🛡️ Essential 8 Guide

Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.

Summary

Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. This implementation pushes critical OS patches within 48 hours using expedited updates managed by Intune and Windows Autopatch.¹²

Justification

Online services (SaaS, cloud infrastructure, web-facing applications) present a distinct patching challenge compared to endpoint OS patching: they are continuously internet-exposed, often managing large volumes of sensitive data, and critical vulnerabilities in these services are frequently targeted within hours of public disclosure.

The 48-hour window for critical/exploited vulnerabilities is specifically calibrated to the observed exploitation timeline. CISA KEV (Known Exploited Vulnerabilities Catalog) data shows that the median time-to-exploitation for actively exploited vulnerabilities dropped from 30+ days (2010s) to under 48 hours for many CVEs in 2022–2024. For online services, the attack surface is globally accessible — any delay beyond 48 hours significantly increases the probability of compromise.

Windows Autopatch Hotpatch (available for Windows 11 24H2+, Server 2025, and Azure Arc-enabled VMs) enables kernel-level patches to be applied without a restart on eligible Patch Tuesday months, enabling near-zero downtime patching for critical OS-level vulnerabilities in online service hosts. This is particularly valuable for internet-facing Windows Server workloads where maintenance windows are constrained.

For non-Windows online services (e.g., network appliances, Linux VMs, third-party SaaS), the 48-hour requirement is met through vendor-specific update mechanisms combined with Azure Update Manager (for Azure/Arc VMs) or manual emergency change procedures governed by the organisation’s change management framework.

Design Decision

[!NOTE] The Quality updates for Windows 10 and later policy will be deployed via Intune to expedite critical OS patches within 48 hours using Windows Autopatch. It will leverage expedited update capabilities to ensure timely patch installation on applicable devices. This will meet the ISM-1876 requirement for rapid patching of critical vulnerabilities.

Prerequisites

Licensing

• Microsoft Entra ID for co-management. ¹
• Microsoft Entra hybrid joined devices or Microsoft Entra joined devices. ¹
• Microsoft Intune (including Configuration Manager via co-management). ¹
• Windows Autopatch licensing prerequisites:
  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5
  • Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium
    These subscriptions enable Windows Autopatch functionality. ²

Dependencies

• Entra ID joined or Hybrid AD joined devices for Autopatch to manage. ²
• Microsoft Intune to manage Autopatch deployment. ¹
• Windows 10/11 version 1709 or later on target devices. ²
• Supported OS editions for Autopatch deployments: Pro, Enterprise, Education, Pro Education, Pro for Workstations. ²

Implementation Steps

Expedite OS patches via Quality Updates (Intune)

1. Create a Quality updates for Windows 10 and later (Preview) profile under Devices > Windows > Quality updates for Windows 10 and later (Preview).¹
2. Provide a name. It’s suggested that the name of the policy aligns to the quality update version being expedited for ease of reference.¹
3. Define the quality updates that Windows Update for Business expedites the installation of if the device Operating System version is less than.¹
4. Define the number of days until a restart of the device is enforced.¹
5. Assign the profile to a group containing all applicable Windows devices.¹

Note: If the number of days to wait before a restart is enforced is set to 0, the device will immediately restart upon receiving the update. The user won’t receive the option to delay the reboot.¹

Enroll devices to receive Hotpatch updates

1. Go to the Intune admin center.²
2. Select Devices from the left navigation menu.²
3. Under the Manage updates section, select Windows updates.²
4. Go to the Quality updates tab.²
5. Select Create, and select Windows quality update policy.²
6. Under the Basics section, enter a name for your new policy and select Next.²
7. Under the Settings section, ensure that the option “When available, apply without restarting the device ("Hotpatch")” is set to Allow. Then, select Next.²
8. Select the appropriate Scope tags or leave as Default. Then, select Next.²
9. Assign the devices to the policy and select Next.²
10. Review the policy and select Create.²
11. You can also Edit the existing Windows quality update policy and set the “When available, apply without restarting the device ("Hotpatch")” to Allow.²

Note: Turning on Hotpatch updates doesn’t change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.²

Additional related information

• ASD Blueprint for Windows update and patching describes best practices for patching in cloud and on-premises environments ASD Blueprint: Windows update and patching

• Windows updates API overview explains how Windows Update for Business and the Graph API support patch management Windows updates API overview

• Windows Autopatch Frequently Asked Questions provides prerequisites and capabilities for using Autopatch to manage patches Windows Autopatch FAQ

• Hotpatch for Windows Server describes patching options and server support for hotpatch deployments Hotpatch for Windows Server

• Azure Update Manager offers automated patching guidance for Azure VMs and non-Azure resources Azure Update Manager

• Windows 11 release information outlines hotpatch and baseline update scheduling by OS version Windows 11 release information