
E8 Guide | Patch Applications

This article explains how Devicie supports the application patching controls recommended by the ACSC Essential Eight. 


Patching applications is a foundational step in reducing the attack surface of endpoints. Timely updates close known vulnerabilities that malicious actors routinely exploit. This strategy focuses on ensuring that applications such as browsers, email clients, PDF readers and productivity suites are regularly updated, and that applications no longer supported by their vendor are removed. Devicie helps enforce this strategy by automating application patching and leveraging its integration with Microsoft Defender for Endpoint and Intune.

What's Covered

Devicie supports the following controls related to patching applications:

  • Timely patch deployment for commonly used business applications.

  • Onboarding to Microsoft Defender for Endpoint to enable vulnerability scanning and risk-based insights.

  • Policy-based removal of unsupported or unauthorised applications.

  • Detection of unsupported software, where Defender for Endpoint is licensed and fully integrated.

  • Scanning and remediation for a broader set of applications beyond core productivity tools at higher maturity levels.

What’s Not Covered

The following areas are outside Devicie’s scope and remain the responsibility of the customer:

  • Patching or vulnerability scanning for online services (e.g. SaaS platforms or self-hosted web apps).

  • Identifying unsupported online services, unless surfaced via Defender for Endpoint or third-party tools already configured by the customer.

  • Patching bespoke applications within strict timeframes (e.g. 48 hours for ML3), unless those apps are packaged and maintained by the customer.

  • Ongoing monitoring of Defender for Endpoint data or third-party vulnerability reports — Devicie does not provide centralised alerting or SIEM integration.

Potential Impact and Callouts

When implementing this Essential Eight mitigation strategy, it's important to understand the impacts on your environment and end users so that you can better plan your change processes.

  • Defender for Endpoint P2 licensing is required for some functionality (e.g. continuous vulnerability scanning, unsupported app detection).
  • Customers should open a Devicie support ticket to request packaging or removal of apps not natively supported.
  • Application patch compliance is dependent on device connectivity, Intune sync, and app packaging support.
  • Bespoke apps must be repackaged by the customer for rapid patch cycles (especially ML3). 

 

Devicie Delivered Controls

ML1

  • Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

  • A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.

  • An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.

  • A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.

ML2

  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.

  • Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.

ML3

  • Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

  • Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.

  • Applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
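The timeframes in the controls above are easy to misapply when a device has several patches outstanding with different severities. The following is an added example, not Devicie's code or an ACSC tool: it encodes the patch deadlines (two weeks for core applications, 48 hours at ML3 when the vendor rates the vulnerability critical or a working exploit exists, one month for other applications from ML2) and evaluates a constructed software inventory against each maturity level. The inventory, the device and application names, the use of the two-week deadline as the baseline at ML1 and ML2, and the reading of "one month" as 30 days are all assumptions made for the illustration.

```python
"""Essential Eight 'Patch Applications' timeframe checker.

Added example: this is not Devicie's code or an ACSC tool. It encodes the
patch timeframes quoted in the controls above and runs them over a
constructed software inventory, reporting which missing or late patches
breach the deadline at each maturity level. The inventory, the application
names, the two-week baseline at ML1/ML2 and the 30-day reading of "one
month" are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Application categories used by the controls.
CORE = "core"    # office suites, browsers and extensions, email clients, PDF software, security products
OTHER = "other"  # every other application; only in scope from ML2 upwards


@dataclass
class MissingPatch:
    """A patch a vendor has released for an application installed on a device."""
    device: str
    app: str
    category: str            # CORE or OTHER
    released: datetime       # vendor release time of the patch
    critical: bool           # vendor assessed the vulnerability as critical
    exploited: bool          # a working exploit exists
    applied: Optional[datetime] = None  # when the device received the patch; None if still missing


def deadline(p: MissingPatch, level: int) -> Optional[datetime]:
    """Latest acceptable application time at maturity level 1, 2 or 3.

    Returns None when the patch is out of scope for that level (OTHER
    applications are not covered until ML2).
    """
    if level not in (1, 2, 3):
        raise ValueError(f"unknown maturity level {level}")
    if p.category == CORE:
        # ML3: 48 hours when critical or exploited, two weeks otherwise.
        # Two weeks is taken as the baseline at ML1 and ML2 as well (assumption).
        if level == 3 and (p.critical or p.exploited):
            return p.released + timedelta(hours=48)
        return p.released + timedelta(weeks=2)
    if p.category == OTHER:
        return p.released + timedelta(days=30) if level >= 2 else None
    raise ValueError(f"unknown category {p.category!r}")


def breaches(inventory: List[MissingPatch], level: int, now: datetime) -> List[MissingPatch]:
    """Patches that missed their deadline: applied late, or still missing past it."""
    late = []
    for p in inventory:
        due = deadline(p, level)
        if due is None:
            continue
        done = p.applied if p.applied is not None else now
        if done > due:
            late.append(p)
    return late


# Constructed sample inventory (not real telemetry).
NOW = datetime(2024, 6, 10)
INVENTORY = [
    # Critical, exploited browser update applied on day 3: fine at ML1/ML2, misses the ML3 48-hour window.
    MissingPatch("LAPTOP-01", "Google Chrome", CORE, datetime(2024, 6, 1), critical=True, exploited=True,
                 applied=datetime(2024, 6, 4)),
    # Non-core app, patch released 51 days ago and still missing: out of scope at ML1, breach at ML2/ML3.
    MissingPatch("LAPTOP-02", "7-Zip", OTHER, datetime(2024, 4, 20), critical=False, exploited=False),
    # Non-critical PDF reader patch applied within ten days: compliant at every level.
    MissingPatch("LAPTOP-03", "Adobe Acrobat Reader", CORE, datetime(2024, 5, 20), critical=False, exploited=False,
                 applied=datetime(2024, 5, 30)),
]


def report(inventory: List[MissingPatch], now: datetime) -> dict:
    """Map each maturity level to the device:app pairs breaching the patch timeframe."""
    return {level: [f"{p.device}:{p.app}" for p in breaches(inventory, level, now)] for level in (1, 2, 3)}


if __name__ == "__main__":
    for level, items in report(INVENTORY, NOW).items():
        print(f"ML{level}: {items or 'compliant'}")
```

The same patch can be compliant at ML1 and a breach at ML3 (the Chrome entry), which is why a compliance report needs the target maturity level as an input rather than a single fixed deadline. To use the checker against real data, populate MissingPatch records from your vulnerability scanner output and the patch install times from Intune or Defender for Endpoint.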

 

Customer Responsibility

ML1

  • Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

  • A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.

  • Online services that are no longer supported by vendors are removed.

  • Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.

ML2

  • All ML2 controls are supported.

ML3

  • All ML3 controls are supported.

💡 Tip: Use the Devicie Essential Eight report to view all controls broken down by strategy, maturity level and responsibility.