Over the past few days, I kept getting the same questions from clients and colleagues about the January 24, 2026 out-of-band update (KB5078127).
Do we really need to wait for our normal update rings?
How do we get this out quickly without creating chaos?
Is Intune actually the right tool for this?
If you manage Windows devices at scale, you’ve probably had the same thoughts. When Microsoft releases an out-of-band update, it’s usually for a good reason—and suddenly your carefully planned Patch Tuesday flow doesn’t quite fit anymore.
That’s exactly why I decided to write this post. I found myself explaining the same approach multiple times over the last few days, and rather than repeating it in meetings and chats, I wanted to put it all in one place and share it with everyone.
In this post, I’ll walk through how you can use Intune’s Expedited Quality Updates to roll out critical fixes quickly, and just as importantly, what to watch out for when you do. Hopefully, this helps you make a calm, informed decision the next time an out-of-band update lands in your tenant.
Expedited Updates
Intune actually gives us a tool for those situations. It’s called Expedited Quality Updates.
What it does is pretty straightforward: it creates a high-priority update path that completely ignores your normal deferral settings. So if your update rings usually say “wait 5 days before installing quality updates”, expedited updates don’t care. The selected update gets pushed as soon as the device can take it.
This is very much a break-glass feature. You don’t use it every month, but when Microsoft drops an out-of-band update for a serious vulnerability, this is the button people start hovering over.
A few things you really need to think about before using it
Expedited updates are powerful, but they’re not subtle. Before you deploy one, make sure you understand what you’re trading off.
1. You’re skipping your safety net
Your update rings exist for a reason. Pilot rings, broad rings, phased rollouts: all of that is there to catch problems before they hit everyone.
When you expedite an update, you’re choosing to bypass that entire model.
The reality: if the out-of-band update causes issues, you won’t discover that in a small test group first. You’ll discover it in production. Everywhere. At the same time.
That doesn’t mean you shouldn’t do it, but it does mean you should be very intentional about when you do.
2. Users are going to notice (especially the reboot)
This is not a “silent install in the background” kind of update.
Expedited updates come with tight deadlines for installation and restart, because the whole point is to secure the device as fast as possible.
What this looks like for users:
They’ll see notifications. They’ll be asked to restart. And if you set the deadline to 0 days, that restart can happen very quickly, possibly right in the middle of a meeting or while they’re working on something unsaved.
This is where a bit of communication goes a long way. Even a short message like “we’re pushing a critical security fix today, please expect a reboot” can save you a lot of annoyed Slack messages later.
How to Configure an Expedited Update
Here is how to set it up in the Intune console.
Step 1: Create the Profile
- Go to Devices > Windows 10 and later updates > Quality updates.
- Click + Create profile.
Step 2: Settings & The “Hint”
This is where you define which update is urgent.
- Name: Give it a clear name (e.g., URGENT: Expedite Security Update [Date]).
- Expedite installation if device OS version less than:
  - This dropdown list is populated by Microsoft with valid release targets.
  - Example Case: In our current scenario, you would look for the entry explicitly dated January 24, 2026 (or referencing the specific security release). Selecting this ensures devices don’t stop patching until they hit that specific build level.
- Number of days to wait before restart:
  - 0 Days: The most aggressive. Forces the install and reboot ASAP.
  - 1 Day: Gives users a 24-hour grace period to finish work.
Step 3: Assignments
Assign the profile to your devices.
- Pro Tip: Even in an emergency, if you can afford a few hours, deploy to a small “Canary” group first to verify the OOB update doesn’t break critical business apps before hitting “All Devices.”

Monitoring the Status
Once deployed, standard update reports might lag. Use the dedicated Windows Expedited Update Report (under Reports > Windows Updates) to track progress.
In the case of our recent example, you would be watching the report to ensure devices are rapidly moving to builds 26200.7628 / 26100.7628.
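To cross-check the report against your own inventory, here is an added PowerShell example (not part of the original post or any Microsoft tooling) that classifies devices against the 26200.7628 / 26100.7628 builds mentioned above. The inventory rows, device names and the `Get-ExpediteStatus` function are constructed for illustration; in practice the rows would come from your own device export.

```powershell
# Target builds named in the post for the January 24, 2026 out-of-band update.
# Key = OS build number, value = minimum revision (UBR) that contains the fix.
$TargetRevision = @{ 26100 = 7628; 26200 = 7628 }

# Constructed sample inventory (hypothetical device names and versions),
# shaped like a device export with an OS version column.
$Inventory = @'
DeviceName,OSVersion
LAB-PC-01,10.0.26200.7628
LAB-PC-02,10.0.26200.7462
LAB-PC-03,10.0.26100.7171
LAB-PC-04,10.0.26100.7840
LAB-PC-05,10.0.22631.6199
LAB-PC-06,unknown
'@ | ConvertFrom-Csv

function Get-ExpediteStatus {
    param(
        [string] $OSVersion,
        [hashtable] $Targets
    )
    $parsed = $null
    # TryParse avoids a terminating error on blank or malformed inventory values.
    if (-not [version]::TryParse($OSVersion, [ref] $parsed)) { return 'Unparsed' }
    # In a four-part Windows version, Build is the OS build and Revision is the UBR.
    if (-not $Targets.ContainsKey($parsed.Build)) { return 'NotTargeted' }
    if ($parsed.Revision -lt $Targets[$parsed.Build]) { return 'BelowTarget' }
    return 'AtOrAboveTarget'
}

$Report = foreach ($device in $Inventory) {
    [pscustomobject]@{
        DeviceName = $device.DeviceName
        OSVersion  = $device.OSVersion
        Status     = Get-ExpediteStatus -OSVersion $device.OSVersion -Targets $TargetRevision
    }
}

# Summary first, then the devices that still need attention.
$Report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$Report | Where-Object Status -in 'BelowTarget', 'Unparsed' | Format-Table -AutoSize
```

Devices reported as `NotTargeted` are on a build branch other than the two named in this post, so they need their own target revision before you can judge them.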




