Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
| Property | Value |
| --- | --- |
| ISM Control | ISM-1692 |
| Revision | 2 |
| Updated | Jun-25 |
| Guideline | Not provided |
| Section | System patching |
| Topic | Mitigating known vulnerabilities |
| Essential Eight | ML3 |
| PSPF Levels | NC, OS, P, S, TS |
Summary
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist, reducing exposure to attacks. Configure and enable Windows Autopatch for all workstations via the Intune admin portal. For third-party applications, deploy new versions via the Intune Enterprise Application Catalogue; where the Catalogue does not cover an application, repackage and redeploy every application that requires a security update within the timeline. For the Edge web browser, configure all devices to the Target Channel or Stable channel.
Justification
Critical patches and patches with working exploits represent the highest-priority remediation target because:
- A working exploit means attacker tooling already exists in the wild; every day without the patch extends the window for commodity attacks (ransomware, supply-chain loaders, worm propagation).
- CVSS Critical (≥9.0) vulnerabilities that leverage network-accessible vectors can be exploited without user interaction, making them suitable for automated mass-compromise campaigns within hours of PoC publication.
Windows Autopatch addresses this with an Expedited deployment workflow that delivers updates to all rings simultaneously (bypassing the normal Test → First → Fast → Broad progression) and forces a restart within the configured grace period. This can reduce deployment time from two to four weeks down to 24–48 hours across the entire managed estate.
For Microsoft 365 Apps and Edge, Autopatch manages update channels. Setting Edge to Stable channel means updates are tested by Microsoft over four weeks before release; Target Channel (formerly Beta) delivers updates 4 weeks earlier for advanced validation. ACSC guidance recommends Stable for most devices with Target Channel for a small representative pilot.
Microsoft Enterprise App Management (EAM) removes the biggest bottleneck in third-party application patching: the repackaging burden. Without EAM, applying a critical update to a common app (e.g., 7-Zip, VLC, Zoom, Adobe Reader) requires an IT Pro to download the new installer, repackage it as a .intunewin, validate detection rules and return codes, test deployment, and then redeploy — a process that can take days and causes organisations to routinely miss the 48-hour window. EAM eliminates this entirely for supported apps: Microsoft pre-packages, pre-detects, and hosts the update; the IT Pro simply creates a supersedence relationship in the Intune console and assigns it. Combined with EAM’s SLO of 80–90% of app updates available within 24 hours of vendor release, this enables organisations to credibly meet the ML3 48-hour critical patch requirement for all EAM-covered third-party applications.
Design Decision
> [!NOTE]
> The Windows Autopatch service will be configured and enabled for all workstations via the Intune admin portal. For third-party applications, new versions will be deployed via Intune Enterprise Application Management; where that is not possible, all applications that require security updates will be repackaged and redeployed within the required timeline. The Edge browser will be configured on all devices to the Target Channel or Stable release channel.
Prerequisites
- Licensing:
  - Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher.
- Permissions/Roles:
  - A Global Administrator account is required to enable the Windows Autopatch readiness assessment in Intune.
  - An Intune administrator account is required to manage readiness assessment, enrollment, and device management.
  - Admin contacts must be defined for each Area of Focus before enrollment.
- Dependencies:
  - Intune and Microsoft Entra ID must be configured to support readiness assessment and enrollment.
  - Review and satisfy Device registration prerequisites before registering devices with Windows Autopatch.
Implementation Steps
Windows Autopatch Deployment for Workstations
- Enable Windows Autopatch for all workstations via the Intune admin portal.
- Run the readiness assessment to verify Intune and Entra ID readiness for Windows Autopatch:
  - Open Intune, then go to Tenant administration -> Windows Autopatch -> Tenant enrollment and run the Readiness assessment.
- Verify and configure admin contacts for all focus areas:
  - Devices, Device health, Updates, Microsoft 365 Apps for enterprise updates, Microsoft Edge updates, and Microsoft Teams updates.
- Register devices with Windows Autopatch:
  - Review device-registration prerequisites, identify devices to manage, add them to the Windows Autopatch Device Registration group, and allow Autopatch to assign deployment rings and activate devices for management.
- Monitor Autopatch deployment status:
  - Use the Autopatch dashboard in Intune to view current update status, OS version, and deployment ring assignment.
Third-Party Application Patch Management via the Intune Enterprise Application Catalogue
- Deploy new versions of third-party applications via the Intune Enterprise Application Catalogue:
  - Use the Enterprise Application Management catalog to distribute updates to managed devices.
- If updates are not available in the Catalogue, repackage and redeploy the updated applications within the required timeline:
  - Repackage and redeploy third-party apps to ensure security updates are delivered in a timely manner.
- Monitor deployment progress and verify patch installation across devices using Intune reporting and Defender vulnerability integration as applicable.
- Align patch timing with the defined window for third-party apps:
  - Apply patches within the appropriate timeframe for third-party applications (one month for general third-party app patches).
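As an added illustration (not part of this control page or of any Microsoft tooling), the following Python encodes the deadline rule used in the Justification and in the step above: 48 hours for in-scope applications when the vendor rates the vulnerability critical or a working exploit exists, one month (assumed here as 30 days) for other third-party patches, and it flags inventory records that have missed their window. The inventory records are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Application categories the 48-hour window applies to (ISM-1692 scope).
CRITICAL_SCOPE = {"office productivity suite", "web browser", "browser extension",
                  "email client", "pdf software", "security product"}
WINDOW_CRITICAL = timedelta(hours=48)  # vendor-critical rating or working exploit
WINDOW_STANDARD = timedelta(days=30)   # "one month" for other third-party patches (30 days assumed)


def required_window(category, vendor_critical, exploit_exists):
    """48 hours when the app is in scope and the release is vendor-critical or has a working exploit."""
    if category in CRITICAL_SCOPE and (vendor_critical or exploit_exists):
        return WINDOW_CRITICAL
    return WINDOW_STANDARD


def assess(record, now):
    """Classify one (app, release) record as compliant, late, pending or overdue."""
    deadline = record["released"] + required_window(
        record["category"], record["vendor_critical"], record["exploit_exists"])
    deployed = record.get("deployed")
    if deployed is None:
        status = "overdue" if now > deadline else "pending"      # still open: has the window passed?
    else:
        status = "compliant" if deployed <= deadline else "late"  # closed: was it deployed in time?
    return {"app": record["app"], "deadline": deadline, "status": status}


def missed_window(records, now):
    """Apps that have breached their window, whether still undeployed or deployed late."""
    return [r["app"] for r in (assess(x, now) for x in records) if r["status"] in ("overdue", "late")]


# Constructed inventory for demonstration; not real vendor or CVE data.
T0 = datetime(2025, 6, 10, 9, 0, tzinfo=timezone.utc)   # vendor release time
NOW = T0 + timedelta(days=3)                             # time of this assessment
SAMPLE_RECORDS = [
    {"app": "PDF reader", "category": "pdf software", "vendor_critical": True,
     "exploit_exists": False, "released": T0, "deployed": T0 + timedelta(hours=30)},
    {"app": "Browser", "category": "web browser", "vendor_critical": False,
     "exploit_exists": True, "released": T0, "deployed": None},
    {"app": "Media player", "category": "media player", "vendor_critical": True,
     "exploit_exists": True, "released": T0, "deployed": None},
]


def report(records=SAMPLE_RECORDS, now=NOW):
    """Map app name -> status for the whole inventory."""
    return {r["app"]: r["status"] for r in (assess(x, now) for x in records)}
```

Run `report()` against a real inventory export to see which releases are already past the 48-hour or one-month window; the media player record shows that a critical rating alone does not pull an out-of-scope application into the 48-hour window.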
Microsoft Enterprise App Management (EAM) — Delivering Updates Without Repackaging
Microsoft Enterprise App Management (EAM) is an Intune add-on (available standalone or as part of the Microsoft Intune Suite) that provides the Enterprise App Catalog — a library of hundreds of pre-packaged Win32 applications maintained and hosted by Microsoft. IT Pros can deploy and update these applications directly from the Intune console without downloading, packaging, or testing installers themselves.
Why EAM matters for the 48-hour patching requirement:
| Traditional repackaging workflow | EAM workflow |
| --- | --- |
| IT Pro downloads new installer from vendor | Microsoft ingests vendor release automatically |
| IT Pro repackages as .intunewin using Win32 Content Prep Tool | Microsoft pre-packages and hosts the app |
| IT Pro writes/validates install commands, detection rules, return codes | Microsoft pre-fills all installation details, detection rules, and requirements |
| IT Pro tests in UAT environment (~1–3 days) | Microsoft runs automated validation (SLO: 80–90% of updates available within 24 hours) |
| IT Pro creates new Intune app and reassigns | IT Pro selects Update in the Enterprise App Catalog apps list and creates a supersedence relationship |
| End-to-end: 2–7+ days | End-to-end: <24 hours to 7 days depending on app |
Service Level Objectives (SLOs) for catalog updates:
- 80–90% of app updates complete automated validation and are available in the Intune portal within 24 hours of Microsoft receiving the vendor update.
- Apps requiring manual validation complete within 7 days.
- High-usage or critical apps that fail automated validation are prioritised for expedited processing with a goal of 48 hours.
For applications on the ISM Essential Eight critical-patch scope (office productivity, browsers, email clients, PDF tools, security products), this SLO structure means EAM-covered apps can consistently meet the 48-hour patching window without any repackaging effort.
Steps to apply an EAM app update (guided supersedence):
- In the Microsoft Intune admin center, navigate to Apps > Enterprise App Catalog apps with updates.
  - This report lists all deployed EAM apps for which a newer version is available in the catalog.
- Select the app and choose Update.
- In the Update application pane, select Supersede app.
  - Intune creates a new app entry with the latest package and configures the supersedence relationship automatically.
- Review the pre-filled installation details (install/uninstall commands, detection rules, return codes). Modify only if your environment requires non-default settings.
- Set Assignments (same groups as the existing app deployment).
- Select Review + create, then Create.
  - Intune deploys the new version to targeted devices and uninstalls the prior version via the supersedence relationship.
> [!NOTE]
> Updates are not automatic. The EAM catalog notifies you that an update is available but does not apply it automatically. IT Pros must initiate the supersedence workflow above. Regularly review the Enterprise App Catalog apps with updates report — ideally as a scheduled task on every Patch Tuesday and on critical-vulnerability disclosure days — to identify apps needing update.
> [!IMPORTANT]
> Licensing: Enterprise App Management is an Intune add-on, available as a standalone purchase or included in the Microsoft Intune Suite. It is not included in standard Intune P1/P2 or Microsoft 365 E3/E5 licences. Confirm your licence entitlement in the Microsoft 365 admin centre before planning an EAM deployment.
>
> Supported applications: The Enterprise App Catalog contains hundreds of commonly deployed applications including 7-Zip, Adobe Reader, Audacity, Zoom, Slack, VLC, Python, and many developer, productivity, and security tools. For the complete current list, see Apps available in the Enterprise App Catalog.
Edge Browser Patch Configuration
- In the Microsoft Intune admin center, navigate to Devices > Configuration profiles > Create profile.
- Select Platform: Windows 10 and later, Profile type: Settings catalog.
- Search for and add Microsoft Edge > Update settings.
- Set Update policy override for Microsoft Edge to Always allow updates (recommended).
- Set Target Channel override to Stable (or Beta for a pilot ring).
- Assign the profile to the target device group and save.
> [!NOTE]
> The Stable channel receives security updates rapidly. Edge is updated by Microsoft approximately every four weeks, with security patches backported within days of disclosure.
- Posture and Vulnerability Management: provides rapid, automated remediation guidance and risk-based prioritization to accelerate vulnerability remediation across on-prem and cloud resources.
- Common Vulnerabilities and Exposures (CVEs) report: consolidates vulnerabilities, release patches, and affected devices to track Windows Autopatch progress.
- Protect your work information: explains how cloud protections and Autopatch align with data protection goals in cloud environments.
- Microsoft 365 vulnerability scanning and remediation: outlines remediation timelines and processes for vulnerabilities across Microsoft 365 services.
- Microsoft Defender Vulnerability Management: provides asset visibility, vulnerability assessments, and remediation workflows integrated with endpoint management.
- Microsoft Intune Enterprise App Management: explains the Enterprise App Catalog model, service level objectives for update availability (80–90% within 24 hours), licensing, and the guided supersedence update workflow that allows IT Pros to deliver critical application updates without repackaging.
- Add an Enterprise App Catalog app to Microsoft Intune: covers the end-to-end process for adding, configuring, and assigning an EAM catalog app, including pre-filled detection rules and installation settings.
- Guided update supersedence for Enterprise App Management: describes the update workflow, including how to use the Enterprise App Catalog apps with updates report and create supersedence relationships to push new versions to devices.