🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings


Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

| Property | Value |
| --- | --- |
| ISM Control | ISM-1690 |
| Revision | 2 |
| Updated | Dec-23 |
| Guideline | Not provided |
| Section | System patching |
| Topic | Mitigating known vulnerabilities |
| Essential Eight | ML1, ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

Patch management ensures vulnerabilities are mitigated by applying vendor updates within two weeks of release when advisories are non-critical and no working exploits exist.[1] This control requires configuring and enabling Windows Autopatch for all workstations via the Intune admin portal to automate timely patch deployment and reduce security risk.[2]

Justification

The Essential Eight requires that non-critical patches for online services be applied within two weeks of release. Windows Autopatch implements this through deployment rings that progressively roll out updates:

| Ring | Description | Approximate coverage | Deployment cadence |
| --- | --- | --- | --- |
| Test | A small set of devices used to validate the update | ~1% | First available |
| First | Early-adopter devices (power users, IT) | ~1% | 1 week after Test |
| Fast | Broader early majority | ~9% | 1 week after First |
| Broad | Remaining production devices | ~90% | 2 weeks after Fast |

By default, all devices in the Broad ring receive updates within two weeks of release, satisfying the Essential Eight ML1/ML2/ML3 cadence requirement for non-critical patches. For critical patches (zero-day or CVSS ≥ 9.0), Autopatch accelerates deployment to within 48 hours using an Expedited deployment policy.

Windows Autopatch covers four update types: Windows OS quality updates, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams. This consolidates patching of the most commonly exploited Microsoft software surfaces into a single managed workflow.

Licensing: Windows Autopatch requires Windows 10/11 Enterprise E3 or higher (included in Microsoft 365 E3+). It is not available on Windows Pro or Business editions.

Design Decision

[!NOTE] Windows Autopatch will be configured and enabled for all workstations via the Intune admin portal. It will ensure patching occurs within two weeks of release for vulnerabilities deemed non-critical by vendors.

Prerequisites

Permissions/Roles

Dependencies

Implementation Steps

Configure and enable Windows Autopatch for all workstations via the Intune admin portal

  1. Verify prerequisites for Windows Autopatch
    • Microsoft Entra ID for co-management
    • Microsoft Entra hybrid joined devices or Microsoft Entra joined devices
    • Microsoft Intune (including Configuration Manager via co-management)
    • For devices managed by Configuration Manager, ensure a supported Configuration Manager version is in place and switch the device configuration, Windows Update and Microsoft 365 Apps workloads from Configuration Manager to Intune (minimum Pilot Intune). The pilot collection must contain the devices you want to register into Autopatch.[1]
  2. Run the Readiness assessment
    • As a Global Administrator, go to Intune, then Tenant administration, and navigate to Windows Autopatch > Tenant enrollment.[2]
    • The Readiness assessment checks Intune settings, including deployment rings for Windows 10 or later, minimum administrator requirements and unlicensed administrators.[2]
    • The assessment produces a report listing the steps required to reach a ready state. Once the issues are resolved, move to the next step.[2]
    • If issues are present, follow the steps documented in the readiness guidance to resolve them.[2]
  3. Verify admin contacts
    • Sign into Intune.
    • Under Tenant administration in the Windows Autopatch section, select Admin contacts.
    • Select Add.
    • Enter the contact details including name, email, phone number and preferred language. For a support ticket, the ticket’s primary contact’s preferred language determines the language used for email communications.
    • Select an Area of focus and enter details of the contact’s knowledge and authority in the specified area of focus.
    • Select Save to add the contact.
    • Repeat for each area of focus.[2]
  4. Register devices with Windows Autopatch
    • The IT admin reviews the Windows Autopatch device registration prerequisites before registering devices with Windows Autopatch.[2]
    • IT admin identifies devices to be managed by Windows Autopatch and adds them into the Windows Autopatch Device Registration Microsoft Entra group.
    • Windows Autopatch then:
      • Performs device readiness (prerequisite) checks prior to registration
      • Calculates the deployment ring distribution
      • Assigns devices to a deployment ring, based on the previous calculation
      • Assigns devices to other Microsoft Entra groups required for management
      • Marks devices as active for management so it can apply its update deployment policies
    • The IT admin then monitors the device registration trends and the update deployment reports. The detailed device registration workflow can be found in the Windows Autopatch device registration overview.[2]

Ring-Based Patch Deployment Using Group Policy (on-premises and hybrid environments)

For organisations that cannot use Windows Autopatch (e.g., those without Windows Enterprise E3+ licensing, those using on-premises WSUS, or hybrid environments in transition), ring-based update deployment can be achieved using WSUS + Group Policy or Windows Update for Business (WUfB) + Group Policy. Both approaches implement the same progressive ring model as Autopatch, using GPO security filtering to stage update rollout across waves.

[!NOTE] The approach documented below is based on the best-practice model published by Group Policy MVP Alan Burchill at grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/ [3] and the Microsoft WSUS ring deployment guide.[4]

Approach 1 — WSUS with Group Policy client-side targeting

This is the traditional on-premises model. WSUS manages update approvals; Group Policy assigns devices to WSUS target groups and controls the deployment schedule for each ring.

Ring model:

| Ring | WSUS target group | AD security group | Deployment schedule | Coverage |
| --- | --- | --- | --- | --- |
| Ring 1 — Test / Pilot IT | Ring 1 - Pilot IT | WSUS-Ring1-PilotIT | First available after approval | ~1–5% (IT staff, test devices) |
| Ring 2 — Broad IT | Ring 2 - Broad IT | WSUS-Ring2-BroadIT | +3–5 days after Ring 1 | ~5–10% (technical users) |
| Ring 3 — Broad Business (workstations) | Ring 3 - Broad Business | WSUS-Ring3-BroadBusiness | +7 days after Ring 1 | ~80–85% (standard users) |
| Ring 4 — Servers | Ring 4 - Servers | WSUS-Ring4-Servers | Separate maintenance window | All servers |

[!IMPORTANT] Servers should always be in a separate ring with a distinct maintenance window, scheduled well after workstation rings have validated stability. A typical schedule is: workstations Friday night → Ring 1 servers Saturday midday → Ring 2 servers Sunday midday.[3]

Step 1 — Configure WSUS computer target groups
  1. Open the WSUS Administration Console.
  2. Under Computers > All Computers, select Add Computer Group.
  3. Create groups matching the ring names above (e.g., Ring 1 - Pilot IT, Ring 2 - Broad IT, Ring 3 - Broad Business, Ring 4 - Servers).
  4. In WSUS Options > Computers, set computer assignment to Use Group Policy or registry settings on computers to enable client-side targeting.[4]
Step 2 — Create a GPO per ring with client-side targeting

For each ring, create a dedicated GPO. Security-filter each GPO to its corresponding AD security group (remove Authenticated Users from the security filter and add the ring-specific group).[3]

  1. Open Group Policy Management Console (gpmc.msc).
  2. Create a GPO named using a consistent convention — e.g., WSUS - Workstations - Ring 1 Pilot IT.
  3. In the GPO, navigate to: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
  4. Configure:
    • Specify intranet Microsoft update service location — point to your WSUS server URL (e.g., http://wsus.contoso.com:8530)
    • Enable client-side targeting — Enabled; enter the WSUS target group name exactly as created in Step 1 (e.g., Ring 1 - Pilot IT).[4]
    • Configure Automatic Updates — set to option 4 (Auto download and schedule the install); set install day/time to align with the ring’s maintenance window
    • No auto-restart with logged-on users during automatic updates installations — configure to match your user impact policy
  5. In Group Policy Management, set the Security Filtering on the GPO to the ring’s AD security group only.
  6. Link the GPO to the appropriate OU(s) containing target devices.
  7. Repeat for each ring GPO.

[!TIP] GPO naming convention: Prefix all WSUS GPOs consistently for easy identification in GPMC, e.g. WSUS - [Tier] - [Ring] - [Site]. For multi-site deployments, create site-specific variants (e.g., WSUS - Servers - Sydney - Round 1, WSUS - Servers - Sydney - Round 2) to stagger deployment across geographic locations within the same ring.[3]
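The Approach 1 procedure (Steps 1 and 2) scripted end to end, as an added example that is not part of the guide or of the cited sources. It needs the GroupPolicy (RSAT) and UpdateServices (WSUS console) modules on a domain-joined admin host; the WSUS URL, ring names and AD group names are the guide's, while $TargetOu and the Friday 22:00 install window are hypothetical placeholders.

```powershell
# Added example: provision the WSUS ring model (target groups + one GPO per ring).
# GroupPolicy and UpdateServices modules required; run as a WSUS and GPO administrator.
Import-Module GroupPolicy, UpdateServices

$WsusUrl  = 'http://wsus.contoso.com:8530'
$TargetOu = 'OU=Workstations,DC=contoso,DC=com'   # placeholder OU holding the ring devices
$WuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey    = "$WuKey\AU"

# Workstation rings from the guide. The stagger between rings (+3-5 days, +7 days) comes from
# WSUS approval deadlines per target group; the GPO only fixes the install window.
$Rings = @(
    @{ Gpo = 'WSUS - Workstations - Ring 1 Pilot IT';       Target = 'Ring 1 - Pilot IT';       Group = 'WSUS-Ring1-PilotIT' }
    @{ Gpo = 'WSUS - Workstations - Ring 2 Broad IT';       Target = 'Ring 2 - Broad IT';       Group = 'WSUS-Ring2-BroadIT' }
    @{ Gpo = 'WSUS - Workstations - Ring 3 Broad Business'; Target = 'Ring 3 - Broad Business'; Group = 'WSUS-Ring3-BroadBusiness' }
)
$InstallDay = 6; $InstallHour = 22   # ScheduledInstallDay 1=Sunday..7=Saturday, so 6 = Friday; 22:00

# Step 1: WSUS computer target groups, then "Use Group Policy or registry settings on computers".
$wsus = Get-WsusServer
foreach ($r in $Rings) {
    if (-not ($wsus.GetComputerTargetGroups() | Where-Object Name -eq $r.Target)) { $null = $wsus.CreateComputerTargetGroup($r.Target) }
}
$cfg = $wsus.GetConfiguration()
$cfg.TargetingMode = 'Client'
$cfg.Save()

# Step 2: one GPO per ring carrying the four Windows Update settings, filtered to the ring's AD group.
foreach ($r in $Rings) {
    if (-not (Get-GPO -Name $r.Gpo -ErrorAction SilentlyContinue)) { $null = New-GPO -Name $r.Gpo }
    # Specify intranet Microsoft update service location
    Set-GPRegistryValue -Name $r.Gpo -Key $WuKey -ValueName WUServer       -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $r.Gpo -Key $WuKey -ValueName WUStatusServer -Type String -Value $WsusUrl | Out-Null
    # Enable client-side targeting = Enabled, with the target group name exactly as created in WSUS
    Set-GPRegistryValue -Name $r.Gpo -Key $WuKey -ValueName TargetGroupEnabled -Type DWord  -Value 1 | Out-Null
    Set-GPRegistryValue -Name $r.Gpo -Key $WuKey -ValueName TargetGroup        -Type String -Value $r.Target | Out-Null
    # Configure Automatic Updates = option 4 (auto download and schedule the install) in the ring's window
    Set-GPRegistryValue -Name $r.Gpo -Key $AuKey -ValueName AUOptions            -Type DWord -Value 4 | Out-Null
    Set-GPRegistryValue -Name $r.Gpo -Key $AuKey -ValueName ScheduledInstallDay  -Type DWord -Value $InstallDay | Out-Null
    Set-GPRegistryValue -Name $r.Gpo -Key $AuKey -ValueName ScheduledInstallTime -Type DWord -Value $InstallHour | Out-Null
    # No auto-restart with logged-on users during automatic updates installations
    Set-GPRegistryValue -Name $r.Gpo -Key $AuKey -ValueName NoAutoRebootWithLoggedOnUsers -Type DWord -Value 1 | Out-Null
    # Security filtering: only the ring group gets Apply. Authenticated Users keeps Read (which is
    # what GPMC leaves behind when you remove it from Security Filtering) so policy stays readable.
    Set-GPPermission -Name $r.Gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $r.Gpo -TargetName $r.Group -TargetType Group -PermissionLevel GpoApply | Out-Null
    New-GPLink -Name $r.Gpo -Target $TargetOu -ErrorAction SilentlyContinue | Out-Null
}
```

Verify the result on a ring member with gpresult /r (the GPO should be listed under Computer Settings) and in the WSUS console, where the device should appear under its target group after the next detection cycle.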


Approach 2 — Windows Update for Business (WUfB) with Group Policy

For cloud-connected environments that want ring-based deployment without WSUS, Windows Update for Business delivers updates directly from Microsoft Update and uses Group Policy (or MDM) deferral periods to stagger rings. No WSUS server is required.[5]

Deferral ring model:

| Ring | GPO name | Quality update deferral | Feature update deferral | Coverage |
| --- | --- | --- | --- | --- |
| Ring 0 — Pilot | WUfB - Pilot | 0 days | 0 days | IT/test devices |
| Ring 1 — Fast | WUfB - Fast | 5 days | 30 days | Power users / early adopters |
| Ring 2 — Broad | WUfB - Broad | 14 days | 60–90 days | Standard production devices |

[!NOTE] A 14-day quality update deferral on the Broad ring satisfies the ISM two-week non-critical patching requirement for devices that receive updates directly from Microsoft Update (no WSUS).

Step 1 — Ensure Group Policy ADMX files are current

Download the latest Windows 11 Administrative Templates from the Microsoft Download Centre and update the Central Store (\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions) to ensure WUfB settings are available in GPMC.

Step 2 — Create a GPO per ring with WUfB deferral settings
  1. In GPMC, create a GPO per ring (e.g., WUfB - Pilot, WUfB - Fast, WUfB - Broad).
  2. Navigate to: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for Business
  3. Configure the following per ring:
    • Select when Quality Updates are Received — Enabled; set Defer receiving a quality update for this many days to the ring’s deferral value (0 / 5 / 14).
    • Select when Preview Builds and Feature Updates are Received — Enabled; set the feature update deferral as appropriate.
    • Manage updates offered from Windows Update — Enabled (disables WSUS targeting; omit this if WSUS is also in use).
  4. Security-filter each GPO to an AD security group representing that ring’s devices.
  5. Link the GPO to the relevant OU(s).
Step 3 — Pausing updates on a problematic patch

If a quality update causes issues after Ring 0 deployment, pause rollout to downstream rings:

  1. Edit the Ring 1 / Ring 2 GPOs.
  2. In Select when Quality Updates are Received, enable the Pause Quality Updates option and set the pause start date.
  3. Updates will pause for up to 35 days or until the pause date is cleared.[5]
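The Approach 2 deferral rings (Step 2) and the pause procedure (Step 3) as PowerShell, an added example that is not part of the guide. GPO names and the 0 / 5 / 14-day quality deferrals are the guide's (60 days is taken from the table's 60–90 range); $TargetOu and the WUfB-Ring* group names are hypothetical placeholders, and the guard against a Broad-ring deferral longer than 14 days encodes the ISM two-week requirement noted above.

```powershell
# Added example: WUfB deferral ring GPOs plus pause/resume of quality updates.
# Requires the GroupPolicy (RSAT) module on a domain-joined admin host.
Import-Module GroupPolicy
$WuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$TargetOu = 'OU=Workstations,DC=contoso,DC=com'   # placeholder OU holding the ring devices
$IsmMaxQualityDeferDays = 14                       # ISM-1690: non-critical patches within two weeks

# Deferral ring model from the guide (quality / feature deferral in days); group names are placeholders.
$Rings = @(
    @{ Gpo = 'WUfB - Pilot'; Group = 'WUfB-Ring0-Pilot'; Quality = 0;  Feature = 0  }
    @{ Gpo = 'WUfB - Fast';  Group = 'WUfB-Ring1-Fast';  Quality = 5;  Feature = 30 }
    @{ Gpo = 'WUfB - Broad'; Group = 'WUfB-Ring2-Broad'; Quality = 14; Feature = 60 }
)

function New-WufbRingGpo {
    param([hashtable]$Ring)
    # Guard: no ring may defer quality updates beyond the two-week ISM window.
    if ($Ring.Quality -gt $IsmMaxQualityDeferDays) { throw "$($Ring.Gpo): quality deferral $($Ring.Quality) days exceeds $IsmMaxQualityDeferDays" }
    if (-not (Get-GPO -Name $Ring.Gpo -ErrorAction SilentlyContinue)) { $null = New-GPO -Name $Ring.Gpo }
    # Select when Quality Updates are Received = Enabled, defer N days
    Set-GPRegistryValue -Name $Ring.Gpo -Key $WuKey -ValueName DeferQualityUpdates             -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Ring.Gpo -Key $WuKey -ValueName DeferQualityUpdatesPeriodInDays -Type DWord -Value $Ring.Quality | Out-Null
    # Select when Preview Builds and Feature Updates are Received = Enabled, defer N days
    Set-GPRegistryValue -Name $Ring.Gpo -Key $WuKey -ValueName DeferFeatureUpdates             -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Ring.Gpo -Key $WuKey -ValueName DeferFeatureUpdatesPeriodInDays -Type DWord -Value $Ring.Feature | Out-Null
    # Security filtering (Apply only for the ring group, Read kept for Authenticated Users) and OU link
    Set-GPPermission -Name $Ring.Gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $Ring.Gpo -TargetName $Ring.Group -TargetType Group -PermissionLevel GpoApply | Out-Null
    New-GPLink -Name $Ring.Gpo -Target $TargetOu -ErrorAction SilentlyContinue | Out-Null
}

# Step 3: pause quality updates on downstream rings after a bad Ring 0 deployment.
# Windows honours the pause for up to 35 days from the start date; Resume-* clears it.
function Suspend-WufbQualityUpdates {
    param([string[]]$GpoNames, [datetime]$Start = (Get-Date))
    foreach ($g in $GpoNames) {
        Set-GPRegistryValue -Name $g -Key $WuKey -ValueName PauseQualityUpdatesStartTime -Type String -Value $Start.ToString('yyyy-MM-dd') | Out-Null
        Set-GPRegistryValue -Name $g -Key $WuKey -ValueName PauseQualityUpdates -Type DWord -Value 1 | Out-Null
    }
}
function Resume-WufbQualityUpdates {
    param([string[]]$GpoNames)
    $GpoNames | ForEach-Object { Remove-GPRegistryValue -Name $_ -Key $WuKey -ValueName PauseQualityUpdates, PauseQualityUpdatesStartTime -ErrorAction SilentlyContinue | Out-Null }
}

$Rings | ForEach-Object { New-WufbRingGpo -Ring $_ }
# When Ring 0 surfaces a problem:  Suspend-WufbQualityUpdates -GpoNames 'WUfB - Fast', 'WUfB - Broad'
```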
