This table outlines the ISM controls related to patching operating systems.
ISM control Sep 2024 | Maturity Level | Control | Measure |
---|---|---|---|
ISM-1694 | 1, 2, 3 | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as noncritical by vendors and no working exploits exist. | Using Windows Update for Business and defined update rings, the patches are installed within 2 weeks of release. |
ISM-1695 | 1, 2 | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release. | IT administrators deploy updates with a deadline configuration of the desired date in Microsoft Configuration Manager |
ISM-1696 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | IT administrators deploy updates with a deadline configuration of As soon as Possible in Microsoft Configuration Manager |
ISM-1701 | 1, 2, 3 | A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices. | Devices onboarded to Defender for Endpoint. Microsoft Defender Vulnerability Management will continuously monitor and detect risk across an organization’s devices. |
ISM-1702 | 1, 2, 3 | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices. | IT admin configures the Software Update feature of Configuration Manager to run a scan for missing patches on system at least once every 14 days. |
ISM-1877 | 1, 2, 3 | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | Using Windows Update for Business expedited patch deployment method, the patches are installed within 48 hours. |
ISM-1501 | 1, 2, 3 | Operating systems that are no longer supported by vendors are replaced. | Using the defined Rings, WUfB will automatically update devices to the latest feature update. |
ISM-1879 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | IT administrators approve the mitigating driver version in an Intune Windows driver update policy (or use an automatic-approval policy) so that devices receive it at the next policy sync. |
ISM-1900 | 3 | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware. | Devices will be onboarded to Defender for Endpoint. Microsoft Defender Vulnerability Management will continuously monitor and detect risk across an organization’s devices. |
ISM-1902 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as noncritical by vendors and no working exploits exist. | IT administrators deploy updates with a deadline configuration of the desired date in Microsoft Configuration Manager. |
ISM-1903 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | Intune’s Drivers and Firmware deployment method deploys the latest secure Drivers and Firmware version. |
ISM-1904 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as noncritical by vendors and no working exploits exist. | Intune’s Drivers and Firmware deployment method will be used to deploy the latest secure Drivers and Firmware version. |
ISM-1697 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as noncritical by vendors and no working exploits exist. | Intune's Driver and Firmware deployment method is used to patch the vulnerabilities in drivers and firmware. |
ISM-1703 | 3 | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers. | Devices will be onboarded to Defender for Endpoint. Microsoft Defender Vulnerability Management will continuously monitor and detect risk across an organization’s devices. |
ISM-1704¹ | 1, 2, 3 | Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. | Intune Application deployment method is used to remove unsupported applications and extensions². |
ISM-1807¹ | 1, 2, 3 | An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities. | Use a scanner to perform asset discovery and maintain an asset inventory². |
ISM-1808¹ | 1, 2, 3 | A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. | DVM's vulnerability database is continuously updated as Microsoft and others discover vulnerabilities in software installed on your network². |
Note
¹ These controls cover both Patch Applications and Patch Operating Systems within the Essential Eight.
² For details on how to implement these controls, see the Patch Applications section.
Windows Update for Business (WUfB) enables IT administrators to keep their organization’s Windows devices up to date with the latest security and quality updates and Windows features by directly connecting these endpoints to Windows Update. IT administrators can use the integration between Microsoft Intune and WUfB to configure update settings on devices and configure the deferral of update installation.
Windows Update for Business provides management policies for several types of updates:
WUfB has the concept of Rings. A Ring is a collection of WUfB settings and policies targeted at a specific group of devices. Organizations can use as many Rings as required, although most organizations have settled on fewer Rings than they previously used with other patching tools such as Microsoft Endpoint Configuration Manager. A recommended number of Rings to start with is between 3 and 5.
WUfB introduces some concepts and terminology that administrators may not be familiar with. The following table illustrates how the deadline and grace period values combine to determine when an update is force-installed and when the device is force-restarted:
Deadline Value | Grace Period Value | Forced Update Installation Time | Forced Reboot |
---|---|---|---|
0 | 0 | Immediately after detection | Immediately after installation |
2 | 2 | 2 days after detection | 2 days after update installation |
The following is a sample WUfB Ring configuration with 5 Rings in total. For each Ring, the recommended deferral, deadline, and grace period are listed. The complete configuration for each Ring has been provided for ease of reference.
Organizations should configure a ‘Ring 0’, comprised of dedicated testing devices.
These devices receive updates without any delay. Administrators use these devices, running the latest updates, to perform an initial validation that critical applications and functionality still work as expected.
Quality Update Deferral | Feature Update Deferral | Deadline Value | Grace Period Value | Forced Quality Update Installation Time | Forced Reboot |
---|---|---|---|---|---|
0 | 0 | 0 | 0 | Immediately after release and detection | Immediately after forced update installation |
See Windows Update for Business Ring Configuration for the complete configuration for this Ring.
IT staff and selected early adopters comprise Ring 1, typically around 1% of total managed devices.
Apart from the initial testing with Ring 0, this Ring provides the first line of testing by users performing their day-to-day work to uncover any issues before an expanded number of devices receive the updates.
Quality Update Deferral | Feature Update Deferral | Deadline Value | Grace Period Value | Forced Quality Update Installation Time | Forced Reboot |
---|---|---|---|---|---|
2 | 10 | 2 | 2 | 4 days after quality update release and detection | 2 days after forced update installation |
See Windows Update for Business Ring Configuration for the complete configuration for this Ring.
Note
Exclude from this Ring any Privileged Access Workstations that would be used to troubleshoot and resolve issues should they occur. The Broad Ring (Ring 3) would be an appropriate Ring for these devices.
A random assortment of devices, comprising 9% of the organization's endpoints, should be added to Ring 2.
These devices are configured to receive updates 4 days after release, allowing for more testing by an increased number of users before broad deployment to the rest of the organization.
Quality Update Deferral | Feature Update Deferral | Deadline Value | Grace Period Value | Forced Quality Update Installation Time | Forced Reboot |
---|---|---|---|---|---|
4 | 30 | 2 | 2 | 6 days after quality update release and detection | 2 days after forced update installation |
See Windows Update for Business Ring Configuration for the complete configuration for this Ring.
All remaining devices should be configured to be part of Ring 3.
By this stage, organizations have the confidence that updates can be broadly installed across their devices. Ring 3 configures updates to be deferred by 7 days from release before being automatically installed.
Quality Update Deferral | Feature Update Deferral | Deadline Value | Grace Period Value | Forced Quality Update Installation Time | Forced Reboot |
---|---|---|---|---|---|
7 | 60 | 2 | 2 | 9 days after quality update release and detection | 2 days after forced update installation |
See Windows Update for Business Ring Configuration for the complete configuration for this Ring.
Some organizations have a small number of critical devices, for example devices that are used by executive staff.
For these types of devices, organizations may want to further defer the installation of both quality and feature updates to minimize any potential disruption. These devices would be part of Ring 4, specifically for these critical devices.
Quality Update Deferral | Feature Update Deferral | Deadline Value | Grace Period Value | Forced Quality Update Installation Time | Forced Reboot |
---|---|---|---|---|---|
10 | 90 | 2 | 2 | 12 days after quality update release and detection | 2 days after forced update installation |
See Windows Update for Business Ring Configuration in the appendix for the complete configuration for this Ring.
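The following PowerShell is an added example, not part of the original page or of any Microsoft tooling. It computes, for each Ring in the tables above, the worst-case day on which a quality update is force-installed and the device is force-restarted, and checks that day against the two-week window of ISM-1694. The Ring names and values are taken from this page and the 14-day window is the control text; the registry path used by `Get-EffectiveRingFromDevice` is an assumption about where MDM-delivered Policy CSP values land on a device, and the function should be run elevated on an Intune-managed device.

```powershell
# Added example (not part of the original page): worst-case install/restart day per
# WUfB Ring, checked against the ISM-1694 two-week window.

function Get-RingWorstCase {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $QualityDeferralDays,
        [Parameter(Mandatory)] [int]    $DeadlineDays,
        [Parameter(Mandatory)] [int]    $GracePeriodDays,
        [int] $IsmWindowDays = 14      # ISM-1694: non-critical OS patches within two weeks
    )
    # Deferral delays the offer; the deadline forces installation that many days after the
    # device detects the offered update; the grace period is the last chance to restart
    # voluntarily before the forced restart. Detection is assumed to happen on the day the
    # update is offered (an offline device pushes every figure out by the days it misses).
    $forcedInstall = $QualityDeferralDays + $DeadlineDays
    $forcedReboot  = $forcedInstall + $GracePeriodDays
    [pscustomobject]@{
        Ring             = $Name
        ForcedInstallDay = $forcedInstall
        ForcedRebootDay  = $forcedReboot
        MeetsIsm1694     = ($forcedReboot -le $IsmWindowDays)
        SlackDays        = $IsmWindowDays - $forcedReboot
    }
}

# Reads the effective Update policy values that Intune writes to a managed device, so the
# same check can be run against what a device actually received rather than the design.
function Get-EffectiveRingFromDevice {
    $path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'   # assumed location
    if (-not (Test-Path $path)) { throw "No MDM Update policy found at $path" }
    $p = Get-ItemProperty -Path $path
    foreach ($n in 'DeferQualityUpdatesPeriodInDays', 'ConfigureDeadlineForQualityUpdates', 'ConfigureDeadlineGracePeriod') {
        if ($null -eq $p.$n) { throw "Update/$n is not set on this device" }
    }
    Get-RingWorstCase -Name $env:COMPUTERNAME `
        -QualityDeferralDays $p.DeferQualityUpdatesPeriodInDays `
        -DeadlineDays        $p.ConfigureDeadlineForQualityUpdates `
        -GracePeriodDays     $p.ConfigureDeadlineGracePeriod
}

# The five Rings as configured on this page.
$rings = @(
    @{ Name = 'Ring 0 (test)';       QualityDeferralDays = 0;  DeadlineDays = 0; GracePeriodDays = 0 }
    @{ Name = 'Ring 1 (IT, early)';  QualityDeferralDays = 2;  DeadlineDays = 2; GracePeriodDays = 2 }
    @{ Name = 'Ring 2 (9 percent)';  QualityDeferralDays = 4;  DeadlineDays = 2; GracePeriodDays = 2 }
    @{ Name = 'Ring 3 (broad)';      QualityDeferralDays = 7;  DeadlineDays = 2; GracePeriodDays = 2 }
    @{ Name = 'Ring 4 (critical)';   QualityDeferralDays = 10; DeadlineDays = 2; GracePeriodDays = 2 }
)

$results = foreach ($r in $rings) { Get-RingWorstCase @r }
$results | Format-Table -AutoSize

$late = $results | Where-Object { -not $_.MeetsIsm1694 }
if ($late) { Write-Warning ('Rings exceeding the ISM-1694 window: ' + ($late.Ring -join ', ')) }
```

Ring 4 lands on day 14 with zero slack, so any deferral longer than the page recommends, or a device that is offline for a few days at release, takes the Ring outside ISM-1694. Only Ring 0 gets anywhere near the 48-hour window of ISM-1877; the Rings are a cadence for non-critical updates, and critical or exploited vulnerabilities need the expedite method described later on this page.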
ISM control Sep 2024 | Maturity Level | Control | Measure |
---|---|---|---|
1694 | 1, 2, 3 | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as noncritical by vendors and no working exploits exist. | Using Windows Update for Business and defined update rings, the patches are installed within 2 weeks of release. |
1501 | 1, 2, 3 | Operating systems that are no longer supported by vendors are replaced. | Using the defined Rings, WUfB will automatically update devices to the latest feature update. |
Intune provides the capability to expedite quality updates, speeding up the installation of quality updates, such as the most recent patch Tuesday release or an out-of-band security update for a zero-day flaw. To speed up installation, expedite updates uses available services, like Windows Push Notification Service (WNS) and push notification channels, to deliver the message to devices that there's an expedited update to install. This process enables devices to start the download and installation of an expedited update as soon as possible, without having to wait for the device to check in for updates.
To expedite quality updates:
Note
If the number of days to wait before a restart is enforced is set to 0, the device will immediately restart upon receiving the update. The user won't receive the option to delay the reboot.
ISM control Sep 2024 | Maturity Level | Control | Measure |
---|---|---|---|
1877 | 1, 2, 3 | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | Using Windows Update for Business expedited patch deployment method, the patches are installed within 48 hours. |
1879 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | IT administrators approve the mitigating driver version in an Intune Windows driver update policy (or use an automatic-approval policy) so that devices receive it at the next policy sync. |
Note
It's recommended to eventually remove the expedite quality update policy, usually once it's confirmed that the patch has been deployed to all devices, or once it has been superseded by the next month's updates.
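The following PowerShell is an added example, not part of the original page, showing the expedite workflow above end to end through Microsoft Graph: create an expedite quality update policy for a named release, assign it to the groups that must meet the 48-hour window of ISM-1877, and delete it once it has done its job. It assumes the Microsoft.Graph.Authentication module is installed, the signed-in account holds DeviceManagementConfiguration.ReadWrite.All, the `windowsQualityUpdateProfile` resource and its `expeditedUpdateSettings` properties are as documented in the Graph beta endpoint, and the release date and group ID are placeholders.

```powershell
# Added example (not part of the original page): expedite a quality update via Graph beta.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$profiles = 'https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdateProfiles'

function New-ExpeditePolicyBody {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [datetime] $ReleaseDate,          # the Patch Tuesday / out-of-band release to expedite
        [ValidateRange(0, 2)]  [int]      $DaysUntilForcedReboot = 1
    )
    # 0 restarts the device immediately after installation with no option to delay
    # (see the note above); 1 or 2 gives users that many days before the forced restart.
    @{
        '@odata.type'           = '#microsoft.graph.windowsQualityUpdateProfile'
        displayName             = $DisplayName
        description             = 'ISM-1877: critical or exploited OS vulnerability, patch within 48 hours'
        expeditedUpdateSettings = @{
            qualityUpdateRelease  = $ReleaseDate.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
            daysUntilForcedReboot = $DaysUntilForcedReboot
        }
    }
}

# Placeholder release date; use the release date of the update you need to expedite.
$body   = New-ExpeditePolicyBody -DisplayName 'Expedite 2024-09 security update' `
                                 -ReleaseDate (Get-Date '2024-09-10') -DaysUntilForcedReboot 1
$policy = Invoke-MgGraphRequest -Method POST -Uri $profiles `
              -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign to the device groups that carry the 48-hour obligation (group ID placeholder).
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                       groupId       = '00000000-0000-0000-0000-000000000000' } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$profiles/$($policy.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Clean-up once reporting confirms installation, or next month's update supersedes it:
# Invoke-MgGraphRequest -Method DELETE -Uri "$profiles/$($policy.id)"
```

Expedite policies apply to Windows quality updates only; the driver control ISM-1879 in the table above is met through a Windows driver update policy, not through expedite.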
Delivery Optimization is a cloud-managed solution that allows clients to download updates from alternate sources (such as other peers on the network) in addition to the traditional internet-based servers. Delivery Optimization settings for Windows devices can be configured via Intune to reduce internet bandwidth consumption when update binaries are downloaded.
With Windows Driver Update Management in Microsoft Intune, you gain the ability to oversee, authorize for deployment, and temporarily halt the rollout of driver updates across your managed Windows 10 and Windows 11 devices. Intune, alongside the Windows Update for Business (WUfB) Deployment Service (DS), handles the intricate process of identifying relevant driver updates for devices under a driver updates policy. These updates are categorized by Intune and WUfB-DS, streamlining the process of distinguishing between recommended updates suitable for all devices and optional updates tailored for specific needs. Through Windows driver update policies, you retain full control over the installation of driver updates on your devices.
Here's what you can do:
When a driver update policy is created, the IT administrator can choose between automatic and manual approval of updates.
Once the policy is created, let devices scan for updates for about a day. The Drivers to review column shows the count of new recommended driver updates that are ready for manual approval; in an automatic policy, Drivers to review stays at 0 because recommended drivers are approved automatically. A non-zero count is the indicator that new drivers have been discovered and are awaiting a decision on whether to approve or decline deploying them.
When an IT administrator approves a driver, an approval date in the future can optionally be provided. Once drivers are approved, Intune-managed Windows devices receive them in the next policy sync cycle, which is typically every 8 hours.
ISM control Sep 2024 | Maturity Level | Control | Measure |
---|---|---|---|
ISM-1697 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as noncritical by vendors and no working exploits exist. | Intune’s Driver and Firmware deployment method will be used to approve and deploy the latest version of the driver that mitigates vulnerabilities |
ISM-1903 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | IT administrator approves the newer version of the firmware in the Intune console when firmware vulnerabilities are assessed as critical by the vendors |
ISM-1904 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as noncritical by vendors and no working exploits exist. | Intune’s Drivers and Firmware deployment method deploys the latest secure Drivers and Firmware version. |
Note
Update Compliance has been deprecated from March 2023.
Update Compliance allows for the monitoring of quality and feature updates for Windows 10 or Windows 11 Professional, Education, and Enterprise editions. Update Compliance collates Windows client diagnostic data to report on the status of updates on Windows devices into a Log Analytics workspace. Update Compliance displays information for all devices onboarded onto the service to help determine if they're up to date with the following:
For more information about the prerequisites for provisioning a Log Analytics workspace for Update Compliance, see Get started with Update Compliance - Windows Deployment.
Consolidated diagnostics data is presented in various reporting sections readily available in Update Compliance. Data collected is stored for 28 days within Update Compliance.
This section provides a breakdown of all Windows client devices and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within the section break down the issues encountered, such as devices with unsupported operating system versions and missing security updates. Devices surfaced in these reports require remediation by an administrator. There's also a predefined list of queries that provide values but don't fit within any other main section, such as devices that have pending reboots, paused configurations and more.
This section lists the percentage of devices that are on the latest security update released for the version of Windows the device is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates.
This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows client in your environment.
This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices and summarizes bandwidth savings and utilization across multiple content types.
One of the most expensive aspects of the software update management process is to make sure devices (physical and virtual) are always healthy to receive and report software updates for each software update release cycle. Having a way of measuring, quickly detecting and remediating when something goes wrong with on-going change management processes is important; it helps mitigate high Helpdesk ticket volumes, reduces cost, and improves overall update management results.
Windows Autopatch is a cloud service that automates patching for Windows, Microsoft 365 Apps for Enterprise, Microsoft Edge, Microsoft Teams, Surface drivers and firmware, published drivers and firmware marked as Mandatory in the Windows Update store, Windows 365 and Azure Virtual Desktop (AVD) for your organization. Windows Autopatch provides an extra layer for your organization to mitigate issues when deploying Windows updates. Windows Autopatch deployment rings are segregated at the device level, meaning that during the Windows Autopatch device registration process, devices are assigned to one of the deployment rings: Test, First, Fast, or Broad.
Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher. There are additional prerequisites for using Autopatch including some network configurations which should be considered part of the rollout.
The Readiness assessment tool checks the settings in Microsoft Intune and Microsoft Entra ID to ensure it works with Windows Autopatch as part of enrolling your tenant.
Important
Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization.
To enable the Readiness assessment:
The Readiness assessment tool checks Intune settings to confirm deployment rings for Windows 10 or later, minimum administrator requirements and unlicensed administrators. It also checks your Microsoft Entra settings, including co-management and licenses.
The Readiness assessment tool provides a report, advises of any issues that must be resolved and lists the steps needed to reach a ready state. Once issues have been resolved, you can move to the next step.
The purpose of this step is to confirm your organization has admins for each area of focus, such that the Windows Autopatch Service Engineering Team can contact your organization's admin regarding your support request in future and expands on the minimum admin set during the enrollment process.
Area of focus | Description |
---|---|
Devices | Device registration |
Devices | Device health |
Updates | Windows quality updates |
Updates | Microsoft 365 Apps for enterprise updates |
Updates | Microsoft Edge updates |
Updates | Microsoft Teams updates |
Complete the following steps to add admin contacts:
Note
An admin may have multiple focus areas, especially in smaller organizations.
The Windows Autopatch device registration process is transparent for end-users.
Windows Autopatch must register your existing devices into its service to manage update deployments on your behalf. To perform device registration:
Any device (either physical or virtual) that contains a Microsoft Entra device ID, can be added into the Windows Autopatch Device registration Microsoft Entra group. This can be through either direct membership or by being part of another Microsoft Entra group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy.
Windows 365 Enterprise gives IT admins the option to register devices with the Windows Autopatch service as part of Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls the Windows Autopatch device registration APIs to register devices on behalf of the IT admin. To register new Windows 365 Cloud PCs with Windows Autopatch from the Windows 365 provisioning policy:
Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch.
Windows Autopatch is available for Azure Virtual Desktop. Enterprise admins can provision their Azure Virtual Desktop workloads to be managed by Windows Autopatch using the existing device registration process as per physical machines. Windows Autopatch provides the same scope of service with virtual machines as it does with physical devices. However, Windows Autopatch defers any Azure Virtual Desktop specific support to Azure support, unless otherwise specified.
Autopatch provides a summary dashboard and various reports of current status and historical (longitudinal) reporting (up to 90 days) of all devices enrolled into Autopatch, which can be exported into a CSV file if needed. To view the current update status for all your enrolled devices:
The All Devices Report contains:
Information | Description |
---|---|
Device name | The name of the device. |
Microsoft Entra device ID | The current Microsoft Entra ID recorded device ID for the device. |
Serial number | The current Intune recorded serial number for the device. |
Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. |
Update status | The current update status for the device |
Update sub status | The current update sub status for the device |
OS version | The current version of Windows installed on the device. |
OS revision | The current revision of Windows installed on the device. |
Intune last check-in time | The last time the device checked in to Intune. |
ISM control Sep 2024 | Maturity level | Control | Measure |
---|---|---|---|
1694 | 1, 2, 3 | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as noncritical by vendors and no working exploits exist. | For devices enrolled with Windows Autopatch, updates are installed within 2 weeks. |
1877 | 1, 2, 3 | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | Autopatch groups give the organization the flexibility to bring in deadlines to within 48 hours if necessary. |
1879 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | Autopatch groups give the organization the flexibility to bring in deadlines to within 48 hours if necessary. |
Microsoft Defender Vulnerability Management (DVM) delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices.
As a prerequisite, endpoints need to be onboarded to Microsoft Defender for Endpoint. There are additional prerequisites for using DVM. Once devices are onboarded, DVM is able to assess whether vulnerabilities are applicable to individual devices and provide recommended actions.
Once devices have been onboarded to Defender for Endpoint, DVM can determine if any devices are potentially exposed to vulnerabilities and provide security recommendations for each identified weakness.
In the Microsoft Security Portal under Vulnerability Management > Inventories, software products identified across endpoints onboarded to Defender for Endpoint are shown, including the vendor name, weaknesses found, threats associated with them and exposed devices.
You can also look at software inventories on specific devices by navigating to the Device Inventory page. Select the name of a device to open the device page (like Computer1), then select the Software inventory tab to see a list of all the known software present on the device. Select a specific software entry to open the flyout with more information.
Opening the specific software page provides more details about the application as shown in following screenshot. Details displayed include:
The DVM capabilities are designed to bridge the gap between Security and IT administrators through the remediation request workflow. The DVM remediation actions can use native integrations to generate remediation tasks in Intune. Additionally, the DVM API can be used to orchestrate remediation processes and actions with third party tools where required. The following steps describe the remediation workflow using DVM and Intune:
To use this capability, enable the Microsoft Intune connection.
Note
Enabling the connection to Microsoft Intune is required to create a corresponding Intune security task when creating a remediation request in DVM. The option to create an Intune security task does not appear if the connection is not enabled.
Submitting a remediation request creates a remediation activity item within DVM, which can be used for monitoring any remediation progress. When an administrator submits a remediation request from the Security recommendations page, a security task is created that can be tracked on the Remediation page, and a remediation ticket is created in Microsoft Intune. This won't trigger remediation or apply any changes to devices.
The following image shows a security task created in Intune:
The Intune administrator then remediates the task based on the guidance provided. The guidance varies depending on the type of remediation that's needed. When available, remediation guidance includes links that open relevant panes for configurations in Intune.
Additional information on DVM can be found in Patch Applications Section.
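The following PowerShell is an added example, not part of the original page, that turns DVM's continuous assessment into evidence for the scanning controls in the table below (ISM-1701, 1703, 1900) and the patching windows they feed: it runs an advanced hunting query through Microsoft Graph that lists OS-level CVEs per device, how many days they have been open, and which ISM clock they have exceeded (48 hours when critical or exploited, two weeks for internet-facing devices, one month otherwise). It assumes the Microsoft.Graph.Authentication module is installed, the account holds ThreatHunting.Read.All, devices are onboarded to Defender for Endpoint, and that the `DeviceTvmSoftwareVulnerabilities`, `DeviceTvmSoftwareVulnerabilitiesKB` and `DeviceInfo` schemas (including `IsInternetFacing`) are as documented for advanced hunting.

```powershell
# Added example (not part of the original page): ISM patch-window breaches from DVM data.
Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome

$kql = @'
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor =~ "microsoft" and SoftwareName startswith "windows"
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, PublishedDate, IsExploitAvailable, CvssScore
  ) on CveId
| join kind=leftouter (
    DeviceInfo
    | summarize arg_max(Timestamp, IsInternetFacing) by DeviceId
  ) on DeviceId
| extend DaysOpen = datetime_diff("day", now(), PublishedDate)
| extend Critical = (VulnerabilitySeverityLevel == "Critical" or IsExploitAvailable == true)
// ISM-1877/1696: 48 hours if critical or exploited; ISM-1694: 14 days internet-facing; ISM-1695/1902: 30 days otherwise
| extend IsmWindowDays = case(Critical, 2, IsInternetFacing == true, 14, 30)
| where DaysOpen > IsmWindowDays
| project DeviceName, IsInternetFacing, CveId, VulnerabilitySeverityLevel, IsExploitAvailable,
          PublishedDate, DaysOpen, IsmWindowDays, RecommendedSecurityUpdate, RecommendedSecurityUpdateId
| order by Critical desc, DaysOpen desc
'@

function Get-IsmPatchBreaches {
    param([Parameter(Mandatory)] [string] $Query)
    $resp = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Body (@{ Query = $Query } | ConvertTo-Json) -ContentType 'application/json'
    foreach ($row in $resp.results) { [pscustomobject]$row }
}

$breaches = Get-IsmPatchBreaches -Query $kql
$breaches | Format-Table DeviceName, IsInternetFacing, CveId, VulnerabilitySeverityLevel, IsExploitAvailable, DaysOpen, IsmWindowDays -AutoSize
"$(@($breaches).Count) device/CVE pairs are outside their ISM window"
```

Two approximations to keep in mind when using this as evidence: `PublishedDate` is the CVE publication date, which for Microsoft OS vulnerabilities normally coincides with the patch release the ISM clock starts from, but not always; and `VulnerabilitySeverityLevel` is DVM's CVSS-based rating, whereas ISM refers to the vendor's own assessment, so confirm the Critical rows against the MSRC release notes. `IsInternetFacing` is Defender's own exposure signal and should be reconciled with your asset inventory rather than trusted on its own.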
ISM control Sep 2024 | Maturity Level | Control | Measure |
---|---|---|---|
1701 | 1, 2, 3 | A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices. | Devices will be onboarded to Defender for Endpoint. Microsoft Defender Vulnerability Management will continuously monitor and detect risk across an organization’s devices. |
1703 | 3 | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers. | Devices will be onboarded to Defender for Endpoint. Microsoft Defender Vulnerability Management will continuously monitor and detect risk across an organization’s devices. |
1900 | 3 | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware. | Devices will be onboarded to Defender for Endpoint. Microsoft Defender Vulnerability Management will continuously monitor and detect risk across an organization’s devices. |
Compliance policies in Intune provide the capability to determine if a device is compliant or noncompliant based on whether a device can meet one or more configured requirements. This compliance state of the device is assessed when accessing corporate resources that are protected by Conditional Access to either allow or deny access to the resource.
Intune can determine if a device is either compliant or noncompliant based on the current Operating System version of the device. Using the device compliance grant control in Conditional Access, users will only be able to access corporate resources on devices that meet or exceed the minimum Operating System version.
A typical compliance policy that assesses devices based on their operating system value has been provided.
Note
The value supplied for the minimum OS version for both Windows 11 and Windows 10 will need to be incremented over time.
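The following PowerShell is an added example, not part of the original page, that creates the compliance policy described above through Microsoft Graph. Devices whose build is below the minimum for their Windows family are marked noncompliant, and Conditional Access with the "require device to be marked as compliant" grant then blocks them from corporate resources (ISM-1407). It assumes the Microsoft.Graph.Authentication module is installed, the account holds DeviceManagementConfiguration.ReadWrite.All, the `windows10CompliancePolicy` properties (`validOperatingSystemBuildRanges`, `scheduledActionsForRule`) are as documented in Graph v1.0, and the build numbers and group ID are placeholders you refresh every month as the note above says.

```powershell
# Added example (not part of the original page): minimum-OS-build compliance policy via Graph.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
$policies = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'

function New-OsVersionCompliancePolicy {
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        # One entry per Windows family: lowest acceptable build, e.g. @{ 'Windows 11 23H2' = '10.0.22631.4169' }
        [Parameter(Mandatory)] [hashtable] $MinimumBuilds,
        [int] $GracePeriodHours = 0        # 0 = block as soon as the device reports noncompliant
    )
    $ranges = foreach ($family in $MinimumBuilds.Keys) {
        $v = [version]$MinimumBuilds[$family]
        @{
            description    = $family
            lowestVersion  = $v.ToString()
            # Cap each range at its own build number. A single open-ended Windows 10 range
            # (19045.x and above) would otherwise admit every old Windows 11 build as well.
            highestVersion = ('{0}.{1}.{2}.99999' -f $v.Major, $v.Minor, $v.Build)
        }
    }
    $body = @{
        '@odata.type'                   = '#microsoft.graph.windows10CompliancePolicy'
        displayName                     = $DisplayName
        description                     = 'ISM-1407: only the latest or previous OS release'
        validOperatingSystemBuildRanges = @($ranges)
        # Intune requires a noncompliance action on creation; 'block' with zero grace hours
        # means Conditional Access denies access at the next evaluation.
        scheduledActionsForRule         = @(
            @{
                ruleName                      = 'PasswordRequired'   # fixed rule name Intune uses for the default action set
                scheduledActionConfigurations = @(
                    @{ actionType = 'block'; gracePeriodHours = $GracePeriodHours
                       notificationTemplateId = ''; notificationMessageCCList = @() }
                )
            }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri $policies `
        -Body ($body | ConvertTo-Json -Depth 6) -ContentType 'application/json'
}

# Placeholder builds: the current release of each family in scope. Bump these monthly.
$policy = New-OsVersionCompliancePolicy -DisplayName 'ISM-1407 minimum OS build' -MinimumBuilds @{
    'Windows 11 23H2' = '10.0.22631.4169'
    'Windows 10 22H2' = '10.0.19045.4894'
}

# Assign to all managed Windows devices (group ID placeholder).
$assign = @{ assignments = @(
    @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                   groupId       = '00000000-0000-0000-0000-000000000000' } }
) }
Invoke-MgGraphRequest -Method POST -Uri "$policies/$($policy.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 6) -ContentType 'application/json'
```

Because the build numbers go stale every Patch Tuesday, run the creation (or a matching PATCH of `validOperatingSystemBuildRanges`) from the same change that approves the month's update, and give the grace period enough hours for the broad Ring's deadline to pass before users are blocked, or the policy will lock out devices that are merely waiting on their Ring.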
ISM control Sep 2024 | Maturity Level | Control | Measure |
---|---|---|---|
1407 | 3 | The latest release, or the previous release, of operating systems are used. | Users on devices that don't meet the OS version defined in the assigned compliance policy are unable to access corporate resources when the policy is used in combination with Conditional Access. |
Microsoft suggests using cloud services such as Microsoft Intune and Azure Update Manager to maintain the OS version of systems and patch vulnerabilities.
However, for systems and servers that are offline, Microsoft advises using Microsoft Configuration Manager’s Patch management capabilities. See Microsoft Configuration Manager for more details.
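The following PowerShell is an added example, not part of the original page, showing the Configuration Manager side of the controls in the table below using the ConfigurationManager module: a client setting that scans for missing updates well inside the fortnightly requirement of ISM-1702, a required deployment with an "as soon as possible" deadline for critical or exploited vulnerabilities (ISM-1696), and one with a dated deadline for the rest (ISM-1695, ISM-1902). It assumes the module is loaded from a machine with the ConfigMgr console installed, and that the site code, collection names and software update group names are placeholders.

```powershell
# Added example (not part of the original page): ConfigMgr scan schedule and ISM deadlines.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'P01:'   # site code placeholder

# ISM-1702: scan for missing patches at least every 14 days. A daily scan leaves room
# for devices that miss a cycle and still keeps them inside the fortnight.
$scan = New-CMSchedule -RecurInterval Days -RecurCount 1
Set-CMClientSettingSoftwareUpdate -DefaultSetting -ScanSchedule $scan

function New-IsmUpdateDeployment {
    param(
        [Parameter(Mandatory)] [string] $UpdateGroup,
        [Parameter(Mandatory)] [string] $Collection,
        [Parameter(Mandatory)] [ValidateSet('Critical', 'NonCritical')] [string] $IsmClass
    )
    $now = (Get-Date).ToUniversalTime()
    # ISM-1696: critical or exploited -> deadline equal to the available time, which is
    # what the console calls "As soon as possible". ISM-1695/1902: non-critical within one
    # month -> dated deadline, set here to 21 days to leave slack for devices that are off.
    $deadline = if ($IsmClass -eq 'Critical') { $now } else { $now.AddDays(21) }
    New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $UpdateGroup -CollectionName $Collection `
        -DeploymentName "ISM $IsmClass - $UpdateGroup" -DeploymentType Required `
        -TimeBasedOn UTC -AvailableDateTime $now -DeadlineDateTime $deadline `
        -UserNotification DisplayAll
}

# Placeholder update group and collection names.
New-IsmUpdateDeployment -UpdateGroup '2024-09 Critical OS Updates' -Collection 'Non-Internet-Facing Servers' -IsmClass Critical
New-IsmUpdateDeployment -UpdateGroup '2024-09 OS Updates'          -Collection 'Workstations'                -IsmClass NonCritical
```

A deadline does not install anything on a device that has not scanned since the deployment was created, so the 48-hour window for the Critical deployment depends on the scan schedule above (or a forced update scan cycle) running within that window as much as on the deadline itself.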
ISM control Sep 2024 | Maturity Level | Control | Measure |
---|---|---|---|
ISM-1695 | 1, 2 | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release. | IT administrators deploy updates with a deadline configuration of the desired date in Microsoft Configuration Manager |
ISM-1696 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | IT administrators deploy updates with a deadline configuration of As soon as Possible in Microsoft Configuration Manager |
ISM-1702 | 1, 2, 3 | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices. | IT admin configures the Software Update feature of Configuration Manager to run a scan for missing patches on system at least once every 14 days. |
ISM-1902 | 3 | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as noncritical by vendors and no working exploits exist. | IT administrators deploy updates with a deadline configuration of the desired date in Microsoft Configuration Manager. |