Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within one month of release.
| Property | Value |
| --- | --- |
| ISM Control | ISM-1693 |
| Revision | 3 |
| Updated | Jun-25 |
| Guideline | Not provided |
| Section | System patching |
| Topic | Mitigating known vulnerabilities |
| Essential Eight | ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |
Summary
ISM-1693 requires timely patching of applications beyond the core productivity tools. This is met by configuring Windows Autopatch for all workstations via the Intune admin portal and deploying third-party application updates through the Intune Enterprise Application Catalogue, with manual re-packaging and redeployment as the fallback where needed to meet the defined timeline[^1][^9]. Setting the Edge browser's Target Channel override to Stable ensures browser updates are delivered consistently, supporting rapid remediation of security vulnerabilities[^3].
Justification
Applications outside the high-priority category (office suites, browsers, email) still represent meaningful attack surface. History shows that attackers target all application tiers, including image libraries, media players, compression tools and Java runtimes, particularly after high-value applications have been patched and defenders' attention has moved on. A one-month window balances operational risk (testing, packaging, compatibility) against security posture.
The Intune Enterprise Application Catalogue provides a managed, curated library of pre-packaged applications where Microsoft maintains installers and security updates, significantly reducing packaging overhead and enabling near-automated patch deployment for supported applications. For unsupported applications, manual repackaging into .intunewin format and deployment via Win32 app is the fallback.
Microsoft Enterprise App Management (EAM) removes the biggest operational bottleneck: the repackaging burden. Without EAM, updating a common app (e.g., 7-Zip, VLC, Python, Zoom) requires an IT Pro to download the new installer, repackage it as .intunewin, validate detection rules and return codes, test, and redeploy. This process can consume days of effort and causes organisations to routinely slip past the one-month window, particularly for lower-priority or rarely updated applications. EAM eliminates this entirely for supported apps: Microsoft pre-packages, pre-detects and hosts the update; the IT Pro creates a supersedence relationship in the Intune console with a few clicks. Combined with an SLO of 80–90% of app updates being available within 24 hours of vendor release, EAM makes compliance with the one-month window achievable with minimal manual effort for any EAM-covered application.[^4]
[^1]: Essential Eight patch applications
[^3]: Hotpatch updates
[^4]: Microsoft Intune Enterprise App Management: overview and SLOs
[^5]: Add an Enterprise App Catalog app to Microsoft Intune
[^6]: Guided update supersedence for Enterprise App Management
[^9]: Windows updates API overview
Design Decision
> [!NOTE]
> The Windows Autopatch configuration will be enabled for all workstations via the Intune admin portal. For third-party applications, updates will be deployed via the Intune Enterprise Application Catalogue; applications not available in the Catalogue that require security updates will be repackaged and redeployed within the required timeline. For the Edge browser, devices will be configured with the Target Channel override set to Stable.
Prerequisites
- Dependencies:
  - Devices must be enrolled in and managed by Microsoft Intune, and must be Entra ID joined or hybrid Azure AD joined. This is required to leverage Windows Autopatch and related update workflows. [^3]
  - Windows Autopatch capabilities must be available and considered in the target environment. Plan and configure update management using Autopatch features such as approvals and scheduling. [^9]
  - Intune is used to deploy patches for applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products, with patches deployed within one month of release. [^1]
  - Devices must be enrolled to receive Hotpatch updates. Create a Windows quality update policy in the Intune admin center, assign devices, and enable hotpatch settings as appropriate. [^3]
  - For third-party application updates, patches should be deployed via the Intune deployment method (Intune Enterprise Application Catalogue or equivalent) to ensure timely updates. [^1]
Implementation Steps
- Open the Intune admin center. [^1]
- Select Devices. [^1]
- Under Manage updates, select Windows updates. [^1]
- Go to the Quality updates tab. [^1]
- Click Create, and select Windows quality update policy. [^1]
- In Basics, enter a name for the policy and click Next. [^1]
- In Settings, ensure that When available, apply without restarting the device (Hotpatch) is set to Allow. Then click Next. [^1]
- Choose appropriate Scope tags or leave as Default. Then click Next. [^1]
- Assign the devices to the policy and click Next. [^1]
- Review the policy and click Create. [^1]
- Optionally, edit the existing Windows quality update policy and set When available, apply without restarting the device (Hotpatch) to Allow. [^1]
Microsoft Enterprise App Management (EAM): Delivering Updates Without Repackaging
Microsoft Enterprise App Management (EAM) is an Intune add-on (available standalone or as part of the Microsoft Intune Suite) that provides the Enterprise App Catalog, a library of hundreds of pre-packaged Win32 applications maintained and hosted by Microsoft. IT Pros can deploy and update these applications directly from the Intune console without downloading, packaging, or testing installers themselves.
Why EAM matters for the one-month patching requirement:
| Traditional repackaging workflow | EAM workflow |
| --- | --- |
| IT Pro downloads new installer from vendor | Microsoft ingests vendor release automatically |
| IT Pro repackages as .intunewin using Win32 Content Prep Tool | Microsoft pre-packages and hosts the app |
| IT Pro writes/validates install commands, detection rules, return codes | Microsoft pre-fills all installation details, detection rules, and requirements |
| IT Pro tests in UAT environment (~1–3 days) | Microsoft runs automated validation (SLO: 80–90% of updates available within 24 hours) |
| IT Pro creates new Intune app and reassigns | IT Pro selects Update in the Enterprise App Catalog apps list and creates a supersedence relationship |
| End-to-end: 2–7+ days per app | End-to-end: <24 hours to 7 days, well within the one-month window |
Service Level Objectives (SLOs) for catalog updates:[^4]
- 80–90% of app updates complete automated validation and are available in the Intune portal within 24 hours of Microsoft receiving the vendor update.
- Apps requiring manual validation complete within 7 days.
- High-usage or critical apps that fail automated validation are prioritised for expedited processing with a goal of 48 hours.
For general third-party applications in scope for ISM-1693, this SLO means that EAM-covered apps will typically be deployable within 1–7 days of release, providing a comfortable buffer against the one-month window and removing the time pressure that makes manual repackaging a recurring compliance risk.
Steps to apply an EAM app update (guided supersedence):[^6]
- In the Microsoft Intune admin center, navigate to Apps > Enterprise App Catalog apps with updates.
  - This report lists all deployed EAM apps for which a newer version is available in the catalog. Review this report at least monthly (e.g., after each Patch Tuesday) to identify pending updates within the ISM-1693 scope.
- Select the app and choose Update.
- In the Update application pane, select Supersede app.
- Intune creates a new app entry with the latest package and configures the supersedence relationship automatically.
- Review the pre-filled installation details (install/uninstall commands, detection rules, return codes). Modify only if your environment requires non-default settings.
- Set Assignments (same groups as the existing app deployment).
- Select Review + create, then Create.
- Intune deploys the new version to targeted devices and uninstalls the prior version via the supersedence relationship.
> [!NOTE]
> Updates are not automatic. The EAM catalog notifies you that an update is available but does not apply it automatically. IT Pros must initiate the supersedence workflow above. Schedule a recurring task to review the Enterprise App Catalog apps with updates report at least monthly to ensure all applicable updates are actioned within the one-month ISM-1693 window.

> [!IMPORTANT]
> Licensing: Enterprise App Management is an Intune add-on, available as a standalone purchase or included in the Microsoft Intune Suite. It is not included in standard Intune P1/P2 or Microsoft 365 E3/E5 licences. Confirm your licence entitlement in the Microsoft 365 admin centre before planning an EAM deployment.
Supported applications: The Enterprise App Catalog contains hundreds of commonly deployed applications including 7-Zip, Adobe Reader, Audacity, Zoom, Slack, VLC, Python, and many developer, productivity, and security tools. For the complete current list, see Apps available in the Enterprise App Catalog.[^4][^5]
Manage remaining third-party applications via Intune (manual repackaging fallback)
- In the Microsoft Intune admin center, navigate to Apps > Windows > Add.
- Select App type: Windows app (Win32) or search the Enterprise App Catalog for the application.
- For Catalogue-listed apps, select the app, configure assignment settings, and deploy to the target device group.
- For apps not in the Catalogue, package the updated installer using the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe), create a Win32 app deployment, and assign it to the device group.
- Monitor deployment status in Apps > Monitor > App install status and verify successful installation before the one-month deadline. [^1]
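The repackaging step above leaves the detection rule to the IT Pro, and a weak rule (for example, matching on the product name alone) lets an unpatched version report as installed. The script below is an added example, not from the original document or from Microsoft's tooling, of a custom detection script for a repackaged Win32 app that only reports "detected" once the patched version is present; the display name and minimum version are hypothetical values, using 7-Zip's uninstall entry as the illustration.

```powershell
# Added example: Intune Win32 custom detection script.
# Intune treats exit code 0 WITH output on STDOUT as "detected"; any other
# exit code, or no output, is "not detected" and the superseding package installs.
# Hypothetical values: adjust to the vendor's uninstall entry and patched build.
$DisplayName    = '7-Zip'           # hypothetical DisplayName prefix
$MinimumVersion = [version]'24.8'   # hypothetical patched version

# Use the same number of version components as the vendor writes to
# DisplayVersion: [version]'24.8' is NOT equal to [version]'24.8.0.0'.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledVersion {
    param([string]$Name)
    # Return the highest parseable DisplayVersion for matching uninstall entries
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$Name*" -and $_.DisplayVersion } |
        ForEach-Object {
            $parsed = $null
            if ([version]::TryParse($_.DisplayVersion, [ref]$parsed)) { $parsed }
        } |
        Sort-Object -Descending |
        Select-Object -First 1
}

$installed = Get-InstalledVersion -Name $DisplayName

if ($null -eq $installed) {
    # Not installed: report "not detected" so Intune installs the package
    exit 1
}

if ($installed -ge $MinimumVersion) {
    Write-Output "Detected $DisplayName $installed (minimum $MinimumVersion)"
    exit 0
}

# Installed but older than the patched version: "not detected", Intune remediates
exit 1
```

Paste the script into the Win32 app's detection rule as a custom script, then confirm the patched version reports as installed in Apps > Monitor > App install status.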
- In the Microsoft Intune admin center, navigate to Devices > Configuration profiles > Create profile.
- Select Platform: Windows 10 and later, Profile type: Settings catalog.
- Search for and add Microsoft Edge > Update settings.
- Set Update policy override for Microsoft Edge to Always allow updates (recommended).
- Set Target Channel override to Stable (or Beta for a pilot ring).
- Assign to the target device group and save. [^1]
- Windows updates API overview describes Windows Autopatch capabilities such as approvals, scheduling, gradual rollout, expedite, and safeguard holds.
- Enable third-party updates explains how to subscribe to third-party catalogs and publish updates through the update point in Configuration Manager.
- Available third-party software update catalogs lists vendor catalogs that can be imported and deployed via the Third-Party Software Update Catalogs feature.
- Posture and vulnerability management provides guidance on rapid remediation of vulnerabilities and patch management for cloud resources.
- Security Control: Vulnerability Management covers automated patching for third-party software and related controls.
- Security domain: operational security describes patch management policy requirements including patch windows, decommissioning, and vulnerability scoring.
- Microsoft Intune Enterprise App Management explains the Enterprise App Catalog model, service level objectives for update availability (80–90% within 24 hours), licensing, and the guided supersedence update workflow that allows IT Pros to deliver application updates without repackaging, directly supporting the one-month patching cadence for general third-party apps. [^4]
- Add an Enterprise App Catalog app to Microsoft Intune covers the end-to-end process for adding, configuring, and assigning an EAM catalog app, including pre-filled detection rules and installation settings. [^5]
- Guided update supersedence for Enterprise App Management describes the update workflow: how to use the Enterprise App Catalog apps with updates report and create supersedence relationships to push new versions to devices. [^6]