E8 Guide | Patch Operating Systems
This article explains how Devicie supports the operating system patching controls recommended by the ACSC Essential Eight.
Keeping operating systems up to date is critical for protecting against known vulnerabilities and exploits. The ACSC recommends applying patches promptly, removing unsupported versions, and maintaining visibility of OS vulnerabilities across the environment. Devicie supports this strategy by automating patch deployment through Windows Update for Business (WUfB) and leveraging Microsoft Defender for Endpoint for vulnerability detection.
What's Covered
Devicie supports the following controls related to patching operating systems:
- Automatic deployment of OS updates through Windows Update for Business policies.
- Configuration of Feature and Quality update profiles with safe deferral periods.
- Removal of unsupported Windows versions from the environment.
- Defender for Endpoint integration for continuous OS vulnerability visibility.
- Automated asset discovery to ensure all managed devices are included in patch cycles.
What’s Not Covered
The following areas are outside Devicie’s scope and remain the responsibility of the customer:
- Patching or vulnerability scanning for non-Windows operating systems.
- Updates for unmanaged devices or devices not enrolled in Intune.
- Third-party patching workflows (e.g. WSUS, SCCM) outside Devicie’s standard configuration.
- Active monitoring or alerting on OS patch compliance outside of Intune reporting.
Potential Impact and Callouts
When implementing this Essential Eight mitigation strategy, it's important to understand the impacts on your environment and end users so that you can better plan your change processes.
- Updates are deployed according to defined update rings; plan testing windows to minimise disruption.
- Defender for Endpoint P2 licensing is required for advanced vulnerability-based prioritisation.
- Feature updates may cause compatibility issues with legacy applications and should be tested before broad rollout.
- Devices must remain online and enrolled in Intune to receive updates.
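The callouts above tie update-ring deferral settings to the Essential Eight timeframes quoted on this page (one month, two weeks, 48 hours). The following is an added example, not Devicie's or Microsoft's code: it models a Windows Update for Business ring with a simplified "deferral + deadline + grace period" worst-case install time (an assumption, not an exact WUfB calculation) and checks each ring against a chosen timeframe. Ring names and values are constructed samples.

```python
from dataclasses import dataclass

# Essential Eight patch timeframes (in days) as quoted on this page.
E8_TIMEFRAME_DAYS = {
    "ML1 non-internet-facing OS": 30,   # within one month of release
    "ML2 critical / exploited": 2,      # within 48 hours of release
    "ML2 non-critical": 30,             # within one month of release
    "internet-facing non-critical": 14, # within two weeks of release
}


@dataclass(frozen=True)
class UpdateRing:
    """Simplified WUfB ring model (assumption): worst-case install day
    = quality deferral + deadline + grace period, counted from release."""
    name: str
    quality_deferral_days: int  # days after release before the update is offered
    deadline_days: int          # days after offer before installation is enforced
    grace_days: int             # extra days a user may postpone the restart

    def worst_case_days(self) -> int:
        return self.quality_deferral_days + self.deadline_days + self.grace_days


def check_ring(ring: UpdateRing, timeframe_days: int) -> tuple[bool, int]:
    """Return (compliant, worst_case_days) for one ring against one timeframe."""
    worst = ring.worst_case_days()
    return worst <= timeframe_days, worst


def assess_rings(rings: list[UpdateRing], timeframe_days: int) -> dict[str, tuple[bool, int]]:
    """Map each ring name to its (compliant, worst_case_days) result.
    Note: a ring applies one deferral to every quality update, so a ring that
    meets the 48-hour critical timeframe installs non-critical updates that fast too."""
    return {r.name: check_ring(r, timeframe_days) for r in rings}


# Constructed sample rings; these are not Devicie's defaults.
SAMPLE_RINGS = [
    UpdateRing("pilot", quality_deferral_days=0, deadline_days=2, grace_days=0),
    UpdateRing("broad", quality_deferral_days=7, deadline_days=7, grace_days=2),
    UpdateRing("slow", quality_deferral_days=30, deadline_days=7, grace_days=5),
]

if __name__ == "__main__":
    for label, days in E8_TIMEFRAME_DAYS.items():
        for name, (ok, worst) in assess_rings(SAMPLE_RINGS, days).items():
            print(f"{label:30} {name:6} worst-case {worst:2}d  {'OK' if ok else 'EXCEEDS'}")
```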
Devicie Delivered Controls
| ML1 | ML2 | ML3 |
| --- | --- | --- |
| A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices. | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware. | The latest release, or the previous release, of operating systems are used. |
| Operating systems that are no longer supported by vendors are replaced. | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers. | |
| Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release. | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. | |
| | Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | |
| | Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. | |
| | Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | |
| | Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. | |
Customer Responsibility
| ML1 | ML2 | ML3 |
| --- | --- | --- |
| A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices. | | |
| Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | | |
| Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. | | |
💡 Tip: Use the Devicie Essential Eight report to view all controls broken down by strategy, maturity level and responsibility.