🛡️ Essential 8 Guide

Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.

Summary

Addresses the risk of exploitation by ensuring critical operating system patches are applied within 48 hours of release. Expedited updates through Intune Windows Autopatch are used to push these patches quickly and reduce exposure to active exploits on Intune-enrolled workstations (Windows 10/11).¹²

[!NOTE] Windows Autopatch and Intune expedited updates apply to Intune-enrolled workstations (Windows 10/11 Enterprise/Education) only. For non-internet-facing Windows Servers, OS patching is delivered through WSUS + Group Policy (on-premises environments) or Azure Update Manager (Azure VMs and Azure Arc-connected servers). Network devices use vendor-specific update mechanisms. The 48-hour critical patching requirement applies to all of these scopes regardless of the management tool used.

Justification

Critical OS vulnerabilities — particularly those with working exploits or CVSS ≥ 9.0 on network-accessible attack vectors — represent an existential risk because the OS underlies all workloads and controls. Past incidents (EternalBlue/MS17-010, PrintNightmare/CVE-2021-34527, Log4Shell lateral movement via OS-level JVM) demonstrate that unpatched internal systems are rapidly exploited for lateral movement and ransomware deployment once an initial foothold is established, even in non-internet-facing environments.

The 48-hour window reflects the industry-observed timeline between public PoC publication and widespread automated exploitation, balancing:

• Minimising exposure window — most mass-exploitation events begin within 24–72 hours of PoC publication.
• Minimising operational risk — rushed patching without any validation can cause outages; the expedited Autopatch workflow includes a short validation phase on the Test ring before broad deployment.

How Intune Expedited Updates achieve 48-hour delivery:

1. Create a Quality updates for Windows 10 and later — Expedited profile in Intune.
2. The profile sets the expedite deadline to 0 days (immediate) and the restart grace period to 1 hour.
3. The policy bypasses the configured update ring deferrals and forces Windows Update to download and install the patch regardless of active hour / ring settings.
4. Devices enrolled in Windows Update for Business (WUfB) apply the expedited update independently; Autopatch manages the expedite workflow through its WUfB integration.

Complementary application-layer patching via Enterprise App Management (workstations only):

Expediting OS patches closes the OS-level vulnerability window, but the same workstations also run dozens of third-party applications — each independently exploitable. Microsoft Enterprise App Management (EAM) addresses the application layer on these Intune-enrolled workstations without requiring manual repackaging.

[!NOTE] EAM applies to Intune-enrolled Windows 10/11 workstations only. Windows Servers are not supported by EAM or the Enterprise App Catalog. Server-side application patching should follow WSUS/SCCM or Azure Update Manager workflows. Microsoft pre-packages and hosts updates for hundreds of common Win32 applications in the Enterprise App Catalog; IT Pros apply updates via a supersedence workflow in the Intune console in minutes rather than days. EAM’s SLO of 80–90% of app updates available within 24 hours of vendor release means that for EAM-covered apps, the same 48-hour patching cadence applied to critical OS patches (ISM-1696) and critical application patches (ISM-1692) is operationally achievable without a bespoke packaging pipeline.³

Design Decision

[!NOTE] The Windows Autopatch approach will be used to push critical OS patches within 48 hours. Intune expedited updates will be used to deliver these patches to Intune-enrolled workstations (Windows 10/11 Enterprise/Education).

For non-internet-facing Windows Servers, deploy critical OS patches within 48 hours using one of the following tools:

• WSUS + Group Policy — for on-premises domain-joined servers (configure an Automatic Approval Rule for Critical/Security classifications with a 0-day deadline)
• Azure Update Manager — for Azure VMs and Azure Arc-connected on-premises servers (configure a Maintenance Configuration with a 48-hour schedule window)

For non-internet-facing network devices (routers, switches, firewalls), follow the vendor-specific firmware update process and verify against the Defender Vulnerability Management network device inventory.

Prerequisites

• Licensing
  • Microsoft Defender Vulnerability Management (DVM) licensing is required, or a license for Microsoft Defender for Endpoint Plan 2 or E5 that includes vulnerability management capabilities¹.
  • If Intune is used for implementation, target devices require Microsoft Intune Plan 1 (typically included with Microsoft 365 E3+)¹
• Permissions/Roles
  • Access to the Defender Vulnerability Management portal requires membership in the Security Reader Azure AD built-in role¹
• Dependencies
  • Devices must be enrolled in Microsoft Intune and joined to Entra ID and/or hybrid Azure AD join (inferred prerequisites for Intune-based policy deployment and patching workflows) ¹
  • Devices must be onboarded to Defender for Endpoint to enable Defender Vulnerability Management capabilities (onboarding guidance and requirements are described in the context) ¹
  • The Defender portal must have the Intune connection enabled to enable remediation workflows and integrated tasks (Intune connection is used to create remediation tasks in Intune) ¹
  • To expedite OS patches within 48 hours, create and assign a Quality updates for Windows 10 and later profile under Windows Update for Business (WUfB) to enable expedited deployments ²
  • For expedited OS patching via Defender integration, use the Expedite quality updates workflow to define which updates are expedited and assign them to the target device groups ²

Implementation Steps

Push critical OS patches within 48 hours using Intune expedited updates using Windows Autopatch

1. Enable Defender Vulnerability Management (DVM) integration and onboard devices to DVM to support patching within 48 hours.¹

2. Onboard devices to Defender Vulnerability Management (DVM) if not already onboarded. If devices are already onboarded, DVM features are enabled. If not, ensure Defender for Endpoint is running in block mode and onboard devices via Group Policy, Endpoint Manager, or local scripts. Detailed guidance is available for onboarding Defender for Endpoint capabilities.¹

3. In the Defender portal, enable the Intune connection to enable remediation tasks. Navigate to Settings > Endpoints > General > Advanced features and turn on Microsoft Intune connection. Note: If Intune connection is enabled, you can create an Intune security task when creating a remediation request. This option does not appear if the connection is not set.¹

4. Use the remediation workflow to address vulnerabilities. Go to Vulnerability management > Recommendations, select a security recommendation, and choose Remediation options. Fill out the form (including applicable device groups, priority, due date, and any notes) and submit. A remediation activity item is created in vulnerability management and a security task is created in Intune. The Intune admin accepts the task and remediates per the provided guidance, which may include links to relevant Intune configurations.¹

5. Expedite OS patches by creating a quality updates profile for Windows 10 and later and configuring it to expedite the installation of critical updates. Steps:
   • Create a Quality updates for Windows 10 and later profile under Devices > Windows > Quality updates for Windows 10 and later (Preview).²
   • Provide a name for the profile.²
   • Define which quality updates Windows Update for Business should expedite based on the device OS version.²
   • Define the number of days until a restart is enforced.²
   • Assign the profile to a group containing all applicable Windows devices. If the restart delay is set to 0, the device will restart immediately when the update applies.²

6. Monitor and verify patch deployment. Track remediation progress and patch status in both Defender Vulnerability Management and Intune to ensure critical OS patches are deployed within the 48-hour window.¹

7. Validate that the expedited deployment aligns with the vendor-identified critical patches and that Defender Vulnerability Management continues to identify newly disclosed critical vulnerabilities for rapid remediation.¹

Patching the application layer on the same devices using Enterprise App Management (EAM)

While this control (ISM-1696) targets OS-level patches, the Intune-enrolled workstations being patched also run third-party applications that require independent patching under ISM-1692 (48-hour critical) and ISM-1693 (one-month general). Microsoft Enterprise App Management (EAM) is the Intune-native mechanism for keeping these applications current without a manual repackaging pipeline.

[!NOTE] This EAM section applies to Intune-enrolled workstations (Windows 10/11) only. Windows Servers are not supported targets for EAM or the Enterprise App Catalog.

What EAM provides:

Steps to apply an EAM app update:⁴

1. In the Microsoft Intune admin center, navigate to Apps > Enterprise App Catalog apps with updates.
2. Select the app requiring an update and choose Update.
3. In the Update application pane, select Supersede app — Intune creates the new app version and supersedence relationship automatically.
4. Review pre-filled installation details and set Assignments (same groups as the existing deployment).
5. Select Review + create > Create. Intune deploys the new version and removes the prior version via the supersedence relationship.

[!NOTE] EAM updates are not automatic — IT Pros must initiate the supersedence workflow. Review the Enterprise App Catalog apps with updates report on every Patch Tuesday and on critical-vulnerability disclosure days to identify pending application updates alongside OS patch activities.

[!IMPORTANT] Licensing: Enterprise App Management is an Intune add-on (standalone or as part of the Microsoft Intune Suite). It is not included in standard Microsoft 365 E3/E5 licences.

Supported applications: The Enterprise App Catalog covers hundreds of commonly deployed Win32 applications. For the complete current list, see Apps available in the Enterprise App Catalog.³⁵

Apply critical OS patches to non-internet-facing Windows Servers within 48 hours

For Windows Server 2016/2019/2022 (not Intune-managed), use one of the following approaches to meet the 48-hour critical patching requirement.

WSUS + Group Policy (on-premises domain-joined servers)

1. In the WSUS Administration Console, go to Options → Automatic Approvals → New Rule.
2. Name the rule Critical — Servers 48hr. Set:
   • Classification: Critical Updates, Security Updates
   • Deadline: 0 days (immediate approval) — WSUS will push the update at the next WSUS sync cycle (typically every hour).
3. Assign the rule to the computer group containing non-internet-facing servers.
4. In Group Policy (applied to server OUs), set Computer Configuration → Administrative Templates → Windows Components → Windows Update:
   • Configure Automatic Updates: 4 – Auto download and schedule the install
   • Automatic update detection frequency: 1 (hour)
   • Allow automatic updates immediate installation: Enabled
5. After deploying a critical patch, monitor the WSUS Reports → Update Status Summary report; confirm all in-scope servers show Installed within 48 hours.

Azure Update Manager (Azure VMs / Arc-connected servers)

1. In the Azure portal, navigate to Azure Update Manager → Maintenance Configurations → Create.
2. Set Schedule type to One time (for emergency critical patches) or create a recurring configuration with a maximum 24-hour window once a week.
3. Under Update settings, select Security and Critical update classifications; set Reboot setting to IfRequired.
4. Assign the relevant Azure VM resource groups or Arc-enabled machine groups.
5. For zero-day or actively exploited vulnerabilities, trigger an on-demand assessment and deploy directly from Azure Update Manager → Machines → (select servers) → One-time update to push the patch immediately outside the maintenance window.
6. Review the Update compliance dashboard within 48 hours to confirm all targeted servers are listed as Compliant.

Additional related information

• ASD Blueprint for Windows update and patching provides design guidance for implementing patching and update controls in cloud-based Windows deployments ASD Blueprint: Windows update and patching

• Azure Update Manager overview explains how to manage updates at scale for Azure VMs and Arc-enabled servers, including on-demand assessment, maintenance configurations, and compliance reporting Azure Update Manager documentation

• Configure Windows Server Update Services (WSUS) describes how to set up WSUS synchronisation, automatic approval rules with deadlines, and GPO-based deployment for domain-joined servers Windows Server Update Services (WSUS)

• Microsoft Security Advisory 4025685 offers guidance for prioritizing and deploying critical security updates during high-risk exposure events Microsoft Security Advisory 4025685

• Walkthrough: Use Group Policy to configure Windows Update client policies explains how to manage update rings, deferrals, and automatic updates via Group Policy Walkthrough: Use Group Policy to configure Windows Update client policies

• Lifecycle FAQ - Windows clarifies servicing and update requirements and support timelines for Windows platforms Lifecycle FAQ - Windows

• OS Updates describes controls for Windows IoT Enterprise devices and how updates are managed and deployed OS Updates
• Microsoft Intune Enterprise App Management explains the Enterprise App Catalog model, service level objectives (80–90% of app updates within 24 hours), and the supersedence update workflow — the complementary mechanism for patching the application layer on the same workstations and servers this control protects at the OS level Microsoft Intune Enterprise App Management ³
• Add an Enterprise App Catalog app to Microsoft Intune covers the end-to-end process for adding, configuring, and assigning an EAM catalog app with pre-filled detection rules and installation settings Add an Enterprise App Catalog app to Microsoft Intune ⁵
• Guided update supersedence for Enterprise App Management describes the update workflow: using the Enterprise App Catalog apps with updates report and creating supersedence relationships to push new versions to devices without repackaging Guided update supersedence for Enterprise App Management ⁴