🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings


Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

| Property | Value |
|---|---|
| ISM Control | ISM-1902 |
| Revision | 0 |
| Updated | Dec-23 |
| Guideline | Not provided |
| Section | System patching |
| Topic | Mitigating known vulnerabilities |
| Essential Eight | ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

Enforces a monthly cadence for applying non-critical operating system updates on Intune-enrolled workstations (Windows 10/11) and eligible Windows Server 2025 devices by deploying patches through Windows Autopatch, ensuring mitigation within one month of release when no working exploits exist.[1][2]

[!NOTE] Windows Autopatch applies to Intune-enrolled Windows 10/11 Enterprise/Education workstations and Windows Server 2025 (Intune-managed) only. For non-internet-facing Windows Servers (2016/2019/2022), use WSUS + Group Policy (on-premises) or Azure Update Manager (Azure VMs / Arc-connected servers) to meet the one-month non-critical patching cadence. Network devices follow vendor-specific update procedures.

Justification

Non-internet-facing workstations, servers, and network devices present a lower immediate exploitation risk than internet-facing systems, but they remain critical targets for lateral movement once an attacker has established initial access. A one-month remediation window for non-critical vulnerabilities provides sufficient operational flexibility for organisations to test patches in lower environments (Test/First rings) and manage restart scheduling for business-critical systems.

Windows Autopatch’s four-ring deployment model (Test → First → Fast → Broad) was explicitly designed to spread patch risk across the device fleet while ensuring the Broad ring (representing the majority of devices) receives patches within the one-month window. The Broad ring default deadline of 21 days from release comfortably satisfies the one-month requirement.

Hotpatch (available for Windows 11 24H2+ and Windows Server 2025 on Intune-managed devices) enables kernel-level security patches to be applied without a device restart on eligible months, dramatically reducing the operational disruption of monthly patching for server workloads — removing the traditional barrier to timely patch application for non-internet-facing servers.

| Device category | Autopatch ring | Deferral | Effective patch date |
|---|---|---|---|
| Test VMs / pilot devices | Test ring | 0 days | Patch Tuesday + 1 day |
| IT staff devices | First ring | 1 day | Patch Tuesday + 2 days |
| Standard workstations | Fast ring | 6 days | Patch Tuesday + 7 days |
| PAW / service accounts | Broad ring | 9 days + 7d deadline | Patch Tuesday + ~21 days |
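The ring table translates into concrete dates once Patch Tuesday for a given month is known. The following PowerShell is an added example (not code from this guide or from Microsoft): it derives Patch Tuesday, applies the per-ring offsets from the table above, and classifies each device against both its ring's expected date and the one-month ISM-1902 limit. The device list is constructed sample data, and the one-month window is taken as one calendar month after release.

```powershell
# Added example (not from the Essential 8 Guide): compute each Autopatch ring's expected patch
# date from Patch Tuesday and flag devices whose last quality update falls outside the one-month
# window ISM-1902 allows. Ring offsets mirror the table above; the device list is constructed data.

function Get-PatchTuesday {
    param([int]$Year, [int]$Month)
    # Patch Tuesday is the second Tuesday of the month.
    $first  = Get-Date -Year $Year -Month $Month -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

# Days after Patch Tuesday by which each ring is expected to have installed (from the table above).
$RingOffsetDays = @{ Test = 1; First = 2; Fast = 7; Broad = 21 }

function Test-PatchWindow {
    param(
        [int]$Year, [int]$Month,
        [object[]]$Devices,
        [datetime]$AsOf = (Get-Date)
    )
    $release = Get-PatchTuesday -Year $Year -Month $Month
    $limit   = $release.AddMonths(1)    # assumption: "within one month of release" = one calendar month
    foreach ($d in $Devices) {
        $expected  = $release.AddDays($RingOffsetDays[$d.Ring])
        $installed = if ($d.LastQualityUpdate) { [datetime]$d.LastQualityUpdate } else { $null }
        $status = if ($installed -and $installed -le $expected)  { 'OnSchedule' }
                  elseif ($installed -and $installed -le $limit) { 'LateButCompliant' }
                  elseif (-not $installed -and $AsOf -le $limit) { 'Pending' }
                  else                                           { 'NonCompliant' }
        [pscustomobject]@{
            Device      = $d.Name
            Ring        = $d.Ring
            ExpectedBy  = $expected.ToString('yyyy-MM-dd')
            Deadline    = $limit.ToString('yyyy-MM-dd')
            LastInstall = $d.LastQualityUpdate
            Status      = $status
        }
    }
}

# Constructed sample fleet for November 2025 (Patch Tuesday = 2025-11-11).
$fleet = @(
    @{ Name = 'PAW-003';  Ring = 'Test';  LastQualityUpdate = '2025-11-12' }   # OnSchedule
    @{ Name = 'WKS-001';  Ring = 'Fast';  LastQualityUpdate = '2025-11-17' }   # OnSchedule (expected by 11-18)
    @{ Name = 'SRV25-01'; Ring = 'Broad'; LastQualityUpdate = '2025-12-05' }   # LateButCompliant (expected 12-02, limit 12-11)
    @{ Name = 'WKS-042';  Ring = 'Broad'; LastQualityUpdate = $null }          # NonCompliant as of 2025-12-20
)

Test-PatchWindow -Year 2025 -Month 11 -Devices $fleet -AsOf ([datetime]'2025-12-20') |
    Format-Table -AutoSize
```

In practice the `$fleet` array would be built from an Intune device export (last quality update timestamp and ring group membership) rather than typed in; the `LateButCompliant` status is the useful signal, since it shows devices that still meet ISM-1902 but have slipped past the ring deadline the table promises.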

[!NOTE] Windows Server (2016/2019/2022) is not supported by Windows Autopatch. For these servers, configure equivalent patch deadline rings using WSUS Automatic Approval Rules (on-premises) or Azure Update Manager Maintenance Configurations (Azure/Arc). Target the same cadence: patch within 21–30 days of Patch Tuesday. Windows Server 2025 enrolled in Intune is eligible for Autopatch and Hotpatch — place these in the Broad ring or a dedicated server group.

For non-internet-facing network devices (routers, switches, firewalls) not managed by Intune, the one-month requirement is met through the organisation’s network device change management process, using vendor-specific update mechanisms and verified against Defender Vulnerability Management’s network device discovery inventory.

Design Decision

[!NOTE] Windows Autopatch (via Intune) will be used to maintain a monthly patch cadence for non-critical OS updates on Intune-enrolled workstations (Windows 10/11 Enterprise/Education) and Windows Server 2025 devices enrolled in Intune.

For non-internet-facing Windows Servers (2016/2019/2022), apply non-critical OS patches within one month using one of the following tools:

  • WSUS + Group Policy — configure an Automatic Approval Rule for Security/Critical update classifications with a deadline of 21 days
  • Azure Update Manager — configure a Maintenance Configuration with a monthly schedule window and an end-time before the one-month deadline

For non-internet-facing network devices, apply vendor firmware updates within one month of release using the vendor-specific update process, verified against the Defender Vulnerability Management network device inventory.

Prerequisites

Implementation Steps

Enable Hotpatch updates with Intune Windows quality update policy

  1. In the Intune admin center, go to Devices from the left navigation menu.[1]
  2. Under the Manage updates section, select Windows updates.[1]
  3. Go to the Quality updates tab.[1]
  4. Select Create, and select Windows quality update policy.[1]
  5. Under Basics, enter a name for the new policy and select Next. The policy to be created is the Windows quality update policy.[1]
  6. Under Settings, ensure that the option “When available, apply without restarting the device ("Hotpatch")” is set to Allow. Then, select Next. Note that hotpatch updates do not alter existing deadline-driven or scheduled install configurations.[1]
  7. Select the appropriate Scope tags or leave as Default. Then, select Next.[1]
  8. Assign the devices to the policy and select Next. You can target specific device groups as needed.[1]
  9. Review the policy and select Create. The policy will enable hotpatch deployment for eligible devices.[1]
  10. You can also Edit an existing Windows quality update policy and set “When available, apply without restarting the device ("Hotpatch")” to Allow.[1]
  11. Targeting and enforcement will apply to devices according to the policy configuration, with ineligible devices receiving the LCUs as applicable.[1]

[!NOTE] Turning on Hotpatch updates doesn’t change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply. See the referenced guidance for details.[1]
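The same policy can be created and verified from a script, which is useful when the setting must be enforced consistently across tenants or re-checked during an audit. The block below is an added example and is not code from this guide or from Microsoft. It assumes the Microsoft Graph beta resource `deviceManagement/windowsQualityUpdatePolicies` with its `hotpatchEnabled` property and `assign` action (the beta surface can change), the Microsoft.Graph.Authentication module, and a placeholder group ID.

```powershell
# Added example (not from the Essential 8 Guide): create an Intune Windows quality update policy
# with Hotpatch allowed through Microsoft Graph (beta), assign it to a device group, then read it
# back to confirm the setting. Assumptions: the beta windowsQualityUpdatePolicies resource and its
# hotpatchEnabled property; $groupId is a placeholder to replace with the real device group.

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder: target device group object ID
$base    = 'https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdatePolicies'

# 1. Create the policy with "apply without restarting (Hotpatch)" allowed.
$policy = @{
    '@odata.type'   = '#microsoft.graph.windowsQualityUpdatePolicy'
    displayName     = 'ISM-1902 Quality updates - Hotpatch allowed'
    description     = 'Monthly non-critical OS quality updates; hotpatch where the device is eligible'
    hotpatchEnabled = $true
    roleScopeTagIds = @('0')                          # Default scope tag
}
$created = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# 2. Assign the policy to the device group (ineligible devices still receive the LCU normally).
$assignment = @{
    assignments = @(
        @{
            '@odata.type' = '#microsoft.graph.windowsQualityUpdatePolicyAssignment'
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# 3. Verify: a policy that silently reverted to "Not allowed" would defeat the design decision.
$check = Invoke-MgGraphRequest -Method GET -Uri "$base/$($created.id)"
if (-not $check.hotpatchEnabled) {
    throw "Hotpatch is not allowed on policy '$($check.displayName)' ($($check.id))"
}
"Policy '$($check.displayName)' created with hotpatchEnabled = $($check.hotpatchEnabled)"
```

The read-back in step 3 is the part worth keeping in a scheduled compliance job: looping over every policy returned by a GET on the collection and reporting any with `hotpatchEnabled` false gives an ongoing check that the Hotpatch setting has not drifted.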

Patch non-internet-facing Windows Servers (2016/2019/2022) within one month — WSUS approach

For on-premises domain-joined servers not eligible for Intune/Autopatch management, use WSUS with Group Policy to enforce a maximum 21-day install deadline:

  1. In the WSUS Administration Console, go to Options → Automatic Approvals.
  2. Click New Rule. Name it Monthly Non-Critical — Servers.
  3. Set Rule properties:
    • When an update is in the following classifications: Security Updates, Critical Updates
    • Set the deadline to 21 days from approval.
  4. Add the server computer groups that correspond to non-internet-facing server rings.
  5. Click OK and run the rule immediately against existing updates.
  6. Create a Group Policy Object linked to the server OUs with the following settings under Computer Configuration → Administrative Templates → Windows Components → Windows Update:
    • Configure Automatic Updates: 4 – Auto download and schedule the install
    • Specify intranet Microsoft update service location: Point to the WSUS server URL.
    • No auto-restart with logged on users: Disabled (allow forced restart for servers with no interactive sessions, or set a maintenance window).
  7. Run gpupdate /force on a test server to confirm policy application, then verify compliance in the WSUS reports view.
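The approval rule and the Group Policy check above can both be scripted, which makes the 21-day deadline reproducible across WSUS instances and gives step 7 a concrete pass/fail test. The block below is an added example, not code from this guide or from Microsoft. It uses the WSUS administration .NET API exposed by the UpdateServices module (run on the WSUS server for the first part) and reads the well-known Windows Update policy registry values on a target server for the second part; the computer target group names and the WSUS URL are placeholders.

```powershell
# Added example (not from the Essential 8 Guide). Part 1 runs on the WSUS server and creates the
# "Monthly Non-Critical - Servers" automatic approval rule with a 21-day deadline using the WSUS
# administration API. Part 2 runs on a patched server after gpupdate /force and checks that the GPO
# Windows Update settings landed in the registry. Group names and the WSUS URL are placeholders.

# ---- Part 1: WSUS automatic approval rule ----
Import-Module UpdateServices
$wsus = Get-WsusServer                       # local WSUS server; use -Name/-PortNumber for a remote one

$rule = $wsus.CreateInstallApprovalRule('Monthly Non-Critical - Servers')

# Classifications: Security Updates and Critical Updates
$classifications = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object { $_.Title -in 'Security Updates', 'Critical Updates' } |
    ForEach-Object { [void]$classifications.Add($_) }
$rule.SetUpdateClassifications($classifications)

# Computer target groups for the non-internet-facing server rings (placeholder names)
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
$wsus.GetComputerTargetGroups() |
    Where-Object { $_.Name -in 'Servers-Ring1', 'Servers-Ring2' } |
    ForEach-Object { [void]$groups.Add($_) }
$rule.SetComputerTargetGroups($groups)

# Deadline: 21 days after approval, at 03:00 local time
$deadline = New-Object Microsoft.UpdateServices.Administration.AutomaticUpdateApprovalDeadline
$deadline.DayOffset           = 21
$deadline.MinutesAfterMidnight = 180
$rule.Deadline = $deadline

$rule.Enabled = $true
$rule.Save()
$rule.ApplyRule()                            # run immediately against already-synchronised updates

# ---- Part 2: verify the GPO on a target server ----
function Test-WsusPolicy {
    param([string]$ExpectedWsusUrl)
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    $checks = @(
        @{ Name = 'WUServer';                      Path = $wu; Expected = $ExpectedWsusUrl }
        @{ Name = 'WUStatusServer';                Path = $wu; Expected = $ExpectedWsusUrl }
        @{ Name = 'UseWUServer';                   Path = $au; Expected = 1 }   # intranet update service in use
        @{ Name = 'AUOptions';                     Path = $au; Expected = 4 }   # 4 = auto download and schedule install
        @{ Name = 'NoAutoRebootWithLoggedOnUsers'; Path = $au; Expected = 0 }   # policy Disabled -> forced restart allowed
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting  = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Pass     = ($null -ne $actual -and "$actual" -eq "$($c.Expected)")
        }
    }
}

Test-WsusPolicy -ExpectedWsusUrl 'http://wsus.example.internal:8530' | Format-Table -AutoSize
```

A missing `WUServer` value (reported as `Actual` empty) usually means the GPO is not linked to the server's OU or has not refreshed yet; an `AUOptions` other than 4 means the server will download but not schedule the install, so the WSUS deadline becomes the only thing driving it.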

Patch non-internet-facing Azure VMs and Arc-connected servers within one month — Azure Update Manager approach

  1. In the Azure portal, navigate to Azure Update Manager.
  2. Select Maintenance Configurations → Create.
  3. Configure the maintenance window:
    • Schedule: Weekly or monthly recurring; set the maintenance window to last Saturday of the month (or equivalent date before the 28-day point).
    • Duration: 3–4 hours.
    • OS updates: Include Security and Critical update classifications.
  4. Under Machines, add the Azure VM or Arc-connected server resource groups containing non-internet-facing servers.
  5. Set Reboot setting to IfRequired to allow restarts during the maintenance window.
  6. Save the configuration. Azure Update Manager will schedule and apply qualifying updates during the window and will not restart servers outside it.
  7. After each maintenance window, review the Update compliance view in Azure Update Manager and confirm that all servers show Compliant status within the one-month deadline.
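The same maintenance configuration can be created with the Az.Maintenance module, which makes the monthly window easy to reproduce in each subscription. The block below is an added example, not code from this guide or from Microsoft. It assumes the `New-AzMaintenanceConfiguration` and `New-AzConfigurationAssignment` cmdlets with the parameters shown, that `'Month Last Saturday'` is an accepted `-RecurEvery` value, and placeholder resource group, VM and Arc machine names.

```powershell
# Added example (not from the Essential 8 Guide): create the monthly Azure Update Manager maintenance
# configuration described above and assign an Azure VM and an Arc-connected server to it.
# Assumptions: Az.Maintenance module; 'Month Last Saturday' accepted by -RecurEvery; placeholder
# resource group, VM and Arc machine names; timezone and start date chosen for an Australian tenant.

Import-Module Az.Maintenance
Connect-AzAccount

$rg       = 'rg-patch-mgmt'        # placeholder resource group holding the maintenance configuration
$location = 'australiaeast'

# Monthly window: last Saturday, 02:00-05:55 AEST, Security + Critical, restart only if required.
$config = New-AzMaintenanceConfiguration `
    -ResourceGroupName $rg `
    -Name 'mc-nonif-servers-monthly' `
    -MaintenanceScope 'InGuestPatch' `
    -Location $location `
    -StartDateTime '2025-11-29 02:00' `
    -TimeZone 'AUS Eastern Standard Time' `
    -Duration '03:55' `
    -RecurEvery 'Month Last Saturday' `
    -WindowParameterClassificationToInclude 'Critical', 'Security' `
    -InstallPatchRebootSetting 'IfRequired' `
    -ExtensionProperty @{ 'InGuestPatchMode' = 'User' }

# Assign an Azure VM (placeholder name) to the window.
New-AzConfigurationAssignment `
    -ResourceGroupName $rg `
    -Location $location `
    -ResourceName 'vm-app-01' `
    -ResourceType 'VirtualMachines' `
    -ProviderName 'Microsoft.Compute' `
    -ConfigurationAssignmentName 'mc-nonif-servers-monthly-vm-app-01' `
    -MaintenanceConfigurationId $config.Id

# Assign an Arc-connected on-premises server (placeholder name) to the same window.
New-AzConfigurationAssignment `
    -ResourceGroupName $rg `
    -Location $location `
    -ResourceName 'arc-fileserver-01' `
    -ResourceType 'machines' `
    -ProviderName 'Microsoft.HybridCompute' `
    -ConfigurationAssignmentName 'mc-nonif-servers-monthly-arc-fileserver-01' `
    -MaintenanceConfigurationId $config.Id

# Sanity check: the window must sit inside the one-month limit after Patch Tuesday. The last Saturday
# of a month is at most 19 days after the second Tuesday, so this cadence always satisfies ISM-1902.
$start = [datetime]$config.StartDateTime
"Maintenance window '$($config.Name)' first runs $($start.ToString('yyyy-MM-dd HH:mm')) ($($config.RecurEvery))"
```

Azure VMs must be set to the `AutomaticByPlatform` patch mode with the bypass-platform-safety-checks-on-user-schedule option before a customer-managed schedule applies to them; if a server shows `Not compliant` in the Update compliance view after the window, that VM setting is the first thing to verify.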