🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings


Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

| Property | Value |
|---|---|
| ISM Control | ISM-1901 |
| Revision | 1 |
| Updated | Jun-25 |
| Guideline | Not provided |
| Section | System patching |
| Topic | Mitigating known vulnerabilities |
| Essential Eight | ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

ISM-1901 addresses timely patching by applying vendor mitigations for vulnerabilities in operating systems, office productivity suites, web browsers, and security products within two weeks of release when vulnerabilities are non-critical and no working exploits exist.[1]

Implementation aligns with ASD Blueprint guidance, mandating patches within two weeks of release or within 48 hours if an exploit exists.[2]

Justification

Priority applications — office productivity suites, web browsers, email clients, PDF applications, and security products — have the highest exposure to document-based and browser-based initial access vectors. Non-critical vulnerabilities in these applications (CVSS Medium/High, no working exploit) still represent a meaningful risk: the gap between “no public exploit” and “working exploit” is often measured in days to weeks, particularly for widely-deployed software.

A two-week remediation window for non-critical vulnerabilities is calibrated to balance operational change management constraints with the observed exploitation timeline. Microsoft’s Autopatch deployment rings (Test → First → Fast → Broad) deliver patches progressively over 7–21 days for standard quality updates, which aligns with the two-week requirement when the Broad ring deadline is set to 14 days.

For third-party priority applications (Adobe Reader, 7-Zip, VLC, etc.), the Intune Enterprise App Catalogue provides direct Microsoft-managed packaging for common applications — removing the re-packaging overhead and accelerating the two-week remediation timeline. For bespoke applications, the Win32 Content Prep Tool (.intunewin) remains the standard deployment path.

| Application category | Two-week patching mechanism | Verification method |
|---|---|---|
| Microsoft 365 Apps | Intune Monthly Enterprise Channel | Defender VM software inventory |
| Microsoft Edge | Intune Edge update policy (Stable channel) | Defender VM browser CVE report |
| Adobe Reader/Acrobat | Enterprise App Catalogue or Win32 | Defender VM – software vulnerabilities |
| Windows Defender | Automatic intelligence updates | Defender VM – security product version |
| Third-party security products | Vendor update mechanism + Intune Win32 | Defender VM – software vulnerabilities |

Design Decision

> [!NOTE] Windows Autopatch will be configured and enabled for all workstations via the Intune admin portal. For third-party applications, new versions will be deployed via the Intune Enterprise Application Catalogue; otherwise, re-package and redeploy every application that requires a security update within the required timeline. For the Edge web browser, configure all devices to "Target Channel" or "Stable".

Prerequisites

Implementation Steps

Enable Windows Autopatch and patch management via Intune

  1. Register for Windows Autopatch in the Intune admin center (Tenant administration > Windows Autopatch). Complete the prerequisites check and activate the service for the tenant.[2]

  2. Assign devices to the Windows Autopatch device registration group (Windows Autopatch Device Registration). Devices are automatically distributed across Test, First, Fast, and Broad deployment rings.[2]

  3. Configure the Broad ring deadline to ensure all non-critical patches are installed within 14 days of release. In the Intune admin center, navigate to Windows updates > Update rings and verify the Quality update deferral for the Broad ring is set to 7 days with a deadline of 7 additional days (14 days total from release).[1]

  4. For Microsoft 365 Apps, configure the update channel to Monthly Enterprise Channel via Intune Settings Catalog (Microsoft Office > Update channel = Monthly Enterprise Channel). This ensures priority application patches are available within 4 weeks of Patch Tuesday at most, meeting the two-week requirement for most releases.[1]

  5. For Edge browser, configure the update policy in Intune Settings Catalog (Microsoft Edge Update > Update policy) to Always allow updates on the Stable channel. Verify via Defender Vulnerability Management that deployed Edge versions match the current stable release.[1]

  6. For third-party priority applications (Adobe, security products): use the Intune Enterprise App Catalogue for supported apps, or package updates using the Win32 Content Prep Tool (.intunewin) and deploy as required applications with a deadline of 14 days from CVE publication date.[1]

  7. Use Defender Vulnerability Management (Defender portal > Exposure management > Vulnerability management > Vulnerabilities) filtered by severity = Medium/High and component = priority apps to verify patch coverage fortnightly and confirm compliance with the two-week requirement.
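The fortnightly verification in step 7 is easier to repeat (and to evidence) as a script than as a portal filter. The PowerShell below is an added example, not code from this guide, from the ASD Blueprint or from Microsoft: it takes rows of the kind the Vulnerabilities view exports, keeps only priority applications, assigns each finding the two-week window (or the 48-hour window for critical or exploited findings, which fall outside this control) and flags anything still exposed past its deadline. The column names (`CveId`, `Severity`, `SoftwareName`, `PublishedOn`, `ExposedDevices`, `HasExploit`), the product names in `$priorityApps` and the sample rows are all constructed assumptions; map them to your tenant's real export before use.

```powershell
# Added example (not the guide's, ASD's or Microsoft's code): evaluate a Defender
# Vulnerability Management export against the ISM-1901 two-week window.
# Column names are assumptions about the export; align them with your CSV header row.

# Constructed sample rows standing in for an exported CSV (CVE ids are placeholders).
$sampleCsv = @'
CveId,Severity,SoftwareName,PublishedOn,ExposedDevices,HasExploit
CVE-EXAMPLE-0001,High,Acrobat Reader DC,2025-06-03,42,No
CVE-EXAMPLE-0002,Medium,Microsoft Edge,2025-06-20,10,No
CVE-EXAMPLE-0003,Critical,Microsoft 365 Apps,2025-06-25,200,Yes
CVE-EXAMPLE-0004,Medium,Windows 11,2025-05-01,15,No
CVE-EXAMPLE-0005,High,7-Zip,2025-06-10,0,No
'@

# Priority applications in scope for ISM-1901, as named in the software inventory.
# Assumed names: adjust to the exact product names Defender reports in your tenant.
$priorityApps = @('Microsoft 365 Apps', 'Microsoft Edge', 'Acrobat Reader DC', 'Acrobat DC',
                  'Microsoft Defender', '7-Zip', 'VLC media player')

function Get-PatchSlaStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Findings,
        [Parameter(Mandatory)] [datetime] $AsOf
    )
    foreach ($f in $Findings) {
        # Operating system findings are outside this control's application scope.
        if ($priorityApps -notcontains $f.SoftwareName) { continue }

        # Critical or exploited vulnerabilities belong to the 48-hour timeline,
        # not the two-week window this control describes.
        $urgent   = ($f.Severity -eq 'Critical') -or ($f.HasExploit -eq 'Yes')
        $slaDays  = if ($urgent) { 2 } else { 14 }
        $released = [datetime]::ParseExact($f.PublishedOn, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        $ageDays  = ($AsOf - $released).Days
        $exposed  = [int]$f.ExposedDevices

        [pscustomobject]@{
            CveId          = $f.CveId
            Software       = $f.SoftwareName
            Severity       = $f.Severity
            Timeline       = if ($urgent) { '48 hours' } else { 'Two weeks' }
            AgeDays        = $ageDays
            ExposedDevices = $exposed
            # A finding with no exposed devices is already remediated, however old it is.
            Status         = if ($exposed -gt 0 -and $ageDays -gt $slaDays) { 'OVERDUE' } else { 'Within SLA' }
        }
    }
}

# Evaluate the constructed sample as at 30 June 2025. For a real export, replace the
# here-string with: $findings = Import-Csv .\vulnerabilities.csv
$findings = $sampleCsv | ConvertFrom-Csv
Get-PatchSlaStatus -Findings $findings -AsOf ([datetime]'2025-06-30') |
    Sort-Object Status, AgeDays -Descending |
    Format-Table -AutoSize
```

On the sample data the Windows 11 row is skipped as out of scope, the 7-Zip finding is old but counts as within SLA because no device is still exposed, and the Acrobat Reader and Microsoft 365 Apps findings are reported as overdue against their respective windows. Keeping the scope list and the deadline rule in one function means the same script can be scheduled and its output retained as evidence for the fortnightly check.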

Apply vendor mitigations for Adobe Acrobat using custom ADMX via Intune

The ISM-1901 requirement covers “patches, updates or other vendor mitigations” — meaning that when a patch has not yet been applied (e.g., one still progressing through deployment rings), configuration-based vendor mitigations can satisfy the intent for lower-severity vulnerabilities. Adobe’s FeatureLockDown security settings represent exactly this class of vendor mitigation: they eliminate entire vulnerability categories (JavaScript engine exploits, sandbox escapes, external resource injection) independently of whether a specific CVE patch has landed.

Configuring these settings via Adobe’s ADMX templates imported into Intune provides a policy-managed, auditable mitigation layer that complements patch deployment rather than replacing it.[3][4]

Adobe FeatureLockDown settings as vendor mitigations for known PDF vulnerability classes:

| Vulnerability class | Corresponding Adobe vendor mitigation | ADMX setting | Value |
|---|---|---|---|
| JavaScript-based code execution (e.g., CVE-type: pdf-js) | Disable the Acrobat JavaScript engine entirely | Allow JavaScript (bEnableJS) | 0 |
| Parser sandbox escape | Enforce Protected Mode (low-privilege sandbox process) | Protected Mode (bProtectedMode) | 1 |
| Untrusted-document script execution | Protected View for all files | Protected View (iProtectedView) | 2 |
| UNC path / temp file traversal | Enhanced Security standalone | Enhanced Security standalone (bEnhancedSecurityStandalone) | 1 |
| In-browser PDF exploit bypass | Enhanced Security browser mode | Enhanced Security browser (bEnhancedSecurityInBrowser) | 1 |
| DNS rebinding / SSRF via embedded URL | Block all hyperlink internet access | Hyperlink Internet access (bDisableHyperlink) | 1 |
| Unmanaged feature additions between patches | Disable in-app Adobe update mechanism | Adobe Reader Product Updates | Disabled |

> [!NOTE] These mitigations do not replace patching. They reduce the exploitability of yet-to-be-patched vulnerabilities by eliminating the attack primitives those vulnerabilities typically rely on. Under ISM-1901, both the patch (applied within two weeks) and the interim mitigation (applied immediately) are relevant controls.

Step 1 — Download and import the Adobe ADMX template into Intune:

  1. Download the ADMX template package from the Adobe Acrobat Enterprise Toolkit.
  2. In the Microsoft Intune admin center, navigate to Devices > Manage devices > Configuration > Import ADMX tab.
  3. Select Import, upload AcrobatReaderDC.admx (or AcrobatDC.admx for Acrobat Pro), then upload the matching AcrobatReaderDC.adml language file.
  4. Confirm the import status shows Available before creating a policy.[3]

> [!NOTE] Reader DC writes policies to HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown. Acrobat Pro DC uses HKLM\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown. Deploy the ADMX matching the installed product.

Step 2 — Create a vendor mitigation policy:

  1. Navigate to Devices > Manage devices > Configuration > + Create policy.
  2. Set Platform to Windows 10 and later and Profile type to Imported Administrative Templates (Preview).
  3. Name the profile (e.g., Adobe Acrobat DC — Vendor Mitigations) and configure each setting from the table above.
  4. Assign to all device groups that have Adobe Reader or Acrobat Pro deployed.[3]

Alternative: Direct registry OMA-URI for any setting not exposed in the ADMX UI:

| Setting | OMA-URI (Reader DC) | Data type | Value |
|---|---|---|---|
| Disable JavaScript | ./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bEnableJS | Integer | 0 |
| Enable Protected Mode | ./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bProtectedMode | Integer | 1 |
| Protected View — All files | ./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/iProtectedView | Integer | 2 |
| Enhanced Security (standalone) | ./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bEnhancedSecurityStandalone | Integer | 1 |
| Enhanced Security (browser) | ./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bEnhancedSecurityInBrowser | Integer | 1 |
| Block hyperlink internet access | ./Device/Vendor/MSFT/Registry/HKLM/SOFTWARE/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bDisableHyperlink | Integer | 1 |

> [!IMPORTANT] Replace Acrobat Reader/DC with Adobe Acrobat/DC in each path when targeting Acrobat Pro DC. Verify applied values on a test device under HKLM\SOFTWARE\Policies\Adobe\...\FeatureLockDown using Registry Editor.[4]

Apply vendor mitigations for the Edge built-in PDF viewer via Intune Settings Catalog

For organisations using Microsoft Edge as the primary PDF viewer, equivalent vendor mitigations are applied through Edge’s native ADMX policies in the Intune Settings Catalog — no template import required. These settings reduce the attack surface exposed by PDF-related vulnerabilities in Edge’s built-in viewer between Stable channel update cycles.

| Edge PDF policy | Vulnerability class mitigated | Recommended value | Settings Catalog path |
|---|---|---|---|
| PDFSecureMode | Sandbox escape; unsigned content execution; cert forgery | Enabled | Microsoft Edge > PDF Reader > Secure mode |
| NewPDFReaderEnabled | Adds Adobe Acrobat rendering engine sandbox layer | Enabled | Microsoft Edge > PDF Reader > New PDF reader |
| AlwaysOpenPdfExternally | Keeps PDFs in sandboxed browser viewer rather than unmanaged external process | Disabled | Microsoft Edge > PDF Reader > Always open externally |
| PDFXFAEnabled | Disables XFA (legacy forms attack surface rarely used in Australian Government) | Disabled | Microsoft Edge > PDF Reader > XFA support |

To configure in Intune:

  1. Navigate to Devices > Manage devices > Configuration > + Create policy.
  2. Set Platform to Windows 10 and later and Profile type to Settings Catalog.
  3. In the settings picker, search Microsoft Edge and filter by PDF Reader.
  4. Add and configure each policy from the table above.
  5. Assign to the same device groups as your Edge baseline policy.[5]
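Both the Adobe section (which asks for the FeatureLockDown values to be verified on a test device in Registry Editor) and this Edge section end with policy values that should be confirmed rather than assumed. The PowerShell below is an added example serving both; it is not code from this guide, Adobe or Microsoft. It reads the Reader DC FeatureLockDown key quoted above (or the Acrobat Pro DC key, via the `-AcrobatPro` switch, using the same path substitution the [!IMPORTANT] note describes) and the Edge policy key, and reports each expected value as PASS or FAIL. The Adobe values come from the ADMX and OMA-URI tables. The Edge key `HKLM\SOFTWARE\Policies\Microsoft\Edge`, with Enabled stored as 1 and Disabled as 0, is not stated on this page; it is the standard location Edge ADMX and Settings Catalog policies are written to. The ADMX "Adobe Reader Product Updates" setting is left out because the page does not give its registry value name.

```powershell
# Added example (not the guide's, Adobe's or Microsoft's code): compare the vendor
# mitigation values actually present on a test device with the values the tables expect.
# Adobe keys are the ones the guide quotes. The Edge policy key below is the standard
# location for Edge policy (not stated on the page); Enabled = 1, Disabled = 0.
# Run in an elevated PowerShell session on the test device.

$readerKey = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$edgeKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

$expected = @(
    # Adobe FeatureLockDown values from the ADMX / OMA-URI tables
    @{ Key = $readerKey; Name = 'bEnableJS';                   Value = 0 }
    @{ Key = $readerKey; Name = 'bProtectedMode';              Value = 1 }
    @{ Key = $readerKey; Name = 'iProtectedView';              Value = 2 }
    @{ Key = $readerKey; Name = 'bEnhancedSecurityStandalone'; Value = 1 }
    @{ Key = $readerKey; Name = 'bEnhancedSecurityInBrowser';  Value = 1 }
    @{ Key = $readerKey; Name = 'bDisableHyperlink';           Value = 1 }
    # Edge built-in PDF viewer policies from the Settings Catalog table
    @{ Key = $edgeKey;   Name = 'PDFSecureMode';               Value = 1 }
    @{ Key = $edgeKey;   Name = 'NewPDFReaderEnabled';         Value = 1 }
    @{ Key = $edgeKey;   Name = 'AlwaysOpenPdfExternally';     Value = 0 }
    @{ Key = $edgeKey;   Name = 'PDFXFAEnabled';               Value = 0 }
)

function Test-VendorMitigation {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Expected,
        # Acrobat Pro DC stores FeatureLockDown under 'Adobe Acrobat\DC' instead of 'Acrobat Reader\DC'
        [switch] $AcrobatPro
    )
    foreach ($e in $Expected) {
        $key = $e.Key
        if ($AcrobatPro) { $key = $key -replace 'Acrobat Reader\\DC', 'Adobe Acrobat\DC' }

        # A missing key or missing value is a FAIL: the policy never reached the device.
        $actual = $null
        if (Test-Path -LiteralPath $key) {
            $actual = (Get-ItemProperty -LiteralPath $key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }

        [pscustomobject]@{
            Key      = $key
            Setting  = $e.Name
            Expected = $e.Value
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Result   = if ($null -ne $actual -and [int]$actual -eq $e.Value) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Reader DC and Edge on the same device; add -AcrobatPro on devices running Acrobat Pro DC.
$results = Test-VendorMitigation -Expected $expected
$results | Format-Table Setting, Expected, Actual, Result -AutoSize
if ($results.Result -contains 'FAIL') {
    Write-Warning 'One or more vendor mitigations are not applied on this device.'
}
```

A value that is absent is reported as FAIL rather than skipped, which is the case that matters most in practice: a profile that was created but never assigned, or assigned to the wrong group, leaves the key untouched and the mitigation silently missing. Running this on one device from each assignment group after the profiles deploy gives direct evidence that the interim mitigation is in place while patches progress through the rings.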