 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ValueName 'CurrentBuildNumber'
    $RequirementRuleRegistryUBR = New-IntuneWin32AppRequirementRuleRegistry -IntegerComparison -IntegerComparisonOperator 'lessThan' -IntegerComparisonValue '870' -KeyPath 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ValueName 'UBR'

    # Detection rule: the DetectKB.ps1 script created earlier
    $DetectionRuleScriptFile = "C:\Win32Apps\$WindowsUpdate\Script\DetectKB.ps1"
    $DetectionRuleScript = New-IntuneWin32AppDetectionRuleScript -ScriptFile $DetectionRuleScriptFile -EnforceSignatureCheck $false -RunAs32Bit $false

    # Connect to Intune Graph and create and upload the Win32 package
    Connect-MSIntuneGraph -PromptBehavior Always
    Add-IntuneWin32App -FilePath "$IntuneWinFile" -DisplayName $DisplayName -Description $Description -Publisher $Publisher -InstallExperience "system" -RestartBehavior "suppress" -RequirementRule $RequirementRule -AdditionalRequirementRule $RequirementRuleRegistryCBR,$RequirementRuleRegistryUBR -DetectionRule $DetectionRuleScript -InstallCommandLine $InstallCommandLine -UninstallCommandLine $UninstallCommandLine -Verbose

If all goes according to plan, the Win32 app is now successfully created, configured and uploaded to Microsoft Intune.

Deploy Windows update package as Win32 app

You can now deploy this very specific update package (.msu file) to Intune-managed Windows 10 devices as a Win32 app. Assign the Win32App to your AutoPilot devices, so you can deploy the update. Consider testing it with a single Windows 10 device first.
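The assignment can also be created from the same IntuneWin32App module instead of the admin center. The script below is an added example, not code from the original post; it looks up the app by the display name used above and assigns it as required to a single pilot group first, which is the "test with one device" step the text recommends. The cmdlet names (Get-IntuneWin32App, Add-IntuneWin32AppAssignmentGroup, Get-IntuneWin32AppAssignment) and their parameters are taken from the module's documentation as I know it for the 1.2.x releases; the group id is a placeholder that you replace with the object id of your own pilot device group.

```powershell
# Added example: assign the uploaded Win32 app to a pilot group before targeting
# all Autopilot devices. Cmdlets and parameter names assumed from the
# IntuneWin32App module (v1.2.x); verify with Get-Command -Module IntuneWin32App.
Import-Module -Name "IntuneWin32App"
Connect-MSIntuneGraph -PromptBehavior Always

$DisplayName  = "Windows 10 20H2 Out-of-band update KB5001649"
# Placeholder: object id of an Azure AD group containing one or two test devices.
$PilotGroupId = "00000000-0000-0000-0000-000000000000"

# Resolve the app created by CreateAndUploadMSUWin32App.ps1; fail loudly if it is missing
# so a typo in the display name cannot silently assign nothing.
$Win32App = Get-IntuneWin32App -DisplayName $DisplayName -Verbose
if (-not $Win32App) {
    throw "Win32 app '$DisplayName' was not found in the tenant."
}

# Required intent: the update installs on the next IME sync, with toast notifications shown.
Add-IntuneWin32AppAssignmentGroup -Include -ID $Win32App.id -GroupID $PilotGroupId -Intent "required" -Notification "showAll" -Verbose

# Read the assignment back to confirm only the pilot group is targeted.
Get-IntuneWin32AppAssignment -ID $Win32App.id | Format-Table -AutoSize
```

Only after the pilot device reports the expected OS build (19042.870 in this post) would you add the assignment for the broader Autopilot device group; the requirement rules then keep the package from landing on devices that are already at or beyond that UBR.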

For testing purposes, I enrolled a fresh Windows 10 VM into Microsoft Intune with Microsoft Autopilot. After the initial Windows 10 OS install, my device is running OS build 19042.631, which is lower than the OS build we are aiming for once the out-of-band update is installed (19042.870).

[Screenshot: OS build before the out-of-band update]

Downloading Windows update package

I assigned the Win32App update in Microsoft Intune to my AutoPilot device and waited for the magic to begin:

[Screenshot: downloading the out-of-band update]

Windows update package installed

After a few minutes you will receive a toast message that the update is installed and requires a reboot. This is really nice, since in the Win32 app itself the 'device restart behavior' setting is 'no specific action', yet we are still informed that the device needs a reboot to complete the installation.

[Screenshot: reboot toast notification after the out-of-band update]

Windows update package verification

After the device is rebooted, Windows 10 is successfully updated to OS build 19042.870! We can verify this both in the event log and in the IntuneManagementExtension.log file on the Windows 10 device (located under C:\ProgramData\Microsoft\IntuneManagementExtension).

Event log:

[Screenshot: event log entry for the out-of-band update]

IntuneManagementExtension.log:

[Screenshot: detection script result for the out-of-band update in IntuneManagementExtension.log]
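Reading IntuneManagementExtension.log by hand is tedious because it is written in CMTrace format, where every record wraps the message in `<![LOG[...]LOG]!>` followed by time, date, component and severity attributes. The script below is an added example, not part of the original post or the Intune Management Extension: it parses those records, keeps only the ones that mention the KB, and prints them with a readable timestamp and severity. It assumes the default log location (the Logs subfolder under the ProgramData path named above); when the file is not present it falls back to a few constructed sample records so the parser can be exercised offline.

```powershell
# Added example: extract the IME log records that concern this update.
# Assumes the default IME log path; the sample records below are constructed,
# not real Intune Management Extension output.
param(
    [string]$LogPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log',
    [string]$Pattern = 'KB5001649'
)

# One CMTrace record per line:
# <![LOG[message]LOG]!><time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." context="" type="1|2|3" thread="..." file="...">
$CmTraceRegex = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'

function ConvertFrom-CmTraceLine {
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -notmatch $CmTraceRegex) { return $null }   # skip lines that are not CMTrace records
    [pscustomobject]@{
        # strip the UTC offset suffix (+000 / -420) from the time field
        Timestamp = "$($Matches.date) $($Matches.time -replace '[+-]\d+$', '')"
        Severity  = switch ($Matches.type) { '1' { 'Info' } '2' { 'Warning' } '3' { 'Error' } default { 'Unknown' } }
        Component = $Matches.comp
        Message   = $Matches.msg
    }
}

if (Test-Path -Path $LogPath) {
    $Lines = Get-Content -Path $LogPath
}
else {
    # Constructed sample records so the script runs without a real log file.
    $Lines = @(
        '<![LOG[[Win32App] Downloading content for KB5001649]LOG]!><time="10:15:01.123+000" date="03-21-2021" component="IntuneManagementExtension" context="" type="1" thread="7" file="">',
        '<![LOG[[Win32App] Detection script for KB5001649 exited with code 1]LOG]!><time="10:15:02.456+000" date="03-21-2021" component="IntuneManagementExtension" context="" type="2" thread="7" file="">',
        '<![LOG[[Win32App] Installer for KB5001649 exited with code 3010, reboot required]LOG]!><time="10:17:40.789+000" date="03-21-2021" component="IntuneManagementExtension" context="" type="1" thread="7" file="">'
    )
}

# Filter on the KB first (cheap), then parse only the matching records.
$Lines |
    Where-Object { $_ -match [regex]::Escape($Pattern) } |
    ForEach-Object { ConvertFrom-CmTraceLine -Line $_ } |
    Where-Object { $_ } |
    Format-Table Timestamp, Severity, Message -AutoSize -Wrap
```

The severity column is what makes this useful for troubleshooting: a detection script that exits non-zero before installation shows up as a warning, and a failed wusa.exe run shows up as an error with the exit code in the message, so the interesting lines stand out without scrolling through the whole file in CMTrace.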

Conclusion

In this blog post I explained how to deploy a Windows update as a Win32 app with Microsoft Intune. Since not every customer has a Windows 10 Enterprise license in their tenant, and the ability to expedite updates is (at the time of writing) still in public preview, you can always use this method to deploy Windows updates that need rapid deployment.

More information: